Mikrotik
Zakhar Skorokhodov, 2016-08-24 18:12:10

How to set up Mikrotik to access a local server by domain name from an internal network?

Initial:
RouterOS v6.36
Subnet: 192.168.88.0/24
Router: 192.168.88.1
Server: 192.168.88.8
Static external IP: 10.10.10.10
Domain: domain.com
The domain is bound to the IP and works fine from outside the internal network. However, if you try to reach it from the inside, the connection is cut. At the same time, the router's web interface is easily accessible via the domain, and there is no ssh from the local network to the router.
Could anyone tell me how to arrange the rules so that I can:
1. Reach the router via ssh (the port was changed on purpose).
2. Reach the local server 192.168.88.8 from the local network by the name domain.com,
and at the same time not break everything else that works properly?

/ip firewall filter> print
0 chain=forward
1 chain=input action=accept protocol=icmp log=no log-prefix=""
2 chain=input action=accept connection-state=established,related log=no log-prefix=""
3 chain=input action=accept protocol=tcp dst-port=8037 log=yes log-prefix="router_http"
4 chain=input action=accept protocol=tcp dst-port=2237 log=yes log-prefix="router_ssh"
5 chain=input action=accept protocol=tcp dst-port=2137 log=yes log-prefix="router_ftp"
6 chain=input action=accept protocol=tcp dst-port=80 log=no log-prefix=""
7 chain=input action=accept protocol=tcp dst-port=443 log=no
8 chain=input action=accept protocol=tcp dst-port=22 log=no log-prefix=""
9 chain=input action=accept protocol=tcp dst-port=21 log=no log-prefix=""
10 chain=input action=accept protocol=tcp dst-port=64000-65000 log=no
11 chain=input action=drop in-interface=vladlink log=no log-prefix=""
12 chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""
13 chain=forward action=accept connection-state=established,related log=no log-prefix=""
14 chain=forward action=drop connection-state=invalid log=no log-prefix=""
15 chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=vladlink log=no log-prefix=""

/ip firewall nat> print
0 chain=srcnat action=masquerade out-interface=vladlink log=no log-prefix=""
1 chain=dstnat action=dst-nat to-addresses=192.168.88.8 to-ports=80 protocol=tcp in-interface=vladlink dst-port=80 log=yes log-prefix="local_http"
2 chain=dstnat action=dst-nat to-addresses=192.168.88.8 to-ports=443 protocol=tcp in-interface=vladlink dst-port=443 log=yes log-prefix="local_https"
3 chain=dstnat action=dst-nat to-addresses=192.168.88.8 to-ports=22 protocol=tcp in-interface=vladlink dst-port=22 log=yes log-prefix="local_ssh"
4 chain=dstnat action=dst-nat to-addresses=192.168.88.8 to-ports=21 protocol=tcp in-interface=vladlink dst-port=21 log=yes log-prefix="local_ftp"
5 chain=dstnat action=dst-nat to-addresses=192.168.88.8 to-ports=64000-65000 protocol=tcp in-interface=vladlink dst-port=64000-65000 log=yes log-prefix="local_ftp_over_ftp"

2 answer(s)
Kirill Vasiliev, 2016-08-24
@ZAhmed

Hello. If you cannot, or do not want to, change the IP via DNS, there is a technique that solves this problem; it is called Hairpin NAT.
wiki.mikrotik.com/wiki/Hairpin_NAT

paxlo, 2016-08-25
@paxlo

It's called Hairpin NAT
In your case it's
/ip firewall nat
unset 0 out-interface
unset 1,2,3,4,5 in-interface
set 1,2,3,4,5 dst-address=10.10.10.10
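As an added worked example (it is not part of either answer above, nor of the MikroTik wiki page they link), here is the complete Hairpin NAT configuration for the addresses in the question, written in the form the wiki recommends: the dstnat rules match on the public address instead of the incoming interface, and a separate, narrowly matched masquerade rule handles only the hairpinned flows, so the existing `out-interface=vladlink` masquerade rule (rule 0) is left untouched. The five dstnat rules are meant to replace rules 1-5 from the question's NAT table; the subnet, the server and public addresses, the WAN interface name vladlink and the forwarded ports are all taken from the question, nothing else is assumed. The router's own services stay reachable on their changed ports (8037, 2237, 2137), because only traffic to the published ports 80, 443, 22, 21 and 64000-65000 is redirected.

```routeros
/ip firewall nat
# dstnat: redirect the published ports to the server whenever the packet
# is addressed to the public IP, whatever interface it arrived on.
# Dropping in-interface=vladlink is what lets LAN clients that resolve
# domain.com to 10.10.10.10 hit these rules; WAN clients still match too.
add chain=dstnat dst-address=10.10.10.10 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.88.8 comment="hairpin http"
add chain=dstnat dst-address=10.10.10.10 protocol=tcp dst-port=443 action=dst-nat to-addresses=192.168.88.8 comment="hairpin https"
add chain=dstnat dst-address=10.10.10.10 protocol=tcp dst-port=22 action=dst-nat to-addresses=192.168.88.8 comment="hairpin ssh"
add chain=dstnat dst-address=10.10.10.10 protocol=tcp dst-port=21 action=dst-nat to-addresses=192.168.88.8 comment="hairpin ftp"
add chain=dstnat dst-address=10.10.10.10 protocol=tcp dst-port=64000-65000 action=dst-nat to-addresses=192.168.88.8 comment="hairpin ftp passive"

# srcnat: hairpinned flows need source NAT as well. After dst-nat the
# server would otherwise reply to the LAN client directly with source
# 192.168.88.8, the client is expecting 10.10.10.10, and the connection
# is reset. Matching src-address AND dst-address means this rule can only
# see flows that were first translated by the dstnat rules above: direct
# LAN-to-server traffic never crosses the router, so it never matches.
# The original masquerade rule with out-interface=vladlink stays as is.
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.8 protocol=tcp dst-port=80,443,22,21,64000-65000 action=masquerade comment="hairpin srcnat"
```

After applying this, the filter rules from the question need no change: rule 15 still drops new WAN connections that were not dst-nat'ed, and the forward chain has no drop for LAN-originated traffic, so the hairpinned connection is forwarded. Two things to check: `/ip firewall nat print stats` should show the counters of both the "hairpin ssh" and "hairpin srcnat" rules increasing when a LAN host runs `ssh domain.com`, and `/ip firewall connection print` should list that flow with the public address as its original destination. Note that `ssh domain.com` on port 22 now reaches the server from the LAN exactly as it does from outside; the router itself is reached on port 2237, the same as before.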
