4k4, 2015-12-02 23:52:48

How to set up NAT loopback on Mikrotik without specifying an external address?

Recently replaced the old dd-wrt router with Mikrotik. I configured DDNS on it (www.mysite.xyz), as well as NAT for a web server located on the local network (www.mysite.xyz:80 -> 192.168.1.10:8080).

Router WAN IP: Dynamic. DDNS: mysite.xyz
Router LAN IP: 192.168.1.1
Web Server IP (Port): 192.168.1.10:8080

;;; default configuration
chain=srcnat action=masquerade out-interface=WAN log=no log-prefix=""
;;; www
chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=8080 protocol=tcp in-interface=WAN dst-port=80 log=no log-prefix=""

Now there is a desire to go to this web server from the local network, but through an external address / IP (so that Firewall rules, NAT and everything else work out). In dd-wrt, the desired logic was right out of the box, without any tweaks.
The main question is: How to organize it on Mikrotik?
---------------------
I found a similar question on the Internet and, at first glance, the solution is wiki.mikrotik.com/wiki/Hairpin_NAT.
But the whole problem is that my WAN IP is not permanent, and such rules do not fit.
I tried to specify a specific IP for the "address" mysite.xyz (IP - DNS - Static: mysite.xyz -> 192.168.1.10), but this option did not work. In this case, the DDNS update script falls off and additional configuration of DNS is required on machines running Windows 7.
Unfortunately, I am not strong in advanced filter / routing settings.


5 answer(s)
Stealth13, 2016-03-12
@Stealth13

And I wanted to share my experience.
The task was probably banal: it was necessary to forward ports on Mikrotik to internal network resources, but in such a way that these internal network resources could be accessed using the Mikrotik Internet domain name both from the Internet and within the network. Normal port forwarding "on the forehead" works only for requests from the Internet. When accessing within the local network by an external domain name, we get a bummer. There were 2 solutions on the Internet: one - to register Mikrotik's DNS "Static DNS" domain.name -> Internal_IP_address_of_resource, and then all calls to the domain name within the network will be directed to this internal resource. But this is not suitable when there are several internal resources, and not one, because we can write "Static DNS" for only one resource. The second solution is Hairpin NAT, described in Wiki wiki.mikrotik. com/wiki/Hairpin_NAT . However, it also has problems if the external IP address is dynamic and changes frequently (with a domain name from dyndns, for example). In Hairpin NAT, as described in the Wiki, the NAT rules must specify the external IP, which is unacceptable when it changes frequently. On reflection, I came up with the following "perfect" solution, combining both methods into one:
/ip dns static
add address=192.168.88.1 name=myname.dyndns.org
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1-gateway
(default configuration)
add action=dst-nat chain=dstnat comment=RDP dst-address-type=local dst-port=3389 protocol=tcp to-addresses=192.168.88.2
add action=masquerade chain=srcnat dst-address=192.168.88.2 dst-port=3389 out-interface=bridge-local protocol=tcp src-address=192.168.88.0/24
(2 such lines for each port forwarding)
I.e. we register in the static DNS the mapping of the domain name to the internal IP address of the router (and not the internal resource!). Any client within the network will get to the router by domain name.
We write 2 rules for each forwarding - one for mapping, the second for masquerading. Thus, we get rid of the need to necessarily specify the external IP address in the NAT rules, which often changes with us.
This approach has been tested and works successfully on my network. It is more versatile than those described earlier, so I decided to share my experience, maybe it will come in handy for someone.

Nikita Sizov, 2015-12-03
@sizaik

Actually, the DNS option is the easiest one; I don't see why it doesn't suit you.
The script (if you use the first option) has nothing to do with the local DNS - it only checks if the external IP has changed and sends it to DynDNS if it has.
The second option may not work because it uses the resolve command without arguments - which means that by default it tries to resolve the name on the same router, and the router issues the internal address 192.168.1.10. To avoid this, you must use resolve with an explicit indication of the external DNS server. This is done like this:
As for additional DNS configuration on machines in the local network - well, you can distribute them via DHCP. And in general it is not very clear what additional configuration is needed if your router is registered as a DNS server.

alegzz, 2015-12-03
@alegzz

wiki.mikrotik.com/wiki/Use_host_names_in_firewall_rules

LionG, 2020-12-06
@LionG

I asked myself the same question and found a solution based on rules alone, without scripts, etc.

add action=masquerade chain=srcnat out-interface=wan
add action=masquerade chain=srcnat dst-address=192.168.10.0/24 out-interface=local-bridge src-address=192.168.10.0/24

Port forwarding:
add action=dst-nat chain=dstnat dst-address=!192.168.10.1 dst-address-type=local dst-port=80 protocol=tcp to-addresses=192.168.10.10 to-ports=80

wan - external interface
local-bridge - LAN bridge
192.168.10.0/24 - LAN
192.168.10.10 - server local address
192.168.10.1 - default gateway

bukass, 2015-12-03
@bukass

add action=dst-nat chain=dstnat dst-port=8080 in-interface=ether1-gateway protocol=tcp \
    to-addresses=192.168.88.247 to-ports=80

Just don't specify an address - just port, protocol, interface.
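The following is an added example that is not from the question or any of the answers above; it combines Stealth13's static-DNS trick, LionG's dst-address-type=local forward and bukass's "don't specify an address" advice into one hairpin setup for the asker's topology (router 192.168.1.1, server 192.168.1.10:8080, WAN interface named WAN as in the question). The LAN bridge name "bridge" is an assumption.

```routeros
# Added example, not the page's own config. Assumed names: LAN bridge is
# "bridge"; the WAN interface is "WAN" as in the question.

# 1. Resolve the DDNS name to the router's own LAN address for LAN clients.
#    The DDNS updater is unaffected: it reads the WAN interface address,
#    not this static entry.
/ip dns static
add name=mysite.xyz address=192.168.1.1 comment="hairpin: LAN clients reach the router"

/ip firewall nat
# 2. Ordinary WAN masquerade (the default rule).
add chain=srcnat action=masquerade out-interface=WAN comment="defconf: masquerade"

# 3. The port forward. Note that there is no in-interface=WAN here: the rule
#    must also match packets from LAN clients. dst-address-type=local matches
#    every address the router owns, so the dynamic WAN IP never has to be
#    written into the rule. Excluding the router's LAN IP keeps
#    http://192.168.1.1 (the router's own web UI) from being forwarded to the
#    server as well.
add chain=dstnat action=dst-nat protocol=tcp dst-port=80 \
    dst-address-type=local dst-address=!192.168.1.1 \
    to-addresses=192.168.1.10 to-ports=8080 comment="www"

# 4. Hairpin masquerade, written once for the whole LAN instead of one rule
#    per forward. A LAN client's packet that was dst-nat'ed back into the LAN
#    gets the router's LAN IP as its source, so the server answers via the
#    router and the reply is de-NATed. Without this rule the server replies
#    directly from 192.168.1.10:8080 and the client drops the unexpected packet.
add chain=srcnat action=masquerade src-address=192.168.1.0/24 \
    dst-address=192.168.1.0/24 out-interface=bridge comment="hairpin"
```

Because of rule 4 the server's access log shows 192.168.1.1 for every LAN client that arrived via the external name; filter rules in chain=forward still see the real client source address, because src-nat is applied only after the forward chain.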
