cusco
newbie
Topic Author
Posts: 34
Joined: Tue Jun 29, 2010 2:34 pm

Loop Back?

Tue Jun 29, 2010 2:37 pm

Hi!

We have a Mikrotik that is working fine except for what my colleague calls loopback.

We have a website running on 192.168.2.15 that everybody on the internet can access (added nat rules for that).

But we, inside the LAN, can't!

I mean, we can access it if we set local DNS to 192.168.2.15, but accessing the public IP 213.63.137.210 from the LAN won't open the website (nor FTP).

How can we overcome this without custom dns entries?


Thanks in advance
 
bafh
Frequent Visitor
Posts: 83
Joined: Sun Jun 27, 2010 3:59 pm
Location: Libau, Lettland

Re: Loop Back?

Tue Jun 29, 2010 2:40 pm

What are the permissions in the server? Virtual domains or just 1?
 
cusco
newbie
Topic Author
Posts: 34
Joined: Tue Jun 29, 2010 2:34 pm

Re: Loop Back?

Tue Jun 29, 2010 2:47 pm

Sorry, but I don't see how the server is relevant.

It is a simple apache server. What permissions are you referring to?
 
normis
MikroTik Support
Posts: 26376
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Loop Back?

Tue Jun 29, 2010 2:54 pm

Make a simple diagram of how your server is connected, and how the users can and can't access it.
 
kirshteins
MikroTik Support
Posts: 592
Joined: Tue Dec 02, 2008 10:55 am

Re: Loop Back?

Tue Jun 29, 2010 3:01 pm

Try to masquerade traffic coming from your LAN and going to 192.168.2.15. Currently 192.168.2.15 is responding directly to the user, while the user waits for a response from the router.
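
The asymmetric return path described in the post above, traced hop by hop as an added example (not part of the original thread, and a model rather than RouterOS code). The router LAN address 192.168.2.1 and the client address 192.168.2.50 are assumptions; the other addresses come from the thread.

```python
# Constructed model of the thread's topology; not RouterOS code.
PUBLIC_IP = "213.63.137.210"   # router WAN address (from the thread)
SERVER = "192.168.2.15"        # web server (from the thread)
ROUTER_LAN = "192.168.2.1"     # assumed router LAN address
CLIENT = "192.168.2.50"        # assumed LAN client
LAN_PREFIX = "192.168.2."      # 192.168.2.0/24


def on_lan(ip):
    return ip.startswith(LAN_PREFIX)


def connect(client, hairpin_srcnat):
    """Trace one SYN and its SYN-ACK; return (client_accepts, trace)."""
    trace = []
    src, dst = client, PUBLIC_IP
    trace.append(("client -> router", src, dst))

    # dstnat on the router: the public IP is rewritten to the server.
    dst = SERVER
    # Optional srcnat (masquerade) for LAN traffic headed to the server:
    # the source becomes the router's own LAN address.
    if hairpin_srcnat and on_lan(src):
        src = ROUTER_LAN
    trace.append(("router -> server", src, dst))

    # The server answers whatever source address it saw.
    reply_src, reply_dst = SERVER, src
    if reply_dst == ROUTER_LAN:
        # Reply returns to the router, whose connection tracking undoes
        # both translations before forwarding to the client.
        trace.append(("server -> router", reply_src, reply_dst))
        reply_src, reply_dst = PUBLIC_IP, client
        trace.append(("router -> client", reply_src, reply_dst))
    else:
        # Client is on the server's own subnet, so the reply is delivered
        # directly and never passes back through the router's NAT.
        trace.append(("server -> client (direct)", reply_src, reply_dst))

    # The client's socket only accepts a reply from the address it dialled.
    return reply_src == PUBLIC_IP and reply_dst == client, trace


if __name__ == "__main__":
    for hairpin in (False, True):
        ok, trace = connect(CLIENT, hairpin)
        print("srcnat" if hairpin else "no srcnat", "->", "ok" if ok else "fails")
        for hop in trace:
            print("   ", *hop)
```

Without the source NAT step the client receives a reply sourced from 192.168.2.15 for a connection it opened to 213.63.137.210, so it is discarded; with it, the reply is forced back through the router and arrives from the expected address.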
 
normis
MikroTik Support
Posts: 26376
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Loop Back?

Tue Jun 29, 2010 3:02 pm

Please read before posting. Try what kirshteins suggested.
 
cusco
newbie
Topic Author
Posts: 34
Joined: Tue Jun 29, 2010 2:34 pm

Re: Loop Back?

Tue Jun 29, 2010 3:12 pm

Ok.

Our public IP is 213.63.137.210. The MikroTik has an interface with this IP.

from outside you can access http://213.63.137.210
from inside WE CAN NOT access http://213.63.137.210
we can access http://192.168.2.15


http://i50.tinypic.com/24dits4.jpg
 
cusco
newbie
Topic Author
Posts: 34
Joined: Tue Jun 29, 2010 2:34 pm

Re: Loop Back?

Tue Jun 29, 2010 3:13 pm

kirshteins wrote: "Try to masquerade traffic coming from your LAN and going to 192.168.2.15. Currently 192.168.2.15 is responding directly to the user, while the user waits for a response from the router."

Theoretically that makes absolute sense.

Thank you for understanding my issue. So I am going to look into inserting a masquerading rule.

Thanks once again.
 
cusco
newbie
Topic Author
Posts: 34
Joined: Tue Jun 29, 2010 2:34 pm

Re: Loop Back?

Tue Jun 29, 2010 3:55 pm

Sorry to bug you but I don't think this is correct:

chain=srcnat action=masquerade src-address=192.168.2.0/24 dst-address=192.168.2.15

I tried several ways, without dst address with out-interface...

what am I looking for exactly?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Loop Back?

Tue Jun 29, 2010 4:17 pm

Search the forum for "hairpin NAT". Recent posts about that term will be people telling other people to search for "hairpin NAT"; threads further back contain working configurations.
 
cusco
newbie
Topic Author
Posts: 34
Joined: Tue Jun 29, 2010 2:34 pm

Re: Loop Back?

Tue Jun 29, 2010 4:31 pm

Will do. Thanks
 
kirshteins
MikroTik Support
Posts: 592
Joined: Tue Dec 02, 2008 10:55 am

Re: Loop Back?

Tue Jun 29, 2010 4:35 pm

For troubleshooting you can add a general masquerade (masquerade everything) rule at the top of your SRC-NAT rule list.
 
cusco
newbie
Topic Author
Posts: 34
Joined: Tue Jun 29, 2010 2:34 pm

Re: Loop Back?

Tue Jun 29, 2010 4:55 pm

Hi kirshteins, thanks for helping out.

I tried that. I did: add chain=srcnat action=masquerade out-interface="WAN ArTelecom" src-address-list="Allowed-Internet" comment="aaaaaaa" disabled=no

I placed it in position 0.

I tried taking out the "Allowed-Internet" bit as well (which is a list that contains 192.168.2.0/24).

I noticed it counts up traffic, but I still can't access the public IP directly...
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Loop Back?

Wed Jun 30, 2010 1:47 am

Pada just updated a thread on this:

http://forum.mikrotik.com/viewtopic.php?f=13&t=36548
 
Pada
Member Candidate
Posts: 150
Joined: Tue Dec 08, 2009 11:37 pm
Location: South Africa, Stellenbosch

Re: Loop Back?

Wed Jun 30, 2010 1:51 am

eish fewi, you're too fast. I was just about to post here that I've updated an old thread about NAT loopback :D

Today is actually the first time that I've seen/heard about "hairpin NAT". Previously I've seen people calling it: "NAT loopback" / "Reverse NAT" / "PAT"
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Loop Back?

Wed Jun 30, 2010 2:00 am

Heh, sorry about that.

Yeah, there's lots of different terms for it. Coming from Cisco I call it hairpin NAT. They named it after the voice world where hairpinning a call refers to directing a call back out the way it came in. When you draw that out on a piece of paper as far as flow goes it looks U-shaped, like a hairpin.
