tritor
just joined
Topic Author
Posts: 2
Joined: Mon Nov 20, 2023 3:11 pm
Location: Austria

LAN access with FQDN via Nginx ReverseProxy

Mon Nov 20, 2023 7:06 pm

Hello experts,

First things first: I am new to MikroTik and I have a mentor who is quite experienced in networking and MikroTik.
Still, we have an issue which does not seem easy for us to solve.

Internet Access: stand alone Cable Modem
Hardware: RB4011iGS+5HacQ2HnD, rev. r2, 7.13beta2, factory firmware. 7.8 IP: 192.168.100.1
Synology NAS IP: 192.168.100.235, NGINX Reverse Proxy Server (running on an Intel NUC) IP: 192.168.100.238

For accessing services on the Synology NAS, there are several entries made on the revprox, like audio, video, photo; a Nextcloud instance is also on the network and has its entry on the NginXRevProx.

Portforwards on the RB4011 for 80 and 443 point to the NGINXRevProx and from external all works fine like:
https://disks.test.net is routed to 192.168.100.238:5001 (the Synology NAS). Also, externally, all other services such as Nextcloud, which points to a Proxmox container running Ubuntu and Nextcloud, work well when accessing https://next.test.net

The issue: Internal access with FQDN

Hairpin NAT looks like:
#Hairpin-NAT - local to local
chain=srcnat action=masquerade src-address=192.168.10.0/24 dst-address=192.168.10.0/24

# ReverseProxy - https
chain=dstnat action=dst-nat to-addresses=192.168.10.238 to-ports=443 protocol=tcp dst-address-list=WanIP dst-port=443

What settings need to be made so that internally (within the LAN) clients like tablets and phones can access the NAS services (and others with domain *.test.net) using the FQDN, like https://disks.test.net or https://photo.test.net? Not all services are running on the Synology NAS, but the reverse proxy has all necessary rules loaded, incl. SSL certificates.

Btw, the previous setup was an Asus RT-AC68U as a router, and the port forward of ports 80 and 443 to the NGINX ProxyMgr was enough for access to work internally and externally.


Please excuse my level of knowledge at this stage; I have started to learn but am just at the beginning.

regards
 
Cha0s
Forum Guru
Posts: 1142
Joined: Tue Oct 11, 2005 4:53 pm

Re: LAN access with FQDN via Nginx ReverseProxy

Mon Nov 20, 2023 9:33 pm

The functionality you need is called "NAT Hairpin"
https://help.mikrotik.com/docs/display/ ... HairpinNAT
 
infolpg
just joined
Posts: 2
Joined: Tue Jan 31, 2023 10:13 pm

Re: LAN access with FQDN via Nginx ReverseProxy

Mon Nov 20, 2023 9:51 pm

The functionality you need is called "NAT Hairpin"
https://help.mikrotik.com/docs/display/ ... HairpinNAT
of course NAT Hairpin - and as I saw this:
Hairpin NAT looks like:
#Hairpin-NAT - local to local
chain=srcnat action=masquerade src-address=192.168.10.0/24 dst-address=192.168.10.0/24
--> ok with 192.168.100.0

but so far it is already implemented...

@tritor - chain=srcnat action=masquerade src-address=192.168.100.0/24 dst-address=192.168.100.0/24
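
The subnet mismatch pointed out in the reply above can be checked mechanically. This is an added example, not part of the thread or of MikroTik's tooling: a small Python audit that parses the rule lines as posted and flags NAT rules whose addresses cannot match the LAN hosts the first post lists. The names `parse_rule` and `audit` are hypothetical, and the LAN is assumed to be a /24.

```python
import ipaddress
import shlex

# Constructed sample: the two rules as posted in the thread, plus the
# addresses the first post gives for the router, NAS and reverse proxy.
POSTED_RULES = [
    "chain=srcnat action=masquerade src-address=192.168.10.0/24 dst-address=192.168.10.0/24",
    "chain=dstnat action=dst-nat to-addresses=192.168.10.238 to-ports=443 "
    "protocol=tcp dst-address-list=WanIP dst-port=443",
]
LAN_HOSTS = ["192.168.100.1", "192.168.100.235", "192.168.100.238"]


def parse_rule(line):
    """Split a RouterOS 'key=value key=value' rule line into a dict."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def audit(rules, lan_hosts):
    """Return findings for NAT rules that cannot match the given LAN hosts."""
    hosts = [ipaddress.ip_address(h) for h in lan_hosts]
    # Assumption: the LAN is the /24 that contains the first listed host.
    lan = ipaddress.ip_network(f"{hosts[0]}/24", strict=False)
    findings = []
    for n, rule in enumerate(map(parse_rule, rules)):
        if rule.get("action") == "masquerade":
            # A hairpin rule only fires if LAN hosts fall inside both matchers.
            for key in ("src-address", "dst-address"):
                if key in rule:
                    net = ipaddress.ip_network(rule[key], strict=False)
                    if not any(h in net for h in hosts):
                        findings.append(f"rule {n}: {key}={rule[key]} matches no host in {lan}")
        # Single-address to-addresses only; ranges are not handled here.
        if rule.get("action") == "dst-nat" and "to-addresses" in rule:
            target = ipaddress.ip_address(rule["to-addresses"])
            if target not in lan:
                findings.append(f"rule {n}: to-addresses={target} is outside {lan}")
    return findings


if __name__ == "__main__":
    for finding in audit(POSTED_RULES, LAN_HOSTS):
        print(finding)
```
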
 
tritor
just joined
Topic Author
Posts: 2
Joined: Mon Nov 20, 2023 3:11 pm
Location: Austria

Re: LAN access with FQDN via Nginx ReverseProxy

Mon Nov 20, 2023 9:51 pm

The hairpin NAT describes everything on an IP basis, but is the approach the same when using FQDN?
 
infolpg
just joined
Posts: 2
Joined: Tue Jan 31, 2023 10:13 pm

Re: LAN access with FQDN via Nginx ReverseProxy

Tue Nov 21, 2023 12:54 am

Just another question - is the timezone on your Nginx Proxy set right?
SSL certs otherwise won't be valid and a browser won't do anything...

check this via
curl https://disks.test.net  -v -k
-k is the parameter to not check any ssl certs.

BR
