Cannot access to web server from lan

franrtorres77 · Tue Feb 25, 2014 10:57 am

Hello, I have a webserver behind a Mikrotik router and cannot access to it using the domain name from the local network, on the other hand if I access to the webserver from an external computer I can reach the webserver and watch the website.

Any idea?

Thank you very much

SurferTim · Tue Feb 25, 2014 12:40 pm

You probably need a hairpin nat to access the localnet server with the public ip.
http://wiki.mikrotik.com/wiki/Hairpin_NAT

franrtorres77 · Tue Feb 25, 2014 2:24 pm

You probably need a hairpin nat to access the localnet server with the public ip.
http://wiki.mikrotik.com/wiki/Hairpin_NAT

Hello. I have tried to do the hairpin but wihtout success:

my firewall nat looks like this:


ip firewall nat

add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=pppoe-out1
add action=dst-nat chain=dstnat dst-port=8125 in-interface=pppoe-out1 protocol=\
    tcp to-addresses=192.168.223.95 to-ports=8121

add action=dst-nat chain=dstnat dst-port=80 in-interface=pppoe-out1 protocol=\
    tcp to-addresses=192.168.223.95 to-ports=80

add action=dst-nat chain=dstnat dst-port=8084 in-interface=pppoe-out1 protocol=\
    tcp to-addresses=192.168.223.249 to-ports=80

add action=dst-nat chain=dstnat dst-port=8083 in-interface=pppoe-out1 protocol=\
    tcp to-addresses=192.168.223.251 to-ports=80

add action=dst-nat chain=dstnat dst-port=8085 in-interface=pppoe-out1 protocol=\
    tcp to-addresses=192.168.223.248 to-ports=80

add action=dst-nat chain=dstnat dst-port=8082 in-interface=pppoe-out1 protocol=\
    tcp to-addresses=192.168.223.250 to-ports=80

add action=masquerade chain=srcnat dst-address=192.168.223.95 dst-port=80 \
    out-interface=ether2-master-local protocol=tcp src-address=192.168.223.0/24

The last one is for trying to connect to the webserver, but as I told you I cannot reach it and also I cant reach the rest of the cameras using http://mydomain:80 or http://mydomain:8082 for a cam.

SurferTim · Tue Feb 25, 2014 2:37 pm

Where is your dstnat rule to port forward the public ip to the camera?

I'm not sure how this is going to work with your VPN.

franrtorres77 · Tue Feb 25, 2014 7:07 pm

Where is your dstnat rule to port forward the public ip to the camera?

I'm not sure how this is going to work with your VPN.

Hello, One of the cameras is this one:

add action=dst-nat chain=dstnat dst-port=8084 in-interface=pppoe-out1 protocol=\
    tcp to-addresses=192.168.223.249 to-ports=80

Also I can't reach it from the LAN side using the http:/mydomain:8084

SurferTim · Tue Feb 25, 2014 7:21 pm

Just so I understand, your internet connection on all your VPN clients is through your VPN server?

franrtorres77 · Tue Feb 25, 2014 7:28 pm

Just so I understand, your internet connection on all your VPN clients is through your VPN server?

This router connects to a ppoe server and then I have set up a pppt server for connecting some pptp clients. Nevertheless it allows connections to internal servers and cams for remote access using NAT.

The vpn clients have their own ppoe connection with an ISP.

SurferTim · Tue Feb 25, 2014 7:39 pm

Then any public ip does not route through your VPN, and having a rule associated with pptp-out1 isn't going to work.

Do your VPN clients have different public ips?

franrtorres77 · Tue Feb 25, 2014 7:46 pm

Then any public ip does not route through your VPN, and having a rule associated with pptp-out1 isn't going to work.

Do your VPN clients have different public ips?

Yes, they all have differents IP's, but the vpn clients are working ok, the main problem is in this router, from the LAn of this router. I tried the hairpin_nat as you told me but it is not working for viewing our website from our lan side.

SurferTim · Tue Feb 25, 2014 7:57 pm

Only the lan with the server should need a hairpin nat. The other lans should be able to access the server without it IF the public ip has a dstnat to the server's private ip.

franrtorres77 · Tue Feb 25, 2014 8:03 pm

Only the lan with the server should need a hairpin nat. The other lans should be able to access the server without it IF the public ip has a dstnat to the server's private ip.

So for achive that, I add this nat rule, but I dont get it to work:

add action=masquerade chain=srcnat dst-address=192.168.223.95 dst-port=80 \
    out-interface=ether2-master-local protocol=tcp src-address=192.168.223.0/24

But I think I have to add it like this, but it still is not working:

add action=masquerade chain=srcnat dst-address=myPublicIP dst-port=80 \
    out-interface=ether2-master-local protocol=tcp src-address=192.168.223.0/24

SurferTim · Tue Feb 25, 2014 8:10 pm

Forget the routers with their own public ips. They should be able to access your server.

It is the localnet with the server that is in question here. Post "/ip firewall nat" from that router.

franrtorres77 · Tue Feb 25, 2014 8:12 pm

Forget the routers with their own public ips. They should be able to access your server.

It is the localnet with the server that is in question here. Post "/ip firewall nat" from that router.

Here you are: (the last one is the Hairpin NAT)

/ip firewall nat

add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=pppoe-out1

add action=dst-nat chain=dstnat dst-port=80 in-interface=pppoe-out1 protocol=\
    tcp to-addresses=192.168.223.95 to-ports=80

add action=dst-nat chain=dstnat dst-port=8081 in-interface=pppoe-out1 protocol=\
    tcp to-addresses=192.168.223.252 to-ports=80

add action=masquerade chain=srcnat dst-address=192.168.223.95 dst-port=80 \
    out-interface=ether2-master-local protocol=tcp src-address=192.168.223.0/24

SurferTim · Tue Feb 25, 2014 8:21 pm

So pppoe-out1 is your WAN interface?

What is the localnet ip of the server? 192.168.223.252 or 192.168.223.95?

franrtorres77 · Tue Feb 25, 2014 8:28 pm

So pppoe-out1 is your WAN interface?

What is the localnet ip of the server? 192.168.223.252 or 192.168.223.95?

The wan interface is ether1-gateway and the pppoe-out1 uses this interface for being connected with my ISP.

The local server where the page is hosted is 192.168.223.95

SurferTim · Tue Feb 25, 2014 9:10 pm

This dstnat is incorrect.

add action=dst-nat chain=dstnat dst-port=80 in-interface=pppoe-out1 protocol=\
    tcp to-addresses=192.168.223.95 to-ports=80

It should look like this:

add chain=dstnat dst-address=1.1.1.1 protocol=tcp dst-port=80 action=dst-nat to-address=192.168.223.95

Replace 1.1.1.1 with your public ip.

franrtorres77 · Tue Feb 25, 2014 9:12 pm

ok,It is working now with these nat rules:

add action=dst-nat chain=dstnat comment=\
    "hairPin NAT" \
    dst-address-type=local dst-port=0-65535 protocol=tcp to-addresses=\
    192.168.223.95 to-ports=0-65535
add action=masquerade chain=srcnat comment=\
    "hairPin NAT" \
    dst-address=192.168.223.95 dst-port=0-65535 out-interface=bridge-local \
    protocol=tcp src-address=192.168.223.0/24

Thank you very much for your cooperation and time.

Cannot access to web server from lan

Cannot access to web server from lan

Re: Cannot access to web server from lan

Re: Cannot access to web server from lan

Re: Cannot access to web server from lan

Re: Cannot access to web server from lan

Re: Cannot access to web server from lan

Re: Cannot access to web server from lan

Re: Cannot access to web server from lan

Re: Cannot access to web server from lan

Re: Cannot access to web server from lan

Re: Cannot access to web server from lan

Re: Cannot access to web server from lan

Re: Cannot access to web server from lan

Re: Cannot access to web server from lan

Re: Cannot access to web server from lan

Re: Cannot access to web server from lan

Re: Cannot access to web server from lan