Access to local IP-address / service

I've set up an RB951 as a router for our small office. I have a fixed, official IP address. Several units are connected to the LAN and Wi-Fi ports on the 951 (which also works as the DHCP server for the LAN).
In our LAN we have a mail server running, and I have set up firewall rules to forward ports 25, 487, 465 (SMTP), 143, 993 (IMAP) and 80, 443 (webmail and sync service). Most of this works just fine. There is, however, one service that I'm not able to set up right: the sync access from my mobile to the mail server. This runs on port 443 on the mail server.

If the phone is NOT connected to our LAN, access to our mail server (mail.ourdomain.no, port 443) works fine.
If the phone IS connected to our LAN (on the 951 Wi-Fi), I'm not able to access the mail server.
I have not been able to figure this out… It may be the firewall, but it may also be a DNS issue, since the phone accesses a URL, not an IP address.
An export of the FW settings is below.

Would be great to get some feedback to this. Thanks!

-Olaf-

# aug/14/2020 10:29:30 by RouterOS 6.46.6
# software id = FD82-GUBJ
# model = 951G-2HnD
# serial number = 469902EBAE3A
/ip firewall address-list
add address=66.23.227.156 list=Attack-IPs
add address=192.168.137.25 list=Attack-IPs
add address=211.69.141.13 list=Attack-IPs
add address=175.6.7.144 list=Attack-IPs
add address=69.248.160.232 list=Attack-IPs
add address=95.111.17.138 list=Attack-IPs
add address=84.38.135.176 list=Attack-IPs
add address=84.252.213.12 list=Attack-IPs
add address=37.82.78.85 list=Attack-IPs
add address=185.143.223.0/24 list=Attack-IPs
add address=170.254.16.0/24 list=Attack-IPs
add address=178.216.51.0/24 list=Attack-IPs
add address=103.207.36.0/22 list=Attack-IPs
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=input comment="Block Attack IPs" log=yes src-address-list=Attack-IPs
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=input connection-state=established,related dst-port=8291 protocol=tcp
add action=drop chain=input disabled=yes in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=ether1
add action=dst-nat chain=dstnat comment="Mail SMTP" dst-port=25 in-interface=ether1 protocol=tcp to-addresses=192.168.1.10 to-ports=25
add action=dst-nat chain=dstnat dst-port=587 in-interface=ether1 protocol=tcp to-addresses=192.168.1.10 to-ports=587
add action=dst-nat chain=dstnat dst-port=465 in-interface=ether1 protocol=tcp to-addresses=192.168.1.10 to-ports=465
add action=dst-nat chain=dstnat comment="Mail webmail/synch" dst-port=81 in-interface=ether1 protocol=tcp to-addresses=192.168.1.10 to-ports=81
add action=dst-nat chain=dstnat dst-port=443 in-interface=ether1 protocol=tcp to-addresses=192.168.1.10 to-ports=443
add action=dst-nat chain=dstnat comment="Mail IMAP" dst-port=143 in-interface=ether1 protocol=tcp to-addresses=192.168.1.10 to-ports=143
add action=dst-nat chain=dstnat dst-port=993 in-interface=ether1 protocol=tcp to-addresses=192.168.1.10 to-ports=993

Either use hairpin NAT or solve it by using an internal DNS server.

Any time you have a local device on the same LAN as a server and want to access the server by your WAN IP, you will need to set up hairpin NAT, for example.
You could also put the server on a different VLAN/subnet from your phone, and then it should work as well.
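To make the hairpin suggestion concrete, here is an added example of what it takes on RouterOS 6.x, together with the static-DNS alternative. This is editor-supplied example configuration, not something posted in the thread, and it makes three assumptions: 203.0.113.10 is a placeholder for the office's real fixed public IP (not given on the page), the LAN is 192.168.1.0/24 (inferred from the server address 192.168.1.10 in the export above, but not stated there), and the default-config interface list is named LAN, as the `in-interface-list=!LAN` rule in the export suggests.

```routeros
# Hairpin NAT for the mail server on RouterOS 6.x (added example; not from the thread).
# Assumptions: 203.0.113.10  = placeholder for the router's real public IP
#              192.168.1.0/24 = office LAN (inferred from the server at 192.168.1.10)
#              LAN            = default-config interface list holding the bridge

/ip firewall nat

# 1. Port forward keyed on the public ADDRESS, not on in-interface=ether1.
#    A LAN client that connects to 203.0.113.10 arrives on the bridge, so the
#    existing in-interface=ether1 rules never match it and the packet is handled
#    by the router's own input chain instead of being forwarded to the server.
#    Matching dst-address keeps the rule tight: only traffic aimed at the public
#    IP is redirected, never arbitrary port-443 traffic that transits the router.
#    With to-ports omitted the original destination port is kept.
add chain=dstnat action=dst-nat comment="Mail: hairpin-capable forward" \
    dst-address=203.0.113.10 protocol=tcp dst-port=25,465,587,81,143,443,993 \
    to-addresses=192.168.1.10

# 2. Source NAT only for LAN -> LAN connections that rule 1 redirected.
#    Without this the server answers the phone directly (same subnet); the phone
#    expects a reply from 203.0.113.10, sees one from 192.168.1.10 and drops it.
#    Masquerading rewrites the source to the router's LAN address, so the reply
#    returns through the router and is un-NATed on the way back.
#    The existing "defconf: masquerade" rule (out-interface=ether1) stays as is;
#    this one matches only traffic leaving on the LAN side.
add chain=srcnat action=masquerade comment="Mail: hairpin NAT" \
    src-address=192.168.1.0/24 dst-address=192.168.1.10 \
    protocol=tcp dst-port=25,465,587,81,143,443,993 out-interface-list=LAN

# Alternative (split DNS): instead of hairpinning, answer the mail host name with
# the LAN address for clients that use the router as their DNS server.
# /ip dns set allow-remote-requests=yes
# /ip dns static add name=mail.ourdomain.no address=192.168.1.10

# Checks from a LAN client after applying:
#   counters on the two rules above should climb while the phone syncs
#     /ip firewall nat print stats where comment~"hairpin"
#   the hairpinned connection should show the server as its real destination
#     /ip firewall connection print where dst-address~"192.168.1.10:443"
```

The existing per-port `in-interface=ether1` dst-nat rules can stay above these or be removed; WAN traffic is served either way, and LAN traffic only ever reaches the `dst-address` rule. Two caveats worth knowing before choosing between the options. With hairpin NAT the mail server sees every in-office connection as coming from the router's LAN address, so per-client rate limiting, lockouts and log forensics on the server lose the real client for those sessions; split DNS preserves the client address but only helps devices that actually use the router for DNS. And `allow-remote-requests=yes` makes the router answer DNS on every interface: in the export above the final `drop chain=input ... in-interface-list=!LAN` rule is `disabled=yes`, so with that setting the router would also answer DNS queries from the Internet. Re-enable that drop rule, or add an input rule dropping UDP/TCP 53 from the WAN list, before turning the resolver on.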

Thanks for the feedback!
It seems like I need to set up a hairpin rule in my MikroTik. Seems logical. I looked around for a DNS server that could run on a Win10 machine in the LAN, but hairpin is probably easier.

The strange thing is that this has been working well at another location with an old ZyWALL router without setting up a hairpin rule. Maybe it's a built-in feature in the ZyWALL…

-Olaf

I tried to set up a "hairpin rule" in my router, but couldn't make it work. I followed the instructions at https://yaleman.org/2014/10/23/hairpin-nat-on-mikrotik-v6-19/ but something went wrong, and all Internet access was lost. I had to restore the old firewall rules from a .rsc file.

Is there a script somewhere here on the forum that may be used?
or
someone who could do the setup for me (I’ll pay for it).
I’m hesitant to post the entire router config here, but could do it if it is needed in order to get a solution that works.

Thanks!
-Olaf-

Olaf, the Zyxel probably had a checkbox for LOOPBACK that you had ticked, and that's why it works (loopback = hairpin).
On the MT one has to configure it manually…
Read through this thread…

http://forum.mikrotik.com/t/port-forwarding-nat/140845/2