Accessing Local Server with a domain

Hi,
I recently changed ISP. I used to have a modem, now I am using PPPoE. I had to add the PPPoE interface, and change Filter and NAT rules to use the new PPPoE interface instead of the WAN ethernet-1 gateway I was using before (I hope that is correct). Internet and everything seems to be working fine. GRC’s Shields Up says my firewall is safe.

I have a NAS and a couple of other services on my network. I also have DDNS set up and working. I have set up the appropriate port forwarding and everything seems to be working fine from outside my network. However, if I use the DDNS domain xxxxxxx.com:XXXX from within my network, it doesn’t work.

Any ideas how I can make this work?

I used to run an internal DNS server to resolve my domains to private (internal) IP addresses. The other option is (I think it is called) hairpin NAT.

Thanks, I tried following these instructions.
https://wiki.mikrotik.com/wiki/File:Hairpin_nat_4.png

I added this, adapted for my network.

/ip firewall nat
add chain=srcnat src-address=192.168.88.0/24 \
  dst-address=192.168.88.200 protocol=tcp dst-port=5025 \
  out-interface=ether2-master-local action=masquerade

Still doesn’t seem to work. How do I choose the out-interface? What else could I be missing? What position in the NAT should this masq be in? Beginning, end?

Follow all steps from
https://wiki.mikrotik.com/wiki/Hairpin_NAT

Do you have the first rule added? This one, tailored to your settings:

/ip firewall nat
add chain=dstnat dst-address=1.1.1.1 protocol=tcp dst-port=80 \
  action=dst-nat to-address=192.168.1.2

What IP do you use?
The problem is that this rule has to follow the DDNS address. How?
Instead of dst-address, use dst-address-list, where the list should have your DDNS address added as follows:

/ip firewall nat
add action=dst-nat chain=dstnat dst-address-list=DDNS_DST_LIST dst-port=80 protocol=tcp to-addresses=192.168.1.2
/ip firewall address-list
add address=myddns.name list=DDNS_DST_LIST

Yes, I had the first rule added, but without a dst-address and with a random port for my NAS admin panel, not port 80. Access from the outside worked. I added my temp dynamic IP address for testing, and it still works accessing from outside.

I do have DDNS but for now I’m trying to get it to work assuming I have a fixed IP.

My masquerade/hairpin NAT still doesn’t seem to work. I also tried with the IP address of my current computer as src-address, instead of 192.168.88.0/24. Could it be the out-interface?

What about your dstnat rule? Based on this:

… does it perhaps have in-interface=? That would be a problem, because when connecting from LAN, in-interface is - no surprise - LAN. So you need either dst-address= or dst-address-type=local (= any address owned by the router). For the latter, if you want to use some port that you also need to access on the router (e.g. 80 for WebFig), add dst-address=!<router’s internal address>.

Sob, you are correct, my dstnat had my new PPPoE as the in-interface. Good catch! It looks like BartoszP also had the solution, but I hadn’t noticed that he didn’t have an in-interface in his solution. As I have DDNS, I had to create a dst address list with my DDNS domain. It seems to be working now.

Not quite sure I understand why I didn’t need a masquerade when I had an external modem on my WAN, but need one with a PPPoE internet.

Thanks everyone!
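
The configuration this thread arrives at, consolidated as an added example (not posted by any participant). It reuses the thread's LAN subnet, NAS address, port, list name and placeholder DDNS name; the PPPoE interface name pppoe-out1 is an assumption, and the out-interface must be whichever interface actually faces the NAS (the bridge, if the port is bridged).

```routeros
# Constructed example using the thread's values: LAN 192.168.88.0/24,
# NAS at 192.168.88.200, TCP port 5025. "pppoe-out1" is an assumed name.

# Before (left commented out): the rule matches only packets that ARRIVE on
# the WAN interface. A LAN client connecting to the DDNS name arrives on the
# LAN interface, never matches, and the connection is not forwarded.
# add chain=dstnat in-interface=pppoe-out1 protocol=tcp dst-port=5025 action=dst-nat to-addresses=192.168.88.200

# After: match on the destination address instead of the ingress interface.
# The list entry is the DDNS name, so the rule follows the public address.
/ip firewall address-list
add list=DDNS_DST_LIST address=myddns.name comment="public address via DDNS"

/ip firewall nat
add chain=dstnat dst-address-list=DDNS_DST_LIST protocol=tcp dst-port=5025 \
    action=dst-nat to-addresses=192.168.88.200 comment="forward to NAS"

# Hairpin: source-NAT LAN-to-NAS traffic so the NAS replies to the router
# instead of answering the client directly. A direct reply comes from
# 192.168.88.200, not from the public address the client connected to,
# so the client discards it.
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.200 \
    protocol=tcp dst-port=5025 out-interface=ether2-master-local \
    action=masquerade comment="hairpin NAT for NAS"
```

Hairpinned connections reach the NAS with the router's LAN address as their source, so the NAS's own access logs will not show which internal client connected. Keeping the srcnat rule scoped to the LAN subnet, the NAS address and the port, as above, prevents it from masquerading any other traffic.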