Accessing xyz.com:123 xyz.com:456 from inside the network

Hi,

I am still new to Mikrotik, so I am hoping I can define my question properly
I have a simple network using RB951Ui 6.18
WAN – ether1 (DDNS – “mydomain.com”)
LAN – Bridge (ether2-5 and wlan1) 172.16.80.10/24
I have two test servers with static IPs
Server1 172.16.80.40:808
Server2 172.16.80.41:809

Here is my NAT section
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-port=808 in-interface=ether1 protocol=tcp to-addresses=172.16.80.40
add action=dst-nat chain=dstnat dst-port=809 in-interface=ether1 protocol=tcp to-addresses=172.16.80.41

I can access the two servers from outside
mydomain.com:808
mydomain.com:809

Inside the network I can access the servers with their static IP:port
172.16.80.40:808
172.16.80.41:809

My question is how can I access the servers within the network with their domain:port (mydomain.com:808 and mydomain.com:809)?

With the current configuration I get “This webpage is not available”
I know it is something very simple but I can’t figure it out.

Thanks in advance

Have a look at this link:

http://wiki.mikrotik.com/wiki/Hairpin_NAT

Thank you for the prompt reply.

I did check Hairpin NAT and I added:

add action=masquerade chain=srcnat dst-address=172.16.80.40 dst-port=808 out-interface=bridge-local protocol=tcp src-address=172.16.80.0/24
add action=masquerade chain=srcnat dst-address=172.16.80.41 dst-port=809 out-interface=bridge-local protocol=tcp src-address=172.16.80.0/24

as the tutorial shows but that doesn’t give me any different result. I still get “This webpage is not available” when I type mydomain.com:808 or mydomain.com:809 in the browser.

(bridge-local interface is my LAN bridge (ether2-5 and wlan1))

What else can I try?

Well, are you hoping to access these servers via their internal IP or their external? If you are OK using internal, why not just add these hosts to your internal DNS?

I can access the servers with their local IP:port but my point is to access them with mydomain.com:port from inside and outside my local network

I found the solution, thanks to Joudicek Jouda - http://superuser.com/questions/663820/port-forwarding-from-inner-network-to-inner-network-hairpin-nat/663952#663952

Actually he/she found it before me so I should give him/her all the credit.
The solution is not to use in-interface=ether1, but dst-address-type=local in the dst-nat section.
So here is my NAT section after the changes:
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-port=808 dst-address-type=local protocol=tcp to-addresses=172.16.80.40
add action=dst-nat chain=dstnat dst-port=809 dst-address-type=local protocol=tcp to-addresses=172.16.80.41

add action=masquerade chain=srcnat dst-address=172.16.80.40 dst-port=808 out-interface=bridge-local protocol=tcp src-address=172.16.80.0/24
add action=masquerade chain=srcnat dst-address=172.16.80.41 dst-port=809 out-interface=bridge-local protocol=tcp src-address=172.16.80.0/24

So after making these changes I can access my servers with mydomain.com:808 and mydomain.com:809 from inside and outside the network.

Now my question would be: are there any flaws in this solution?

Can someone point me to a good tutorial that explains address-type?

Thanks again everyone for your help!
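To make the rule matching concrete, here is an added packet-walk model (not the poster's configuration and not RouterOS code) that mimics how the dstnat and srcnat chains treat the rules quoted in this thread. It shows why the original `in-interface=ether1` rule never fires for a LAN client, why `dst-address-type=local` alone is not enough without the hairpin masquerade (the server would answer the client directly from 172.16.80.40, and the client, which connected to the WAN address, drops that handshake), and one side effect worth knowing: `dst-address-type=local` also forwards connections made to the router's own LAN address, which the interface-bound rule never matched. Inside addresses and ports are the thread's; the WAN address 203.0.113.7, LAN client 172.16.80.50 and outside client 198.51.100.5 are constructed placeholders.

```python
"""Packet-walk model of the hairpin NAT rules from this thread (added
illustration, not the poster's config or RouterOS code). Constructed
placeholders: WAN 203.0.113.7, LAN client 172.16.80.50, outside 198.51.100.5."""
from dataclasses import dataclass, replace
from typing import Optional

# Addresses the router owns; dst-address-type=local matches any of them.
ROUTER_ADDRS = {"ether1": "203.0.113.7", "bridge-local": "172.16.80.10"}


def in_lan(ip: str) -> bool:
    """Crude membership test for 172.16.80.0/24, enough for the example."""
    return ip.startswith("172.16.80.")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str


@dataclass
class DstNat:
    """One 'chain=dstnat action=dst-nat protocol=tcp' rule."""
    dport: int
    to_address: str
    in_interface: Optional[str] = None   # in-interface=ether1
    dst_address: Optional[str] = None    # dst-address=<WAN IP>
    local_only: bool = False             # dst-address-type=local

    def matches(self, p: Packet) -> bool:
        if p.dport != self.dport:
            return False
        if self.in_interface and p.in_iface != self.in_interface:
            return False
        if self.dst_address and p.dst != self.dst_address:
            return False
        if self.local_only and p.dst not in ROUTER_ADDRS.values():
            return False
        return True


@dataclass
class HairpinMasq:
    """'chain=srcnat action=masquerade src-address=172.16.80.0/24
    dst-address=<server> dst-port=<port> out-interface=bridge-local'."""
    dst_address: str
    dport: int

    def matches(self, p: Packet, out_iface: str) -> bool:
        return (in_lan(p.src) and p.dst == self.dst_address
                and p.dport == self.dport and out_iface == "bridge-local")


def walk(p: Packet, dstnat: list, hairpin: list) -> dict:
    """Run one SYN through dstnat, routing and srcnat; report the outcome."""
    for r in dstnat:
        if r.matches(p):
            p = replace(p, dst=r.to_address)
            break
    if p.dst in ROUTER_ADDRS.values():
        # Nothing translated it: the router itself is the destination and no
        # service listens there, so the browser reports the page unavailable.
        return {"delivered_to": None, "reply_to": None, "works": False}
    out_iface = "bridge-local" if in_lan(p.dst) else "ether1"
    if out_iface == "ether1":
        p = replace(p, src=ROUTER_ADDRS["ether1"])        # plain masquerade
    elif any(h.matches(p, out_iface) for h in hairpin):
        p = replace(p, src=ROUTER_ADDRS["bridge-local"])  # hairpin masquerade
    # The server answers p.src. The answer only passes back through the router
    # (where conntrack undoes the dst-nat) if p.src is off the LAN or is the
    # router's own address; an answer sent straight to a LAN client carries
    # the server's real address, which the client never connected to.
    returns_via_router = p.src in ROUTER_ADDRS.values() or not in_lan(p.src)
    return {"delivered_to": p.dst, "reply_to": p.src, "works": returns_via_router}


# Rule sets as written in the thread (server 2 omitted, it behaves the same).
ORIGINAL = [DstNat(808, "172.16.80.40", in_interface="ether1")]
FINAL = [DstNat(808, "172.16.80.40", local_only=True)]
HAIRPIN = [HairpinMasq("172.16.80.40", 808)]

LAN_CLIENT = Packet("172.16.80.50", "203.0.113.7", 808, "bridge-local")
WAN_CLIENT = Packet("198.51.100.5", "203.0.113.7", 808, "ether1")
TO_LAN_IP = Packet("172.16.80.50", "172.16.80.10", 808, "bridge-local")


def compare() -> dict:
    """Outcome of each case discussed in the thread, keyed by a short label."""
    return {
        "original/wan": walk(WAN_CLIENT, ORIGINAL, HAIRPIN)["works"],
        "original/lan": walk(LAN_CLIENT, ORIGINAL, HAIRPIN)["works"],
        "local-type/no-hairpin": walk(LAN_CLIENT, FINAL, [])["works"],
        "local-type/hairpin": walk(LAN_CLIENT, FINAL, HAIRPIN)["works"],
        # Side effect: dst-address-type=local also forwards connections made
        # to the router's LAN address, which in-interface=ether1 never did.
        "local-type/router-lan-ip": walk(TO_LAN_IP, FINAL, HAIRPIN)["works"],
        "original/router-lan-ip": walk(TO_LAN_IP, ORIGINAL, HAIRPIN)["works"],
    }


if __name__ == "__main__":
    for label, ok in compare().items():
        print(f"{label:26s} {'connects' if ok else 'fails'}")
```

Running it prints `original/lan fails` and `local-type/hairpin connects`, matching what the thread reports. The last two labels show the scope change: if the port-forward should only be reachable through the WAN address, `dst-address=<WAN IP>` (or an address list kept current by a DDNS script) limits the match in a way `dst-address-type=local` does not.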

You do not have to use dst-address-type. In this case I suspect it is working because you didn’t have the dst-address itself specified.

dst-address-type local means the address is allocated to one of the router’s interfaces.

I was suggesting using internal DNS to resolve the FQDN to the internal IP of those hosts. This achieves your goal if you want to hit your server on its internal IP.

You are correct!

Seems like that in-interface=ether1 was stopping me from accessing mydomain.com:port from the inside. Using either dst-address=(my WAN IP) or dst-address-type=local is giving me access.
The only issue that I see when using dst-address=(my WAN IP) is that my WAN IP is dynamic and if my ISP changes it I have to change it in my NAT rules. I am sure I can write a script to get my IP and put it in an address list.

Which way do you think is better: Using dst-address=(my WAN IP) or dst-address-type=local ?

Yes this would work great if I had only one server for that domain. Then I can add static mydomain.com → 172.16.80.40
How do I do it for two or more servers with one domain name?

I see. Of course you are correct. A DNS can’t resolve to a set of IPs based on the port you will attempt to connect to after the name is resolved.