Dear all, I have a MikroTik CHR (RouterOS 7.11.2) that has essentially 3 interfaces:
- WAN1 (PPPoE-OF1) - I use this for internet access of office workstations
- WAN2 (PPPoE-OF2) - I use this for internet access and forwards of some servers
- LAN-10G (192.168.25.0/24) - for the local LAN (it is a single interface, so no bridges around)
Each PPPoE connection gives me a static PPPoE IP and an extra dedicated subnet of 8 IPs.
For routing servers or clients through WAN2 I use the v7 routing tables/rules approach, so no mark/mangle in the firewall.
I use NAT 1:1 for reaching the servers through the extra subnet.
I tried everything about NAT reflection and hairpin, but I cannot reach the servers from inside my network using the public IPs or the related DNS names (from outside it's OK).
This is my NAT table. What I'm interested in most is the web server responding to mywebsite.com, which has local IP 192.168.25.136 and is mapped 1:1 to 195.xx.xx.72 on the first two lines. What I tried is to add the last line, with comment "NAT harpin WEB-SERVER", without success:
/ip firewall nat
add action=src-nat chain=srcnat comment="NAT1:1 WEB-SERVER" out-interface=PPPoE-OF2 src-address=192.168.25.136 to-addresses=195.xx.xx.72
add action=dst-nat chain=dstnat dst-address=195.xx.xx.72 to-addresses=192.168.25.136
add action=src-nat chain=srcnat comment="NAT1:1 PBX-SERVER" out-interface=PPPoE-OF2 src-address=192.168.25.200 to-addresses=195.xx.xx.73
add action=dst-nat chain=dstnat dst-address=195.xx.xx.73 to-addresses=192.168.25.200
add action=src-nat chain=srcnat comment="NAT1:1 MAIL-SERVER pop,imap,webmail" out-interface=PPPoE-OF1 src-address=192.168.25.5 to-addresses=195.xx.xx.42
add action=dst-nat chain=dstnat dst-address=195.xx.xx.42 dst-port=110,995,143,993,587,80,443 protocol=tcp to-addresses=192.168.25.5
add action=src-nat chain=srcnat comment="NAT1:1 MAIL-GATEWAY" out-interface=PPPoE-OF1 src-address=192.168.25.75 to-addresses=195.xx.xx.42
add action=dst-nat chain=dstnat dst-address=195.xx.xx.42 to-addresses=192.168.25.75
add action=src-nat chain=srcnat comment="NAT1:1 FTP-SERVER" out-interface=PPPoE-OF1 src-address=192.168.25.139 to-addresses=195.xx.xx.45
add action=dst-nat chain=dstnat dst-address=195.xx.xx.45 to-addresses=192.168.25.139
add action=dst-nat chain=dstnat comment="Forward OPENVPN ports" dst-address=195.xx.xx.62 dst-port=1195,1196 in-interface=PPPoE-OF2 protocol=udp to-addresses=192.168.25.76
add action=masquerade chain=srcnat comment="MASQ FOR EXTERNAL VOIP SERVICE THROUGH WIREGUARD" dst-address-list=anek-voip out-interface=LAN-10G src-address=10.0.25.0/24
add action=masquerade chain=srcnat comment="NAT local lan PPPoE-OF2" out-interface=PPPoE-OF2 src-address-list="PPPoE-OF2 clients"
add action=masquerade chain=srcnat comment="NAT local lan PPPoE-OF1" out-interface=PPPoE-OF1 src-address=192.168.25.0/24
add action=masquerade chain=srcnat comment="MASQ FOR EXTERNAL SOFTWARE SERVICE THROUGH WIREGUARD" dst-address-list=Attica-BS out-interface=PPPoE-OF1
add action=masquerade chain=srcnat comment="NAT harpin WEB-SERVER" dst-address=192.168.25.136 log-prefix=HARPIN out-interface=LAN-10G src-address=192.168.25.0/24
I don't know why, but sometimes I can ping mywebsite.com and I receive a response from 192.168.25.136, but it is random, as if when I change and save something the ping works for a little while; but even in that case the website is unreachable from inside my network:
>ping mywebsite.com
Esecuzione di Ping the mywebsite.com [195.xx.xx.72] con 32 byte di dati:
Risposta da 192.168.25.136: byte=32 durata<1ms TTL=64
Risposta da 192.168.25.136: byte=32 durata=1ms TTL=64
Risposta da 192.168.25.136: byte=32 durata=1ms TTL=64
In the firewall I have enabled an accept rule for forward/input if the source address is my local LAN 192.168.25.0/24.
UPDATE
OK, for sure the problem is related to the routing rules, because if I exclude the web server from the WAN2 routing table I can make the hairpin work, but obviously I lose the src-nat action, because the public IP address of the web server will be the same as WAN1.
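The hairpin set-up this thread is about, as an added example that is not the poster's configuration: the 1:1 NAT pair for the web server plus a hairpin masquerade, with the /routing rules ordered so that traffic destined for the LAN is always resolved in the main table before the source-based WAN2 rule applies (so the server's replies to hairpinned clients are not pushed out PPPoE-OF2). The table name WAN2, its default route, and the 195.xx.xx.72 placeholder are assumptions taken from the post.

```routeros
# Added example, not the poster's config. Assumed: routing table "WAN2",
# interfaces LAN-10G / PPPoE-OF2, web server 192.168.25.136 mapped 1:1 to
# the placeholder public address 195.xx.xx.72.

/routing table
add name=WAN2 fib

/ip route
add dst-address=0.0.0.0/0 gateway=PPPoE-OF2 routing-table=WAN2 comment="WAN2 default"

/routing rule
# Order matters. Anything destined for the LAN is looked up in main first;
# without this, replies from the server to the router's LAN address (after
# the hairpin masquerade) are looked up in WAN2, which only holds a default
# route, and leave via PPPoE-OF2 instead of going back to the LAN client.
add dst-address=192.168.25.0/24 action=lookup table=main comment="LAN stays in main"
add src-address=192.168.25.136/32 action=lookup-only-in-table table=WAN2 comment="web server out via WAN2"

/ip firewall nat
# 1:1 mapping on the WAN side (same shape as the post's first two rules).
add chain=srcnat action=src-nat out-interface=PPPoE-OF2 src-address=192.168.25.136 to-addresses=195.xx.xx.72 comment="NAT1:1 WEB-SERVER"
add chain=dstnat action=dst-nat dst-address=195.xx.xx.72 to-addresses=192.168.25.136 comment="NAT1:1 WEB-SERVER"
# Hairpin: a LAN client hitting 195.xx.xx.72 is dst-natted to .136 by the
# rule above; srcnat runs after that, so dst-address here is the LAN address.
# Rewriting the source forces the server to answer through the router rather
# than directly to the client, which would bypass the dst-nat conntrack entry.
# Note: direct LAN -> .136 traffic also matches and is masqueraded, so the
# server's logs will show the router's LAN address for those clients.
add chain=srcnat action=masquerade src-address=192.168.25.0/24 dst-address=192.168.25.136 out-interface=LAN-10G comment="hairpin WEB-SERVER"
```

Verify with /ip firewall connection print while a LAN client browses the public IP: the entry should show both a dst-nat and a src-nat translation, and its reply must arrive on LAN-10G, not PPPoE-OF2.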