Can't access to my services with my public IP

Hi,

I have the following setup:

ISP router (192.168.0.1) → hAP ac2 (192.168.0.2 on the ISP router side, 192.168.1.1 on the LAN side) → devices

And I have the following problem: if I try to access my internal services, I can only do so via private IPs. If I try to access one of my services, such as the web server, via the public IP from the same LAN, I can't reach it. But if I try from another network (like a mobile phone not connected to the WiFi), it works.

My current setup is the following:

0 chain=srcnat action=masquerade out-interface-list=WAN log=no log-prefix=""

1 ;;; adguard
chain=dstnat action=dst-nat to-addresses=192.168.1.60 to-ports=853
protocol=tcp dst-address=192.168.0.2 in-interface=all-ethernet
dst-port=853 log=no log-prefix=""

2 D ;;; upnp 192.168.1.10: 54cfaca957523bb98db6ce66dea85c0c-Web Admin
chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=8080
protocol=tcp dst-address=192.168.0.2 in-interface=ether1 dst-port=8080

3 D ;;; upnp 192.168.1.10: 54cfaca957523bb98db6ce66dea85c0c-Secure Web Admin
chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=443
protocol=tcp dst-address=192.168.0.2 in-interface=ether1 dst-port=443

4 D ;;; upnp 192.168.1.10: 54cfaca957523bb98db6ce66dea85c0c-SSH/SFTP
chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=2202
protocol=tcp dst-address=192.168.0.2 in-interface=ether1 dst-port=2202

5 D ;;; upnp 192.168.1.10: 54cfaca957523bb98db6ce66dea85c0c-Secure Web Serve
chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=8081
protocol=tcp dst-address=192.168.0.2 in-interface=ether1 dst-port=8081

6 D ;;; upnp 192.168.1.12: DemonwarePortMapping
chain=dstnat action=dst-nat to-addresses=192.168.1.12 to-ports=3075
protocol=udp dst-address=192.168.0.2 in-interface=ether1 dst-port=3075

7 ;;; masq. vpn traffic
chain=srcnat action=masquerade src-address=192.168.89.0/24

Can someone help me, please? Thanks!

Search for “hairpin nat”.

And as you are behind an ISP router, you should probably implement it there, not on mikrotik.

Yesterday I saw some posts about "hairpin nat" and tried to implement it, but it still doesn't work (it is currently not implemented, as you can see in the FW rules).

In the ISP router I have a DMZ rule pointing to the MikroTik router IP. Do I need to do something else? The ISP router is very basic and limited.

If you post your entire config, I will have a look:
/export hide-sensitive file=anynameyouwish

How exactly did you try to implement hairpin nat?
As your public IP is not assigned to your mikrotik but to the ISP router, you should add an additional regular dst-nat rule together with the hairpin (src-nat) one.

Sure:

/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n country=spain disabled=no
frequency=auto installation=indoor mode=ap-bridge ssid=1
wireless-protocol=802.11
set [ find default-name=wlan2 ] country=spain disabled=no frequency=auto
installation=indoor mode=ap-bridge ssid="2"
wireless-protocol=802.11
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=
dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.3-192.168.1.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=dhcp1
/ip vrf
add list=all name=main
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/user group
add name=prometheus policy="read,winbox,api,!local,!telnet,!ssh,!ftp,!reboot,!
write,!policy,!test,!password,!web,!sniff,!sensitive,!romon,!dude,!tikapp"
/interface bridge port
add bridge=bridge1 disabled=yes interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=wlan1
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add interface=bridge1 list=LAN
add interface=ether1 list=WAN
/interface ovpn-server server
set enabled=yes
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=no interface=wlan2
add disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.1.122 mac-address=3C:8D:20:44:B5:CA server=dhcp1
add address=192.168.1.121 mac-address=B0:2A:43:18:FD:B8 server=dhcp1
add address=192.168.1.120 mac-address=00:17:88:6E:FB:8E server=dhcp1
add address=192.168.1.101 client-id=1:0:e0:4c:68:1f:3f mac-address=
00:E0:4C:68:1F:3F server=dhcp1
add address=192.168.1.12 client-id=1:28:16:a8:8e:2:97 mac-address=
28:16:A8:8E:02:97 server=dhcp1
add address=192.168.1.105 client-id=1:e4:fd:a1:dc:9a:cd mac-address=
E4:FD:A1:DC:9A:CD server=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.60 gateway=192.168.1.1
netmask=24
/ip dns
set servers=1.1.1.1,1.0.0.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment=adguard dst-address=192.168.0.2
dst-port=853 protocol=tcp to-addresses=192.168.1.60 to-ports=853
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=
192.168.89.0/24
/ip service
set telnet disabled=yes
/ip ssh
set strong-crypto=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge1 type=internal
add interface=ether1 type=external
/ppp secret
add name=vpn
/system clock
set time-zone-name=Europe/Madrid
/system ntp client
set enabled=yes
/system ntp client servers
add address=17.253.108.125
/system package update
set channel=development
/system routerboard settings
set cpu-frequency=auto

/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0

should be
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0

For Hairpin NAT
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.0/24
add action=masquerade chain=srcnat out-interface-list=WAN **
add action=dst-nat chain=dstnat comment=adguard dst-address=192.168.0.2
dst-port=853 protocol=tcp to-addresses=192.168.1.60 to-ports=853
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=
192.168.89.0/24

ALSO, if you have a fixed WAN IP (I believe it's 192.168.0.2),
then your first masquerade rule should be
** add chain=srcnat action=src-nat out-interface=ether1 to-addresses=192.168.0.2 (vice the masquerade action default rule).

But do you have a second WAN input? wlan2?? If you do and it's dynamic:
add chain=srcnat action=masquerade out-interface=wlan2
or if it's a fixed IP as well:
add chain=srcnat action=src-nat out-interface=wlan2 to-addresses=x.x.x.x

Thank you so much, but unfortunately it's still not working. It is now configured like this (following your advice):

add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0

add action=src-nat chain=srcnat out-interface=ether1 out-interface-list=WAN to-addresses=192.168.0.2
add action=dst-nat chain=dstnat comment=adguard dst-address=192.168.0.2 dst-port=853 protocol=tcp to-addresses=192.168.1.60
to-ports=853
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24

Could you give me an example of this dst-nat rule, please?

/ip firewall nat add action=dst-nat chain=dstnat dst-address=your_public_IP to-addresses=192.168.1.60

And with it the hairpin rule:

/ip firewall nat add action=src-nat chain=srcnat dst-address=192.168.1.60 src-address=192.168.1.0/24 to-addresses=192.168.1.1
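To show why the dst-nat rule alone is not enough, here is an added Python model (not from any post in this thread, and not RouterOS code) of how a LAN client's packet to 192.168.0.2:853 traverses the dstnat and srcnat chains with the rules discussed above; the topology, the client address 192.168.1.50 and the rule order are constructed assumptions. It also covers the UPnP-style rule from the first post that carries in-interface=ether1, which LAN-originated traffic never matches.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed model of the thread's topology: LAN 192.168.1.0/24 on bridge1, the
# MikroTik's WAN-side address 192.168.0.2 on ether1 (behind the ISP router).
IF_ADDR = {"bridge1": "192.168.1.1", "ether1": "192.168.0.2"}
IFACE_LISTS = {"WAN": {"ether1"}, "LAN": {"bridge1"}}
ROUTES = [("192.168.1.0/24", "bridge1"), ("0.0.0.0/0", "ether1")]  # most specific first

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_if: str
    dport: int = 853
def in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)
def egress(dst):  # first matching route wins because ROUTES is ordered most-specific first
    return next(iface for net, iface in ROUTES if in_net(dst, net))
def matches(rule, pkt, out_if):
    checks = {"src-address": lambda v: in_net(pkt.src, v),
              "dst-address": lambda v: in_net(pkt.dst, v),
              "dst-port": lambda v: pkt.dport == v,
              "in-interface": lambda v: pkt.in_if == v,
              "out-interface-list": lambda v: out_if in IFACE_LISTS[v]}
    return all(checks[k](v) for k, v in rule.items() if k in checks)
def traverse(pkt, rules):
    """dstnat runs before routing, srcnat after it; the first match per chain wins."""
    for r in (r for r in rules if r["chain"] == "dstnat"):
        if matches(r, pkt, None):
            pkt = replace(pkt, dst=r["to-addresses"]); break
    out_if = egress(pkt.dst)
    for r in (r for r in rules if r["chain"] == "srcnat"):
        if matches(r, pkt, out_if):
            new_src = IF_ADDR[out_if] if r["action"] == "masquerade" else r["to-addresses"]
            pkt = replace(pkt, src=new_src); break
    return pkt, out_if

def hairpin_works(client, rules):
    """LAN client connects to 192.168.0.2:853. The server answers whichever source it
    saw; only if that is a router address does the reply come back through the NAT."""
    fwd, _ = traverse(Packet(client, "192.168.0.2", "bridge1"), rules)
    return fwd.dst == "192.168.1.60" and fwd.src in IF_ADDR.values()

DSTNAT = {"chain": "dstnat", "action": "dst-nat", "dst-address": "192.168.0.2",
          "dst-port": 853, "to-addresses": "192.168.1.60"}
HAIRPIN = {"chain": "srcnat", "action": "src-nat", "src-address": "192.168.1.0/24",
           "dst-address": "192.168.1.60", "to-addresses": "192.168.1.1"}
MASQ_WAN = {"chain": "srcnat", "action": "masquerade", "out-interface-list": "WAN"}
UPNP_STYLE = {**DSTNAT, "in-interface": "ether1"}  # never matches LAN-originated traffic
```

Without the hairpin src-nat the server replies straight to the client with source 192.168.1.60, a source the client never connected to, so the reply is discarded; with it, the reply goes via 192.168.1.1 and is un-NATed on the way back.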

Tried and doesn't work :(

Can't see anything else in your config that could interfere with it.
Apart from what @anav has already pointed out (the address being assigned to the wrong interface).