One of our MSP clients wants to access his company’s website, which is hosted on a VM in the same LAN, using the WAN IP address. To be clear, the website is accessible externally from the WAN IP address on port 80, and we have been unable to convince him to use the FQDN instead, which resolves correctly to the LAN IP address when in the LAN and the WAN IP address when outside the LAN.
Would this somehow be possible via filter and dst-nat rules in the nat table?
Take what you need from this. It explains how to hairpin NAT, create the correct port forwards, and can be adapted for a dynamic or static WAN IP (plus some comedy phrases): https://www.youtube.com/watch?v=_kw_bQyX-3U
The YouTube video nailed the solution for me. If YouTube ever yanks it though, here’s the solution for future visitors:
In /ip firewall nat, you need to create a rule in the srcnat chain that masquerades traffic from the internal LAN subnet to the same internal LAN subnet.
Then in /ip firewall filter, change/create the appropriate port forward rule and instead of forwarding based on in-interface, forward based on dst-address.
Dear future visitor, if the YouTube video exists at the time you’re reading this post, please go watch it - and don’t do anything that will make your network go batshit crazy! LOL
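The two steps above written out as RouterOS CLI, as an added example that is not from the poster or the video. All addresses and the interface name are assumptions (a static WAN IP of 203.0.113.10, LAN 192.168.88.0/24, web server 192.168.88.10 on TCP/80, WAN interface ether1-wan); substitute your own.

```routeros
# Added example - assumed values, replace with your own:
#   WAN IP      203.0.113.10   (static; a dynamic WAN IP needs the dst-address kept current)
#   LAN subnet  192.168.88.0/24
#   web server  192.168.88.10, TCP/80
#   WAN iface   ether1-wan

/ip firewall nat
# 1. Port forward matched on the public address instead of in-interface,
#    so it also fires for packets that arrive from the LAN side (hairpin).
add chain=dstnat action=dst-nat dst-address=203.0.113.10 protocol=tcp dst-port=80 \
    to-addresses=192.168.88.10 to-ports=80 comment="www forward (WAN + hairpin)"

# 2. Hairpin masquerade: LAN -> LAN traffic that was dst-natted to the server is
#    given the router's LAN address as source, so the server's reply goes back
#    through the router instead of straight to the client (which would break NAT).
#    Kept narrow (server + port only) so nothing else LAN-side gets masqueraded.
add chain=srcnat action=masquerade src-address=192.168.88.0/24 \
    dst-address=192.168.88.10 protocol=tcp dst-port=80 comment="hairpin NAT"

# 3. Normal outbound masquerade is unchanged.
add chain=srcnat action=masquerade out-interface=ether1-wan comment="outbound NAT"

/ip firewall filter
# Only the forwarded service is allowed through to the server; other new
# connections coming in from the WAN are dropped.
add chain=forward action=accept connection-nat-state=dstnat protocol=tcp \
    dst-address=192.168.88.10 dst-port=80 comment="allow forwarded www"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    in-interface=ether1-wan comment="drop other new WAN->LAN"
```

Note that because of the hairpin masquerade, the web server's access logs will show the router's LAN address instead of the real client for internal visitors, which is worth remembering when reviewing those logs; external visitors are still logged with their public source address.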