Connecting to internal Exchange server with external hostname

Hello.
I have a little bit of trouble.
We have an internal Exchange server. It's OK to connect to it from the outside using the DDNS name company.domain.com. So far so good.
We also have some laptop clients that use the external hostname on their laptops so it would work both on the inside and outside with one address.
The problem is that when connecting to an external address that is redirected to an internal network, it just stops.
So I tried to do a src-nat on the (internal) out interface, the bridge, and then did a masquerade. But when running torch I see connections still trying to go out and resolve the external IP address. I have done this with PF (FreeBSD) but am not yet that good with the implemented firewall of the MikroTiks. Ideas and help are much appreciated.


BSD style (PF rules; $lan is the LAN interface, $lan_net the LAN subnet, $server the internal Exchange address)
# do not translate traffic the router itself sends into the LAN
no nat on $lan proto tcp from $lan to $lan_net
# LAN clients reaching the server on 25/443 appear to come from the LAN interface
# address, so the server's replies return through the router (hairpin NAT)
nat on $lan proto tcp from $lan_net to $server port 25 -> $lan
nat on $lan proto tcp from $lan_net to $server port 443 -> $lan


With regards,
Goran Nilsson

For the time being I added the zone to the internal DNS, but I am still looking for a "MikroTik" solution,
one that will solve the problem when a client connects to an external hostname that is redirected to an internal server.

Best regards

/Goran

I played with this until I got mine working. I am a very poor loser.
I found the NAT rules were interfering with the local port forward if not exact.
I have two servers behind an MT router now, and I can access both Apache servers from the other computer by any method: public or private IP, domain, whatever.

The servers are assigned local IPs 10.0.0.2/24 and 10.0.0.3/24.
I use these rules:

/ip firewall nat
# 1:1 NAT for server 1: its outbound traffic leaves as public IP .1, and
# everything sent to .1 (no protocol, port or in-interface given) is forwarded to it
add chain=srcnat action=src-nat src-address=10.0.0.2 to-addresses=xxx.xxx.xxx.1
add chain=dstnat action=dst-nat dst-address=xxx.xxx.xxx.1 to-addresses=10.0.0.2
# 1:1 NAT for server 2 on public IP .2
add chain=srcnat action=src-nat src-address=10.0.0.3 to-addresses=xxx.xxx.xxx.2
add chain=dstnat action=dst-nat dst-address=xxx.xxx.xxx.2 to-addresses=10.0.0.3
# every other LAN host shares public IP .3
add chain=srcnat action=src-nat to-addresses=xxx.xxx.xxx.3 src-address=10.0.0.0/24

xxx.xxx.xxx.1, xxx.xxx.xxx.2 and xxx.xxx.xxx.3 are my public IPs assigned to the internet interface.

Did you notice there are NO references to “out-interface”?

Linux cannot route to an interface from which it came. This is a bug/glitch/feature in the Linux kernel that exists even today, I believe.

For example, if your ether1 is 24.1.2.3 (WAN) and ether2 is 10.0.0.1/24 and your PC is 10.0.0.199, then when going from your PC to 24.1.2.3 looking for the dst-nat rules it goes out from ether2 and winds up right back at ether2.

In every situation I have with this I simply create a static DNS entry and it has solved the problem for my needs.

Hi iam8up,

I just checked my network again. I can get all web pages from all servers from any computer by any means, apparently all routed through one port, ether1. (EDIT: To my surprise, the servers will even serve their own pages to themselves using the public IP.)

Mine works great with the NAT rules above. I guess that only leaves a few reasons that mine works so well:

  1. I am lucky.
  2. My O.S. is haunted.
  3. All my routers fear me.

I am looking at fixing this for my new 493AH router, with 1 server behind the MT. However, your explanation requires the public IP interface to be manually typed in. Is there a way to fix this issue without manually entering the IP, for when the IP changes from the ISP? Mine doesn't change very often, well, every 2 years, but I know in two years I won't remember how to fix the issue again.

I tried a DNS entry on the MT, but my URL is forwarded to another, e.g. mail.BUSINESSDOMAIN.com forwards to http://server.com/exchange

My domain's DNS is done at MYDOMAIN.com (yes, that is the name of the domain).

So I could not enter a URL in place of the IP.

I would like to fix this, as some people on the inside of my LAN for some reason require webmail instead of Outlook. I think they just want to make me work harder.
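The hairpin NAT the thread is circling around, written out as one RouterOS configuration. This is an added example, not configuration posted by anyone in the thread. It assumes ether1 is the WAN interface, the LAN is 10.0.0.0/24 with the router at 10.0.0.1, and the Exchange server is 10.0.0.2; every interface name and address below is an assumption to adjust. It uses dst-address-type=local instead of a typed-in public address, so it also covers the dynamic-ISP-address question in the post above.

```routeros
# Added example (not from the thread). Assumed: ether1 = WAN, LAN = 10.0.0.0/24,
# router LAN address 10.0.0.1, Exchange server 10.0.0.2.

/ip firewall address-list
add list=lan address=10.0.0.0/24 comment="internal network (assumed)"

/ip firewall nat
# Ordinary outbound NAT for LAN hosts going to the Internet.
add chain=srcnat out-interface=ether1 src-address-list=lan action=masquerade comment="LAN to Internet"

# Port forward to Exchange. dst-address-type=local matches any address the router
# currently holds, so the rule survives an ISP address change; the router's own LAN
# address is excluded so management traffic to 10.0.0.1 is not forwarded.
# No in-interface is given, so the rule also matches LAN clients that use the public IP.
add chain=dstnat dst-address-type=local dst-address=!10.0.0.1 protocol=tcp dst-port=443,25 action=dst-nat to-addresses=10.0.0.2 comment="HTTPS/SMTP to Exchange, hairpin-capable"

# Hairpin: after the dst-nat above, a LAN client's packet reaches 10.0.0.2 with the
# client's own LAN source address. The server would answer the client directly on the
# same subnet, bypassing the router; the client then sees a reply from 10.0.0.2 rather
# than from the public IP it connected to and discards it. Masquerading LAN-to-server
# traffic makes the server reply to the router, which undoes both translations.
add chain=srcnat src-address-list=lan dst-address=10.0.0.2 protocol=tcp dst-port=443,25 action=masquerade comment="hairpin NAT for Exchange"
```

Two caveats worth keeping in mind. Hairpinned connections arrive at Exchange from the router's LAN address, so server logs and any IP-based allow lists lose the real client; the split-DNS approach mentioned earlier in the thread (a static entry pointing the external hostname at 10.0.0.2 for internal resolvers) keeps the client address visible and avoids sending LAN traffic through the router at all. And the dst-nat rule is limited to 443 and 25 on purpose: forwarding a public address to a server with no port restriction, as in the 1:1 rules posted above, exposes every service listening on that server.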

That has absolutely nothing at all to do with this situation, and is spam.

Properly configured Exchange handles this automatically…