I would like to achieve something, but I don't know how to, or whether it is possible at all.
I have a DDNS address, which gets updated by a scheduled script in the router (example.dyndns.org).
I would like to access the computers from inside the LAN network by the DDNS address, even when there is no internet connection.
(Now I am using it with hairpin NAT, but it doesn't work when there is no internet, because the DNS servers aren't reachable.)
So I added a static DNS record to the router with example.dyndns.org pointing to 192.168.0.1 (the router's IP) and redirected the packets by their ports to the specific local IPs.
I know I could use multiple DNS names for the computers, or use LAN IP addresses, but I would like to make a connection (e.g. an SSH connection) using only one DNS address, which can connect in any situation.
So from the ports I could tell which computer is the destination, and if I am outside the local network the same should work via the DDNS record (from the DNS servers) translated into my network.
Since you have multiple internal servers sharing a single public IP address, you have to use hairpin nat.
Adding the host to static DNS entries is definitely the way to keep the hostname available even if the Internet is down… but I would recommend using a dummy IP on the Mikrotik and not the LAN IP - this will keep things easier to deal with so that you can still access the same ports of the Mikrotik itself (e.g. lan-ip:80 = webfig, while dummy-ip:80 → redirected)
So put a dummy IP on the WAN interface in addition to the dynamic IP:
172.16.0.1/32
Then make your NAT forwarding rules look like this:
/ip firewall nat
add chain=dstnat dst-address-type=local dst-address=!192.168.0.0/16 action=jump jump-target=pinholes
add chain=pinholes protocol=tcp dst-port=80,443 action=dst-nat to-address=192.168.1.80
add chain=pinholes protocol=tcp dst-port=22 action=dst-nat to-address=192.168.1.22
add chain=pinholes protocol=tcp dst-port=25 action=dst-nat to-address=192.168.1.25
etc…
add chain=pinholes action=return comment="any un-configured port will just go back to the normal dstnat chain"
Then make your proxy static DNS entry use address=172.16.0.1 (instead of the LAN IP)
Finally, you need the hairpin rule:
/ip firewall nat
add chain=srcnat out-interface=LAN src-address=192.168.1.0/24 action=masquerade
Of course, in these examples, change 192.168.1.x to suit your actual LAN addressing scheme.
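As an added example (not part of the answer above), here is the complete configuration the answer describes, written out end to end: dummy address, static DNS entry, pinhole chain and hairpin masquerade. It also generalises the pinhole rules to UDP services, since a pinhole rule with protocol=tcp will never match a UDP flow. Interface names (ether1, bridge-lan), the LAN subnet 192.168.1.0/24, the dummy address 172.16.0.1 and the UDP port/host are assumptions to adapt.

```routeros
# Added example, not from the original post. Assumptions: WAN interface ether1,
# LAN interface bridge-lan, LAN subnet 192.168.1.0/24, dummy address 172.16.0.1/32,
# DDNS name example.dyndns.org, a UDP service on port 5000 hosted at 192.168.1.50.

# 1. Dummy address on the WAN interface, alongside the dynamic one. Because it is
#    assigned to the router, it matches dst-address-type=local below.
/ip address
add address=172.16.0.1/32 interface=ether1 comment="hairpin target for DDNS name"

# 2. Static DNS entry so the DDNS name resolves inside the LAN even with no Internet.
/ip dns static
add name=example.dyndns.org address=172.16.0.1

# 3. Pinhole chain: one rule per service, matching the protocol the service uses.
/ip firewall nat
add chain=dstnat dst-address-type=local dst-address=!192.168.0.0/16 \
    action=jump jump-target=pinholes comment="public or dummy IP -> pinholes"
add chain=pinholes protocol=tcp dst-port=80,443 action=dst-nat to-addresses=192.168.1.80
add chain=pinholes protocol=tcp dst-port=22 action=dst-nat to-addresses=192.168.1.22
add chain=pinholes protocol=udp dst-port=5000 action=dst-nat to-addresses=192.168.1.50
add chain=pinholes action=return comment="unmatched ports fall back to dstnat"

# 4. Hairpin: LAN clients reaching a LAN server through the dummy address must be
#    source-NATed, otherwise the server replies directly and the client drops it.
add chain=srcnat out-interface=bridge-lan src-address=192.168.1.0/24 \
    dst-address=192.168.1.0/24 action=masquerade comment="hairpin NAT"

# Check: after a test connection, the matching pinhole rule's counters should grow.
/ip firewall nat print stats
```

If a rule's packet counter stays at zero, compare its protocol and dst-port with what the client actually sends; a UDP client never hits a protocol=tcp rule.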
Firstly, thanks for your answer.
Secondly, sorry for the late answer.
I am a bit new with the Mikrotik programming.
From your answer I managed to do the following settings:
Maybe I misunderstood some piece of your instructions, because when I open the client program on Android which communicates with the server (running on a Raspberry Pi) (both programmed by me, and using the UDP protocol only), the client can't connect to the server using ddnsaddress:port.
Also, the client program works if I use lanip:port.
As I see on the attached image, the #2 rule never catches a packet, but why? Or is the problem somewhere else?
Thanks for your answer in advance.