Domain resolution + local services

Not sure if this belongs in “Forwarding Protocols” section – if so, sorry!

I’m new to RouterOS, and some things that I’ve done for years with consumer hardware are proving to be difficult for me with RouterOS.

I have a main RouterOS router, doing all the normal things a SOHO router usually does. I have a number of local machines with various services, some used internally only and some that have NAT rules to allow external access. The problem I am having…

  • I have a domain mydomain.com, and a subdomain sub.mydomain.com with CNAME record pointing to a DDNS service, which points to the public IP of the router.
  • Machine A inside the network hosts a service on port X that needs to be externally accessible.
  • I have added a Firewall NAT rule for this:
    Chain: dstnat
    Protocol: TCP
    Dst. Port: X
    Action: dst-nat
    To Address: <A’s local address>
    To Ports: X
  • Connecting to A on port X from another local machine using A’s internal address works fine.
  • Connecting to A on port X from a remote machine using the subdomain works fine.
  • Connecting to A on port X from another local machine using the subdomain does not work.
  • The subdomain always resolves to the proper router public address.

What am I doing wrong?

The server A is in the same subnet as the client, right?
Are the dst-port and to-ports the same? Then just add a static DNS entry on Tik for the sub-domain pointing to the internal IP.

If the ports are different, you’ll need to add a src-nat rule for traffic from LAN to LAN. See “hairpin” for more details.

RouterOS doesn’t do some things automatically. You need a srcnat rule for packets going from LAN back to LAN:

/ip firewall nat
add chain=srcnat src-address=<your LAN subnet> dst-address=<your LAN subnet> action=masquerade

An explanation of what it does and why it’s necessary is at https://wiki.mikrotik.com/wiki/Hairpin_NAT.
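The two fixes suggested in this thread (a static DNS entry on the router, and a hairpin srcnat rule) written out as a complete RouterOS configuration. This is an added example, not configuration posted by anyone in the thread or taken from the MikroTik wiki. All addresses, the port and the interface name are constructed placeholders: LAN 192.168.88.0/24 on interface bridge1, server A at 192.168.88.10, service port X = 8080, and the dst-nat rule from the original post reproduced with those values. The second hostname, svc-b.mydomain.com, is hypothetical and only shows that one static entry is needed per service name.

```routeros
# --- Port forward from the original post (constructed values) ---
# No in-interface restriction, so it also matches LAN clients that
# connect to the router's public address (needed for hairpin to work).
/ip firewall nat
add chain=dstnat protocol=tcp dst-port=8080 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=8080 \
    comment="forward port X to server A"

# --- Option 1: hairpin NAT (Sob's approach, scoped narrowly) ---
# Only hairpinned connections (LAN client -> public IP -> server A) are
# masqueraded; all other LAN-to-LAN traffic keeps its real source IP.
# Server A will log the router's LAN address for these connections.
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.10 \
    protocol=tcp dst-port=8080 out-interface=bridge1 \
    action=masquerade comment="hairpin NAT for server A port X"

# --- Option 2: static DNS (sebastia's approach) ---
# LAN clients that use the router as resolver get A's internal address
# directly, so the connection never touches NAT and A logs the real
# client IP. One entry per service hostname; the router's own DNS must
# answer LAN queries (allow-remote-requests) and clients must use it.
/ip dns
set allow-remote-requests=yes
/ip dns static
add name=sub.mydomain.com address=192.168.88.10 comment="service on A"
# hypothetical second service on another host (constructed)
add name=svc-b.mydomain.com address=192.168.88.20 comment="service on B"

# Allow DNS queries from the LAN only, not from the internet
/ip firewall filter
add chain=input in-interface=bridge1 protocol=udp dst-port=53 action=accept \
    comment="LAN DNS queries"
add chain=input protocol=udp dst-port=53 action=drop comment="block WAN DNS"
```

Option 1 works regardless of which hostname the client uses and whether dst-port and to-ports differ, at the cost of the origin IP in A's logs. Option 2 preserves the origin IP but only when each externally published hostname resolves to exactly one internal host and ports are the same inside and outside; the static entries above are placeholders, not records from mydomain.com. The filter rules at the end are there because enabling allow-remote-requests without them would let the router answer DNS for anyone on the WAN side.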

Thanks, @Sob. I ended up finding the hairpin solution after posting this topic, and it does indeed work. However, I would prefer to be able to log distinct local client IPs for the services running in the network.

@sebastia I like this idea, but I can see one problem: different machines in my network (other than A) host different services. So it seems a local domain entry will not work, as it can only point to one local IP.

http://forum.mikrotik.com/t/ros-hairpin-nat-preserving-origin-ip-for-log-purpose/128750/1

Awesome.