dst-nat outbound traffic?

Let’s say I have a service running on privateIP on privatePort and wish to enable connections to it via publicIP on publicPort.

That's easy, we just set up a dst-nat action on the dstnat chain in the NAT table from dst-address=publicIP dst-port=publicPort to to-address=privateIP to-port=privatePort.

And now anyone outside of my LAN that tries to access the service using the public values gets access and all is good with the world.

But if I try to use the public values from INSIDE the LAN, it seems to not work. I had originally thought this might be because I didn’t have something in srcnat chain but I can see a single packet in the statistics for my dst-nat action. Is such a configuration possible or do I just need to use the private values inside the LAN?

https://wiki.mikrotik.com/wiki/Hairpin_NAT

So - yes, using private addresses is the most correct solution.

You may use DNS names: when somename.org resolves to the public address, add a static entry with that name to the router’s DNS, so all internal clients will resolve it to the private IP.
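
Why the dst-nat rule alone fails from inside the LAN, and why the extra srcnat rule from the linked Hairpin NAT article fixes it, traced as a small Python model. This is an added example, not part of the thread; every address and name in it is constructed, and the model covers a single request and reply only.

```python
# Constructed addresses (documentation / RFC 1918 ranges), not from the thread.
PUBLIC = ("203.0.113.10", 443)       # publicIP:publicPort
PRIVATE = ("192.168.88.20", 8443)    # privateIP:privatePort
ROUTER_LAN_IP = "192.168.88.1"       # router's address on the LAN
CLIENT = ("192.168.88.50", 51000)    # LAN client and its ephemeral port


def connect_from_lan(hairpin_srcnat):
    """Trace one request and its reply; return (client_accepts, hops)."""
    hops = []
    # 1. publicIP is off-subnet, so the client sends to its default gateway.
    src, dst = CLIENT, PUBLIC
    hops.append(("client->router", src, dst))

    # 2. Router applies dst-nat, and optionally the hairpin srcnat rule.
    original = (src, dst)
    dst = PRIVATE
    if hairpin_srcnat:
        src = (ROUTER_LAN_IP, src[1])
    conntrack = {(dst, src): original}   # keyed by the expected reply tuple
    hops.append(("router->server", src, dst))

    # 3. Server answers whatever source address it saw.
    r_src, r_dst = dst, src
    if r_dst[0] == ROUTER_LAN_IP:
        hops.append(("server->router", r_src, r_dst))
        o_src, o_dst = conntrack[(r_src, r_dst)]
        r_src, r_dst = o_dst, o_src      # router reverses both translations
        hops.append(("router->client", r_src, r_dst))
    else:
        # Client is on the server's own subnet: delivered directly,
        # the router never sees the reply and cannot undo the dst-nat.
        hops.append(("server->client", r_src, r_dst))

    # 4. The client only has a connection open to PUBLIC; a reply from any
    #    other address matches no socket and is rejected.
    return (r_src == PUBLIC and r_dst == CLIENT), hops


if __name__ == "__main__":
    for mode in (False, True):
        ok, hops = connect_from_lan(mode)
        print("hairpin srcnat:", mode, "-> client accepts reply:", ok)
        for name, s, d in hops:
            print(f"  {name:15} {s[0]}:{s[1]} -> {d[0]}:{d[1]}")
```

With the srcnat rule the server sees the router's LAN address as the source of every internal connection, so its access logs no longer show the real client; the static DNS entry suggested above avoids that.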

This is exactly what I needed, thank you! I knew I must have been missing something!