I have an RB750Gr3 connected to a cable modem and supporting internal VLANs. I configured a dst-nat from the WAN interface (ether1) to a machine running on a VLAN that hosts an Internet facing service.
I do not have a static IP and use dynamic DNS service. I have a guest VLAN for visitors. When visitors attempt to access the Internet facing service using the dynamic DNS based URL this dst-nat doesn’t apply. I am assuming this is because the in-interface is not ether1. I don’t think migrating from in-interface to dst-address is feasible because the WAN IP is dynamic and changing. Is there a simple way to specifically target this traffic with a dst-nat rule?
As a workaround, I set up a static DNS entry that takes priority over the dynamic DNS IP and points to the internal server IP, eliminating the need for a dst-nat. Unfortunately this DNS entry is cached on the clients and causes issues when users disconnect from the guest LAN and switch to 3G.
------Internet w/dynamic IP--------(ether1)----[RB750Gr3]-----------(vlan1)----------------------[server with Internet facing service]
------------(vlan2 - guest lan) -----[guest mobile device accessing Internet facing service via dynamic DNS based URL]
The type of DNS record you are after is a CNAME. Make the record for your web-site say, www.bestwebsiteever.com, be a CNAME for your ddns name. If you are using the built-in MikroTik ddns service then a simple “/ip cloud print” will show the name you need to enter as the CNAME record target.
Here is a snip from a provider I commonly use (Gandi) for public DNS referencing a name like you would get from the built-in ddns service:
Once you have that situated you will need to implement hairpin NAT for the traffic. Specifically, the rule at the bottom of the Wiki page to handle reply traffic appropriately: https://wiki.mikrotik.com/wiki/Hairpin_NAT
Thank you for your reply. To clarify, I already have a dyndns service that functions properly. As I understand, Hairpin NAT solves for a request coming from a client on the same subnet as the web server by ensuring all response packets from the web server are fed back to the router rather than direct to the client where they would be dropped. This does not apply to the issue I’m facing as my clients are on a different subnet than the web server and all traffic passes through the router.
The issue for me is that the NAT rule that forwards traffic destined for the WAN IP address to the web server is targeting packets based on in-interface=ether1, not dst-address=[WAN IP]. That doesn’t affect packets from a client on any internal subnet because the in-interface is one of the other interfaces (i.e. ether2-ether5). I believe I have to target the traffic using in-interface=ether1 because the WAN IP address is dynamic and I can’t specify it in the NAT rule. If I change the targeting in the NAT rule to dst-address=[WAN IP] instead of in-interface=ether1, everything works properly. Eventually though, the WAN IP address changes and the NAT breaks.
I need a reliable way to target these packets in a dstnat rule regardless of the in-interface. Note: in the Hairpin NAT documentation example the dstnat rule targets based on dst-address.
a) Use dst-address-type=local and it will match any target address owned by the router. You may want to add an exception for the router’s internal address, i.e. dst-address=!192.168.x.x.
b) Add your hostname to an address list; the router will resolve it and then you can use dst-address-list=.
I’d use a), because b) might have short outages when the address changes, since the router will only re-resolve the hostname when its TTL expires.
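Both options from the answer above written out as RouterOS CLI, as an added example that is not any poster's own configuration. The server address 192.168.10.20, service port 443, LAN range 192.168.0.0/16 and the DDNS hostname are constructed placeholders; substitute your own.

```routeros
# Option a): match any destination address the router itself owns (including the
# current dynamic WAN IP) instead of matching on in-interface=ether1, so the rule
# also catches guest-VLAN clients that resolve the DDNS name to the public IP.
# Excluding the LAN range keeps traffic aimed at the router's own 192.168.x.x
# addresses (management, DNS) from being redirected to the server.
/ip firewall nat
add chain=dstnat action=dst-nat dst-address-type=local dst-address=!192.168.0.0/16 \
    protocol=tcp dst-port=443 to-addresses=192.168.10.20 to-ports=443 \
    comment="Forward service to server regardless of in-interface (constructed example)"

# Option b): let the router resolve the DDNS hostname into an address list and match
# on the list. The hostname is a placeholder; the list entry lags the real address
# until the DNS TTL expires, which is the short outage noted above.
/ip firewall address-list
add list=public-ip address=your-ddns-hostname.example.net \
    comment="Router resolves this name periodically (placeholder hostname)"
/ip firewall nat
add chain=dstnat action=dst-nat dst-address-list=public-ip protocol=tcp dst-port=443 \
    to-addresses=192.168.10.20 to-ports=443 disabled=yes \
    comment="Alternative to option a); enable only one of the two rules"
```

Check which rule is matching with `/ip firewall nat print stats` while a guest client loads the service; the counter on the dst-address-type=local rule should increase for traffic arriving from the guest VLAN as well as from ether1.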