dynamic ip in a dst-nat rule

mogul · March 3, 2019, 2:28pm

Using a RB450G (sw 6.43) in front of my home networks. Im on a cable connection where I get assigned a new Ip address once in a while. I have a dyn-dns service to follow me around.

One of the machines is a docker host with a bunch of web services on, all having individual public DNS records.
I would like these services accessible both from the outside world, but also from the inside.

To make this I have the following dst-nat rule:

add action=dst-nat chain=dstnat \
  dst-address=88.77.66.55 dst-port=80,443 \
  to-addresses=192.168.40.13

where 88.77.66.55 is my current public IP.

Now when my provider moves me to a new IP, I have to manually go in and do a

/ip address print

and then update the IP in the NAT rule above.

Question is if I somehow can say to the dst-address in the NAT rule “use the address you got assigned on ether1” ?

anav · March 5, 2019, 11:55am

in-interface=eth1wan or if you have several wans, in-interface-list=wan (instead of IP addresses)

Steveocee · March 5, 2019, 3:32pm

This won’t be totally applicable but it explains how to get the dynamic bit down far easier than my typing will do.
https://www.youtube.com/watch?v=_kw_bQyX-3U

anav · March 5, 2019, 4:56pm

For inside connections to your own servers (but for some strange reason want to use the public wan ip address) the typical answer is to use hairpin-nat.
There is another option i don’t quite understand but it has to do with routing the traffic… directly to the server.

/ip route rule
add action=lookup dst-address=<an IP not sure which one???> table= main???

2frogs · March 5, 2019, 6:25pm

I prefer this nat rule over using the ddns shown in the video.

add action=dst-nat chain=dstnat dst-address-type=local dst-address=!192.168.40.1(or router ip) dst-port=80,443  to-addresses=192.168.40.13

nostromog · March 5, 2019, 11:53pm

In a separate thread somewhere around I read that one way would be:

activate /ip cloud set ddns-enabled=yes update-time=no (for time it is better to use ntp)
create a mypublicip firewall address.list with the .sn.mynetname.net dns name: /ip firewall address-list add address=[/ip cloud get dns-name] list=myip
use this address list in the firewall rules, substituting dst-address=88.77.66.55 → dst-address-list=mypublicip

You obviously could do the same with whatever dynamic dns you are using, instead… Works quite well in practice