After you dst-nat from global to LAN, add these 2 rules:
ip firewall nat
add action=dst-nat chain=dstnat dst-address="your global IP" dst-port=80 in-interface="LAN interface for your web server" protocol=tcp src-address=192.168.10.0/24 to-addresses=192.168.10.10 to-ports=80
add action=masquerade chain=srcnat dst-address=192.168.10.10 dst-port=80 out-interface="LAN interface for your web server" protocol=tcp src-address=192.168.10.0/24
Set only three rules: a simple dst-nat for connectivity from the Internet, and my previous 2 rules to hook the global IP from the LAN. With this setup I have web access to the web resource via the global IP from the LAN.
The first rule is
ip firewall nat
add action=dst-nat chain=dstnat dst-port=80 in-interface="your global interface" protocol=tcp to-addresses=192.168.10.10 to-ports=80
Ok my friend, now I have only these rules enabled.
/ip firewall nat
1 chain=dstnat action=dst-nat to-addresses=192.168.10.10 to-ports=443 protocol=tcp dst-address-type=local in-interface=ether1 dst-port=443
dst-limit=25,40,dst-address/1m log=yes log-prefix="WEB CONNECTION"
What rule exactly? Maybe your LAN interface belongs to some master port or bridge? Then you need to point to this bridge or master port in rules 9 and 10. Or you have to extract this port from the bridge or slave entity. You have to point to the LAN interface of your web server, otherwise you can't establish the hairpin NAT mechanic.
Now that you say that, I have this rule, created by MikroTik itself; I never wrote this.
chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""
I want to reach the local server (192.168.0.52) in the local network (my local IP: 192.168.0.165) using the external IP (1.1.1.10). (My external IP is static.)
When I try to reach (1.1.1.10) from outside the network (e.g. 2.2.2.2) -> SUCCESS
When I try to reach (192.168.0.52) from inside the network (192.168.0.165) -> SUCCESS
When I try to reach (1.1.1.10) from inside the network (192.168.0.165) -> FAIL : ERR_CONNECTION_REFUSED
I have 2 INTERNET inputs. (Load balancing in the local network)
RADIO-LINK connects on port 1 directly.
RADIO-LINK's static IP is: 1.1.1.10
VDSL-ETH connects on port 2 over an ADSL modem.
The MikroTik support team in my country (TR) says this is not possible. But I can see from videos and forum posts that it can be done.
I can see you translate the source IP of the TCP requests, coming from your local subnet and forwarded to the server at 192.168.0.52, to MikroTik's own IP address using the following rule:
This forces the server at 192.168.0.52 to send the response to MikroTik rather than directly to the client (which would normally be the case, as the client and the server are in the same subnet).
But even though the response packet is forced through MikroTik this way, the client in 192.168.0.0/24 still gets the response from 192.168.0.52 while it has sent its request to 1.1.1.10, which may confuse it. Now a srcnat rule implicitly creates, thanks to "connection tracking", an equivalent of a dstnat rule for the opposite direction, so MikroTik changes the destination IP in the received response from its own one to that of the real client. However, I'm not sure the same is the case for dstnat rules. So I would manually add another srcnat rule, mirroring the dstnat one which would translate the destination IP of the request from 1.1.1.10 to 192.168.0.52: