I use RouterOS v6.41rc52.
I have a web site in my local network on my server with IP 192.168.1.10, port 8000, and I have a public IP. I have a dst-nat rule for users that are outside my network; the rule is OK and users can open the web site,
but in my local network I want to open the web site with the public IP too, and I can't open it with the public IP.
So how can I do this?
Please do not give a wiki website, that does not fix it. I have two ISP lines.
I checked all websites, cannot make it work.
Wiki examples are working. Believe me. The recipe to forward outside traffic to internal router is two lines of rules long. Hairpin is the third one.
Try to configure it for one ISP’s address and then for the second.
DST-NAT rule needs to be to destination address and not mention the inbound interface.
You need a hairpin rule as your rule 0 to go from src address your lan range to dst address your lan range and masquerade.
Sorry if that doesn’t read too easily, I made a video showing this on YouTube which has helped another member on here;
https://youtu.be/_kw_bQyX-3U
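Why the third (hairpin) rule matters, as an added simulation that is not from any poster in this thread: without the masquerade, the server answers the LAN client directly from its private address, and the client discards a reply that does not come from the public IP it connected to. The public IP 203.0.113.5, the client 192.168.1.50 and the router LAN address 192.168.1.1 are constructed values; masquerade port rewriting is left out for brevity.

```python
import ipaddress
from dataclasses import dataclass, replace

LAN = ipaddress.ip_network("192.168.1.0/24")  # LAN range implied by the first post
SERVER = ("192.168.1.10", 8000)               # web server from the first post
PUBLIC_IP = "203.0.113.5"                     # constructed placeholder public IP
ROUTER_LAN_IP = "192.168.1.1"                 # assumed router LAN address
CLIENT = ("192.168.1.50", 40000)              # constructed LAN client

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def in_lan(ip):
    return ipaddress.ip_address(ip) in LAN

def router_forward(pkt, hairpin):
    """Apply the dst-nat rule, then (optionally) the hairpin masquerade."""
    if pkt.dst == PUBLIC_IP and pkt.dport == SERVER[1]:    # dst-nat rule
        pkt = replace(pkt, dst=SERVER[0])
    if hairpin and in_lan(pkt.src) and in_lan(pkt.dst):    # hairpin rule
        pkt = replace(pkt, src=ROUTER_LAN_IP)
    return pkt

def simulate(hairpin):
    """Return (reply source seen by the client, whether the client accepts it)."""
    request = Packet(CLIENT[0], CLIENT[1], PUBLIC_IP, SERVER[1])
    at_server = router_forward(request, hairpin)
    # The server answers whatever source address it saw.
    reply = Packet(at_server.dst, at_server.dport, at_server.src, at_server.sport)
    if reply.dst == ROUTER_LAN_IP:
        # Reply returns to the router; connection tracking reverses both NATs.
        reply = replace(reply, src=PUBLIC_IP, dst=CLIENT[0])
    # Otherwise the reply crosses the LAN straight to the client, bypassing the router.
    accepted = (reply.src, reply.sport) == (request.dst, request.dport)
    return reply.src, accepted

if __name__ == "__main__":
    for hairpin in (False, True):
        print("hairpin rule:", hairpin, "->", simulate(hairpin))
```
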
I have exactly the same problem as @ait.
I've tried a lot of solutions from Google search and MikroTik forum search.
@Steveocee, your solution has not worked for me.
I want to reach the local server (192.168.0.52) from the local network (my local IP: 192.168.0.165) with the external IP (1.1.1.1). (My external IP is static.)
When I try to reach from an outside network (e.g. 2.2.2.2) to (1.1.1.1) → SUCCESS
When I try to reach from inside the network (192.168.0.165) to (192.168.0.52) → SUCCESS
When I try to reach from inside the network (192.168.0.165) to (1.1.1.1) → FAIL : ERR_CONNECTION_REFUSED
RouterOS 6.40.1
RouterBOARD 3011UiAS
/ip firewall nat export
add action=masquerade chain=srcnat dst-address=192.168.0.0/24 src-address=192.168.0.0/24
add action=masquerade chain=srcnat out-interface=RADIO-LINK src-address=192.168.0.0/24
add action=dst-nat chain=dstnat dst-address=1.1.1.1 dst-port=629 protocol=tcp to-addresses=192.168.0.52 to-ports=629
The MikroTik support team in my country (TR) says this is not possible. But I can see from videos and forum posts that it can be done.
Is it possible? Where do I make mistakes?
Here is below what I am using, this is from my main router with rules working, the only thing I can see is your dst-nat rule is set to change the port when it is not needed.
/ip firewall nat
add action=masquerade chain=srcnat comment=Hairpin dst-address=10.10.10.0/24 src-address=10.10.10.0/24
add action=masquerade chain=srcnat comment=NAT out-interface=pppoe-out1 src-address=10.10.10.0/24
add action=dst-nat chain=dstnat comment=Transmission dst-address=1.1.1.1 dst-port=9091 protocol=tcp to-addresses=10.10.10.20
Are you using any kind of fasttrack or similar? If you are, the router is seeing LAN > LAN so bypassing the routing.
I removed "to-ports=629", but it still did not work.
I am not using any kind of fasttrack. Actually, I don't know what fasttrack is.
If you are talking about filter rules, I have only 4 drop rules.
1 ;;; PROXY-ATAK-DROP
chain=input action=drop protocol=tcp in-interface=RADIO-LINK dst-port=8080 log=no
log-prefix=""
2 ;;; PROXY-ATAK-DROP
chain=input action=drop protocol=tcp in-interface=VDSL-ETH dst-port=8080 log=no
log-prefix=""
3 ;;; DNS-ATAK-DROP
chain=input action=drop protocol=tcp in-interface=VDSL-ETH dst-port=53 log=no
log-prefix=""
4 ;;; DNS-ATAK-DROP
chain=input action=drop protocol=tcp in-interface=RADIO-LINK dst-port=53 log=no
log-prefix=""
When I add the following fasttrack filter rule, it still does not work.
chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""
Thank you for the tutorial. I have a dynamic WAN IP, but I wanted to mention that I took a slightly different approach. Instead of doing all the cloud stuff, I simply set the dst-address for my port forwarding rule to my current WAN IP like you would if it were static. Since I also use No-IP DDNS, I modified the No-IP script on the wiki so that when the IP address is updated, the dst-address on the port forward also gets updated. It was just a couple lines to add (well, really only one is necessary):
# Update port forwarding rule
/ip firewall nat set numbers=2 dst-address=$currentIP
:log info "Updated dst-address for HTTPS port forward rule"
Note: 2 is the number of my port forwarding rule. Change it as appropriate for your setup.
If you are not using No-IP DDNS, you could still use the No-IP script for this task, but just comment out the lines where it sends the update to no-ip.com.
Just reread your first post. My solution won’t work for dual WAN. You could try adding both WAN ip addresses to the wan list from my video, that might work?
Very unique way to solve this and it worked flawlessly for me. Thank you!
@ayit can you show us your topology?
Thank you. I had gone through every forum thread on this board to try and find what I'll term as the "simplest" (least lines of config) solution to this. It's painful that there isn't a simple "Hairpin" button in RouterOS, but if there was my video wouldn't get any more views lol
Thanks for the wonderful and helpful video that you shared on YouTube. I am a totally new user to MikroTik, but based on your guidance from the video, after some testing and a reboot I was finally able to get the loopback / hairpin NAT plus DynDNS to work perfectly with my dynamic IP.
Keep up the good job and a million thanks.
Thank you for the kind words.