HEX RB750gr3 - Can connect via WAN-IP, cannot via domainname

Hello

I’ve got public IP and own domain. I read some articles about NAT Hairpin, Port Forwarding etc.

At the moment I can:

  • Connect to my webserver from local network with local IP (192.168.0.50).
  • Connect to my webserver from local network with WAN-IP (i.e. 109.92.141.121)
  • Connect to my webserver from external network with WAN-IP
  • Connect to my webserver from external network with domainname (mysite.example.com)

I cannot:
  • Connect to my webserver from local network with domainname - it keeps redirecting me to router’s main page (login page of router - 192.168.0.1)

How can I fix that problem?

My config in NAT Hairpin:
Src.Address: 192.168.0.0/24
Dst.Address: 192.168.0.50 (webserver’s IP)
Protocol: 6 (tcp)
Out.interface: bridge
Action: Masquerade

My port forward config:
Chain: dstnat
Protocol: 6 (tcp)
Dst.port: 80
In.interface: ether1
Action: dst-nat
To addresses: 192.168.0.50
To ports: 80

Read them again, reset router to defaults and search this forum for hairpin to find what to do?

What a perfect answer! Forum Guru? In number of posts for sure.

If I registered an account and wrote a question with my config, that means I probably missed something and don’t know how to resolve my problem, don’t you think?

Next reply “search forum” is the worst answer you could send. Seriously, I know in Poland we’ve got so much hate, you are the next example of that, but please, imagine that not all people who have Mikrotik are experts.

Peace



Your LAN traffic doesn’t reach the router via ether1 I presume.
Remove in.interface and add dst.ip=your.wan.ip
Doesn’t hurt to read other examples of how to do it better.
Cheers.

If I use my public IP, for unknown reason it doesn’t work at all. I use in-interface ethernet1 and only in this case I can connect with the public IP.

Dst.address doesn’t work with WAN IP.

Webserver is on virtual machine, if it changes anything.

Normis just made a video for this very thing.

https://www.youtube.com/watch?v=1I5FywY6opQ

Oh my goodness, thank you guys for replies but I think you miss the clue.

I can connect my webserver both - from internal or external Network. It’s not that typical error of Loopback NAT.

I can connect and use it normally with IP address.

I cannot connect with domain name. With my www.examplesite.com, which redirects me exactly to that Public IP.

If I use external network (for example mobile phone with LTE), I can connect to my webserver. But if I use internal network, it redirects me to router login page instead.

Apologies. I’ll set up something in EVE to replicate it to mess with it.

Just tested with the following setup, and all works even using the DNS names. Webserver was .3 on the 192.168.123.0/24 network.

/ip firewall filter
add action=accept chain=input comment="HTTPS Input" disabled=yes dst-port=443 protocol=tcp
/ip firewall nat 
add action=masquerade chain=srcnat comment="HairPin WebServer" dst-address=192.168.123.3 out-interface=\
    bridge protocol=tcp src-address=192.168.123.0/24
add action=dst-nat chain=dstnat comment="Webserver NAT" dst-address=66.xxx.xxx.xxx dst-port=443 \
    protocol=tcp to-addresses=192.168.123.3

cfikes

Thank you for testing, I used exactly the same command to check if I do something wrong (just with my IPs of course) and… it’s not working for me.

I check my public address on www.myip.com, and I copy it → paste as dst-address, and from local network I can use that IP, but from external network it doesn’t work.

If I use in.interface=ethernet1 → it works fine. Exactly the same IP…

Exported config:

# dec/16/2022 21:33:57 by RouterOS 6.49.7
# software id = W51K-T1ZZ
#
# model = RB750Gr3
# serial number = ##
/interface bridge
add admin-mac=DC:2C:6E:53:AF:F8 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.0.10-192.168.0.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=\
    192.168.0.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.0.122 mac-address=00:1B:9C:0A:9F:30 server=defconf
add address=192.168.0.50 client-id=1:52:54:0:20:c6:d mac-address=\
    52:54:00:20:C6:0D server=defconf
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input comment="HTTPS Input" disabled=yes dst-port=443 \
    protocol=tcp
add action=accept chain=input comment="HTTP Input" disabled=yes dst-port=80 \
    protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="HairPin WebServer" dst-address=\
    192.168.0.50 out-interface=bridge protocol=tcp src-address=192.168.0.0/24
add action=dst-nat chain=dstnat comment="Webserver NAT" dst-address=\
    109.xx.public.wan.ip dst-port=80 protocol=tcp to-addresses=192.168.0.50 \
    to-ports=8123
/system clock
set time-zone-name=Europe/Warsaw
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Is the IP shown on www.myip.com the same as the IP shown here?

/ip address print where interface=ether1

No it’s not the same. On ethernet1 I’ve got address: 10.50.52.126/24, but as far as I read in the Internet it’s local address.

Then you don’t have a public IP and it will never work.
Cheers.

So how is that possible? If I put ether1 in interface, I can use my public IP on any device out of my network and connect to my webserver… I don’t understand it at all.

Only if whoever gives you that 10.50.52.126 also forwards port 80 from that public IP to your private IP.
You need two dst-nat rules then, one with the public IP to make hairpin work, and another one as you’ve had in the first place, with ether1 to make it available from outside.
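The reason two dstnat rules are needed can be seen by following the two packets involved. This is an added Python model, not RouterOS code: it reproduces first-match semantics for the handful of dstnat matchers used in this thread. Addresses are the example WAN-IP from the first post (109.92.141.121), the ether1 address reported later in the thread (10.50.52.126), the web server (192.168.0.50) and a constructed outside client in the RFC 5737 documentation range.

```python
"""Which dstnat rule fires for which packet: a model of the two arrival paths
discussed in this thread (added illustration, not RouterOS code).

Addresses are taken from the thread or constructed for the example:
  - 109.92.141.121  example WAN-IP from the first post (what the world sees)
  - 10.50.52.126    private address the ISP box hands to ether1
  - 192.168.0.50    web server on the bridge
  - 203.0.113.7     constructed outside client (RFC 5737 documentation range)
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

PUBLIC_IP = "109.92.141.121"
ETHER1_IP = "10.50.52.126"
WEB_SERVER = "192.168.0.50"


@dataclass(frozen=True)
class Packet:
    in_interface: str   # interface the router received it on
    src: str
    dst: str            # destination as it appears when it reaches the router
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class DstNatRule:
    """Subset of /ip firewall nat chain=dstnat matchers used in the thread."""
    comment: str
    dst_port: int
    to_address: str
    proto: str = "tcp"
    in_interface: Optional[str] = None  # None: any interface
    dst_address: Optional[str] = None   # None: any destination

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto or pkt.dst_port != self.dst_port:
            return False
        if self.in_interface is not None and pkt.in_interface != self.in_interface:
            return False
        if self.dst_address is not None and pkt.dst != self.dst_address:
            return False
        return True


def first_match(rules: List[DstNatRule], pkt: Packet) -> Optional[str]:
    """First-match semantics, as in a RouterOS chain; returns the rule comment."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.comment
    return None


# 1. A LAN host resolves the domain name to the public IP and sends the packet
#    to the router: it arrives on the bridge with the public IP as destination.
HAIRPIN = Packet("bridge", "192.168.0.122", PUBLIC_IP, 80)
# 2. An outside client hits the public IP; the ISP's box NATs it, so the router
#    sees it on ether1 with the *private* ether1 address as destination.
FROM_INTERNET = Packet("ether1", "203.0.113.7", ETHER1_IP, 80)

BY_INTERFACE = DstNatRule("Webserver NAT (in-interface=ether1)", 80, WEB_SERVER,
                          in_interface="ether1")
BY_PUBLIC_IP = DstNatRule("Webserver NAT (dst-address=public)", 80, WEB_SERVER,
                          dst_address=PUBLIC_IP)

RULESETS: Dict[str, List[DstNatRule]] = {
    "original (ether1 only)": [BY_INTERFACE],
    "public-ip only": [BY_PUBLIC_IP],
    "both rules": [BY_PUBLIC_IP, BY_INTERFACE],
}


def evaluate(rules: List[DstNatRule]) -> Dict[str, Optional[str]]:
    """Which rule (if any) handles the hairpin packet and the outside packet."""
    return {
        "hairpin": first_match(rules, HAIRPIN),
        "from_internet": first_match(rules, FROM_INTERNET),
    }


if __name__ == "__main__":
    for name, rules in RULESETS.items():
        print(f"{name:26s} -> {evaluate(rules)}")
```

The ether1-only rule never sees the hairpin packet (wrong interface), and the public-IP-only rule never sees the outside packet (the upstream box has already rewritten the destination to 10.50.52.126), so only the combined set handles both. The srcnat masquerade rule for the hairpin case is still required on top of this so that the server's replies go back through the router rather than straight to the LAN client.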

You sir are rude to people trying to help. Perhaps it’s what you respond to more favourably, thus…
I will ask you to make an effort and actually read…

All covered here, from hairpin, to asking if you really have a public IP and how to arrange dst nat rules for dynamic WANIPs…

https://forum.mikrotik.com/viewtopic.php?t=179343

As clearly pointed out, ether1 as incoming for a dynamic WANIP is useless…
It wouldn’t surprise me if your firewall rule for dstnat was equally inept.

/export file=anynameyouwish (minus router serial # and any public WANIP information )

I’m so sorry, I don’t want to be rude. I’m just helpless in that situation.

I called my ISP and they told me that everything is set up from their side. Before, I had a simple TP-Link Archer router and I was able to port forward everything the simple way.

The problem is, when I put in in-interface=ethernet1 and I “open” any port (e.g. 1234), I can connect using my WAN-IP without problems. If I also check it with any site like portchecker.co, it shows me that the port is open on my public IP.

So I’m confused - is it public or not?

My config is in code - in post #10

I checked as you described in the linked post if my public IP is public:
Cloud IP and IP read in browser is the same - 109.xxx.xxx.xx
DAC and DHCP Client IP is different - 10.50.52.126


@Znevna

I don’t know how safe that is, but as a quick solution it works. I made 2 dstnat rules to port 443 - one to the public IP (that allows me to connect via domain name from local network) and a second one with that address 10.50.52.126, which allows me to connect from external network.

What is your ether1 interface connected to? It seems it is a router (perhaps provided by your ISP) and it is already doing nat.

Do you have access to login to that device? And can you do port forwarding? If the address on your ether1 interface was in the range 100.65.0.0 - 100.127.255.255, then that would indicate your ISP was using CGNAT to conserve public IP addresses, but it is still possible that your ISP is providing you with a private IP and doing NAT before your RB750gr3 gets its IP address via DHCP.

About all we can say is that there is at least one layer of NAT between the global IP address that www.myip.com shows you and the ether1 interface on the RB750gr3.

Perhaps your ISP had your Archer’s WAN mac address and it was giving it a global ip address (perhaps grandfathered?). If you still have it, and it still works, you can probably spoof its mac address with the RB750gr3 and the ISP will think it is your old Archer Router.
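The check this post describes, comparing the address on ether1 with the address an outside lookup reports, as an added Python example (not RouterOS code). The ranges come from the IANA special-purpose address registry; RFC 6598 defines the shared CGNAT range as 100.64.0.0/10. The function accepts addresses in the `a.b.c.d/24` form that `/ip address print` shows, and the sample values are the ones quoted in this thread.

```python
"""Tell whether the address on a router's WAN port can be reached directly from
the Internet, or whether an upstream NAT (ISP box or CGNAT) sits in front of it.
Added example, not RouterOS code.

Categories (IANA special-purpose registry):
  - rfc1918-private : 10/8, 172.16/12, 192.168/16
  - cgnat-shared    : 100.64.0.0/10 (RFC 6598)
  - other special ranges (loopback, link-local, documentation, ...)
  - public          : anything else (global unicast)
"""
import ipaddress
from typing import List, Tuple

SPECIAL: List[Tuple[str, ipaddress.IPv4Network]] = [
    ("rfc1918-private", ipaddress.ip_network("10.0.0.0/8")),
    ("rfc1918-private", ipaddress.ip_network("172.16.0.0/12")),
    ("rfc1918-private", ipaddress.ip_network("192.168.0.0/16")),
    ("cgnat-shared", ipaddress.ip_network("100.64.0.0/10")),
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
    ("link-local", ipaddress.ip_network("169.254.0.0/16")),
    ("documentation", ipaddress.ip_network("192.0.2.0/24")),
    ("documentation", ipaddress.ip_network("198.51.100.0/24")),
    ("documentation", ipaddress.ip_network("203.0.113.0/24")),
    ("multicast", ipaddress.ip_network("224.0.0.0/4")),
    ("reserved", ipaddress.ip_network("240.0.0.0/4")),
]


def _host(addr: str) -> ipaddress.IPv4Address:
    """Strip a RouterOS-style prefix length ("10.50.52.126/24") and parse."""
    return ipaddress.IPv4Address(addr.split("/")[0])


def classify(addr: str) -> str:
    """Return the category name for an IPv4 address."""
    ip = _host(addr)
    for label, net in SPECIAL:
        if ip in net:
            return label
    return "public"


def nat_verdict(wan_addr: str, seen_from_internet: str) -> str:
    """Compare the WAN-port address with what an external lookup reports.

    direct-public        : ether1 carries the same public address the world sees
    behind-cgnat         : ether1 is in 100.64.0.0/10, ISP runs carrier-grade NAT
    behind-upstream-nat  : ether1 has an RFC 1918 address, another box NATs first
    mismatch             : public on ether1, but not the address the world sees
    """
    kind = classify(wan_addr)
    if kind == "public":
        if _host(wan_addr) == _host(seen_from_internet):
            return "direct-public"
        return "mismatch"
    if kind == "cgnat-shared":
        return "behind-cgnat"
    if kind == "rfc1918-private":
        return "behind-upstream-nat"
    return "unknown"


if __name__ == "__main__":
    # Values quoted in this thread: ether1 address vs. the address myip.com showed.
    print(classify("10.50.52.126/24"))                        # rfc1918-private
    print(nat_verdict("10.50.52.126/24", "109.92.141.121"))   # behind-upstream-nat
```

For the thread's case the verdict is "behind-upstream-nat": the 109.x address belongs to the ISP's router, so a dstnat rule that matches on that address can only ever see traffic that originates inside the LAN, and traffic from the Internet reaches ether1 only if the upstream box forwards it.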

Yes, you’re right. It’s connected to the ISP’s router and I don’t have the password to it (and they won’t share it with me).

At the moment everything is working fine with double dstnat rule, just curious how safe it is.

On the other hand, I use it only for Home Assistant, it’s not a typical webserver.

So they will forward ports to your router if you request it ???