I have a docker host running many docker apps. Some apps are exposed using the host 192.168.12.8:port. How do I create a hairpin NAT so I can access the apps through their FQDN from within my LAN?
Here is my config:
# 2025-01-21 18:35:43 by RouterOS 7.14.3
# software id = YDH9-P57P
#
# model = RB5009UG+S+
# serial number = XXXXXXXXX
#
# Layout summary (from this export): br-Uplink is the VLAN-filtering LAN bridge
# with VLANs 10/11/12/30/100; a second bridge "containers" holds only the veth
# of the AdGuard container (172.17.0.2), which is the DNS resolver for the
# users VLAN and the WireGuard peers. ether8 is the static WAN uplink.
/interface bridge
add name=br-Uplink port-cost-mode=short vlan-filtering=yes
add name=containers
/interface ethernet
set [ find default-name=ether1 ] comment="POE swith /wi-fi" name=\
ether1-LAN-Hybrid
set [ find default-name=ether2 ] comment=proxmox name=ether2-LAN-Hybrid
set [ find default-name=ether3 ] comment="ABB IPS 2.1" name=ether3-LAN-Access
set [ find default-name=ether4 ] name=ether4-LAN
set [ find default-name=ether7 ] comment=mngmnt name=ether7-LAN-mngmnt
set [ find default-name=ether8 ] name=ether8-WAN-Static
set [ find default-name=sfp-sfpplus1 ] disabled=yes
# veth1 is the container side of the AdGuard instance; 172.17.0.1 on the
# "containers" bridge is its gateway (see /ip address).
/interface veth
add address=172.17.0.2/24 gateway=172.17.0.1 gateway6="" name=veth1
# WireGuard listens on UDP 14567; the matching input accept is in
# /ip firewall filter below.
/interface wireguard
add listen-port=14567 mtu=1420 name=wireguard1
# Proxy-11 (VLAN 11, "Traefik proxy") is carried in the bridge VLAN table but
# has no /ip address, DHCP server or interface-list membership anywhere below.
# NOTE(review): confirm it is still in use; otherwise it is an unused L2 path.
/interface vlan
add comment="Management VLAN" interface=br-Uplink name=Management-10 vlan-id=\
10
add comment="Traefik proxy" interface=br-Uplink name=Proxy-11 vlan-id=11
add comment="Smart Home VLAN" interface=br-Uplink name="Smart Home-30" \
vlan-id=30
add comment="Users VLAN" interface=br-Uplink name=Users-100 vlan-id=100
add comment="Servers VLAN" interface=br-Uplink name=vlan12-Servers vlan-id=12
/interface list
add name=LAN
add name=WAN
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip kid-control
add disabled=yes name=Sofia
/ip pool
add name=dhcp_management_pool ranges=192.168.10.242-192.168.10.249
add name=dhcp_users_pool ranges=192.168.100.100-192.168.100.249
add name=dhcp_smarthome_pool ranges=192.168.30.100-192.168.30.249
add name=dhcp_servers_pool ranges=192.168.12.242-192.168.12.254
/ip dhcp-server
add address-pool=dhcp_management_pool interface=Management-10 name=\
dhcp-management
add address-pool=dhcp_smarthome_pool interface="Smart Home-30" name=\
"dhcp-smart home"
add address-pool=dhcp_servers_pool interface=vlan12-Servers name=dhcp-servers
# AdGuard Home container, root filesystem on usb1, attached to veth1.
/container
add interface=veth1 root-dir=usb1/Adguard start-on-boot=yes workdir=\
/opt/adguardhome/work
/container config
set registry-url=https://registry-1.docker.io tmpdir=usb2
# ether1 (PoE switch / Wi-Fi) and ether2 (proxmox) are hybrid trunks with
# native VLAN 30 and 12 respectively; ether3/4/7 are untagged-only access ports.
/interface bridge port
add bridge=br-Uplink comment="unmanaged switch poe" interface=\
ether1-LAN-Hybrid internal-path-cost=10 path-cost=10 pvid=30
add bridge=br-Uplink comment=proxmox interface=ether2-LAN-Hybrid pvid=12
add bridge=br-Uplink comment="ABB IPS" frame-types=\
admit-only-untagged-and-priority-tagged interface=ether3-LAN-Access pvid=\
30
add bridge=br-Uplink comment="office(right socket)" frame-types=\
admit-only-untagged-and-priority-tagged interface=ether4-LAN pvid=10
add bridge=br-Uplink comment=unknown frame-types=\
admit-only-untagged-and-priority-tagged interface=ether7-LAN-mngmnt pvid=\
10
add bridge=containers interface=veth1
# udp-timeout is set explicitly to 10s. NOTE(review): confirm this is intended
# for UDP flows that traverse the router (WireGuard itself terminates here and
# is not affected, but forwarded UDP sessions idle longer than this are dropped
# from the connection table).
/ip firewall connection tracking
set udp-timeout=10s
# Neighbor discovery (MNDP/CDP/LLDP) only on management-facing interfaces.
/ip neighbor discovery-settings
set discover-interface-list=MGMT
# NOTE(review): ether2-LAN-Hybrid is listed as an untagged member of BOTH
# VLAN 12 and VLAN 11 (its pvid is 12). Egress frames of both VLANs would leave
# ether2 untagged, so the proxmox host could not tell them apart; VLAN 11 most
# likely needs to be in the tagged list for ether2 instead.
/interface bridge vlan
add bridge=br-Uplink tagged=ether2-LAN-Hybrid,br-Uplink untagged=\
ether1-LAN-Hybrid,ether3-LAN-Access vlan-ids=30
add bridge=br-Uplink comment="wifi users" tagged=\
ether1-LAN-Hybrid,br-Uplink,ether2-LAN-Hybrid vlan-ids=100
add bridge=br-Uplink tagged=ether1-LAN-Hybrid,br-Uplink,ether2-LAN-Hybrid \
vlan-ids=10
add bridge=br-Uplink tagged=ether1-LAN-Hybrid,br-Uplink untagged=\
ether2-LAN-Hybrid vlan-ids=12
add bridge=br-Uplink tagged=ether1-LAN-Hybrid,br-Uplink untagged=\
ether2-LAN-Hybrid vlan-ids=11
# wireguard1 is a member of both LAN and MGMT; management reachability from
# the tunnel is additionally gated by the Authorized address list in the
# firewall (peer tunnel addresses 10.10.20.2-4 are listed there).
/interface list member
add interface=ether8-WAN-Static list=WAN
add interface=Management-10 list=LAN
add disabled=yes interface=br-Uplink list=LAN
add interface=Users-100 list=LAN
add interface=wireguard1 list=LAN
add interface=wireguard1 list=MGMT
add interface=Management-10 list=MGMT
add interface="Smart Home-30" list=LAN
add interface=vlan12-Servers list=LAN
# Peer public keys are redacted in this paste. Two peers push the AdGuard
# resolver (172.17.0.2) as client DNS; the first peer (lubo-pc) does not.
/interface wireguard peers
add allowed-address=10.10.20.2/32 comment=lubo-pc interface=wireguard1 \
public-key="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
add allowed-address=10.10.20.3/32 client-dns=172.17.0.2 comment=\
"Lubo iphone 15 Pro" interface=wireguard1 public-key=\
"qY77/YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY"
add allowed-address=10.10.20.4/32 client-dns=172.17.0.2 interface=wireguard1 \
public-key="ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ"
# WAN host address is redacted; the router is the .1 gateway of every VLAN.
/ip address
add address=XXX.XXX.XX.XX/24 interface=ether8-WAN-Static network=151.237.32.0
add address=192.168.12.1/24 interface=vlan12-Servers network=192.168.12.0
add address=192.168.100.1/24 interface=Users-100 network=192.168.100.0
add address=192.168.10.1/24 interface=Management-10 network=192.168.10.0
add address=192.168.30.1/24 interface="Smart Home-30" network=192.168.30.0
add address=10.10.20.1/24 interface=wireguard1 network=10.10.20.0
add address=172.17.0.1/24 interface=containers network=172.17.0.0
/ip dhcp-server
add address-pool=dhcp_users_pool interface=Users-100 name=dhcp-users \
parent-queue=*FFFFFFFF
# Static leases. The Authorized address list below trusts 192.168.10.250 (and,
# disabled, 192.168.30.250 / 192.168.100.251) by IP; those addresses come from
# these leases, so management authorization rests on a DHCP lease plus source
# IP on a shared L2 segment, not on an authenticated identity.
# NOTE(review): the 192.168.12.4-.8 entries (bumblebee, docker-server, calibre,
# rclone-service, ironhide) carry no server= attribute; confirm they bind to
# dhcp-servers as intended.
/ip dhcp-server lease
add address=192.168.10.250 client-id=1:d8:d0:90:1b:5b:af comment=\
"Lubo Yoga Wired" mac-address=D8:D0:90:1B:5B:AF server=dhcp-management
add address=192.168.10.6 client-id=1:1c:61:b4:14:a0:2c comment=\
"TP Link EAP 615 Bedroom" mac-address=1C:61:B4:14:A0:2C server=\
dhcp-management
add address=192.168.10.5 client-id=1:1c:61:b4:14:a9:a8 comment=\
"TP Link EAP 615 Living Room" mac-address=1C:61:B4:14:A9:A8 server=\
dhcp-management
add address=192.168.100.204 client-id=1:48:a6:b8:7:73:e2 comment="Sonos ARC" \
mac-address=48:A6:B8:07:73:E2 server=dhcp-users
add address=192.168.100.249 client-id=1:72:70:2a:fe:13:ab comment=\
"iPad Living Room" mac-address=72:70:2A:FE:13:AB server=dhcp-users
add address=192.168.100.203 client-id=1:54:2a:1b:23:ee:38 comment="Sonos SUB" \
mac-address=54:2A:1B:23:EE:38 server=dhcp-users
add address=192.168.100.202 client-id=1:f0:f6:c1:c5:cf:d4 comment=\
"Sonos ERA 300" mac-address=F0:F6:C1:C5:CF:D4 server=dhcp-users
add address=192.168.100.201 client-id=1:f0:f6:c1:c5:cf:58 comment=\
"Sonos ERA 300" mac-address=F0:F6:C1:C5:CF:58 server=dhcp-users
add address=192.168.30.2 client-id=1:2:78:7f:7f:66:2e comment=\
"Home Assistant" mac-address=02:78:7F:7F:66:2E server="dhcp-smart home"
add address=192.168.30.205 client-id=1:64:d2:c4:e1:f5:dc comment=\
"Apple TV Bedroom - Wireless" mac-address=64:D2:C4:E1:F5:DC server=\
"dhcp-smart home"
add address=192.168.30.3 comment="ABB IPS2.1 (KNX)" mac-address=\
00:0C:DE:93:50:5A server="dhcp-smart home"
add address=192.168.30.250 client-id=1:b0:a4:60:9a:8c:1a comment=\
"YOGA camelot" mac-address=B0:A4:60:9A:8C:1A server="dhcp-smart home"
add address=192.168.100.250 client-id=1:b0:a4:60:9a:8c:1a comment=\
"YOGA castle" mac-address=B0:A4:60:9A:8C:1A server=dhcp-users
add address=192.168.30.4 client-id=1:0:24:6d:2:a6:6c comment=1HOME \
mac-address=00:24:6D:02:A6:6C server="dhcp-smart home"
add address=192.168.30.5 client-id=1:64:d2:c4:d4:fb:c7 comment=\
"Apple TV Bedroom - Wired" mac-address=64:D2:C4:D4:FB:C7 server=\
"dhcp-smart home"
add address=192.168.12.244 client-id=1:3c:2a:f4:4c:81:e8 comment=\
"Brother HL-3170CDW Printer" mac-address=3C:2A:F4:4C:81:E8 server=\
dhcp-servers
add address=192.168.30.251 client-id=1:e2:2e:15:51:59:4e comment=\
"Lubo Ipad Pro" mac-address=E2:2E:15:51:59:4E server="dhcp-smart home"
add address=192.168.100.251 client-id=1:9a:62:bd:95:32:39 comment=\
"Lubo IPhone 15 Pro" mac-address=9A:62:BD:95:32:39 server=dhcp-users
add address=192.168.30.252 client-id=1:36:aa:c:fc:82:7d comment=\
"Lubo IPhone 15 Pro" mac-address=36:AA:0C:FC:82:7D server=\
"dhcp-smart home"
add address=192.168.30.194 client-id=1:68:fc:ca:ce:9d:42 comment=\
"\?\?\? Sofia Device" mac-address=68:FC:CA:CE:9D:42 server=\
"dhcp-smart home"
add address=192.168.100.10 client-id=1:c2:47:9e:35:37:4d comment=\
"Lubo iPhone" mac-address=C2:47:9E:35:37:4D server=dhcp-users
add address=192.168.100.179 client-id=1:82:46:39:9f:cb:1d comment=\
"\?\?\? Sofia Device" mac-address=82:46:39:9F:CB:1D server=dhcp-users
add address=192.168.100.144 client-id=1:4a:3a:9d:84:1f:47 comment=\
"\?\?\? Sofia Device" mac-address=4A:3A:9D:84:1F:47 server=dhcp-users
add address=192.168.100.143 client-id=1:32:4:6b:61:39:85 comment=\
"Lubo Iphone" mac-address=32:04:6B:61:39:85 server=dhcp-users
add address=192.168.100.2 client-id=1:bc:24:11:62:b7:2a comment=\
"Home Assistant second interface" mac-address=BC:24:11:62:B7:2A server=\
dhcp-users
add address=192.168.100.4 comment="Tedee Bridge" mac-address=\
94:C9:60:DF:C1:65 server=dhcp-users
add address=192.168.100.142 client-id=1:6c:c7:ec:91:f7:b1 comment=\
"Sofia Galaxy S9" mac-address=6C:C7:EC:91:F7:B1 server=dhcp-users
add address=192.168.100.173 client-id=1:f4:3b:d8:11:2b:c3 comment=\
"Sofia School Tablet" mac-address=F4:3B:D8:11:2B:C3 server=dhcp-users
add address=192.168.100.3 client-id=1:a0:dd:6c:29:6e:4 comment=\
"Shelly Plus Uni" mac-address=A0:DD:6C:29:6E:04 server=dhcp-users
add address=192.168.100.127 client-id=1:8e:4b:3f:da:e2:c6 comment=\
"lubo iphone" mac-address=8E:4B:3F:DA:E2:C6 server=dhcp-users
add address=192.168.30.6 client-id=1:ec:71:db:1b:95:5c comment=\
"reolink camera" mac-address=EC:71:DB:1B:95:5C server="dhcp-smart home"
add address=192.168.12.4 comment=bumblebee mac-address=7A:33:B6:2F:9E:8F
add address=192.168.12.5 comment="docker-server(wiki-js)" mac-address=\
3A:A8:87:E3:A2:9A
add address=192.168.12.7 comment=calibre mac-address=FA:75:1F:A8:D2:F4
add address=192.168.12.6 comment=rclone-service mac-address=BC:24:11:3A:C7:90
add address=192.168.12.245 client-id=\
ff:ca:53:9:5a:0:2:0:0:ab:11:67:b8:45:2:18:ee:dd:bf comment="omv nas" \
mac-address=BC:24:11:73:9C:B2 server=dhcp-servers
# 192.168.12.8 (ironhide) is the docker host targeted by the 80/443 forwards.
add address=192.168.12.8 comment=ironhide mac-address=BC:24:11:D3:9A:04
# Only the users network is handed the AdGuard resolver (172.17.0.2);
# management, servers and smart-home clients go straight to 8.8.8.8. Those
# clients therefore get no AdGuard filtering and will not see any local DNS
# rewrite for the docker apps' FQDNs -- relevant to the hairpin question.
/ip dhcp-server network
add address=192.168.10.0/24 comment=mngmt dns-server=8.8.8.8 gateway=\
192.168.10.1
add address=192.168.12.0/24 comment=servers dns-server=8.8.8.8 gateway=\
192.168.12.1
add address=192.168.30.0/24 comment="smart home" dns-server=8.8.8.8 gateway=\
192.168.30.1
add address=192.168.100.0/24 comment=users dns-server=172.17.0.2,8.8.8.8 \
gateway=192.168.100.1
# allow-remote-requests=yes turns the router into a resolver; exposure is
# bounded by the input chain below, which accepts TCP/UDP 53 only from the
# LAN interface list and drops everything else, so it is not an open resolver
# towards the WAN.
/ip dns
set allow-remote-requests=yes servers=172.17.0.2,8.8.8.8
# LAN list = the four RFC1918 VLANs plus the WireGuard subnet. The Svetulcho
# list is not referenced by any rule in this export. Authorized is the
# management allow-list (IP-based, see the lease note above).
/ip firewall address-list
add address=192.168.12.0/24 list=Servers
add address=192.168.100.0/24 list=Users
add address=192.168.30.0/24 list=SmartHome
add address=192.168.12.0/24 list=LAN
add address=192.168.30.0/24 list=LAN
add address=192.168.10.0/24 list=LAN
add address=192.168.100.0/24 list=LAN
add address=XXX.XXX.XXX.XXX list=Svetulcho
add address=192.168.10.250 comment="admin local" list=Authorized
add address=192.168.30.250 comment="admin wifi" disabled=yes list=Authorized
add address=10.10.20.2 comment="admin remote wireguard" list=Authorized
add address=10.10.20.3 comment="admin remote ios wireguard" list=Authorized
add address=192.168.100.251 comment="admin wifi" disabled=yes list=Authorized
add address=10.10.20.4 comment="admin remote ios wireguard" list=Authorized
add address=10.10.20.0/24 list=LAN
# Forward chain: default-deny between VLANs. Only LAN->WAN, a few explicit
# LAN->service holes (Home Assistant, MQTT, doorbell, AdGuard), MGMT->LAN for
# Authorized sources, and dst-nat'ed connections are allowed. Note there is no
# rule letting Users/SmartHome reach 192.168.12.0/24 directly, so a split-DNS
# answer pointing an FQDN at 192.168.12.8 also needs an accept rule here.
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" \
in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow access from LAN to Plex" \
disabled=yes dst-address=192.168.12.140 dst-port=32400 protocol=tcp \
src-address-list=LAN
add action=accept chain=forward comment="allow access from LAN to Frigate" \
disabled=yes dst-address=192.168.12.141 src-address-list=LAN
add action=accept chain=forward comment=\
"allow access from LAN to Home Assistant" dst-address=192.168.30.2 \
dst-port=8123 protocol=tcp src-address-list=LAN
add action=accept chain=forward comment=\
"allow access from LAN to MQTT service @ Home Assistant" dst-address=\
192.168.30.2 dst-port=1883 protocol=tcp src-address-list=LAN
add action=accept chain=forward comment="Allow connection to doorbell camera" \
dst-address=192.168.30.6 protocol=tcp src-address-list=LAN
add action=accept chain=forward comment="LAN to Adguard" dst-address=\
172.17.0.2 src-address-list=LAN
add action=accept chain=forward in-interface-list=MGMT out-interface-list=LAN \
src-address-list=Authorized
# Accepts ANY connection that went through dst-nat, regardless of source
# interface. If the dst-nat rules are widened beyond the WAN interface (as a
# hairpin requires), LAN-originated forwards are accepted by this rule too.
add action=accept chain=forward comment="port forwarding" \
connection-nat-state=dstnat
# Containers may only reach the WAN; container->LAN falls through to the drop.
add action=accept chain=forward comment=\
"allow access for containers to internet" in-interface=containers \
out-interface=ether8-WAN-Static
add action=drop chain=forward comment="Drop all else"
add action=accept chain=input comment=\
"accept established, related, untracked" connection-state=\
established,related,untracked
add action=drop chain=input connection-state=invalid
# ICMP is accepted from every interface, including the WAN, with no rate limit.
add action=accept chain=input protocol=icmp
# WireGuard handshake must be reachable from the Internet; the peer list is
# the authentication.
add action=accept chain=input comment="wireguard handshake" dst-port=14567 \
protocol=udp
# Management needs BOTH a MGMT-list ingress interface and an Authorized source.
add action=accept chain=input comment="Access for MGMT" in-interface-list=\
MGMT src-address-list=Authorized
add action=accept chain=input comment="users to services" dst-port=53 \
in-interface-list=LAN protocol=udp
add action=accept chain=input comment="users to services" dst-port=53 \
in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="Drop all else"
# NAT. The 80/443 forwards to 192.168.12.8:81/444 match
# in-interface=ether8-WAN-Static only, so a LAN client that resolves the public
# FQDN to the WAN address is never translated (the connection hits the docker
# host's ports through the router's own address and fails). A hairpin needs:
#  (a) the two dst-nat rules to match the WAN address as destination rather
#      than the ingress interface, e.g. dst-address=XXX.XXX.XX.XX (WAN IP)
#      instead of in-interface=..., so LAN-originated packets are translated
#      as well (the "port forwarding" forward rule then accepts them); and
#  (b) a srcnat masquerade for src-address=192.168.12.0/24 dst-address=
#      192.168.12.8 so that replies from clients in the SAME subnet as the
#      server come back via the router instead of directly to the client.
#      Clients on other VLANs already return through 192.168.12.1 and need no
#      srcnat.
# Alternative: a split-horizon rewrite in the AdGuard resolver (FQDN ->
# 192.168.12.8) avoids NAT entirely, but only for clients that use 172.17.0.2
# (currently the users VLAN and two WireGuard peers), and it requires an
# explicit forward accept rule to 192.168.12.8 since direct LAN->Servers
# traffic is dropped above.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether8-WAN-Static
add action=dst-nat chain=dstnat comment="port 443 to nginx proxy" disabled=\
yes dst-port=443 in-interface=ether8-WAN-Static protocol=tcp \
to-addresses=192.168.12.254 to-ports=443
add action=dst-nat chain=dstnat comment="port 80 to docker host" dst-port=80 \
in-interface=ether8-WAN-Static protocol=tcp to-addresses=192.168.12.8 \
to-ports=81
add action=dst-nat chain=dstnat comment="port 443 to docker host" dst-port=\
443 in-interface=ether8-WAN-Static protocol=tcp to-addresses=192.168.12.8 \
to-ports=444
add action=dst-nat chain=dstnat comment="port 32400 to Plex" disabled=yes \
dst-port=32400 in-interface=ether8-WAN-Static protocol=tcp to-addresses=\
192.168.12.140 to-ports=32400
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=151.237.32.1 routing-table=main \
suppress-hw-offload=no
# Only the HTTP service is disabled here; the remaining services keep their
# defaults (not shown in an export) and are reachable only where the input
# chain allows, i.e. MGMT interfaces from Authorized sources.
/ip service
set www disabled=yes
/system clock
set time-zone-name=Europe/Sofia
/system identity
set name=RB5009
/system note
set show-at-login=no
# MAC-Winbox restricted to the MGMT interface list.
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
/tool sniffer
set filter-interface=ether2-LAN-Hybrid
Thanks.