I cannot locally reach my local web server.

I can remotely reach my local web server with the following rule…

/ip firewall nat add chain=dstnat action=dst-nat protocol=tcp in-interface-list=WAN dst-port=443 to-addresses=10.0.0.10 to-ports=443 comment="myconf: HTTPS"

However, I cannot reach my local web server from the LAN…

curl --insecure https://10.0.0.10
curl: (7) Failed to connect to www.example.com port 443 after 21008 ms: Connection refused

I tried the suggested hairpin rules to no effect…
/ip firewall address-list add address=192.168.1.0/24 list=LANS comment="MNIC"
/ip firewall address-list add address=10.0.0.0/24 list=LANS comment="XNIC"
/ip firewall address-list add address=192.168.2.4 list=WANS comment="WAN"
/ip firewall mangle add chain=prerouting action=mark-connection dst-address-list=WANS new-connection-mark="Hairpin NAT" passthrough=yes src-address-list=LANS comment="Mark connections for hairpin NAT"
/ip firewall nat add chain=srcnat action=masquerade connection-mark="Hairpin NAT" place-before=0 comment="Hairpin NAT"

I apologize for being daft at networking.

Thanks for looking!


My base configuration is as follows…

# jan/02/1970 00:01:31 by RouterOS 7.8
# software id = SQHV-H5U8
#
# model = RB5009UG+S+
# serial number = HF309DV1GSA
/interface bridge
add admin-mac=78:9A:18:5D:E5:1D auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add comment=myconf name=XNIC ranges=10.0.0.200-10.0.0.240
/ip dhcp-server
add address-pool=XNIC comment=myconf interface=bridge name=dhcp1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.0.0.1/24 comment="myconf: LAN" interface=bridge network=10.0.0.0
add address=192.168.2.4/24 comment="myconf: WAN" interface=ether1 network=192.168.2.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=10.0.0.0/24 comment=myconf dns-server=10.0.0.1 gateway=10.0.0.1 netmask=24
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set servers=1.1.1.1,8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="myconf: HTTP" dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=10.0.0.246 to-ports=80
add action=dst-nat chain=dstnat comment="myconf: HTTPS" dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=10.0.0.10 to-ports=443
/ip route
add comment=myconf dst-address=10.0.0.0/24 gateway=bridge
add comment=myconf dst-address=192.168.2.0/24 gateway=ether1
add comment=myconf dst-address=0.0.0.0/0 gateway=192.168.2.1
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

There is an easier hairpin NAT rule:

https://help.mikrotik.com/docs/display/ROS/NAT#NAT-HairpinNAT

No need of mangle whatsoever

P.S. You shouldn’t consider the 192.168.1.0 network for the hairpin NAT rule because the web server is not part of it

Per the docs you directed me to, I tried adding the following rule…
[picasso@MikroTik] /ip/firewall/nat> add action=masquerade chain=srcnat dst-address=10.0.0.10 out-interface=LAN protocol=tcp src-address=10.0.0.0/24
input does not match any value of interface

Also, I have many local servers that I wish to access locally. Is there a general rule that would hairpin nat them all rather than having to make a rule for each one?

Thanks!

The rule can be generalized with the help of address lists - add all addresses of local servers to an address list and reference it in the hairpin NAT rule (dst-address-list instead of dst-address). Also remove or disable the settings which include the default address 192.168.88.1 (/ip address, /ip dhcp-server, /ip dhcp-server network, etc.) because they’re a good premise for trouble

Observation. You do not have a public IP on the WAN side. However, you report successful exterior connectivity. It's always best to be upfront and state "no public IP, but I can forward a port on the upstream router (usually the ISP router) to my MikroTik", so that it's very clear what is going on!

Concur,
(1) Remove this line, it's getting in the way!!
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0

add address=10.0.0.1/24 comment="myconf: LAN" interface=bridge network=10.0.0.0

NOTE: you have no DHCP server settings for the default .88 network, and that is what gives me the impression it's a non-player in your configuration.

(2) If you manually added netmask for this to show up in the config, REMOVE IT.
/ip dhcp-server network
add address=10.0.0.0/24 comment=myconf dns-server=10.0.0.1 gateway=10.0.0.1 netmask=24

(3) Remove IP DNS STATIC setting

+++++++++++++++++++++++++++++++++++++++++++
(4) This one is part of your port forwarding issue… Modify this default rule in the forward chain
From:
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

TO:
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

(5) Similarly, you will need to modify your DST NAT RULES TO:
add action=dst-nat chain=dstnat comment="myconf: HTTP" dst-port=80 dst-address=192.168.2.4 protocol=tcp to-addresses=10.0.0.246
add action=dst-nat chain=dstnat comment="myconf: HTTPS" dst-port=443 dst-address=192.168.2.4 protocol=tcp to-addresses=10.0.0.10

Note1: to-ports is not required if identical to dst-port.
Note2: Ensure you have in IP services both WWW and WWW-SSL greyed out!!!

(6) Finally, if you have users attempting to reach the server from the same subnet, then use the following source NAT rule.
add chain=srcnat action=masquerade src-address=10.0.0.0/24 dst-address=10.0.0.0/24
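The address-list generalization suggested two replies up and steps (4) to (6) above, combined into one change set against the configuration posted earlier in the thread. This is an added example, not something any participant posted. It assumes the addresses already in that configuration (10.0.0.0/24 on bridge, 192.168.2.4 on ether1, servers 10.0.0.10 and 10.0.0.246); the address-list name "servers" and the rule comments are my own choice.

```routeros
# Added example (not from the thread): hairpin NAT for the addressing used above,
# applied as a delta to the posted configuration. Assumed: the address-list name
# "servers" and the rule comments; 10.0.0.246 is the target of the posted HTTP rule.

# 1. One address list for every forwarded server, so a single srcnat rule covers all.
/ip firewall address-list
add list=servers address=10.0.0.10  comment="HTTPS server"
add list=servers address=10.0.0.246 comment="HTTP server"

# 2. dst-nat keyed on the WAN *address* instead of the WAN *interface*. A LAN
#    client connecting to 192.168.2.4:443 is then rewritten to 10.0.0.10 as well.
#    With in-interface-list=WAN that packet is left alone and lands in the
#    router's own input chain, which is what the first post ran into.
/ip firewall nat
remove [find chain=dstnat comment~"^myconf"]
add chain=dstnat dst-address=192.168.2.4 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=10.0.0.246 comment="myconf: HTTP"
add chain=dstnat dst-address=192.168.2.4 protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=10.0.0.10 comment="myconf: HTTPS"

# 3. Hairpin masquerade, limited to dst-nat'ed connections from the LAN to a
#    listed server. Without it the server answers the client directly over the
#    bridge: the client expected a reply from 192.168.2.4, gets one from
#    10.0.0.10, and resets the connection.
add chain=srcnat src-address=10.0.0.0/24 dst-address-list=servers \
    connection-nat-state=dstnat action=masquerade comment="Hairpin NAT"

# 4. Forward chain, replacing the defconf "drop all from WAN not DSTNATed":
#    accept LAN->WAN, accept anything dst-nat'ed (from WAN or hairpinned), drop the rest.
/ip firewall filter
remove [find chain=forward comment="defconf: drop all from WAN not DSTNATed"]
add chain=forward in-interface-list=LAN out-interface-list=WAN action=accept \
    comment="internet traffic"
add chain=forward connection-nat-state=dstnat action=accept comment="port forwarding"
add chain=forward action=drop comment="drop all else"

# 5. Checks, run while a LAN host opens https://192.168.2.4/
#    Both the "myconf: HTTPS" and the "Hairpin NAT" counters must increase:
/ip firewall nat print stats
#    The tracked connection must show the dst-nat (reply-src-address 10.0.0.10:443)
#    and the masquerade (reply-dst-address 10.0.0.1:<port>, the router's bridge address):
/ip firewall connection print detail where dst-address~"^192.168.2.4:443"
```

Two caveats worth knowing before copying this. First, masquerade makes every hairpinned request arrive at the web server from 10.0.0.1, so the server's access logs lose the real client address; the dst-address-list and connection-nat-state=dstnat matchers keep that to forwarded connections only, and LAN clients that need to stay attributable can be given the server's 10.0.0.10 address directly through /ip dns static, which bypasses hairpin altogether. Second, keep the exact WAN address in the dst-nat rules: dst-address-type=local would also match 10.0.0.1:443 and swallow WebFig on the LAN side, which is the point made in the last reply about IP services.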

Anav, thank you very much for all your detailed suggestions!

Things are working great for me now!

I have one lingering question however.
Do I have to modify the ipv6 rules in any way?

Thanks!

P.S. I will try to be more concise in the future.

If you have IPv6 connectivity and you're not doing anything weird, access to the web server needs only accept rule(s) in the forward chain, e.g.:

/ipv6 firewall filter
add chain=forward dst-address=<server's address> protocol=tcp dst-port=80,443 action=accept

It may be a bit more complicated if you have dynamic addresses.
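Where that accept rule has to sit in the default IPv6 rule set posted earlier, as an added example that is not part of the reply above: the defconf forward chain ends with "drop everything else not coming from LAN", so a rule appended with a plain add lands after that drop and never matches. The address 2001:db8::10 is a placeholder (it is inside the documentation prefix that the posted bad_ipv6 list drops, so it must be replaced by the server's real global address), and the comment text is my own.

```routeros
# Added example: accept inbound TCP/80,443 to one IPv6 web server, inserted
# before the defconf "drop everything else not coming from LAN" forward rule.
# 2001:db8::10 is a placeholder; 2001:db8::/32 is in bad_ipv6 and would be
# dropped, so substitute the server's real global address.
/ipv6 firewall filter
add chain=forward dst-address=2001:db8::10/128 protocol=tcp dst-port=80,443 \
    action=accept comment="web server v6" \
    place-before=[find chain=forward comment="defconf: drop everything else not coming from LAN"]

# Check the order: the new rule must print above the final drop.
/ipv6 firewall filter print where chain=forward
# After a test connection from outside, its counters must have moved.
/ipv6 firewall filter print stats where comment="web server v6"
```

There is no NAT on the IPv6 side, so this single filter rule is the whole exposure: nothing else in the posted rule set lets new inbound connections through to the LAN.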

Not required. Dstnat will catch those packets and won't let them reach services on the router. And you might still want to use WebFig on addresses other than 192.168.2.4.

Ok, I think I have the idea. Thanks!