I can't view my Websites from LOCAL (LAN), because via LAN I see Webfig.

Hi, I have a problem with my new MikroTik router. I have two servers in my office; from an external connection (WAN) I can see the websites and other pages via the HTTPD protocol and the FTP/SFTP protocol.
But if I make a connection to my public IP or domain (pointed at my public IP with nameservers and DNS) I see WebFig. I don't want WebFig, I would like to disable it, because I'm using WinBox.

Also, I would like to work on and view my websites (and client area) from my office; I can't connect to my server for work from another connection! It's important to connect to the server via the Local Area Network of my office.

So, how can I disable WebFig? And how can I view and use my services (website, SSH, SFTP, and others…) via the LAN of my office?

Can you help me please?

Thanks, have a good day!

# apr/24/2020 11:42:41 by RouterOS 6.43.16
# software id = DI0N-3PZP
#
# model = RB3011UiAS
# serial number = B88E0BB9A60E
/interface bridge
add admin-mac=C4:AD:34:2F:39:49 auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    password=MYPASSWORD service-name=MYISPNAME use-peer-dns=yes user=MYUSERNAME
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server lease
add address=192.168.88.232 comment="Server-002 (VHM & cPanel)" mac-address=\
    00:15:5D:00:6C:14 server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=CPAN dst-port=1 in-interface-list=WAN \
    protocol=tcp to-addresses=192.168.88.232 to-ports=1
add action=dst-nat chain=dstnat comment=FTP dst-port=20 in-interface-list=WAN \
    protocol=tcp to-addresses=192.168.88.232 to-ports=20
add action=dst-nat chain=dstnat comment=FTP dst-port=21 in-interface-list=WAN \
    protocol=tcp to-addresses=192.168.88.232 to-ports=21
add action=dst-nat chain=dstnat comment=SSH dst-port=22 in-interface-list=WAN \
    protocol=tcp to-addresses=192.168.88.232 to-ports=22
add action=dst-nat chain=dstnat comment=SMTP dst-port=25 in-interface-list=WAN \
    protocol=tcp to-addresses=192.168.88.232 to-ports=25
add action=dst-nat chain=dstnat comment=SMTP dst-port=26 in-interface-list=WAN \
    protocol=tcp to-addresses=192.168.88.232 to-ports=26
add action=dst-nat chain=dstnat comment=RDATE dst-port=37 in-interface-list=WAN \
    protocol=tcp to-addresses=192.168.88.232 to-ports=37
add action=dst-nat chain=dstnat comment=WHOIS dst-port=43 in-interface-list=WAN \
    protocol=tcp to-addresses=192.168.88.232 to-ports=43
add action=dst-nat chain=dstnat comment=DNS dst-port=53 in-interface-list=WAN \
    protocol=tcp to-addresses=192.168.88.232 to-ports=53
add action=dst-nat chain=dstnat comment=DNS dst-port=53 in-interface-list=WAN \
    protocol=udp to-addresses=192.168.88.232 to-ports=53
add action=dst-nat chain=dstnat comment=HTTPD dst-port=80 in-interface-list=WAN \
    protocol=tcp to-addresses=192.168.88.232 to-ports=80
add action=dst-nat chain=dstnat comment=POP3 dst-port=110 in-interface-list=WAN \
    protocol=tcp to-addresses=192.168.88.232 to-ports=110
add action=dst-nat chain=dstnat comment=IDENT dst-port=113 in-interface-list=\
    WAN protocol=tcp to-addresses=192.168.88.232 to-ports=113
add action=dst-nat chain=dstnat comment=IMAP dst-port=143 in-interface-list=WAN \
    protocol=tcp to-addresses=192.168.88.232 to-ports=143
add action=dst-nat chain=dstnat comment=HTTPD dst-port=443 in-interface-list=\
    WAN protocol=tcp to-addresses=192.168.88.232 to-ports=443
add action=dst-nat chain=dstnat comment=HTTPD dst-port=443 in-interface-list=\
    WAN protocol=udp to-addresses=192.168.88.232 to-ports=443
add action=dst-nat chain=dstnat comment=SMTP-SSL/TLS dst-port=465 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.88.232 to-ports=465
add action=dst-nat chain=dstnat comment=cPHulk dst-port=579 in-interface-list=\
    WAN protocol=tcp to-addresses=192.168.88.232 to-ports=579
add action=dst-nat chain=dstnat comment=Exim dst-port=587 in-interface-list=WAN \
    protocol=tcp to-addresses=192.168.88.232 to-ports=587
add action=dst-nat chain=dstnat comment=ApacheSpamAssassin dst-port=783 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.88.232 to-ports=783
add action=dst-nat chain=dstnat comment=ApacheSpamAssassin dst-port=783 \
    in-interface-list=WAN protocol=udp to-addresses=192.168.88.232 to-ports=783
add action=dst-nat chain=dstnat comment=Rsync dst-port=873 in-interface-list=\
    WAN protocol=tcp to-addresses=192.168.88.232 to-ports=873
add action=dst-nat chain=dstnat comment=Rsync dst-port=873 in-interface-list=\
    WAN protocol=udp to-addresses=192.168.88.232 to-ports=873
add action=dst-nat chain=dstnat comment=IMAPSSL dst-port=993 in-interface-list=\
    WAN protocol=tcp to-addresses=192.168.88.232 to-ports=993
add action=dst-nat chain=dstnat comment=POP3SSL dst-port=995 in-interface-list=\
    WAN protocol=tcp to-addresses=192.168.88.232 to-ports=995
add action=dst-nat chain=dstnat comment=Razor dst-port=2073 in-interface-list=\
    WAN protocol=tcp to-addresses=192.168.88.232 to-ports=2073
add action=dst-nat chain=dstnat comment=WebDAV dst-port=2077 in-interface-list=\
    WAN protocol=tcp to-addresses=192.168.88.232 to-ports=2077
add action=dst-nat chain=dstnat comment=WebDAVSSL dst-port=2078 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.88.232 to-ports=\
    2078
add action=dst-nat chain=dstnat comment=CalDAV-CardDAV dst-port=2079 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.88.232 to-ports=\
    2079
add action=dst-nat chain=dstnat comment=CalDAV-CardDAVSSL dst-port=2080 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.88.232 to-ports=\
    2080
add action=dst-nat chain=dstnat comment=cPanel dst-port=2082 in-interface-list=\
    WAN protocol=tcp to-addresses=192.168.88.232 to-ports=2082
add action=dst-nat chain=dstnat comment=cPanelSSL dst-port=2083 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.88.232 to-ports=\
    2083
add action=dst-nat chain=dstnat comment=VHM dst-port=2086 in-interface-list=WAN \
    protocol=tcp to-addresses=192.168.88.232 to-ports=2086
add action=dst-nat chain=dstnat comment=VHMSSL dst-port=2087 in-interface-list=\
    WAN protocol=tcp to-addresses=192.168.88.232 to-ports=2087
add action=dst-nat chain=dstnat comment=WebMail dst-port=2095 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.88.232 to-ports=\
    2095
add action=dst-nat chain=dstnat comment=WebMailSSL dst-port=2096 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.88.232 to-ports=\
    2096
add action=dst-nat chain=dstnat comment=MySQL dst-port=3306 in-interface-list=\
    WAN protocol=tcp to-addresses=192.168.88.232 to-ports=3306
add action=dst-nat chain=dstnat comment=DCC dst-port=6277 in-interface-list=WAN \
    protocol=tcp to-addresses=192.168.88.232 to-ports=6277
add action=dst-nat chain=dstnat comment=DCC dst-port=6277 in-interface-list=WAN \
    protocol=udp to-addresses=192.168.88.232 to-ports=6277
add action=dst-nat chain=dstnat comment=Pyzor dst-port=24441 in-interface-list=\
    WAN protocol=tcp to-addresses=192.168.88.232 to-ports=24441
add action=dst-nat chain=dstnat comment=Pyzor dst-port=24441 in-interface-list=\
    WAN protocol=udp to-addresses=192.168.88.232 to-ports=24441
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=Router-001
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Disabling WebFig alone will not fix it.
What you need is HAIRPIN NAT (aka "NAT Loopback").
There are dozens of examples on this forum; basically you need to add specific rules to make it work.

https://wiki.mikrotik.com/wiki/Hairpin_NAT

I can't set that! The MikroTik IP is 192.168.88.1 and the server IP is 192.168.88.232; what command do I write in the RouterOS terminal to apply the configuration that you suggest?

Disabling WebFig is simple: in IP → Services, disable "www" and "www-ssl" to disable WebFig.
In the CLI this would be something like

/ip service
set www-ssl address=office.internal.IP-range disabled=yes
set www address=office.internal.IP-range disabled=yes

Then for the hairpin (to be able to access your internal resources FROM the inside LAN when doing http(s)://my.public.ip):

/ip firewall nat
add action=masquerade chain=srcnat comment="Mikrotik Hairpin NAT" dst-address=192.168.88.0/24 protocol=tcp src-address=192.168.88.0/24 to-addresses=192.168.88.232

Add this NAT statement as your first rule, all the way at the top. You'll have to create it with the "add-before" config option to insert it at the top, or first use WebFig/WinBox to easily "drag" it to the top.

You should be good then. Not sure if you need an additional FORWARD rule. You have these rules to allow traffic in the FORWARD chain, but it's for related,established packets. Your first packets will be new ones.

Okay, first error; I wonder that your network works at all…
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0

Should be
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0

Advice from previous poster for hairpin nat is close but there is no TO rule for that extra sourcenat config line.
Should be
add action=masquerade chain=srcnat comment="Mikrotik Hairpin NAT" dst-address=192.168.88.0/24 protocol=tcp src-address=192.168.88.0/24

Since you have a dynamic WAN IP, you have two options for destination NAT if you want to be able to reach all of those services from the LAN side using the WAN IP.
Regardless of that decision, I can boil down all your rules to two rules, which will be helpful whichever route you decide on for hairpin NAT.

add action=dst-nat chain=dstnat dst-port=1,20,21,22,25,26,37,43,53,80,110,113,143,443,465,579,587,783,873,993,995,2073,2077,2078,2079,2080,2082,2083,2086,2087,2095,2096,3306,6277,24441 in-interface-list=WAN protocol=tcp to-addresses=192.168.88.232

add action=dst-nat chain=dstnat dst-port=53,443,783,873,6277,24441 in-interface-list=WAN protocol=udp to-addresses=192.168.88.232

Hairpin NAT is for when the user/device is in the same subnet as the server!
Note the extra masquerade rule works and is required for both cases: 1. fixed, static WAN IP and 2. dynamic WAN IP.
For a fixed static WAN IP there is no change to the DSTNAT rules (except drop in-interface-list=WAN and replace that with dst-address=fixedwanip).

For a dynamic WAN IP it's a tad more complicated, with two options.

Option A - Use the MT cloud service*** and slightly alter the dstnat rules (works for internal and external users).

add action=dst-nat chain=dstnat dst-address-list=cloudDNS dst-port={tcplist} protocol=tcp to-addresses=192.168.88.232

add action=dst-nat chain=dstnat dst-address-list=cloudDNS dst-port={udplist} protocol=udp to-addresses=192.168.88.232

*** Requires
a. Turn on the MikroTik cloud service
b. Go to IP -> Firewall -> Address Lists, create an entry with whatever name you wish, e.g. "cloudDNS", and as the address type the cloud DNS name of your MikroTik…
This will automatically resolve the name to your public IP address…
c. If you have a DynDNS name already or something similar, I think you can simply point it at the cloud DNS.

Option B - Modify the existing DST NAT rules (and thus why it's easier to change two rules vice a gazillion).

add chain=dstnat action=dst-nat dst-address=!192.168.88.1 dst-address-type=local protocol=tcp dst-port={tcplist} to-addresses=192.168.88.232

add chain=dstnat action=dst-nat dst-address=!192.168.88.1 dst-address-type=local protocol=udp dst-port={udplist} to-addresses=192.168.88.232
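Added here as an example, not code from this thread or from MikroTik: a small Python audit that parses a RouterOS "/export" in the form posted above and flags the two corrections made in this reply (the LAN address sitting on ether2 instead of the bridge, and a hairpin masquerade rule that carries to-addresses), as well as a missing hairpin rule. The sample export below is constructed from the thread's configuration.

```python
import re
from collections import defaultdict
# Constructed "/export" excerpt modelled on the config posted in this thread.
SAMPLE_EXPORT = r"""
/interface bridge port
add bridge=bridge interface=ether2
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
    192.168.88.0
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=192.168.88.232
add action=masquerade chain=srcnat comment="Mikrotik Hairpin NAT" dst-address=192.168.88.0/24 \
    protocol=tcp src-address=192.168.88.0/24 to-addresses=192.168.88.232
"""

def parse_export(text):
    """Parse add/set lines into {section: [{key: value, ...}, ...]}."""
    cfg, section, buf = defaultdict(list), None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cont, frag = line.endswith("\\"), line.rstrip("\\").rstrip()
        # a value wrapped after '=' or ',' continues with no space in between
        buf += frag if not buf or buf.endswith(("=", ",")) else " " + frag
        if cont:
            continue
        line, buf = buf, ""
        if line.startswith("/"):
            section = line
        else:
            kv = re.findall(r'(\S+?)=("[^"]*"|\S+)', line.partition(" ")[2])
            cfg[section].append({k: v.strip('"') for k, v in kv})
    return cfg

def audit(cfg):
    """Findings that mirror the two corrections made in this thread."""
    out, nat = [], cfg["/ip firewall nat"]
    ports = {p["interface"]: p["bridge"] for p in cfg["/interface bridge port"]}
    for a in cfg["/ip address"]:
        if a.get("interface") in ports:  # the LAN address belongs on the bridge itself
            out.append(f"{a['address']} is on port {a['interface']}, not on {ports[a['interface']]}")
    # hairpin rule: srcnat masquerade where source and destination are both the LAN
    hp = [r for r in nat if r.get("chain") == "srcnat" and r.get("src-address")
          and r.get("src-address") == r.get("dst-address")]
    if not hp:
        out.append("no hairpin srcnat rule: LAN clients cannot reach the server via the WAN IP")
    elif "to-addresses" in hp[0]:
        out.append("hairpin masquerade rule must not set to-addresses")
    return out
```

Running audit(parse_export(open("export.rsc").read())) against a real export (the file name is an assumption) reports the same two findings on the thread's original config and nothing once the address is moved to the bridge and the hairpin rule loses its to-addresses.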

Interesting finding indeed. So my WebFig/WinBox does indeed have the hairpin NAT rule like you say, WITHOUT a TO rule in any of the populated fields.
However, when I went into SSH and did an export of that, it DID contain this… strange!

I've deleted & re-created my hairpin rule anyway, and now indeed there is no "to" rule reference anymore (as it should be) when I check in SSH.

I wouldn't use SSH to access anything, VPN only, but then I am leery of SSH.