Hello everyone, I'm new to MikroTik. Recently I decided to give it a go with the RB2011UiAS-RM, which looked like great value for the money, and I'm quite happy with it.
The issue: I have a web server on one of the computers of my local network, running a small WordPress site. The port forwarding works without issues, but I wasn't able to access the site while on the local network. After some research I went for the hairpin method; it worked, but soon after I noticed that every port was being exposed to the internet. I have tried a few things, but I have not been able to keep the functionality while blocking all ports but 80.
This is what I did:
add action=masquerade chain=srcnat comment="Workaround for WEB Server behind NAT" dst-address=192.168.1.0/24 src-address=192.168.1.0/24
add action=src-nat chain=srcnat comment="Workaround for WEB Server behind NAT" src-address=192.168.1.20 to-addresses=(WAN IP)
add action=dst-nat chain=dstnat comment="Workaround for WEB Server behind NAT (exposes server, like DMZ)" disabled=yes dst-address=(WAN IP) protocol=tcp to-addresses=192.168.1.20 to-ports=80
Any ideas as how I could do this without making it a security risk?
Are you attempting to put the web server in a DMZ, or should it be on the LAN? If it is to reside on the LAN, you should never have to route anything to it from your LAN, i.e. the firewall rules will never apply in this case.
Assuming you want it on the LAN, something like the following ought to work:
add action=dst-nat chain=dstnat comment="Expose server from the world (TCP/80 only)" dst-address=(WAN IP) protocol=tcp dst-port=80 to-addresses=192.168.1.20 to-ports=80
add action=masquerade chain=srcnat comment="Hide private LAN segment behind NAT" out-interface=wan
Thanks for the reply. The "DMZ" in my comment is misleading; I wrote that to remind myself that that line would redirect all incoming traffic to this PC, like the DMZ option on a home router would. While I look into the configuration you posted, I will clarify my problem:
I have the web server on the LAN. It's a small network of around 10 PCs. One of them is a server running a web server that hosts a website. I have a registered domain, www.site.com, that points to my fixed WAN IP. I have configured the router so that incoming traffic on port 80 is redirected to the web server at the local IP 192.168.1.20. It works well. But when I try to access the website from another PC on the LAN, if I type the local address it works, but if I try the internet name www.site.com it doesn't. So I tried the hairpin method. It works too, but what I have noticed is that it also redirects all incoming traffic to this PC, exposing guest file sharing and other local services.
My question is: how can I keep the hairpin functionality without forwarding all incoming traffic to this PC?
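A complete rule set for the setup described in this thread, added here as an example; it is not the configuration of either poster. The reason the dst-nat rules in the thread forward every port is that they match on protocol=tcp and the WAN address only, with no dst-port, so any TCP connection to the public IP is rewritten to 192.168.1.20. Restricting the dst-nat rule to dst-port=80 is what keeps hairpin working while exposing only the web port; the filter rules then make sure NAT is not the only thing standing between the internet and the server. Assumptions in this example: the WAN interface is named ether1, the LAN is 192.168.1.0/24, the server is 192.168.1.20, and 203.0.113.10 is a documentation address standing in for the fixed public WAN IP.

```routeros
# Added example for the hairpin NAT question in this thread. Not either poster's
# configuration. Assumed names and addresses (change to match your router):
#   WAN interface ether1, LAN 192.168.1.0/24, web server 192.168.1.20,
#   203.0.113.10 = placeholder for the fixed public WAN IP (documentation address).

/ip firewall nat
# 1. Port forward from the internet. dst-port=80 is the matcher that was missing in
#    the rules quoted in the thread; without it every TCP port on the public IP is
#    handed to 192.168.1.20.
add chain=dstnat action=dst-nat protocol=tcp dst-address=203.0.113.10 dst-port=80 \
    to-addresses=192.168.1.20 to-ports=80 \
    comment="Web server: forward only TCP/80 arriving at the public IP"

# 2. Hairpin NAT. A LAN client that connects to 203.0.113.10 is already rewritten to
#    192.168.1.20 by rule 1 (dst-nat runs regardless of in-interface). This rule also
#    rewrites the source so the server's reply returns via the router; otherwise the
#    reply would reach the client directly from 192.168.1.20 and be discarded because
#    the client expects it from 203.0.113.10.
add chain=srcnat action=masquerade protocol=tcp src-address=192.168.1.0/24 \
    dst-address=192.168.1.20 dst-port=80 \
    comment="Hairpin: LAN clients reaching the web server through the public IP"

# 3. Ordinary outbound NAT for the LAN. It does not overlap with rule 2 because the
#    hairpin traffic leaves through the LAN interface, not ether1.
add chain=srcnat action=masquerade out-interface=ether1 \
    comment="Hide LAN behind the public IP"

/ip firewall filter
# 4. NAT only rewrites addresses; the filter chain is the access control. Accept
#    replies, accept the one forwarded service, drop everything else from the WAN.
add chain=forward action=accept connection-state=established,related \
    comment="Allow replies to existing connections"
add chain=forward action=accept in-interface=ether1 connection-nat-state=dstnat \
    protocol=tcp dst-address=192.168.1.20 dst-port=80 \
    comment="Allow the port-forwarded web traffic, nothing else from the WAN"
add chain=forward action=drop in-interface=ether1 \
    comment="Drop all other new connections arriving from the WAN"
```

To confirm the exposure is limited, check the dstnat chain after applying the rules (`/ip firewall nat print where chain=dstnat`) and verify each rule carries a dst-port; from a host outside the LAN, a connection to the public IP on any port other than 80 should now time out instead of reaching the server. The hairpin masquerade hides the real client address from the web server's logs for LAN visitors, which is the usual trade-off of this method.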