Loop Back?

Hi!

We have a Mikrotik that is working fine except for what my colleague calls loopback.

We have a website running on 192.168.2.15 that everybody on the internet can access (added nat rules for that).

But we, inside the LAN can’t!

I mean, we can access if we set local DNS to 192.168.2.15, but accessing the public IP 213.63.137.210 from the LAN won’t open the website (nor FTP).

How can we overcome this without custom dns entries?


Thanks in advance

What are the permissions in the server? Virtual domains or just 1?

Sorry, but I don’t see how the server is relevant.

It is a simple apache server. What permissions are you referring to?

Make a simple diagram of how your server is connected, and how the users can and can’t access it.

Try to masquerade traffic coming from your LAN and going to 192.168.2.15. Currently 192.168.2.15 is responding directly to the user, while the user waits for a response from the router.
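
The packet flow described in the reply above, traced in Python as an added example that is not part of the original thread. The router LAN address 192.168.2.1 and the client 192.168.2.50 are assumed values, and the model assumes the router's dstnat rule also matches requests arriving from the LAN.

```python
from dataclasses import dataclass

PUBLIC_IP = "213.63.137.210"    # router WAN address, from the thread
SERVER_IP = "192.168.2.15"      # web server, from the thread
ROUTER_LAN_IP = "192.168.2.1"   # assumption: router's LAN address
CLIENT_IP = "192.168.2.50"      # assumption: a LAN client


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def hairpin(masquerade: bool) -> dict:
    """Trace one request from a LAN client to the public IP and its reply."""
    request = Packet(CLIENT_IP, PUBLIC_IP)

    # Router, dstnat: the public IP is rewritten to the server's address.
    forwarded = Packet(request.src, SERVER_IP)
    # Router, srcnat (optional): the source becomes the router's LAN address.
    if masquerade:
        forwarded = Packet(ROUTER_LAN_IP, forwarded.dst)
    # Connection tracking: expected reply -> packet handed back to the client.
    conntrack = {Packet(forwarded.dst, forwarded.src):
                 Packet(request.dst, request.src)}

    # The server answers whatever source address it saw.
    reply = Packet(SERVER_IP, forwarded.src)
    via_router = reply.dst == ROUTER_LAN_IP
    if via_router:
        reply = conntrack[reply]  # router reverses both translations
    # Otherwise the reply goes straight to the client on the shared subnet
    # and the router never sees it, so nothing restores the public address.

    # The client only accepts a reply from the address it connected to.
    accepted = reply == Packet(request.dst, request.src)
    return {"server_saw": forwarded.src, "reply_src": reply.src,
            "via_router": via_router, "accepted": accepted}


if __name__ == "__main__":
    for masq in (False, True):
        print("masquerade" if masq else "dstnat only", hairpin(masq))
```

With the masquerade in place the server sees the router's LAN address as the source of every internal request, so its access logs no longer identify the individual LAN client.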

Please read before posting. Try what kirsteins suggested.

Ok.

Our public IP is 213.63.137.210. Mikrotik has an interface with this IP.

from outside you can access http://213.63.137.210
from inside WE CAN NOT access http://213.63.137.210
we can access http://192.168.2.15


http://i50.tinypic.com/24dits4.jpg

Theoretically, that makes absolute sense.

Thank you for understanding my issue. So I am going to look into inserting a masquerading rule.

Thanks once again.

Sorry to bug you but I don’t think this is correct:

chain=srcnat action=masquerade src-address=192.168.2.0/24 dst-address=192.168.2.15

I tried several ways, without dst address with out-interface…

what am I looking for exactly?

Search the forum for “hairpin NAT”. Recent posts about that term will be people telling other people to search for “hairpin NAT”; threads further back contain working configurations.

Will do. Thanks

For troubleshooting you can add general masquerade (masquerade everything) rule on top of your SRC-NAT rule list.

Hi kirshteins, thanks for helping out.

I tried that. I did: add chain=srcnat action=masquerade out-interface="WAN ArTelecom" src-address-list="Allowed-Internet" comment="aaaaaaa" disabled=no

I placed it in position 0.

I tried taking out the “Allowed-Internet” bit as well (which is a list that contains 192.168.2.0/24)

I noticed it counts up traffic, but I still can’t access the public IP directly…

Pada just updated a thread on this:

http://forum.mikrotik.com/t/wan-services-not-available-to-local-users-please-help/32923/1

eish fewi, you’re too fast. I was just about to post here that I’ve updated an old thread about NAT loopback :smiley:

Today is actually the first time that I’ve seen/heard about “hairpin NAT”. Previously I’ve seen people calling it: “NAT loopback” / “Reverse NAT” / “PAT”

Heh, sorry about that.

Yeah, there’s lots of different terms for it. Coming from Cisco I call it hairpin NAT. They named it after the voice world where hairpinning a call refers to directing a call back out the way it came in. When you draw that out on a piece of paper as far as flow goes it looks U-shaped, like a hairpin.