NAT address from public IP to router address

Hello,
My home router's WAN IP is 192.168.47.9
ISP gateway is on 192.168.47.1
My public static IP is 90.46.65.88
My router's LAN IP is 192.168.88.1

I cannot connect to a port-forwarded local IP from my public IP over my ISP connection. All devices are connected to the home router.
But I can connect from my phone's 4G internet, or from other ISPs.
Also, all port test results show closed when I test from the same network. From other ISPs my public IP's ports are open and can establish a connection.

I think a NAT address setup can solve this problem. I have a script that tries to connect to the router from the public IP.
Maybe a rule can be set up to redirect public IP calls to the router IP address?
If it is possible, can anyone write me the right settings? I'm trying and reading guides but not understanding.
Thanks!

Search for “hairpin NAT” and implement it.

I prefer to solve these problems with DNS, just have the service resolved to your internal IP address on your network (and your public IP address for the rest of the world).

I can only agree with this. And it's doable without having "split" DNS on some extra LAN gadget, one only needs a few static DNS entries in RB's DNS config.

But ... some users just insist on searching for pins in haystacks...

Yes, I heard about hairpin. I checked it several times but couldn't understand which one of the 3 scripts fits my situation and where to put the destination and source IPs. I'm just a user with a MikroTik router '(
Sorry, if I may ask, is it possible to write an example with the IP addresses I wrote?
About that DNS setting, I also didn't get what to do.
Maybe someone else can also benefit from this.
Thank you.

I'm still stuck on how your WAN IP does not equal your public IP??

Are you saying that the IP for the router is your WAN IP and a separate WAN IP (public) is for one-to-one mapping to the server??

As for using DNS to ensure LAN personnel can reach a server through one's public IP vice LAN IP, well I am all ears as this sounds infinitely less complex than hairpin NAT.

Thus mkx, please explain to someone with a standard router setup how to accomplish this feat?
For example, many of us have the following setup.
input chain - allow DNS from LAN to port 53, UDP, TCP

/ip DNS
allow external entries
1.1.1.1,8.8.8.8 etc.

/ip dhcp-server network
(lan1) dns=192.168.1.1 gateway=192.168.1.1
(vlan20) dns=192.168.20.1 gateway=192.168.20.1

+++++++++++++++++++++++++++++++++++++++++++++++++++

Now what???

If one is using an IP address to connect back home to connect to a surveillance camera or whatever … then sorry, he needs either hairpin NAT or new brains.

If, however, one uses deadbeef0000.sn.mynetname.net to connect (or whatever DNS FQDN), then one can enter this:

/ip dns static
add name=deadbeef0000.sn.mynetname.net address=192.168.88.42

Surely this doesn’t work nicely with gazillion devices hidden behind single WAN IP … for that one would need some proper DNS service (so one could construct any number of CNAME records on WAN side and the same number of static entries on RB for LAN hosts). But then … if one runs gazillion of devices, why not another one (e.g. rPI with proper DNS server) and run own domain with split DNS (external vs. internal). Doesn’t cost a fortune …


Regarding WAN IP not being the same as public IP … ever heard of netmap? Some kiddos are doing it so why not ISP?

Hello, thanks for the replies :smiley:
Before, I phoned the ISP and told them my IP address on the router WAN is an internal grey IP, not a public IP, which I am paying 1 euro extra for :smiley:
They told me that, as usual, I can check my public IP from some website, and all my ports are open. If any port is closed that's my fault, I am not capable of port forwarding, bla bla bla…
I even mailed them but got the same result. I am located in Estonia. The ISP is Russian/Estonian speaking.
I'm behind something like an ISP DHCP. Maybe they are placing one router in every building. I am not sure. The fact is, there is an internal network connecting me to my static external public IP.

Well, we have a two-parter LOL
First,
Okay, so if external users use the same DNS name, then they will get to the server via dst-nat rules, while internal folks putting in the same name will simply get redirected to the internal server without even going out of the router?? How does this work if, for example, lan1 is where the people are and lan2 is where the server is located, and they are not L2 connected, in other words not on the same bridge etc.? Would one need a filter rule to accept lan1 to lan2 (specific LAN IP) to allow that redirected traffic to be forwarded???

As for public and WAN IP, can I assume
PUBLIC is what is visible to the internet (what the DDNS name would point to)?
WAN IP is what the router actually gets for a WAN IP?

Blowing my mind here as I try to assess what to put in for
a. masquerade rule (if applicable; assuming this is for static IPs so it probably doesn't apply)!
b. srcnat src-nat rule. out-interface=wan to-addresses=???
c. dstnat dst-nat rule. in-interface=WAN or dst-address=public IP???

What about IP Routes…

I can set up a DDNS service for the MikroTik router, NoIP for example.
On the web server on the internet, I can set up the script to use the DDNS address and port instead of the public IP and port.
Actually, I tried this before but the script didn't connect to my router.
Maybe I just needed a NAT/DNS setup?
I need this only so the script on the website and the script on the router can connect to each other.
Somehow the script on the router uses the public IP set on the web server on the internet (the router's own public IP) to connect to itself.
This is a Hotspot sign-in script which has the auth. server on the website.

@anav: Really? Do I end my strike for RouterOS v7 (*) and come back to this? :smiley: Didn’t you get your guru handbook? You can’t ask questions like this anymore. You can’t be perplexed by simple double NAT or basic routing and firewalling. You need to make a new incognito account for such questions (no, don’t, it was a joke).

About the “complexity of hairpin NAT”: link (also check the author of the post above this one)

And on top of that, you don't need to worry about additional filter rules, because any connection via the public address between your internal subnets (client in one and server in another) will be allowed by the same old trusty “allow all dstnatted connections” rule as every other dstnatted connection, no matter where it came from. There's no complexity at all; in fact, it can't be any simpler or more foolproof.

There's only one downside of hairpin NAT when compared to the DNS method. When both client and server are in the same LAN subnet, the DNS method is more efficient, because it means a direct connection between them. Hairpin NAT requires all packets to unnecessarily go to the router and back. But guess what, you can have both at the same time: hairpin NAT as the basic, always-working solution and DNS override for selected services with a lot of required bandwidth or something.

And since it seems that the DNS method may not be clear enough, it’s just:

/ip dns static
add address=192.168.<whatever your server has> name=www.websitehostedonyourserver.tld

So when a client in the same LAN (using this router as DNS resolver; this part is mandatory) asks for the address of www.websitehostedonyourserver.tld, it gets the 192.168. address and simply makes a direct connection. And yes, if it's not in the same LAN subnet but in another one on the same router and you block access between them by default, you'll need to specifically allow these connections.

For the case of having the public address and not really having it at the same time, it's simple 1:1 NAT. The ISP keeps the real public address on their router and dst-nats/netmaps all incoming traffic to this address to a private address on the customer's router, and src-nats/netmaps anything coming from the customer's router to the public address. This config works fine for all simple things and only gets annoying for something more complex like IPsec.

The configuration of the customer's router is exactly the same as any other: LAN, WAN, srcnat or masquerade for outgoing traffic, dstnat rules for incoming. The only difference is when you need hairpin NAT as the OP wants; then you also need to work with the public address (which is actually on the ISP's router) on your router, e.g.:

/ip firewall nat
add chain=dstnat dst-address=192.168.47.9 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.88.x comment="port forward for outside clients"
add chain=dstnat dst-address=90.46.65.88 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.88.x comment="port forward for inside clients"
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.0/24 action=masquerade comment="hairpin rule"

Or you can change the last one to:

/ip firewall nat
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.0/24 action=src-nat to-addresses=90.46.65.88

and it will make all connections from LAN to the server via the public address look as if they came from the same public address. Completely optional; it makes no difference in functionality, it just may look better in logs than 192.168.88.1.


(*) Nah, not really, but it sounds like a good reason for not being here for a while, doesn't it? Also, if that had been the case, notifying someone in advance would have been a better choice than saying it only now, but hey… :wink:

Sniff sniff, sob sob, that explanation brings a tear to my eye. Merci, je comprends tout!
My incognito speaks French :wink:
By the way, I have had a huge breakthrough: I managed to get my RB260GS up and working!!

You’re ahead of me, I’ve seen that device only on pictures so far.

And one small clarification of my previous post, for the record, because it may sound wrong and possibly confuse someone: with your two LAN subnets and client and server in different ones connecting via the public address, it's not hairpin NAT at all, just regular dstnat (it would work even without the srcnat rule).
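As an added illustration, not code from the thread or from RouterOS: a small Python model of the NAT rules posted above (the two dstnat rules plus the hairpin srcnat rule), run for an outside client, a LAN client in the server's subnet, and a client in a second subnet. It shows why the same-subnet case fails without the hairpin rule (the server answers the client directly and the reply arrives from the wrong address) while the two-subnet case works with plain dstnat, as the clarification just above says. 192.168.88.42, 192.168.88.50, 192.168.20.5 and 203.0.113.5 are constructed addresses; the ISP's 1:1 netmap is outside the model, so an outside client is seen arriving at the WAN IP.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

PUBLIC_IP = "90.46.65.88"       # held by the ISP router, 1:1 mapped to WAN_IP
WAN_IP = "192.168.47.9"
ROUTER_LAN_IP = "192.168.88.1"
SERVER_IP = "192.168.88.42"     # constructed stand-in for the thread's 192.168.88.x
LAN = ip_network("192.168.88.0/24")   # the server's subnet


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    dport: int = 80


def dstnat(p: Pkt) -> Pkt:
    """Both dstnat rules: match the WAN IP (outside clients, after the ISP's
    netmap) or the public IP itself (inside clients); forward port 80."""
    if p.dst in (WAN_IP, PUBLIC_IP) and p.dport == 80:
        return replace(p, dst=SERVER_IP)
    return p


def srcnat(p: Pkt, hairpin: bool) -> Pkt:
    """Masquerade LAN->WAN; the optional hairpin rule masquerades LAN->LAN too."""
    if ip_address(p.src) in LAN:
        if ip_address(p.dst) in LAN:
            return replace(p, src=ROUTER_LAN_IP) if hairpin else p
        return replace(p, src=WAN_IP)
    return p


def reply_source_seen_by_client(p: Pkt, hairpin: bool) -> str:
    """Simulate the server's reply; return the source address the client receives."""
    fwd = srcnat(dstnat(p), hairpin)
    # The server answers the source it saw. A host in its own subnet (other than
    # the router) is reached directly on L2, so the router never un-NATs the reply.
    if ip_address(fwd.src) in LAN and fwd.src != ROUTER_LAN_IP:
        return SERVER_IP
    return p.dst                    # router reverses both translations on the way back


def connection_works(p: Pkt, hairpin: bool) -> bool:
    """A TCP client only accepts a reply from the address it connected to."""
    return reply_source_seen_by_client(p, hairpin) == p.dst
```

Call `connection_works(Pkt("192.168.88.50", PUBLIC_IP), hairpin=False)` to see the same-subnet failure, then flip `hairpin=True` to see the posted rule fix it.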