Hi,
I have the following network:
My domain resolves to the dynamic WAN IP of my router, and traffic to it is dst-nat'ed to a server in VLAN2.
From VLAN2 the server is reachable because I have split DNS there and the domain resolves to the internal IP.
On the other VLANs there is no split DNS, and I can't get a client in e.g. VLAN40 to connect to the server.
There the name resolves to the external IP.
Does anyone know where my problem is?
Thanks in advance.
Config:
[admin@rb5009] /ip/firewall/filter> export
# oct/07/2022 20:46:41 by RouterOS 7.6beta6
# software id = 5XXXXXXXF
#
# model = RB5009UG+S+
# serial number = EXXXXXXA
# Firewall filter as exported BEFORE the fix. Rules are evaluated top to bottom
# and the first match wins; anything not accepted falls through to the final
# drop of its chain.
/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add action=accept chain=input connection-state=established,related log-prefix="Allow established, related: "
add action=drop chain=input connection-state=invalid log-prefix="Drop invalid:"
# DNS to the router: non-WAN interfaces only, and only from the dns_access list.
# NOTE(review): in-interface-list=!WAN also matches the WireGuard interfaces,
# so the address list is the only gate for tunnel peers.
add action=accept chain=input dst-port=53 in-interface-list=!WAN log-prefix="Allow DNS(UDP): " protocol=udp src-address-list=dns_access
# SNMP (udp/161,162) from vlan2, restricted to the snmp_server list.
add action=accept chain=input dst-port=161,162 in-interface=vlan2 log-prefix="Allow SNMP: " protocol=udp src-address-list=snmp_server
# ICMP is accepted on every interface, WAN included; only ICMP type 5
# (redirect) is excluded by icmp-options=!5:0-255.
add action=accept chain=input icmp-options=!5:0-255 log-prefix="Allow ICMP: " protocol=icmp
# WireGuard listener deliberately reachable from the Internet (second one below).
add action=accept chain=input dst-port=13231 in-interface-list=WAN log-prefix="Allow Wireguard(13231): " protocol=udp
# SSH and WinBox: never from WAN, and only from the mgmt_access list.
add action=accept chain=input dst-port=22,8291 in-interface-list=!WAN log-prefix="Allow ssh+winbox: " protocol=tcp src-address-list=mgmt_access
add action=accept chain=input dst-port=53 in-interface-list=!WAN log-prefix="Allow DNS(TCP): " protocol=tcp src-address-list=dns_access
# NTP from vlan2 (subnet2 list) to the router's own NTP service.
add action=accept chain=input dst-port=123 in-interface=vlan2 log-prefix="Allow NTP(UDP): " protocol=udp src-address-list=subnet2
# OSPF only over the site-to-site WireGuard tunnel.
add action=accept chain=input in-interface=wireguard_s2s_hex log-prefix="Allow OSPF:" protocol=ospf
add action=accept chain=input dst-port=13232 in-interface-list=WAN log-prefix="Allow Wireguard(13232): " protocol=udp
add action=accept chain=input dst-port=123 in-interface=vlan2 log-prefix="Allow NTP(TCP): " protocol=tcp src-address-list=subnet2
# Disabled attempt to let LAN clients reach the router's public address.
# It sits in the input chain, which only matters while the dst-nat rules in the
# nat table ignore LAN ingress: once a LAN packet to the public IP is
# dst-nat'ed to 192.168.2.43 it is routed and handled by the forward chain.
add action=accept chain=input disabled=yes dst-address-list=wan_ip log=yes log-prefix="Allow VLANs to WAN-IP: " src-address=192.168.0.0/16
# Catch-all for the input chain; log= is not set, so unlike the forward
# catch-all these drops are not logged.
add action=drop chain=input log-prefix="INPUT: Drop anything not allowed: "
# --- forward chain: routed traffic ---
# Fasttrack established/related first; subsequent packets of those connections
# skip the rest of the firewall.
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes log-prefix="FastTrack Connection: "
add action=accept chain=forward connection-state=established,related log-prefix="Allow established, related: "
add action=drop chain=forward connection-state=invalid log-prefix="Drop invalid:"
# Reject DNS-over-HTTPS from vlan2 to the DOH-Server list so the DNS redirect
# in the nat table cannot be bypassed. The prefix says "Drop" but the action is
# reject with icmp-admin-prohibited.
add action=reject chain=forward dst-address-list=DOH-Server dst-port=443 in-interface=vlan2 log-prefix="Drop DoH: " protocol=tcp reject-with=icmp-admin-prohibited
# Unrestricted test rules, still enabled in this export.
add action=accept chain=forward comment="Test InterVLAN-Routing" in-interface=vlan2 out-interface=vlan10
add action=accept chain=forward comment="Test InterVLAN-Routing" in-interface=vlan20 out-interface=vlan10
add action=accept chain=forward in-interface=vlan2 log-prefix="Allow VLAN2 -> WAN: " out-interface-list=WAN
# vlan2 -> Fritzbox web UI only (comment "fuer WebGUI" = "for the web UI").
add action=accept chain=forward comment="fuer WebGUI" dst-address=192.168.5.1 in-interface=vlan2 log-prefix="Allow VLAN2 -> Fritzbox: " out-interface=ether4
# vlan2 -> vlan40, any host/port; the reverse direction is equally open below,
# so from a filtering standpoint these two VLANs behave as one segment.
add action=accept chain=forward in-interface=vlan2 log-prefix="Allow VLAN2 -> VLAN40" out-interface=vlan40
add action=accept chain=forward in-interface=vlan10 log-prefix="Allow VLAN10 -> WAN: " out-interface-list=WAN
# vlan10 may reach only Traefik (192.168.2.43), and only from the subnet10 list.
add action=accept chain=forward dst-address=192.168.2.43 in-interface=vlan10 log-prefix="Allow VLAN10 -> Traefik" src-address-list=subnet10
add action=accept chain=forward in-interface=vlan40 log-prefix="Allow VLAN40 -> WAN: " out-interface-list=WAN
# NOTE(review): vlan40 -> vlan2 is unrestricted. If vlan40 is the less trusted
# side, narrow it to the hosts it actually needs, as the vlan10 rule above does.
add action=accept chain=forward in-interface=vlan40 log-prefix="Allow VLAN40 -> VLAN2" out-interface=vlan2
# Address-list based access to subnet3; no interface match, so it applies to
# any ingress including the WireGuard interfaces.
add action=accept chain=forward dst-address-list=subnet3 log-prefix="Allow Access -> SN3: " src-address-list=subnet3_access
# Accept port-forwarded connections, but only those that entered on WAN. A LAN
# client whose packet to the public IP gets dst-nat'ed does not match here and
# ends in the final drop unless another rule allows its VLAN into vlan2.
add action=accept chain=forward connection-nat-state=dstnat in-interface-list=WAN log-prefix="Allow dstnat aka Portfreigabe: "
# Road-warrior WireGuard clients -> Internet; their LAN reach depends only on
# the subnet3_access rule above.
add action=accept chain=forward in-interface=wireguard_clients log-prefix="Allow WG-Clients -> Internet: " out-interface-list=WAN
# Catch-all for the forward chain, logged.
add action=drop chain=forward log=yes log-prefix="FORWARD: Drop anything not allowed: "
[admin@rb5009] /ip/firewall/nat> export
# oct/07/2022 20:47:31 by RouterOS 7.6beta6
# software id = 5XXXXXXF
#
# model = RB5009UG+S+
# serial number = EXXXXXXXXA
# NAT table as exported BEFORE the fix. dstnat runs before routing, srcnat
# after it.
/ip firewall nat
# Duplicate menu line left over from the paste; harmless on import.
/ip firewall nat
# Intended hairpin rule (disabled). NOTE(review): it cannot match as written:
# by the time srcnat runs the dst-nat has already rewritten the destination to
# the internal host, so dst-address-list=wan_ip no longer matches, and the
# packet leaves on a VLAN interface rather than one in the WAN list.
add action=masquerade chain=srcnat disabled=yes dst-address-list=wan_ip log=yes log-prefix="NAT: Hairpin-NAT: " out-interface-list=WAN protocol=tcp
# Normal Internet masquerade.
add action=masquerade chain=srcnat log-prefix="NAT: masquerade WAN" out-interface-list=WAN
# Masquerade into the site-to-site tunnel: the remote site sees this router's
# tunnel address, not the original LAN source, so remote filtering/logging
# cannot distinguish local clients.
add action=masquerade chain=srcnat log-prefix="NAT: masquerade hex" out-interface=wireguard_s2s_hex
# Port forwards for Traefik. Both are bound to in-interface-list=WAN, so a LAN
# client connecting to the public IP is never translated: its packet is
# delivered to the router itself and dropped by the input chain. This is the
# root cause of the question above.
add action=dst-nat chain=dstnat dst-port=443 in-interface-list=WAN log-prefix="NAT: dstnat: Traefik(https)" protocol=tcp to-addresses=192.168.2.43 to-ports=443
add action=dst-nat chain=dstnat dst-port=80 in-interface-list=WAN log-prefix="NAT: dstnat: Traefik(http)" protocol=tcp to-addresses=192.168.2.43 to-ports=80
# NOTE(review): this rule has neither an in-interface nor a dst-address match,
# so any tcp/2222 packet entering the router on any interface, whatever its
# destination address, is rewritten to 192.168.2.50:2222 -- including traffic a
# LAN client sends to a legitimate external host on that port. Scope it to the
# public address like the other forwards. (Prefix says Traefik, target is .50.)
add action=dst-nat chain=dstnat dst-port=2222 log-prefix="NAT: dstnat: Traefik(ssh)" protocol=tcp to-addresses=192.168.2.50 to-ports=2222
# Transparent DNS redirect: any DNS query from vlan2 not already aimed at the
# router is forced to 192.168.2.1. Paired with the DoH reject in the filter.
add action=dst-nat chain=dstnat dst-address=!192.168.2.1 dst-port=53 in-interface=vlan2 log-prefix="NAT: DNS-Redirect(UDP): " protocol=udp to-addresses=192.168.2.1 to-ports=53
add action=dst-nat chain=dstnat dst-address=!192.168.2.1 dst-port=53 in-interface=vlan2 log-prefix="NAT: DNS-Redirect(TCP): " protocol=tcp to-addresses=192.168.2.1 to-ports=53
# Same for NTP, additionally limited to sources in the subnet2 list.
add action=dst-nat chain=dstnat dst-address=!192.168.2.1 dst-port=123 in-interface=vlan2 log-prefix="NAT: NTP-Redirect(TCP): " protocol=tcp src-address-list=subnet2 to-addresses=192.168.2.1 \
to-ports=123
add action=dst-nat chain=dstnat dst-address=!192.168.2.1 dst-port=123 in-interface=vlan2 log-prefix="NAT: NTP-Redirect(UDP): " protocol=udp src-address-list=subnet2 to-addresses=192.168.2.1 \
to-ports=123
Sob
October 7, 2022, 7:00pm
In the dstnat rules, replace in-interface-list=WAN with dst-address-list=wan_ip. Also remove in-interface-list=WAN from the "Allow dstnat aka Portfreigabe: " rule. And if you want hairpin NAT (to get rid of split DNS), then your supposed hairpin NAT rule is wrong; see https://forum.mikrotik.com/viewtopic.php?t=179343 .
Thank you very much Sob, that worked!
For anyone interested, here is the resulting config:
[admin@rb5009] > ip/firewall/filter/
[admin@rb5009] /ip/firewall/filter> export
# oct/07/2022 21:20:41 by RouterOS 7.6beta6
# software id = 5XXXXXF
#
# model = RB5009UG+S+
# serial number = EXXXXXA
# Firewall filter AFTER the fix. Rules are evaluated top to bottom and the
# first match wins; anything not accepted falls through to the final drop of
# its chain. The input chain is unchanged apart from dropping the disabled
# "Allow VLANs to WAN-IP" rule.
/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add action=accept chain=input connection-state=established,related log-prefix="Allow established, related: "
add action=drop chain=input connection-state=invalid log-prefix="Drop invalid:"
# DNS to the router: non-WAN interfaces only, and only from the dns_access list.
# NOTE(review): in-interface-list=!WAN also matches the WireGuard interfaces,
# so the address list is the only gate for tunnel peers.
add action=accept chain=input dst-port=53 in-interface-list=!WAN log-prefix="Allow DNS(UDP): " protocol=udp src-address-list=dns_access
# SNMP (udp/161,162) from vlan2, restricted to the snmp_server list.
add action=accept chain=input dst-port=161,162 in-interface=vlan2 log-prefix="Allow SNMP: " protocol=udp src-address-list=snmp_server
# ICMP is accepted on every interface, WAN included; only ICMP type 5
# (redirect) is excluded by icmp-options=!5:0-255.
add action=accept chain=input icmp-options=!5:0-255 log-prefix="Allow ICMP: " protocol=icmp
# WireGuard listeners deliberately reachable from the Internet.
add action=accept chain=input dst-port=13231 in-interface-list=WAN log-prefix="Allow Wireguard(13231): " protocol=udp
# SSH and WinBox: never from WAN, and only from the mgmt_access list.
add action=accept chain=input dst-port=22,8291 in-interface-list=!WAN log-prefix="Allow ssh+winbox: " protocol=tcp src-address-list=mgmt_access
add action=accept chain=input dst-port=53 in-interface-list=!WAN log-prefix="Allow DNS(TCP): " protocol=tcp src-address-list=dns_access
# NTP from vlan2 (subnet2 list) to the router's own NTP service.
add action=accept chain=input dst-port=123 in-interface=vlan2 log-prefix="Allow NTP(UDP): " protocol=udp src-address-list=subnet2
# OSPF only over the site-to-site WireGuard tunnel.
add action=accept chain=input in-interface=wireguard_s2s_hex log-prefix="Allow OSPF:" protocol=ospf
add action=accept chain=input dst-port=13232 in-interface-list=WAN log-prefix="Allow Wireguard(13232): " protocol=udp
add action=accept chain=input dst-port=123 in-interface=vlan2 log-prefix="Allow NTP(TCP): " protocol=tcp src-address-list=subnet2
# Catch-all for the input chain; log= is not set, so these drops are silent.
add action=drop chain=input log-prefix="INPUT: Drop anything not allowed: "
# --- forward chain: routed traffic ---
# Fasttrack established/related first; subsequent packets of those connections
# skip the rest of the firewall.
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes log-prefix="FastTrack Connection: "
add action=accept chain=forward connection-state=established,related log-prefix="Allow established, related: "
add action=drop chain=forward connection-state=invalid log-prefix="Drop invalid:"
# Reject DNS-over-HTTPS from vlan2 to the DOH-Server list so the DNS redirect
# in the nat table cannot be bypassed. The prefix says "Drop" but the action is
# reject with icmp-admin-prohibited.
add action=reject chain=forward dst-address-list=DOH-Server dst-port=443 in-interface=vlan2 log-prefix="Drop DoH: " protocol=tcp reject-with=icmp-admin-prohibited
# Test rules, now disabled; kept for reference.
add action=accept chain=forward comment="Test InterVLAN-Routing" disabled=yes in-interface=vlan2 out-interface=vlan10
add action=accept chain=forward comment="Test InterVLAN-Routing" disabled=yes in-interface=vlan20 out-interface=vlan10
add action=accept chain=forward in-interface=vlan2 log-prefix="Allow VLAN2 -> WAN: " out-interface-list=WAN
# vlan2 -> Fritzbox web UI only (comment "fuer WebGUI" = "for the web UI").
add action=accept chain=forward comment="fuer WebGUI" dst-address=192.168.5.1 in-interface=vlan2 log-prefix="Allow VLAN2 -> Fritzbox: " out-interface=ether4
# vlan2 -> vlan40, any host/port; the reverse direction is equally open below,
# so from a filtering standpoint these two VLANs behave as one segment.
add action=accept chain=forward in-interface=vlan2 log-prefix="Allow VLAN2 -> VLAN40" out-interface=vlan40
add action=accept chain=forward in-interface=vlan10 log-prefix="Allow VLAN10 -> WAN: " out-interface-list=WAN
# vlan10 may reach only Traefik (192.168.2.43), and only from the subnet10 list.
add action=accept chain=forward dst-address=192.168.2.43 in-interface=vlan10 log-prefix="Allow VLAN10 -> Traefik" src-address-list=subnet10
add action=accept chain=forward in-interface=vlan40 log-prefix="Allow VLAN40 -> WAN: " out-interface-list=WAN
# NOTE(review): vlan40 -> vlan2 is unrestricted. If vlan40 is the less trusted
# side, narrow it to the hosts it actually needs, as the vlan10 rule above does.
add action=accept chain=forward in-interface=vlan40 log-prefix="Allow VLAN40 -> VLAN2" out-interface=vlan2
# Address-list based access to subnet3; no interface match, so it applies to
# any ingress including the WireGuard interfaces.
add action=accept chain=forward dst-address-list=subnet3 log-prefix="Allow Access -> SN3: " src-address-list=subnet3_access
# NOTE(review): still bound to in-interface-list=WAN, although the dst-nat
# rules now translate LAN clients too. Those hairpinned flows are accepted
# only where another rule lets the source VLAN into vlan2 (vlan10 -> .43 and
# vlan40 -> vlan2 above); any other source, e.g. vlan20 or wireguard_clients,
# is still dropped by the catch-all. Dropping the interface match here (as
# suggested in the reply) makes the port forwards work uniformly.
add action=accept chain=forward connection-nat-state=dstnat in-interface-list=WAN log-prefix="Allow dstnat aka Portfreigabe: "
# Road-warrior WireGuard clients -> Internet; their LAN reach depends only on
# the subnet3_access rule above.
add action=accept chain=forward in-interface=wireguard_clients log-prefix="Allow WG-Clients -> Internet: " out-interface-list=WAN
# Catch-all for the forward chain, logged.
add action=drop chain=forward log=yes log-prefix="FORWARD: Drop anything not allowed: "
[admin@rb5009] /ip/firewall/filter> ..
[admin@rb5009] /ip/firewall> nat/
[admin@rb5009] /ip/firewall/nat> export
# oct/07/2022 21:20:41 by RouterOS 7.6beta6
# software id = 5XXXXXF
#
# model = RB5009UG+S+
# serial number = EXXXXXA
# NAT table AFTER the fix. dstnat runs before routing, srcnat after it.
/ip firewall nat
# Hairpin NAT, still disabled. Without it a client in vlan2 (the server's own
# subnet) that connects to the public address gets its reply straight from
# 192.168.2.43 instead of from the public IP and the connection fails -- which
# is presumably why split DNS is still needed there.
# NOTE(review): as written this would masquerade ALL RFC1918-to-RFC1918
# traffic the router forwards, hiding real client addresses from every internal
# server and log. Narrow it to the forwarded targets (dst-address=192.168.2.43
# and 192.168.2.50, or an address list of them) so only hairpinned flows are
# rewritten.
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.0.0/16 log=yes log-prefix="NAT: Hairpin-NAT: " src-address=192.168.0.0/16
# Normal Internet masquerade.
add action=masquerade chain=srcnat log-prefix="NAT: masquerade WAN" out-interface-list=WAN
# Masquerade into the site-to-site tunnel: the remote site sees this router's
# tunnel address, not the original LAN source.
add action=masquerade chain=srcnat log-prefix="NAT: masquerade hex" out-interface=wireguard_s2s_hex
# Port forwards now match on the public address (wan_ip list) instead of the
# ingress interface, so LAN clients connecting to the public IP are translated
# as well. The WAN address is dynamic, so whatever maintains the wan_ip list
# (not shown here) must keep it current or every forward silently stops.
# Rule comment, translated: "http/https as separate rules because otherwise both
# protocols get redirected to 443; the redirect happens in Traefik."
add action=dst-nat chain=dstnat comment="http/https als extra Regeln da sonst beide Protokolle auf 44e umgeleitet werden; Redirect findet in traefik statt" dst-address-list=wan_ip dst-port=\
443 log-prefix="NAT: dstnat: Traefik(https)" protocol=tcp to-addresses=192.168.2.43 to-ports=443
add action=dst-nat chain=dstnat dst-address-list=wan_ip dst-port=80 log-prefix="NAT: dstnat: Traefik(http)" protocol=tcp to-addresses=192.168.2.43 to-ports=80
# Now correctly limited to the public address. Note the target is 192.168.2.50,
# a different host than Traefik (.43): tcp/2222 on that host is exposed to the
# Internet directly, with no reverse proxy in front of it.
add action=dst-nat chain=dstnat dst-address-list=wan_ip dst-port=2222 log-prefix="NAT: dstnat: Traefik(ssh)" protocol=tcp to-addresses=192.168.2.50 to-ports=2222
# Transparent DNS redirect: any DNS query from vlan2 not already aimed at the
# router is forced to 192.168.2.1. Paired with the DoH reject in the filter.
add action=dst-nat chain=dstnat dst-address=!192.168.2.1 dst-port=53 in-interface=vlan2 log-prefix="NAT: DNS-Redirect(UDP): " protocol=udp to-addresses=192.168.2.1 to-ports=53
add action=dst-nat chain=dstnat dst-address=!192.168.2.1 dst-port=53 in-interface=vlan2 log-prefix="NAT: DNS-Redirect(TCP): " protocol=tcp to-addresses=192.168.2.1 to-ports=53
# Same for NTP, additionally limited to sources in the subnet2 list.
add action=dst-nat chain=dstnat dst-address=!192.168.2.1 dst-port=123 in-interface=vlan2 log-prefix="NAT: NTP-Redirect(TCP): " protocol=tcp src-address-list=subnet2 to-addresses=192.168.2.1 \
to-ports=123
add action=dst-nat chain=dstnat dst-address=!192.168.2.1 dst-port=123 in-interface=vlan2 log-prefix="NAT: NTP-Redirect(UDP): " protocol=udp src-address-list=subnet2 to-addresses=192.168.2.1 \
to-ports=123