NAT: going out and coming back in

Hi,

I’m stuck on building a correct NAT rule and hope someone smarter than I am can provide some guidance.

I have a service (several actually) that runs on my internal network and is accessed both from my internal network and the internet using my FQDN and some port. e.g. my.cooldomain.com:8080

If I do this, it routes all traffic on port 8080 regardless of destination to the same place:

add action=dst-nat chain=dstnat dst-port=8080 protocol=tcp to-addresses=10.10.10.90 to-ports=8080

but if I want to access something like google.com:8080 it redirects internally instead of passing me to google.com. I’ve tried putting an input specifier there such as:

add action=dst-nat chain=dstnat in-interface=ether1-gateway dst-port=8080 protocol=tcp to-addresses=10.10.10.90 to-ports=8080

but then I lose the ability to have internal sites going to my.cooldomain.com:8080 properly reach it.

I’m trying to find a way to build this ability into one NAT rule vs having a special one. My external IP changes so I can’t hardcode an IP in there. If I could put a FQDN in there it would be easy but I can’t see how to do that.

Ideas?

Thanks.

How often does the IP change? You might want to have a look at these links:
http://wiki.mikrotik.com/wiki/Manual:Scripting-examples#Resolve_host-name
http://wiki.mikrotik.com/wiki/Use_host_names_in_firewall_rules

Not that often. Thanks for the link to those scripts. I think I can make those scripts work although I was hoping for something easier like pre-routing. I’ll take what I can get. :)

What you need is a hairpin NAT rule.
Make use of the second NAT rule you suggested, that will work for outside initiated connections.
Additionally create a NAT rule like
/ip firewall nat
add chain=srcnat action=masquerade dst-address=10.10.10.90 dst-port=8080 protocol=tcp src-address=<your LAN subnet> out-interface=<your bridge/interface>

Yes! Thank you! That’s the info I needed.

I went around looking at the various hairpin rules and they all need WAN IPs. That is, until I found this post:

http://forum.mikrotik.com/t/hairpin-nat/68482/1

Which gave me what I needed without the WAN IP. Thanks!

I may have 3 rules (one to send them in, one to alter the destination, and one to masquerade) but it works without having to resolve the IP.
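For reference, here is one way to write the three-rule hairpin set described in this thread without hardcoding the WAN IP. This is an added example, not the configuration any poster shared; it assumes the LAN subnet is 10.10.10.0/24 and keeps the thread's placeholder <your bridge/interface> for the LAN-side interface. The key is dst-address-type=local, which only matches packets addressed to an IP the router itself holds, so a LAN client going to google.com:8080 is no longer captured the way the original catch-all rule did.

```routeros
/ip firewall nat
# 1. Inbound from the internet: only packets arriving on the WAN interface are forwarded.
add chain=dstnat in-interface=ether1-gateway protocol=tcp dst-port=8080 action=dst-nat to-addresses=10.10.10.90 to-ports=8080 comment="inbound 8080 from internet"
# 2. Hairpin from the LAN: my.cooldomain.com resolves to the router's current public IP, and
#    dst-address-type=local matches whatever IP that currently is, so nothing needs re-resolving.
#    Traffic to any other host on port 8080 (e.g. google.com:8080) does not match and passes through.
add chain=dstnat in-interface=<your bridge/interface> dst-address-type=local protocol=tcp dst-port=8080 action=dst-nat to-addresses=10.10.10.90 to-ports=8080 comment="hairpin 8080 from LAN"
# 3. Masquerade hairpinned connections so the server replies via the router instead of
#    answering the LAN client directly (which would break the connection).
#    src-address=10.10.10.0/24 is an assumed LAN subnet; adjust to yours.
add chain=srcnat src-address=10.10.10.0/24 dst-address=10.10.10.90 protocol=tcp dst-port=8080 out-interface=<your bridge/interface> action=masquerade comment="hairpin masquerade"
```

After adding the rules, /ip firewall nat print stats shows the packet counters on rules 2 and 3 increment only for LAN clients hitting the FQDN, which is a quick way to confirm the narrower match is doing what you expect.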