nat to local network

olivier56 · December 16, 2019, 7:58pm

Hello,
here is my configuration:
a router an interfca lan1 a wan interface a lan2 interface and a lan 3 interface;
lan1: 192.168.2.0/24
lan 2: 172.16.0.1/16
lan 3: 192.168.88.0/24
wan: 192.168.1.0.
on lan 2 I have a server in 172.16.01 which has port 443 open but for security reasons I put a port in 5051 on the nat.this port is used for the workfolder of MS. so everything that happens on the wan in 0.0.0.0 5051 and redirect to 172.16.0.1:443.
My pc on lan 3 has a working folder which points to the server via my.address.com:5051.
I want my pc not to go out on the internet to synchronize the working folder but to communicate directly with the lan2 server.
But I don’t see how to do it and if it’s possible. I hope that everything that is part of one of my lan can go and seek sync workfolder without leaving the lan.
https: //www.robinhobo.com/how-to-deploy-work-folders-with-windows-server-2019/link for the workfolder principle:

thank you

olivier56 · December 16, 2019, 8:06pm

re,
i forget:
gateway 192.168.1.254
wan interface adresse 192.168.1.2

anav · December 17, 2019, 3:30am

Normally people recommend Hairpin Nat when attempting to reach ones server from within the network but have to use the WANIP of the device vice the direct LANIP of the server.
I believe there is another way to accomplish this without using hairpin nat (not pointing outside the router) but forget the special config (could be routing somehow??)

Sob · December 17, 2019, 4:57am

With server in lan2 and PC in lan3, you don’t even need hairpin NAT (srcnat rule), because those are different subnets. If you have 192.168.1.2 on WAN, it means that the real public address is on another router and you forward ports from there to your router. You can keep using my.address.com:5051, there’s no problem with that, you just need to configure dstnat correctly:

/ip firewall address-list
add address=my.address.com list=portfwd
/ip firewall nat
add chain=dstnat dst-address-list=portfwd protocol=tcp dst-port=5051 action=dst-nat to-addresses=172.16.0.1 to-ports=443

This covers your connections from lan3. The rest depends on whether you have NAT also on your router or not. And if you do, which router changes ports from 5051 to 443.

olivier56 · December 17, 2019, 8:36pm

Hello,
thank you for the response.
I searched and I used this:
add action = dst-nat chain = dstnat comment = “workfolder to home server” dst-address = 172.16.0.1 dst-port = 5051 in-interface-list = LAN log = yes log-prefix = “work folder” protocol = tcp to-addresses = 172.16.0.1 to-ports = 443

and it works. In the log I have
:
192.168.88.20-> 172.16.0.1:5051

Sob · December 18, 2019, 12:43am

Not exactly what I had in mind (I assumed you wanted to use same my.address.com:5051 everywhere), but it’s fine if you’re happy with it. Well, you can still use my.address.com:5051 with this, if you add static dns record for my.address.com pointing to 172.16.0.1. But then you have to make sure that devices use your router as resolver, which is something you can’t really guarantee under all circumstances.