One of the LAN machines can't access itself via the WAN connection

Hello. I’ve configured my router with a WAN PPPoE connection and a DHCP server for the LAN zone, and added some exceptions to the firewall rules for my local server. I can see these ports from WAN hosts, but I can’t see them from the LAN machine where these services (ports) are open. I think the whole LAN has no access either. I’m not a guru in network administration, so I need some help.

For example, you can see my current settings in these excellent screenshots, which show my whole configuration; please tell me where I may have missed some parameters. Thanks a lot, guys. MikroTik is the best!!!
firewall_filter_rules.jpg
firewall_mangle.jpg
bridge.jpg

Good stuff
firewall_nat.jpg
interfaces.jpg

tracert
tracert.jpg
route.jpg

You mean that you have a public address, forwarded some ports to internal server, can access them fine from outside, but it doesn’t work when you connect to your public address from same LAN where server is? If so, you’re looking for hairpin NAT.

Btw, rather than posting screenshots, it’s better to open Terminal and post the output of:

/export hide-sensitive

I tried many variants of rules and filters, but it doesn’t work. It doesn’t work the way you recommended either.
Maybe I can’t configure this router correctly, or it is something else, for example the routes.

I have a LAN via DHCP 192.168.88/24 and a WAN via PPPoE named INET. I’ve shared some ports by port forwarding and that works great, but I can’t access these shared services from srcnat (from 192.168.88.251) to dstnat (192.168.88.251) via INET (the WAN connection).

I’ve configured it as you said previously, but nothing happened.
[東京@東京] > /export hide-sensitive

jul/10/2017 18:33:53 by RouterOS 6.37

software id = XS6M-UI97

# Interface layer of the export: one bridge (BRIDGE), the wireless AP (WLAN),
# three renamed ethernet ports, a PPPoE client (INET) and a PPTP client.
# NOTE(review): in this paste long commands are wrapped onto the following
# lines without a continuation character, and quotes were turned into
# typographic ones; rejoin the lines and restore plain quotes before any
# re-import.
# NOTE(review): no password or pre-shared-key values appear in this
# hide-sensitive export, but user names, the SSID, client MAC addresses and
# the public address are still printed; redact those by hand before posting.
# NOTE(review): the export header reports RouterOS 6.37; confirm the device
# has since been upgraded to a currently supported release.
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf mtu=1500 name=BRIDGE
# wlan1 is renamed WLAN and runs as an access point limited to two stations
# (max-station-count=2).
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce country=russia distance=indoors frequency=auto
max-station-count=2 mode=ap-bridge name=WLAN rx-chains=0,1 ssid=“Nuclear War” tx-chains=0,1 wireless-protocol=802.11
wmm-support=enabled
# ether2 becomes LAN-MASTER, ether3 is slaved to it via master-port, and
# ether1 becomes the physical uplink port WAN.
/interface ethernet
set [ find default-name=ether2 ] name=LAN-MASTER
set [ find default-name=ether3 ] master-port=LAN-MASTER name=LAN-SLAVE
set [ find default-name=ether1 ] name=WAN
# INET is the PPPoE session carried over the physical port WAN; it installs
# the default route (add-default-route=yes).
# NOTE(review): routed internet packets are normally seen on the PPPoE
# interface, not on the underlying ethernet port, so firewall matchers meant
# for internet traffic presumably need INET rather than WAN - confirm against
# the filter rules of this export.
/interface pppoe-client
add add-default-route=yes disabled=no interface=WAN name=INET service-name=inet user=tokio228
/interface pptp-client
add connect-to=myio.ru name=IRK_ALEXEY user=al
# Neighbor discovery is switched off on every interface listed here except
# BRIDGE, whose entry only sets a comment.
/ip neighbor discovery
set LAN-MASTER discover=no
set LAN-SLAVE discover=no
set WAN discover=no
set WLAN discover=no
set BRIDGE comment=defconf
set INET discover=no
set IRK_ALEXEY discover=no
# The default wireless security profile accepts both wpa-psk and wpa2-psk.
# NOTE(review): if every client supports WPA2, dropping wpa-psk is the
# stricter setting - confirm client support first.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods=“” interim-update=5m management-protection=
allowed mode=dynamic-keys radius-mac-accounting=yes radius-mac-authentication=yes radius-mac-mode=
as-username-and-password supplicant-identity=MikroTik
# LAN addressing and services: DHCP pool and server on BRIDGE, one simple
# queue, a user group, bridge membership, wireless access list, addresses,
# static ARP, DHCP leases and DNS.
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=BRIDGE name=defconf
/queue simple
add burst-limit=3M/5M burst-threshold=800k/800k burst-time=7s/7s max-limit=1M/1M name=notebook target=192.168.88.249/32
# Group full2: the policy list grants local, read, write, test, winbox,
# password, web, sniff, api, romon and dude, and denies telnet, ssh, ftp,
# reboot, policy and sensitive.
/user group
add name=full2 policy=
local,read,write,test,winbox,password,web,sniff,api,romon,dude,!telnet,!ssh,!ftp,!reboot,!policy,!sensitive
/interface bridge port
add bridge=BRIDGE comment=defconf interface=LAN-MASTER
add bridge=BRIDGE comment=defconf interface=WLAN
# Two client MAC addresses are listed for WLAN.
# NOTE(review): whether stations outside this list are rejected depends on
# the interface's default-authentication setting, which this export does not
# show - verify before treating the list as an allow list.
/interface wireless access-list
add interface=WLAN mac-address=28:56:5A:7E:46:C9 vlan-mode=no-tag
add interface=WLAN mac-address=00:08:22:78:F1:19 vlan-mode=no-tag
# 192.168.88.1/24 on BRIDGE is the LAN-side router address. The second entry
# assigns the public address 133.242.227.126 to INET; its comment text (a
# wiki URL and a note) is spread over several lines in this paste.
/ip address
add address=192.168.88.1/24 comment=defconf interface=BRIDGE network=192.168.88.0
add address=133.242.227.126 comment=
https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT\r\
\n\r
\nDestination NAT\r
\nForward all traffic to internal host” interface=INET network=133.242.227.126
# Static ARP entry for 192.168.88.253.
# NOTE(review): the same MAC address also holds the static DHCP lease for
# 192.168.88.251 below - confirm that two addresses for one MAC is intended.
/ip arp
add address=192.168.88.253 interface=BRIDGE mac-address=68:05:CA:35:E6:E9
# DHCP client on the physical WAN port; no default route, peer DNS or peer
# NTP is taken from it.
/ip dhcp-client
add add-default-route=no comment=defconf dhcp-options=hostname,clientid disabled=no interface=WAN use-peer-dns=no
use-peer-ntp=no
# Static leases pin .252, .251 and .250 to fixed MAC addresses.
/ip dhcp-server lease
add address=192.168.88.252 client-id=1:0:8:22:78:f1:19 comment=static mac-address=00:08:22:78:F1:19 server=defconf
add address=192.168.88.251 client-id=1:68:5:ca:35:e6:e9 comment=static mac-address=68:05:CA:35:E6:E9 server=defconf
add address=192.168.88.250 client-id=1:74:27:ea:0:9:be comment=static mac-address=74:27:EA:00:09:BE server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1 netmask=24
# allow-remote-requests=yes makes the router itself answer DNS queries.
# NOTE(review): nothing in this section limits who may query it; that has to
# be enforced in the firewall input chain on the internet-facing interface -
# verify that such a rule exists and actually matches.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
# Static records: a set of third-party host names resolved to 127.0.0.1
# (apparently a block list), followed by the poster's own names
# (tokinizer.org and subdomains) resolved to LAN addresses. LAN clients that
# resolve through the router therefore get the server's LAN address for those
# names - presumably a workaround for the access problem in this thread.
/ip dns static
add address=192.168.88.1 name=router
add address=127.0.0.1 name=counter.yadro.ru ttl=1m
add address=127.0.0.1 name=tns.counter.ru ttl=1m
add address=127.0.0.1 name=mc.yandex.ru ttl=1m
add address=127.0.0.1 name=www-google-analytics.l.google.com ttl=1m
add address=127.0.0.1 name=www.google-analytics.com ttl=1m
add address=127.0.0.1 name=stats.l.doubleclick.net ttl=1m
add address=127.0.0.1 name=stats.g.doubleclick.net ttl=1m
add address=127.0.0.1 name=www.tns-counter.ru ttl=1m
add address=127.0.0.1 name=wide-plus.l.google.com ttl=1m
add address=127.0.0.1 name=www.searchengines.ru ttl=1m
add address=127.0.0.1 name=ksn-file.geo.kaspersky.com ttl=1m
add address=127.0.0.1 name=ksn-crypto-stat.geo.kaspersky.com ttl=1m
add address=127.0.0.1 name=searchenginesru.zendesk.com ttl=1m
add address=127.0.0.1 name=mc.webvisor.org ttl=1m
add address=127.0.0.1 name=searchengines.guru ttl=1m
add address=127.0.0.1 name=event.shelljacket.us ttl=1m
add address=127.0.0.1 name=ssl-google-analytics.l.google.com
add address=127.0.0.1 name=sb.l.google.com ttl=1m
add address=127.0.0.1 name=portal-xiva.yandex.net ttl=1m
add address=127.0.0.1 name=anycast-europe.quantserve.com.akadns.net ttl=1m
add address=127.0.0.2 disabled=yes regexp=“^(search|stats)$” ttl=1m
add address=127.0.0.1 name=farm-hetzner.plista.com
add address=127.0.0.1 name=tools.google.com ttl=1m
add address=127.0.0.1 name=www.facebook.com ttl=1m
add address=127.0.0.1 name=stat.pladform.ru ttl=1m
add address=192.168.88.251 name=tokinizer.org
add address=192.168.88.251 regexp=“^(xcache|shop|l2|test)\.tokinizer.org$”
add address=192.168.88.250 name=csgo.tokinizer.org
# Address lists referenced by the firewall rules.
# NOTE(review): the only entry of list dov is disabled, so rules matching
# src-address-list=dov match nothing unless the list is filled elsewhere.
/ip firewall address-list
add address=myio.ru disabled=yes list=dov
add address=192.168.88.251 comment=“my pc” list=main
add address=192.168.88.250 comment=“miner, srscds-public” list=station1
# 192.168.88.250/31 covers .250 and .251.
add address=192.168.88.250/31 comment=“my homenet” list=nat
# Filter rules are evaluated in order within each chain and the first match
# decides. As exported, the input chain holds an ICMP accept, one drop and
# one Winbox accept; it has no established/related accept and no final
# drop-everything rule.
/ip firewall filter
add action=accept chain=input comment=“defconf accept ICMP” protocol=icmp
add action=accept chain=forward comment=“defconf: accept established,related” connection-state=established,related
# NOTE(review): this drop matches in-interface=WAN, the physical port.
# Internet traffic reaches the router through the PPPoE interface INET, so
# the rule presumably does not match it, which would leave the input chain
# without an effective drop for internet-sourced packets (including queries
# to the resolver enabled under /ip dns). Confirm with the rule counters and
# consider matching INET.
add action=drop chain=input comment=“drop all from WAN” in-interface=WAN log=yes
# FastTrack rule, disabled.
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack” connection-state=established,related disabled=
yes
# Duplicate of the established,related accept above.
add action=accept chain=forward comment=“defconf: accept established,related” connection-state=established,related
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=invalid log=yes
# Winbox (tcp/8291) accept limited to list dov. It is placed after the input
# drop above, and the list's only entry is disabled, so as exported it admits
# no source.
add action=accept chain=input comment=“to winbox access from wan connection” dst-port=8291 protocol=tcp src-address-list=
dov
# NOTE(review): the comment says INET but the matcher is in-interface=WAN;
# for the same reason as the input drop, new non-dstnat connections arriving
# over PPPoE are presumably not caught here - confirm.
add action=drop chain=forward comment=“defconf: drop all from INET not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface=WAN log=yes
# Drops udp/53 arriving on INET in the forward chain, i.e. DNS routed through
# the router. Queries addressed to the router's own resolver traverse the
# input chain and are not covered by this rule.
add action=drop chain=forward comment=“view to dns flood” dst-port=53 in-interface=INET log=yes protocol=udp
# NAT table. srcnat: masquerade everything leaving via INET. dstnat: port
# forwards from the public address 133.242.227.126 to LAN hosts, written with
# action=netmap.
/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade” log-prefix=masq-1st out-interface=INET
# Disabled attempt at a LAN-side source NAT: udp from 192.168.88.0/24 to
# 192.168.88.250 leaving via BRIDGE.
add action=masquerade chain=srcnat comment=masq-tried disabled=yes dst-address=192.168.88.250 log=yes log-prefix=masq-tried
out-interface=BRIDGE protocol=udp src-address=192.168.88.0/24 to-addresses=133.242.227.126
# Disabled: would send everything addressed to the public address to
# 192.168.88.250.
add action=dst-nat chain=dstnat disabled=yes dst-address=133.242.227.126 log=yes to-addresses=192.168.88.250
# Every forward below requires in-interface=INET. A LAN client connecting to
# 133.242.227.126 enters on BRIDGE, so none of these rules translate its
# connection; the thread's author names this in-interface match as the cause
# of the problem. Hairpin access needs the dstnat match to apply to
# LAN-originated packets as well, plus a srcnat rule for LAN-to-server
# traffic so that replies return through the router.
# Each enabled forward exposes the listed port of a LAN host to any internet
# source; only the last rule restricts the source (src-address-list=dov).
add action=netmap chain=dstnat dst-address=133.242.227.126 dst-port=80 in-interface=INET protocol=tcp to-addresses=
192.168.88.251 to-ports=80
add action=netmap chain=dstnat dst-address=133.242.227.126 dst-port=27032 in-interface=INET protocol=udp to-addresses=
192.168.88.251 to-ports=27032
# Port range forwarded with to-addresses=192.168.88.250/31 (a two-address
# range). NOTE(review): confirm which host is meant to receive 26900-26901.
add action=netmap chain=dstnat dst-address=133.242.227.126 dst-port=26900-26901 in-interface=INET protocol=udp
to-addresses=192.168.88.250/31 to-ports=26900-26901
add action=netmap chain=dstnat dst-address=133.242.227.126 dst-port=27015 in-interface=INET protocol=udp to-addresses=
192.168.88.250 to-ports=27015
add action=netmap chain=dstnat dst-address=133.242.227.126 dst-port=27080 in-interface=INET protocol=udp to-addresses=
192.168.88.250 to-ports=27080
add action=netmap chain=dstnat dst-address=133.242.227.126 dst-port=27400 in-interface=INET protocol=udp to-addresses=
192.168.88.250 to-ports=27400
add action=netmap chain=dstnat dst-address=133.242.227.126 dst-port=27015 in-interface=INET protocol=tcp to-addresses=
192.168.88.250 to-ports=27015
# Disabled alternative for 26900-26901 pointing at 192.168.88.251.
add action=netmap chain=dstnat disabled=yes dst-address=133.242.227.126 dst-port=26900-26901 in-interface=INET protocol=udp
to-addresses=192.168.88.251 to-ports=26900-26901
add action=netmap chain=dstnat dst-address=133.242.227.126 dst-port=50000 in-interface=INET protocol=tcp to-addresses=
192.168.88.251 to-ports=50000
add action=netmap chain=dstnat dst-address=133.242.227.126 dst-port=50000 in-interface=INET protocol=udp to-addresses=
192.168.88.251 to-ports=50000
# NOTE(review): dst-port is 5938,5939 but to-ports is 5838-5839; one of the
# two looks like a typo - confirm. The rule is also gated on list dov, whose
# only entry is disabled in this export.
add action=netmap chain=dstnat dst-address=133.242.227.126 dst-port=5938,5939 in-interface=INET protocol=tcp
src-address-list=dov to-addresses=192.168.88.251 to-ports=5838-5839
# Connection-tracking helpers (service ports): every helper listed here is
# disabled.
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec policy
set 0 disabled=yes
# Host route for the public address via BRIDGE; the second route (via the
# PPTP client) is disabled.
# NOTE(review): 133.242.227.126 is also assigned to INET under /ip address;
# this route looks like part of the attempts to reach the public address from
# the LAN - confirm it is still needed.
/ip route
add distance=1 dst-address=133.242.227.126/32 gateway=BRIDGE
add disabled=yes distance=1 dst-address=192.168.8.0/24 gateway=IRK_ALEXEY
# Management services switched off here: telnet, ftp, www, ssh, api, api-ssl.
# NOTE(review): Winbox is not listed; the export presumably prints only
# changed settings, so Winbox is presumably still enabled - verify, and limit
# the source addresses allowed to reach it if so.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia/Tokio
/system identity
set name=東京
# protected-routerboot is disabled as exported.
/system routerboard settings
set cpu-frequency=650MHz protected-routerboot=disabled
# MAC-Telnet server: the default entry and the BRIDGE entry are disabled, the
# LAN-MASTER entry is enabled.
/tool mac-server
set [ find default=yes ] disabled=yes
add disabled=yes interface=BRIDGE
add interface=LAN-MASTER
# MAC-Winbox mirrors the same three entries, so layer-2 management access is
# offered on LAN-MASTER only, as exported.
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add disabled=yes interface=BRIDGE
add interface=LAN-MASTER
[東京@東京] >

Solved. I made a mistake when forwarding my ports.
I had set in-interface to the PPPoE interface, so when I tried to forward traffic in the bridge there was a problem, because the dstnat rule dropped it.