I have a RB4011 with a basic configuration that I have attached to this post.
I also have a webserver with Apache, PHP 7 and MySQL behind it with a default configuration. A registered domain name resolves to my external IP address (also from my LAN).
I’ve put a simple HTML page on the webserver, which I can see when I open http(s)://192.168.1.210 in my browser on a computer in my LAN. The issue is that if I open http(s)://myowndomain.pl on the same computer I get a connection refused error (ERR_CONNECTION_REFUSED in Firefox). If I open the same address on the same computer, but when using another Internet connection, the web page opens without issues.
While there’s no problem with HTML, many PHP applications require the domain name in their configuration to render dynamic addresses, so they would not work if I used 192.168.1.210 to open the webpage.
Example:
This is what would need to be put in configuration file of Wordpress content management system:
Do you use your MikroTik as DNS server? Then simply add some “static” entries that point “www.mydomain.pl” to “192.168.1.210”.
Test it by doing “ping www.mydomain.pl” on your PC and see if the reply comes from 192.168.1.210.
An alternative is to simply adapt the hosts file on your PC; on a Linux box simply edit /etc/hosts and add 1 line (then there is no need to adapt the MikroTik DNS).
On a Windows box go to C:\Windows\System32\drivers\etc\hosts and edit it with admin privileges.
Actually, ping <my_domain> works and already returns the correct external IP address.
I have a bunch of static IPs in my DNS configuration, but none of them points to my domain name nor to the external IP.
My LAN computers get their network settings from the MikroTik, so the DNS servers are in the following order:
192.168.1.1 - Mikrotik router
xxx.xxx.xxx.xxx - ISP’s DNS
8.8.8.8 - Google DNS
1.1.1.1 - Cloudflare DNS
My domain should be resolvable at the ISP’s level.
If you are on the inside of your network, where the server is, you need a DNS pointing to the internal address.
You can not use the external address on the inside network.
There are other ways to do it, but adding a static DNS entry on your inside DNS server pointing to the inside IP is the simplest way to solve this, if you have an internal DNS server.
Go for hairpin NAT, it’s also simple and unlike static DNS entries, you won’t need to touch it ever again, no matter how many hostnames you add/remove/change.
Not 100% true. If you add a web camera on another IP than your web server, you need to make some changes.
You can, as I do, use a proxy server that handles all URLs and sends them to different servers. Then you can hairpin the proxy server.
and it covers everything. Any number of internal servers and ports, even any number of public addresses if you have more than one. It works transparently for all hostnames, even numeric addresses. And you don’t need to care what DNS resolver the client uses.
oh oh oh my turn. (jotne sounds like food that will give one a stomach ache, and Sob, well one feels pity welling forth)
Before starting down the road one has to determine if one is using a fixed static WAN IP or a dynamic WAN IP.
Hairpin NAT is for when the user/device is in the same subnet as the server!
Note that the one extra source NAT (masquerade) rule that Sob noted simply works, and is required for both cases of WAN IP.
DST NAT rules can be a tad more complicated…
Fixed, static WAN IP
There is no change to the DST NAT rules (except drop in-interface-list=WAN and replace that with – > dst-address=fixedwanip ).
For a dynamic WAN IP, Option A - Use the MT cloud service*** and slightly alter the dstnat rules (works for internal and external users).
add action=dst-nat chain=dstnat dst-address-list=cloudDNS dst-port={tcplist} protocol=tcp to-addresses=192.168.88.232 (sample server LAN IP)
*** Requires
a. Turn on mikrotik cloud service
b. Go to IP-> Firewall-> Address lists, create an entry with whatever name you wish e.g. “cloudDNS” and at the address type the cloud DNS of your MikroTik…
This will automatically resolve the name to your Public IP address…
c. If you have a dyndns name already or something similar I think you can simply point it at the clouddns.
Option B - Modify existing DST NAT rules (and thus why it is easier to change two rules vice a gazillion - list ports on one rule vice several if going to the same server).
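Both approaches discussed so far, the static DNS entry from the earlier reply and the hairpin NAT rules from the post above, written out as RouterOS configuration. This is an added example, not configuration from the thread or from MikroTik. It assumes the LAN 192.168.1.0/24, router 192.168.1.1 (the LAN resolver), web server 192.168.1.210 and the domain from the first post; the fixed WAN IP 203.0.113.10 and the cloud DDNS name are placeholders.

```routeros
# Added example (not from the thread). Assumed: LAN 192.168.1.0/24, router
# 192.168.1.1 is the LAN DNS, web server 192.168.1.210, domain myowndomain.pl.
# 203.0.113.10 (fixed WAN IP) and the cloud DDNS name are placeholders.

# --- Approach 1: static DNS on the router (clients must use 192.168.1.1) ---
# LAN clients resolve the public name straight to the LAN address, so traffic
# never touches NAT and the web server log keeps the real client IP.
/ip dns static
add name=myowndomain.pl address=192.168.1.210 comment="LAN override of public name"
add name=www.myowndomain.pl address=192.168.1.210 comment="LAN override of public name"

# --- Approach 2: hairpin NAT (any hostname, no per-host records) ---
# Expose only the ports the service needs (80/443 here).
/ip firewall nat
# 2a. Fixed WAN IP: match the public address instead of in-interface-list=WAN,
#     so the same rule catches connections from WAN and from the LAN.
add chain=dstnat dst-address=203.0.113.10 protocol=tcp dst-port=80,443 \
    action=dst-nat to-addresses=192.168.1.210 comment="web: fixed WAN IP"
# 2b. Dynamic WAN IP: match an address list the router keeps resolved
#     from the cloud DDNS name (list defined below). Use 2a OR 2b, not both.
add chain=dstnat dst-address-list=cloudDNS protocol=tcp dst-port=80,443 \
    action=dst-nat to-addresses=192.168.1.210 comment="web: dynamic WAN IP"
# The extra srcnat rule that makes hairpin work: LAN client -> LAN server via
# the public address. Scoped to LAN-to-LAN so nothing else is masqueraded.
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.0/24 \
    action=masquerade comment="hairpin NAT"
# Regular outbound masquerade (normally already present).
add chain=srcnat out-interface-list=WAN action=masquerade

# Address list for 2b: a DNS name in an address-list entry is re-resolved
# by the router, so the rule follows the public IP when it changes.
/ip cloud set ddns-enabled=yes
/ip firewall address-list
add list=cloudDNS address=xxxxxxxxxxxx.sn.mynetname.net comment="placeholder: your cloud DDNS name"

# --- Checks ---
# Open https://myowndomain.pl from a LAN PC, then look at the rule counters:
# dstnat and "hairpin NAT" should both increase. A hairpin counter stuck at 0
# means the srcnat rule is missing, or the client got the LAN address from
# approach 1 (then the request never needed NAT, which is fine).
/ip firewall nat print stats
# Confirm what the router itself resolves the name to.
/ping myowndomain.pl count=1
```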
Hairpin NAT
Pros:
Easy to set up
Add a new server without any internal NAT
Cons:
All packets go through the router for devices on the same net. Gives more load on the router.
The local log on the webserver sees packets coming from the router, so you do not see who from the internal net is using the webserver.
Local DNS server
Pros:
Easy to set up
Internal traffic does not load the router.
IPs are intact, so the log shows the real internal user IP
Cons:
Need an internal DNS server you can add DNS records to.
For every new internal server a DNS record needs to be entered.
If I do miss other pros/cons, please let me know, and I will update the list.
TL;DR: Hairpin NAT does not require any maintenance and transparently handles everything, even things that can’t be done with DNS.
And about cons, it’s not too bad:
Packets going to the router and back is a disadvantage, but the idea is that you do not use it for services with huge traffic. You can, but the router will have to work harder. The main advantage is simple compatibility: you add one rule and don’t worry about anything ever again. It’s a trade-off. But it’s not hairpin NAT or static DNS, you can have both. So if you have one service with huge traffic, where increased load on the router would be a problem, you can add static DNS just for that service. But still keep hairpin NAT for everything else.
Not being able to see the addresses of individual local clients shouldn’t be a problem. Hairpin NAT allows local access to a public service. When someone accesses the same service from the internet, you see only their public address, not their private address in the remote LAN. You get the same behaviour with local clients, so why should you suddenly care about the difference?
Steve’s method is cool. ( real hairpin, not the faux poor man’s DNS kludge ;-p )
But how do you point an existing DDNS type account to the MikroTik one??
I don’t think I can in DynDNS as it accepts IP address inputs and I don’t think URL names??
Is it even possible to not like it? Yes, it’s a hack. But it’s so simple, effective, almost foolproof (except nothing really is, because fools are very creative). If you are a big company with proper DNS infrastructure, you have enough professional admins who can take care of things, you hate hacks out of principle, then stick with DNS. But otherwise the choice is very simple: hairpin NAT is unbeatable.
@anav: I’m not sure if that’s what you’re asking, but you may be looking for CNAME records, it’s a way to point www.yourcompany.tld to DDNS record.
Yup, thanks, done, signed up to dynu, found out they can create CNAMEs and attached it to my MT cloud DDNS, and thus I could get rid of the scripts that update the DynDNS now…