Well this is MT OS, so what you have to do is
a. pile and stack up 5 hard cover books
b. Do a handstand using the books as your base (without falling over)
c. then remove one hand.
Voila done!!!
Seriously, it's a well-known requirement which is basically, if your server is on the same subnet as a USER attempting to access the server via a dyndns name (i.e. via the external WANIP of your router), then hairpin nat (or called loopback) is required. Since I am opinionated, I tend to say, WTF would one just not use the LANIP to access the server LOL. But I gave up that argument as it seems it's a popular thang to do.
Borrowing from my bestest buddy SOB, a certifiable looney I mean expert!!!
(1) Add required ‘hairpin nat’ masquerade rule
(2) Modify dstnat rules if using dynamic WANIP (static WANIPs do not require a change to dstnat rule). One cannot use the usual ‘in-interface=WAN or in-interface-list=WAN’ dstnat rule because they miss the LAN attempts to access the server via WANIP. There are many methods, one is make a contorted rule, one is to use the ddns cloud service of the router itself in conjunction with a firewall address list entry, and lastly to use a dhcp client script with a similar firewall address technique.
- Masquerade Rule (substitute for your lan subnet)
/ip firewall nat
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.0/24 action=masquerade
…
2(a) Contorted Rule Method - dst-address-type=local for any address on router. Here you enter in the LANIP gateway of the subnet that the server is on for ! destination (local address but not the LANIP of the subnet which leaves the local WANIP on the router as the alternative).
/ip firewall nat
add chain=dstnat action=dst-nat dst-address=!192.168.88.1 \
dst-address-type=local protocol=tcp dst-port=xxxx to-addresses=IPofServer to-ports={only if translation is needed}
…
2(b) MT Cloud DDNS method very popular, and made famous on youtube by stevo (our favourite git, or is that Brit). One creates a firewall address list and puts in the name of your IP Cloud DDNS server. The router will resolve the name to your WANIP. The only downside is a very slight delay in updating your IP when and if it changes. Reliance on outside source (MT service) could be another. On the plus side if your router does not have a public IP this is the better method.
(https://www.youtube.com/watch?v=_kw_bQyX-3U)
…
/ip firewall address-list
add list=external_wan address=<DDNS hostname>
/ip firewall nat
add chain=dstnat action=dst-nat dst-port=xxxx protocol=tcp dst-address-list=external_wan \
to-addresses=IPofServer to-ports={only required if translating to a different port number}
In this method, one simply goes to one IP Cloud DDNS server and copies the name provided (after enabling service) into the firewall address list.
add address=<name of cloud ddns> list=external_wan
2(c). This is Sob's favourite dish (mine is paella). If you are comfortable with scripts this is the best method, otherwise 2b is preferred.
The dstnat rule is similar to the DDNS cloud method as both access a firewall address list entry. The only difference in the firewall address list part is that you add a comment of your choice (has to match script text) to the firewall address list entry and in the example below ‘wan1ip’ is used. The script entry basically says, check if the wan IP is bound and if so stick the address into the firewall address list.
…
/ip firewall nat
add chain=dstnat action=dst-nat dst-port=xxxx protocol=tcp dst-address-list=external_wan-address \
to-addresses=IPofServer to-ports={only required if translating to a different port number}
…
This is what one enters in the DHCP client
/ip dhcp-client
add interface= script=""
# script contents (goes in the script= field above):
:if ($bound=1) do={
/ip firewall address-list set [/ip firewall address-list find where comment="wan1ip"] address=$"lease-address" disabled=no
} else={
/ip firewall address-list set [/ip firewall address-list find where comment="wan1ip"] disabled=yes
}
and finally the firewall address list entry would look like
/ip firewall address-list
add address=x.x.x.x comment="wan1ip" list=external_wan-address
(where x.x.x.x is the current valid wanip)
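
Added example (not part of the original post): a small Python model of one LAN client reaching the server through the WANIP, showing why the masquerade rule in (1) is needed on top of the dstnat rule. The WANIP 203.0.113.7 and the client/server addresses are constructed; only the 192.168.88.0/24 subnet and gateway come from the post.

```python
import ipaddress

# Constructed addresses; the LAN matches the post's 192.168.88.0/24 example.
LAN = ipaddress.ip_network("192.168.88.0/24")
LAN_GW, WAN_IP = "192.168.88.1", "203.0.113.7"
CLIENT, SERVER = "192.168.88.10", "192.168.88.20"

def in_lan(addr):
    return ipaddress.ip_address(addr) in LAN

def router_nat(src, dst, hairpin_rule):
    """Return (src, dst) after dstnat and, optionally, the srcnat masquerade."""
    if dst == WAN_IP:                      # dstnat: WANIP -> server
        dst = SERVER
    if hairpin_rule and in_lan(src) and in_lan(dst):
        src = LAN_GW                       # masquerade: src and dst both on the LAN
    return src, dst

def hairpin_session(hairpin_rule):
    """Trace one LAN client request to the WANIP and the reply it gets back."""
    request_dst = WAN_IP                   # client used the DDNS name
    seen_src, seen_dst = router_nat(CLIENT, request_dst, hairpin_rule)
    # The server answers the source address it saw.
    if seen_src == LAN_GW:
        # Reply returns via the router; connection tracking undoes both NATs.
        reply_src = WAN_IP
    else:
        # Source is on the server's own subnet, so the reply is delivered
        # directly and never passes the router: no reverse translation.
        reply_src = seen_dst
    return {
        "server_saw_src": seen_src,
        "client_saw_reply_from": reply_src,
        # The client only accepts a reply from the address it contacted.
        "accepted": reply_src == request_dst,
    }

if __name__ == "__main__":
    for rule in (False, True):
        print("masquerade rule present:", rule, hairpin_session(rule))
```

With the rule in place the server sees every hairpinned client as 192.168.88.1, so its access logs no longer record the real LAN client address.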