Port forwarding

Hi, all!

I set up port forwarding to some services on the LAN:

/ip firewall nat add chain=dstnat protocol=tcp dst-port=9700-9800 in-interface=ether1-gateway action=dst-nat to-addresses=192.168.1.200 to-ports=9700-9800

Everything is fine when accessed from outside on the WAN address (DDNS). But from inside it is not possible to reach the service at the same address (DDNS). How can I make this service reachable at the same address (DDNS), both inside and outside?

Now I added a static DNS:

/ip dns static add name=<ddns-domain> address=192.168.88.200

It works, but only if I have one service (192.168.88.200). I also have a NAS (192.168.88.201) which also needs port forwarding (inside and outside) at the same address (DDNS).

Thanks in advance for your help!

Just an idea: add a second rule, adjust the in-interface to your local interface and add dst-address=.

But dst-address can only be specified as an IP, and mine is dynamic (DDNS).

You could probably make an address list similar to this one:

http://wiki.mikrotik.com/wiki/Sync_Address_List_from_DNS_Lookup_Results_-_CNAME_and_A_Records

and use that in your firewall rule.

Best regards,

Jan

All you need is a hairpin NAT rule
http://wiki.mikrotik.com/wiki/Hairpin_NAT

something like

/ip firewall nat
add chain=srcnat action=masquerade src-address=192.168.2.0/24 dst-address=192.168.2.200 out-interface=

Here is the solution for your problem…

http://wiki.mikrotik.com/wiki/Hairpin_NAT

Hi,

I configured everything as described in the article, but it does not want to work. Could you tell me what I'm doing wrong? These are the rules I have:

add action=masquerade chain=srcnat out-interface=ether1-gateway to-addresses=0.0.0.0
add action=dst-nat chain=dstnat dst-port=9700-9800 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.88.200 to-ports=9700-9800
add action=masquerade chain=srcnat dst-address=192.168.88.200 dst-port=9700-9800 out-interface=bridge-local protocol=tcp src-address=192.168.88.0/24
add action=dst-nat chain=dstnat dst-port=4443 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.88.100 to-ports=4443
add action=masquerade chain=srcnat dst-address=192.168.88.100 dst-port=4443 out-interface=bridge-local protocol=tcp src-address=192.168.88.0/24

Thanks!

This should be your entire NAT code:

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-gateway
add action=masquerade chain=srcnat out-interface=bridge-local src-address=192.168.88.0/24
add action=dst-nat chain=dstnat dst-port=9700-9800 protocol=tcp dst-address-type=local to-addresses=192.168.88.200
add action=dst-nat chain=dstnat dst-port=4443 protocol=tcp dst-address-type=local to-addresses=192.168.88.100

dst-address-type=local means “any IP of the Mikrotik itself”
This gets what you want - it’s a little broader than specifying dst-address=wan.ip.of.router, but that’s not a bad thing, especially if the wan IP is dynamic. Normally, with no hairpin support, you just specify dst-port and in-interface=ether1-gateway, but a hairpin connection would not be coming in on that interface… so using dst-address-type=local covers all your bases.

The other half of the magic is the second srcnat rule - which makes the server see the Mikrotik’s lan IP as the source whenever a connection is a hairpin access. This is important. If the actual inside host’s IP were shown to the server, then the server would just respond directly to the other client. The client will then see the reply from the server’s private IP when it tried to reach the server’s public IP, so it will drop the packets. This is what gets fixed by the second masquerade rule.
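To make the reasoning in the previous two paragraphs concrete, here is an added example (not from the thread or from MikroTik) that models the forward and return path of a connection through the NAT rules above. The router's WAN address 203.0.113.5, its bridge-local address 192.168.88.1, the client addresses and the masqueraded port are constructed values; the server address, port range and LAN subnet are the ones from the thread. With the hairpin masquerade rule disabled, the server answers the LAN client directly, the router never sees the reply, and the client's socket rejects a reply coming from 192.168.88.200 when it connected to 203.0.113.5.

```python
"""Model of the hairpin NAT rules from the thread.

Shows why a LAN client reaching the server through the router's public address
needs the second srcnat (masquerade) rule: without it the server answers the
client directly, and the reply never matches the connection the client opened.
"""
from dataclasses import dataclass, replace
import ipaddress

LAN = ipaddress.ip_network("192.168.88.0/24")   # from the thread's rules
ROUTER_WAN = "203.0.113.5"    # constructed stand-in for the (DDNS) WAN address
ROUTER_LAN = "192.168.88.1"   # constructed bridge-local address of the router
SERVER = "192.168.88.200"     # to-addresses of the thread's dst-nat rule
DSTNAT_PORTS = range(9700, 9801)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def in_lan(addr):
    return ipaddress.ip_address(addr) in LAN


def router_forward(pkt, hairpin_masquerade):
    """Forward path: dstnat, then srcnat. Returns the packet the server receives
    and the conntrack entry (original tuple, translated tuple) the router keeps."""
    # dst-address-type=local: any router address (WAN or bridge-local) matches,
    # so a hairpin packet from the LAN is translated like one arriving on ether1.
    if pkt.dst not in (ROUTER_WAN, ROUTER_LAN) or pkt.dport not in DSTNAT_PORTS:
        return pkt, None
    out = replace(pkt, dst=SERVER)
    # Second masquerade rule: LAN source, leaving on bridge-local towards a LAN host.
    if hairpin_masquerade and in_lan(pkt.src) and in_lan(out.dst):
        out = replace(out, src=ROUTER_LAN, sport=40000)   # masqueraded port, constructed
    return out, (pkt, out)


def server_reply(seen):
    """The server answers whatever source address it saw."""
    return Packet(src=seen.dst, sport=seen.dport, dst=seen.src, dport=seen.sport)


def router_return_path(reply, conntrack):
    """The router only touches replies that are routed through it: those addressed
    to one of its own addresses or to a host outside the LAN. A reply sent by the
    server straight to another LAN host bypasses the router entirely."""
    if conntrack is None or (in_lan(reply.dst) and reply.dst != ROUTER_LAN):
        return reply
    orig, translated = conntrack
    expected = (translated.dst, translated.dport, translated.src, translated.sport)
    if (reply.src, reply.sport, reply.dst, reply.dport) != expected:
        return reply            # not a tracked connection, left alone
    # Reverse both translations so the client sees the public address it dialled.
    return Packet(src=orig.dst, sport=orig.dport, dst=orig.src, dport=orig.sport)


def client_accepts(sent, received):
    """A TCP socket only accepts segments that match its 4-tuple."""
    return (received.src, received.sport, received.dst, received.dport) == \
           (sent.dst, sent.dport, sent.src, sent.sport)


def connection_works(client_src, hairpin_masquerade):
    """True if a SYN from client_src to ROUTER_WAN:9700 gets a usable reply."""
    sent = Packet(src=client_src, sport=51000, dst=ROUTER_WAN, dport=9700)
    seen, ct = router_forward(sent, hairpin_masquerade)
    reply = router_return_path(server_reply(seen), ct)
    return client_accepts(sent, reply)


if __name__ == "__main__":
    # LAN client and Internet client; both addresses are constructed.
    for src in ("192.168.88.50", "198.51.100.7"):
        for hp in (False, True):
            state = "OK" if connection_works(src, hp) else "dropped"
            print(f"client {src:14} hairpin masquerade={hp!s:5} -> {state}")
```

The Internet client works either way because its reply is routed back through the router, which reverses the dst-nat from its connection-tracking entry. Only the LAN client depends on the second masquerade rule, which is exactly the case the thread's rule set fixes.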

Btw, in RouterOS 6.x isn't MikroTik doing hairpin NAT by default?

Nope - I just built a pinhole on my Mikrotik running 6.27, and the connection wouldn’t work until I added the masquerade rule.