Problem with NAT loopback for port 80, can't see the web pages

Hi, I have my router 951G-2HnD with settings for NAT loopback so I can use my domain name with a no-ip host from my internal network, and all ports are working except port 80. I need this to work with my WordPress blog and other services running on the NAS in my network with a dynamic IP.

I have the settings with masquerade, but if I put in the rule for port 80 then NAT loopback for port 80 works but then the internet does not work. If I enable that rule and I type this forum page into Chrome, then I see my web server's "page not found" or my internal web server.

These are the settings that I have:

/ip firewall nat
add action=masquerade chain=srcnat comment="This is the masquerade for internal requests to my no-ip host so that it redirects them to my internal network." out-interface=pppoe-out1
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
add action=masquerade chain=srcnat comment="default configuration" out-interface=vlan3
add action=masquerade chain=srcnat comment="This is the masquerade to be able to use the no-ip hosts from inside." dst-address=192.168.47.0/24 src-address=192.168.47.0/24
add action=dst-nat chain=dstnat comment="FOR THIS ONE, IF I REMOVE in-interface=pppoe-out1 THE WEB SERVER ON PORT 80 WORKS BUT WEB PAGES FROM THE BROWSER DO NOT" dst-port=80,443 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.47.11

I don't know if the masquerade for the NAT loopback is set up correctly; in principle it works, but I have the problem with port 80. Does anyone know if it can be done and what I would have to change?

I can remove in-interface=pppoe-out1 to have NAT loopback for port 80, but then I can't browse the internet to see web pages.

Can you help me?

Thanks in advance.

In the last rule, replace “in-interface=pppoe-out1” with “dst-address-type=local”.

Great Sob, it's working.

Is it needed in all the rules where I have services that need loopback? I only had a problem with port 80, the http server.

Thank you very much, I will be eternally grateful. You have solved many problems I had with this rule.

Regards

When forwarding a port, you need some way to limit the scope of the dstnat rule. Otherwise it will try to match any packet, no matter where it comes from or goes to. That's why when you had only "protocol=tcp dst-port=80,443", it caught all packets, including those coming from LAN to web servers on the internet.

The best way is to use dst-address=, if you have a static public address. But if not, it does not work easily with dynamic addresses (it can be done using scripting, but it's not practical).

Using in-interface= is popular too, but it breaks stuff in cases like yours. And strictly speaking, it’s wrong, because it will forward packets destined not only for your public address, but to any address, if they somehow happen to get to your router from WAN interface. But usually it’s not a problem.

Last, dst-address-type=local is a very nice solution too, because it matches any address owned by the router. But it can also break something, because it will match even the router's internal address. So you might want to also add dst-address=!192.168.47.1 (assuming 192.168.47.1 is the router's internal address; also don't miss the "!", which means "not").

Thanks for the detailed explanations, they certainly help me to learn.

I have a server with more image and video services, each working on a given port. I had configured them like the last rule that I wrote at first, but I don't know of any problem with that.

As port 80 is a special case because it is used for many things, unlike other ports, the question is whether, for all the rules with services for which I have to use the no-ip hostname from my network, I also have to add "dst-address-type=local" and "dst-address=!192.168.47.1" to all these rules, so I suppose this will be more effective, as in the case of port 80.

Is it correct?

Regards

Yes, it's a good idea to make your rules react only to the traffic you want.

If you have more port forwarding rules, it's probably best to use a dedicated chain like this:

/ip firewall nat
add action=jump chain=dstnat dst-address-type=local dst-address=!192.168.47.1 \
    jump-target=port-forward
add action=dst-nat chain=port-forward dst-port=5100-5199 protocol=tcp \
    to-addresses=192.168.80.10
add action=dst-nat chain=port-forward dst-port=53 protocol=tcp \
    to-addresses=192.168.80.2
add action=dst-nat chain=port-forward dst-port=53 protocol=udp \
    to-addresses=192.168.80.2

This way you can avoid entering/writing some conditions over and over.
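To make the scoping argument from the two replies above concrete, here is an added example (not from the thread and not RouterOS code): a small Python model of how a dstnat rule's matchers decide which packets it catches. It covers the four variants discussed (no scope, in-interface=, dst-address-type=local, and local plus dst-address=!192.168.47.1) and the dedicated port-forward chain reached through a jump rule. The 192.168.47.x addresses come from the thread; the public address, the internet host and the LAN client are constructed. The model only covers the dstnat step; the srcnat masquerade needed for the hairpin reply path is outside it.

```python
from dataclasses import dataclass
from typing import Optional

# Addresses: the two 192.168.47.x values come from the thread; the public
# address, the internet host and the LAN client are constructed.
ROUTER_PUBLIC = "203.0.113.5"   # constructed: current dynamic address on pppoe-out1
ROUTER_LAN = "192.168.47.1"     # router's internal address (thread)
WEB_SERVER = "192.168.47.11"    # internal web server (thread)
ROUTER_OWNED = {ROUTER_PUBLIC, ROUTER_LAN}  # the set dst-address-type=local refers to

@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 80

@dataclass
class Rule:
    """One dstnat rule. A matcher left at None is 'not specified' (matches anything)."""
    to_addr: Optional[str]          # to-addresses= ; None for the jump rule
    ports: Optional[set] = None     # dst-port=
    proto: Optional[str] = None     # protocol=
    in_iface: Optional[str] = None  # in-interface=
    dst_local: bool = False         # dst-address-type=local
    dst_not: Optional[str] = None   # dst-address=!x

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.ports is not None and p.dport not in self.ports:
            return False
        if self.in_iface is not None and p.in_iface != self.in_iface:
            return False
        if self.dst_local and p.dst not in ROUTER_OWNED:
            return False
        if self.dst_not is not None and p.dst == self.dst_not:
            return False
        return True

def run_chain(rules, p: Packet) -> str:
    """The first matching dst-nat rule rewrites the destination; no match leaves it alone."""
    for r in rules:
        if r.matches(p):
            return r.to_addr
    return p.dst

# Constructed sample packets, all TCP/80 (the port that caused the trouble).
PACKETS = {
    "hairpin":      Packet("bridge-local", "192.168.47.20", ROUTER_PUBLIC),    # LAN -> own public IP
    "from_wan":     Packet("pppoe-out1", "198.51.100.9", ROUTER_PUBLIC),       # internet -> public IP
    "to_internet":  Packet("bridge-local", "192.168.47.20", "198.51.100.80"),  # LAN -> some website
    "to_router_ui": Packet("bridge-local", "192.168.47.20", ROUTER_LAN),       # LAN -> router itself
}

def evaluate(rule: Rule) -> dict:
    """Where each sample packet ends up under a single dstnat rule."""
    return {name: run_chain([rule], p) for name, p in PACKETS.items()}

# The four variants discussed in the thread.
UNSCOPED     = Rule(WEB_SERVER, {80, 443}, "tcp")
BY_IFACE     = Rule(WEB_SERVER, {80, 443}, "tcp", in_iface="pppoe-out1")
BY_LOCAL     = Rule(WEB_SERVER, {80, 443}, "tcp", dst_local=True)
BY_LOCAL_EXC = Rule(WEB_SERVER, {80, 443}, "tcp", dst_local=True, dst_not=ROUTER_LAN)

def dedicated_chain(p: Packet, forward_rules) -> str:
    """Model of the jump setup: the scope is checked once by the jump rule, and
    only then do the port-forward rules (which carry no scope at all) run."""
    jump = Rule(None, dst_local=True, dst_not=ROUTER_LAN)
    return run_chain(forward_rules, p) if jump.matches(p) else p.dst

PORT_FORWARD = [
    Rule(WEB_SERVER, {80, 443}, "tcp"),
    Rule("192.168.80.2", {53}, "udp"),   # DNS server address from the reply above
]

if __name__ == "__main__":
    for name, rule in [("unscoped", UNSCOPED), ("in-interface", BY_IFACE),
                       ("dst-address-type=local", BY_LOCAL),
                       ("local + !router LAN", BY_LOCAL_EXC)]:
        print(f"{name:24} {evaluate(rule)}")
    print("dedicated chain, hairpin ->", dedicated_chain(PACKETS["hairpin"], PORT_FORWARD))
```

Running it shows the three failure modes side by side: the unscoped rule sends the LAN client's request for an internet website to 192.168.47.11 (the "page not found" symptom), the in-interface rule leaves the hairpin packet untouched (no loopback), and dst-address-type=local alone also redirects connections to the router's own 192.168.47.1, which the "!" exclusion fixes.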

Thanks Sob, this is great info and very clear explanation.

I’ve always been using “in-interface=” for port forwarding. I learn something new here today.

Thank you for sharing.

Hi, NAT loopback is working, but access to the WordPress blog that I have in my network is very slow if I connect from my network, and much faster from outside my network via the internet.

What can the problem be?

Regards

Nothing obvious comes to mind. What kind of slow is it? Does it take a long time before it connects, or do you mean transfer speed, or something else?

Hi, I have a WordPress blog in my house. It is not optimized now and it's slow, but it is slower from inside my network than from the internet.

Regards