dadag90
September 25, 2017, 6:59am
1
Hey,
I have a problem with redirecting a www server to port 80. From WAN it works fine, but from LAN I see the MikroTik web page. I have no idea what to change in the config.
Mikrotik CCR1009-7g-1c-1s+
First try, NAT:
add action=dst-nat chain=dstnat comment=HTTP disabled=yes dst-port=80 in-interface=WAN protocol=tcp to-addresses=10.1.1.1 to-ports=80
Second try:
add action=dst-nat chain=dstnat comment="HTTP 80" dst-address=78.11.111.114 dst-port=80 protocol=tcp to-addresses=10.1.1.1 to-ports=80
dadag90
September 26, 2017, 4:39am
3
It’s still not working. I tried:
/ip firewall nat
add chain=dstnat dst-address=78.11.111.114 protocol=tcp dst-port=80 action=dst-nat to-address=10.1.1.1
add chain=srcnat out-interface=WAN action=masquerade
add chain=srcnat src-address=10.1.0.0/16 dst-address=10.1.1.1 protocol=tcp dst-port=80 out-interface=LAN action=masquerade
Moreover, I can’t access any other device via the www interface.
@Edit
What am I doing wrong?
Maybe the other way around. Do you use the MikroTik as a DNS server, or do you have an internal DNS server? If yes, why not add a static address to the cache and the problem is resolved. If you don’t have an internal DNS server, try creating a rule without src-address, just the port and destination IP of the server. I have it that way and it works fine.
I don’t have a DNS server, I use Google. A rule without src-address was my first try, and it doesn’t work… Any idea?
chain=dstnat action=dst-nat to-addresses=10.1.1.1 to-ports=80 protocol=tcp in-interface=WAN dst-port=80
evince
October 9, 2017, 10:41am
8
Hello,
Your hairpin NAT rule should look like this:
add action=dst-nat chain=dstnat comment="hairpin nat" dst-address=!10.1.0.0/16 dst-address-type=local log=yes log-prefix=hairpin to-addresses=10.1.1.1
Regards,
Now I have:
/ip firewall nat
add chain=dstnat dst-address=78.11.111.114 protocol=tcp dst-port=80 action=dst-nat to-address=10.1.1.1
add chain=srcnat out-interface=WAN action=masquerade
add action=dst-nat chain=dstnat comment="hairpin nat" dst-address=!10.1.0.0/16 dst-address-type=local log=yes log-prefix=hairpin to-addresses=10.1.1.1
I can view www from WAN, but from the local network the web page is not reachable. It’s some change, but still not what I want. I tried to disable masquerade, but no result.
evince
October 10, 2017, 10:35am
10
Hello,
Disable the first rule: add chain=dstnat dst-address=78.11.111.114 protocol=tcp dst-port=80 action=dst-nat to-address=10.1.1.1
And try from WAN and LAN.
dadag90
October 11, 2017, 7:35am
11
I tried only this:
add chain=srcnat out-interface=WAN action=masquerade
add action=dst-nat chain=dstnat comment="hairpin nat" dst-address=!10.1.0.0/16 dst-address-type=local log=yes log-prefix=hairpin to-addresses=10.1.1.1
I can’t reach it from WAN or LAN.
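
Added example, not part of any post in the thread: a small Python model of the general hairpin NAT packet path for a LAN client connecting to the public address, showing why both a dst-nat match and a src-nat on LAN-to-server traffic are needed. It is not a diagnosis of the configuration above; the router LAN address 10.1.0.1 and the client address 10.1.2.50 are assumptions, the other addresses come from the thread.

```python
from ipaddress import ip_address, ip_network

PUBLIC, SERVER = "78.11.111.114", "10.1.1.1"   # addresses from the thread
ROUTER_LAN, CLIENT = "10.1.0.1", "10.1.2.50"   # assumed, not given in the thread
LAN = ip_network("10.1.0.0/16")                # LAN subnet from the thread


def lan_client_result(dstnat_matches_lan, hairpin_srcnat):
    """Trace one TCP/80 connection from CLIENT to PUBLIC; return what the client gets."""
    src, dst = CLIENT, PUBLIC

    # dstnat stage: a rule limited to in-interface=WAN never sees LAN traffic,
    # so the packet stays addressed to the router and its own web service answers.
    if not dstnat_matches_lan:
        return "router's own web page"
    dst = SERVER

    # srcnat stage: optionally hide the LAN client behind the router's LAN address.
    if hairpin_srcnat and ip_address(src) in LAN and dst == SERVER:
        src = ROUTER_LAN

    # The server replies to whatever source address it saw.
    reply_src, reply_dst = SERVER, src
    if reply_dst == ROUTER_LAN:
        # Reply passes back through the router; connection tracking
        # reverses both translations before delivery to the client.
        reply_src, reply_dst = PUBLIC, CLIENT
    # Otherwise client and server share the subnet, so the reply goes
    # directly to the client and the router never gets to rewrite it.

    if reply_src == PUBLIC:
        return "server page"
    return f"reply from {reply_src} dropped (client expected {PUBLIC})"


if __name__ == "__main__":
    cases = [
        ("dst-nat only on in-interface=WAN", False, False),
        ("dst-nat on dst-address, no hairpin src-nat", True, False),
        ("dst-nat on dst-address + hairpin src-nat", True, True),
    ]
    for label, dnat, snat in cases:
        print(f"{label}: {lan_client_result(dnat, snat)}")
```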