Problems with connecting to Public interface from Local one

We have servers behind a Mikrotik router. For instance, we have a webserver behind the firewall, which responds to IP a.b.c.d, port 80. If we connect to that server from the public network, everything works like a charm. But, if we try to connect to a.b.c.d:80 from the internal network, we get back RouterOS's web page. Are there any special rules to apply for this to work?

P.S. RouterOS v2.8.22


Kaspars

hello kaspars,

you can try this in the ip firewall submenu:
1 chain=dstnat dst-address=[your_ip_addres/32] protocol=tcp dst-port=80 action=dst-nat to-addresses=[your_ip_local_one] to-ports=0-65535

thanks
Balimore DOT com

Probably I did not make myself clear :slight_smile: I have successfully set up snat and dnat. But, the problem occurs only when I try to access the web server’s public IP from the local network.

Following is a simplified configuration. The router, of course, has much more sophisticated rules. But the same thing is happening on a brand new 2.9.19 with a much simpler set-up, which I installed at the office. We cannot access the mailserver by Public IP from the Local network: the connection gets refused, because the Mikrotik router thinks that we are requesting the router’s port 25, not the address and port which dnats to the mailserver on the Local network. So, after that I decided to write this post :slight_smile:

So, back to the configuration. Suppose the router has two Public IP addresses and one Local:

> /ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS         NETWORK      BROADCAST      INTERFACE 
 0   10.0.0.1/24     10.0.0.0     10.0.0.255     Local     
 1   x.x.x.66/28     x.x.x.64     x.x.x.79       Public   
 2   x.x.x.69/28     x.x.x.64     x.x.x.79       Public

x.x.x.66 is used to access router. x.x.x.69 is our webserver.

Source NAT and destination NAT rules are like this:

> /ip firewall src-nat print 
Flags: X - disabled, I - invalid, D - dynamic 
 0   src-address=10.0.0.12/32 out-interface=Public action=nat to-src-address=x.x.x.69
> /ip firewall dst-nat print
Flags: X - disabled, I - invalid, D - dynamic 
0   in-interface=Public dst-address=x.x.x.69/32:80 protocol=tcp action=nat to-dst-address=10.0.0.12

Routes are default (wasn’t sure, if this info is required for this issue):

> /ip route print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected, C - connect, S - static, r - rip, o - ospf, b - bgp 
 #    DST-ADDRESS    G GATEWAY   DISTANCE INTERFACE
 0  S 0.0.0.0/0      r x.x.x.65  1        Public 
 1 DC x.x.x.64/28    r 0.0.0.0   0        Public   
 2 DC 10.0.0.0/24    r 0.0.0.0   0        Local

So, when I am on the Local network and fire Lynx or telnet to x.x.x.66:80, in return I get back the router’s web page. That’s perfectly normal, because this address has no translations.

Now, when I am on the Public network and browse to x.x.x.69:80, I get the web server’s (10.0.0.12) reply. That is exactly what I intended to do.

But now, let’s try to browse to x.x.x.69 from the Local network (for instance, from 10.0.0.12 or any other host). What do we get? The Mikrotik router’s web page. Instead of what seemed to be the most normal answer - 10.0.0.12:80.

Look here:
http://forum.mikrotik.com//viewtopic.php?t=5509&highlight=

Try to write down packet path through router when you are trying to access your internal web server through public IP…
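The following is an added example (not code from the thread or from MikroTik) that does exactly what the reply above suggests: it walks a packet through the order a RouterOS-style router applies its NAT, dst-nat in prerouting, then the routing decision (input to the router itself vs. forward), then src-nat in postrouting, using the addresses and rules posted earlier. It also checks whether the server's reply can get back to the client with the source address the client connected to. The 198.51.100.64/28 block stands in for the thread's x.x.x.64/28, and 203.0.113.5 (Internet client) and 10.0.0.50 (Local client) are constructed hosts. The "hairpin" rule set is an assumption about how the configuration would have to be completed, not something the thread states: a dst-nat rule that does not restrict in-interface, plus a src-nat rule that rewrites Local-to-server traffic to the router's own Local address so the reply comes back through the router and is un-translated there.

```python
"""Packet-path model for the NAT set-up in the thread (added example).

Order modelled: dst-nat (prerouting) -> routing decision -> src-nat (postrouting).
Constructed stand-ins: 198.51.100.64/28 for x.x.x.64/28, 203.0.113.5 as an
Internet client, 10.0.0.50 as a Local client. Hairpin rules are an assumption.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Mirrors '/ip address print': (address, connected network) per interface.
ADDRESSES = {
    "Local": [("10.0.0.1", "10.0.0.0/24")],
    "Public": [("198.51.100.66", "198.51.100.64/28"),
               ("198.51.100.69", "198.51.100.64/28")],
}
ROUTER_OWN = {addr for ifaces in ADDRESSES.values() for addr, _ in ifaces}
DEFAULT_ROUTE_IFACE = "Public"  # 0.0.0.0/0 via Public, as in the route table

# Rules as posted in the thread (x.x.x.69 -> 198.51.100.69).
THREAD_DSTNAT = [{"in_iface": "Public", "dst": "198.51.100.69/32", "proto": "tcp",
                  "dport": 80, "to_dst": "10.0.0.12"}]
THREAD_SRCNAT = [{"src": "10.0.0.12/32", "out_iface": "Public", "to_src": "198.51.100.69"}]
# Assumed hairpin completion: no in-interface restriction on the dst-nat, and a
# src-nat that hides Local clients behind the router when they talk to the server.
HAIRPIN_DSTNAT = [{"dst": "198.51.100.69/32", "proto": "tcp", "dport": 80, "to_dst": "10.0.0.12"}]
HAIRPIN_SRCNAT = THREAD_SRCNAT + [{"src": "10.0.0.0/24", "dst": "10.0.0.12/32",
                                   "out_iface": "Local", "to_src": "10.0.0.1"}]


@dataclass
class Packet:
    in_iface: str
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def _match(rule, pkt, out_iface=None):
    """A rule matches when every field it specifies agrees with the packet."""
    if rule.get("in_iface", pkt.in_iface) != pkt.in_iface:
        return False
    if rule.get("out_iface", out_iface) != out_iface:
        return False
    if rule.get("proto", pkt.proto) != pkt.proto or rule.get("dport", pkt.dport) != pkt.dport:
        return False
    return all(ip_address(getattr(pkt, f)) in ip_network(rule[f]) for f in ("src", "dst") if f in rule)


def route(dst):
    """Routing decision: one of the router's own addresses -> input chain, else egress."""
    if dst in ROUTER_OWN:
        return "input", None
    for iface, entries in ADDRESSES.items():
        if any(ip_address(dst) in ip_network(net) for _, net in entries):
            return "forward", iface
    return "forward", DEFAULT_ROUTE_IFACE


def trace(pkt, dstnat, srcnat):
    """Return (chain, out_iface, packet as it leaves the router)."""
    for rule in dstnat:  # prerouting: dst-nat happens before the routing decision
        if _match(rule, pkt):
            pkt = replace(pkt, dst=rule["to_dst"])
            break
    chain, out_iface = route(pkt.dst)
    if chain == "input":
        return chain, None, pkt  # the router answers itself (e.g. its own web page)
    for rule in srcnat:  # postrouting: sees the already-translated destination
        if _match(rule, pkt, out_iface):
            pkt = replace(pkt, src=rule["to_src"])
            break
    return chain, out_iface, pkt


def reply_source_seen_by_client(original, chain, leaving):
    """Source address the client sees on the reply.

    If the server's reply goes to a host on its own subnet that is not the
    router, it never passes the router's NAT state, so the client sees the
    server's real address instead of the public one it connected to.
    """
    if chain == "input":
        return original.dst
    server_net = next((ip_network(net) for entries in ADDRESSES.values()
                       for _, net in entries if ip_address(leaving.dst) in ip_network(net)), None)
    if server_net and ip_address(leaving.src) in server_net and leaving.src not in ROUTER_OWN:
        return leaving.dst  # reply bypasses the router: mismatched source, connection fails
    return original.dst  # reply passes the router and is un-translated


def scenario(client_iface, client_ip, dstnat, srcnat):
    """Client connects to the public web address; summarise what happens."""
    pkt = Packet(client_iface, client_ip, "198.51.100.69", 80)
    chain, out_iface, leaving = trace(pkt, dstnat, srcnat)
    return {"chain": chain, "out": out_iface, "dst": leaving.dst, "src": leaving.src,
            "reply_from": reply_source_seen_by_client(pkt, chain, leaving)}


if __name__ == "__main__":
    print("Internet client, thread rules:", scenario("Public", "203.0.113.5", THREAD_DSTNAT, THREAD_SRCNAT))
    print("Local client, thread rules:   ", scenario("Local", "10.0.0.50", THREAD_DSTNAT, THREAD_SRCNAT))
    print("Local client, dst-nat only:   ", scenario("Local", "10.0.0.50", HAIRPIN_DSTNAT, THREAD_SRCNAT))
    print("Local client, full hairpin:   ", scenario("Local", "10.0.0.50", HAIRPIN_DSTNAT, HAIRPIN_SRCNAT))
```

Running it shows the four cases in the thread's own terms: the Internet client is forwarded to 10.0.0.12; the Local client with the posted rules lands in the input chain (the router's web page), because the dst-nat rule only matches in-interface=Public and 198.51.100.69 is the router's own address; dropping the in-interface match alone forwards the packet but the server replies to 10.0.0.50 directly from 10.0.0.12, which does not match the address the client connected to; only with the extra src-nat does the reply come back through the router with the expected public source.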

Unfortunately, none of these helped. In fact, I cannot even access the web server via its public IP from the server itself. A DNS server is not a solution, because then we would have to keep two zone copies - one for local use, another for the Public internet. That’s just not the right way to go.

It is quite impossible, because I do not know - how to do that. I would like to quote from that thread:

I’m just confused. I suppose, I will mail to support.