public access

Hello,
I'm new to MikroTik devices; I'm using a hAP ac. Here is what I have:
The PPPoE connection is set up on the router, and my provider also provides me DNS.

192.168.0.1 router ip

192.168.0.5 nas with openvpn

I just want to access the OpenVPN server from the internet. I figured out that I need to make a firewall NAT rule. Here is the problem: in the NAT rule, at dst. address I put my DNS, and it was transformed to the public IP. If my power goes down my IP changes, but the NAT rule does not, because it reads the IP, not the DNS. How can I do this? I just want something automatic, to assign my public IP to that NAT rule every time my power goes down.

Post your dst nat rule

/ip firewall nat add action=dst-nat chain=dstnat dst-port=9000 in-interface=ether1 protocol=tcp to-addresses=172.16.0.233 to-ports=9000

You can see here you can use incoming interface instead of destination ip

With this setup it works, but I just want something automatic.

First of all, do not post your public address;
second: try export instead of screen capture;
third: use incoming interface instead of IP address.

Thanks, it works 🙂

Can you explain to me how to make hairpin? I just set up the PPPoE connection, but when I want to access my external IP from the local network, it shows me the router page all the time. On my phone, the public IP redirects to my site, so that's fine.

If you want hairpin NAT, you can’t do this:

It’s because connections from LAN of course have LAN as incoming interface and it won’t match in-interface=. But you need to match destination somehow. You can’t easily use IP address if it’s dynamic. But you can use dst-address-type=local, which matches any address assigned to router. Next problem can be that it matches all local addresses. It doesn’t matter for some “exotic” ports, but if it would be e.g. port 80, which you’d want to forward to internal server, but at the same time you’d like to have WebFig also on port 80, that would not be accessible, because dstnat would forward all connections to internal server. The way around that is to exclude router’s internal address from dstnat rule.

Example config:

/ip firewall nat
add chain=dstnat dst-address-type=local dst-address=!192.168.0.1 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.0.x
add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.0/24 action=masquerade comment="hairpin NAT"

OK thanks. If my network is 192.168.88.x, how can I change those rules?

192.168.0.1 → 192.168.88.1 (probably, it’s the address on router)
192.168.0.x → 192.168.88.x (address of internal server)
192.168.0.0/24 → 192.168.88.0/24
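
The hairpin answer above, as a small model (an added example, not part of the thread and not RouterOS code): it traces who answers a port 80 connection and which source address the client sees on the reply, for the in-interface rule versus the dst-address-type=local rule, with and without the srcnat masquerade. Assumptions: the server address 192.168.0.10 stands in for 192.168.0.x, the interface labels "wan"/"lan" are illustrative, the public and client addresses are constructed from documentation ranges, and every packet is TCP to port 80.

```python
import ipaddress as ip

LAN = ip.ip_network("192.168.0.0/24")
ROUTER_LAN = ip.ip_address("192.168.0.1")
SERVER = ip.ip_address("192.168.0.10")  # assumed stand-in for the thread's 192.168.0.x

def dstnat(dst, in_if, public_ip, rule):
    """Destination after the dstnat chain (unchanged when the rule does not match)."""
    local = {ROUTER_LAN, ip.ip_address(public_ip)}  # addresses assigned to the router
    if rule == "in-interface":   # rule keyed on the WAN interface
        hit = in_if == "wan"
    else:                        # dst-address-type=local dst-address=!192.168.0.1
        hit = dst in local and dst != ROUTER_LAN
    return SERVER if hit else dst

def trace(src, dst, in_if, public_ip, rule, hairpin=True):
    """Return (who answers, source address of the reply as the client sees it).

    The connection only works when the reply source equals the address the
    client originally connected to.
    """
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    new_dst = dstnat(dst, in_if, public_ip, rule)
    if new_dst == dst:
        return ("router", str(dst))      # not forwarded: the router itself answers
    # srcnat masquerade for LAN -> LAN: the server sees the router as the client
    masqueraded = hairpin and src in LAN and new_dst in LAN
    if src in LAN and not masqueraded:
        return ("server", str(new_dst))  # server replies directly, NAT never undone
    return ("server", str(dst))          # reply passes the router, NAT is reversed

if __name__ == "__main__":
    pub = "203.0.113.10"  # constructed public address (documentation range)
    cases = [
        ("internet client, in-interface rule", "198.51.100.7", pub, "wan", "in-interface", True),
        ("LAN client, in-interface rule", "192.168.0.50", pub, "lan", "in-interface", True),
        ("LAN client, local rule + hairpin", "192.168.0.50", pub, "lan", "local", True),
        ("LAN client, local rule, no hairpin", "192.168.0.50", pub, "lan", "local", False),
        ("LAN client to WebFig", "192.168.0.50", "192.168.0.1", "lan", "local", True),
    ]
    for name, src, dst, in_if, rule, hp in cases:
        print(f"{name:38} -> {trace(src, dst, in_if, pub, rule, hp)}")
```

The "no hairpin" case is the failure mode to recognise: the server receives the connection, but its reply arrives from 192.168.0.10 instead of the public address the client dialled, so the client discards it.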