As for now I am really happy with my mikrotik routerboard running RouterOS v6.29.1
I have a modem router from my ISP which is set to DMZ towards the mikrotik.
I have a NAT rule to masquerade srcnat to outinterface e1WAN which is connected to the ISP router which has DMZ.
I also have a couple of NAT rules allowing me to access my raspberry pi and PC from outside the network.
When I am in my own network, and I use the DDNS hostname, I am able to connect to the router.
However, when I use the https:DDNS hostname I am not getting to my raspberry pi (when inside the network). This does work from outside though.
What should I change in my NAT ruling? Hope somebody can guide me in the right direction.
Thank you, I read the wiki about the hairpin NAT and it is exactly what I am missing. Although I think I am trying to implement this wrongly
This is my NAT configuration:
First NAT rule is for outgoing traffic.
NAT rule 1,2,3 are an attempt at the hairpin NAT (My guess is I only need the one for 443)
0 chain=srcnat action=masquerade out-interface=e1WAN log=no log-prefix=""
1 chain=srcnat action=masquerade protocol=tcp src-address=10.10.1.0/24 dst-address=10.10.1.106 out-interface=br-lan dst-port=80 log=no log-prefix=""
2 chain=srcnat action=masquerade protocol=tcp src-address=10.10.1.0/24 dst-address=10.10.1.106 out-interface=br-lan dst-port=443 log=no log-prefix=""
3 chain=srcnat action=masquerade protocol=tcp src-address=10.10.1.0/24 dst-address=10.10.1.106 out-interface=br-lan dst-port=8123 log=no log-prefix=""
4 X ;;; Used for letsencrypt home assistant
chain=dstnat action=dst-nat to-addresses=10.10.1.106 to-ports=80 protocol=tcp dst-address=192.168.0.2 dst-port=80 log=no log-prefix=""
5 ;;; SSL encrypted port for HA
chain=dstnat action=dst-nat to-addresses=10.10.1.106 to-ports=8123 protocol=tcp dst-address=192.168.0.2 dst-port=443 log=no log-prefix=""
6 ;;; MQTT access from outside
chain=dstnat action=dst-nat to-addresses=10.10.1.106 to-ports=1883 protocol=tcp dst-address=192.168.0.2 dst-port=1883 log=no log-prefix=""
7 ;;; SSH access to HA
chain=dstnat action=dst-nat to-addresses=10.10.1.106 to-ports=22 protocol=tcp dst-address=192.168.0.2 dst-port=8122 log=no log-prefix=""
8 X chain=dstnat action=dst-nat to-addresses=10.10.1.100 to-ports=80 protocol=tcp dst-address=192.168.0.2 dst-port=8124 log=no log-prefix=""
9 X chain=dstnat action=dst-nat to-addresses=10.10.1.106 to-ports=21 protocol=tcp dst-address=192.168.0.2 dst-port=8125 log=no log-prefix=""
10 X chain=dstnat action=dst-nat to-addresses=10.10.1.116 to-ports=80 protocol=tcp dst-address=192.168.0.2 dst-port=8120 log=no log-prefix=""
11 X ;;; Redirect for the ChromeCast
chain=dstnat action=dst-nat to-addresses=208.122.23.23 dst-address=8.8.8.8 log=no log-prefix=""
12 X chain=dstnat action=dst-nat to-addresses=208.122.23.22 dst-address=8.8.4.4 log=no log-prefix=""
13 X ;;; Forward to IP-cam
chain=dstnat action=dst-nat to-addresses=10.10.1.100 to-ports=8999 protocol=tcp dst-address=192.168.0.2 dst-port=8999 log=no log-prefix=""
14 X ;;; PS4 COD
chain=dstnat action=dst-nat to-addresses=10.10.1.155 protocol=tcp in-interface=e1WAN dst-port=3074 log=no log-prefix=""
15 X chain=dstnat action=dst-nat to-addresses=10.10.1.155 protocol=udp in-interface=e1WAN dst-port=3074 log=no log-prefix=""
16 X chain=dstnat action=dst-nat to-addresses=10.10.1.155 protocol=udp in-interface=e1WAN dst-port=3478 log=no log-prefix=""
17 X chain=dstnat action=dst-nat to-addresses=10.10.1.155 protocol=tcp in-interface=e1WAN port=27014-27050 log=no log-prefix=""
18 X chain=dstnat action=dst-nat to-addresses=10.10.1.155 protocol=udp in-interface=e1WAN port=4379-4380 log=no log-prefix=""
19 X chain=dstnat action=dst-nat to-addresses=10.10.1.155 protocol=udp in-interface=e1WAN port=27000-27030 log=no log-prefix=""
20 X chain=dstnat action=dst-nat to-addresses=10.10.1.115 in-interface=e1WAN log=no log-prefix=""
21 ;;; RFB port VNC
chain=dstnat action=dst-nat to-addresses=10.10.1.107 to-ports=5900 protocol=tcp dst-address=192.168.0.2 dst-port=5900 log=no log-prefix=""
22 ;;; HTTP for VNC
chain=dstnat action=dst-nat to-addresses=10.10.1.107 to-ports=5800 protocol=tcp dst-address=192.168.0.2 dst-port=5800 log=no log-prefix=""
Maybe some more specific details:
My WAN IP is xxx.xxx.xxx.xxx
My ISP Modem/router is located on 192.168.0.1 it gives DMZ to 192.168.0.2
My Mikrotik has outside address of 192.168.0.2 via interface e1WAN (10.10.1.1), which is the first ethernet port
All other interfaces are linked via a bridge called br-lan and are in the 10.10.1.xxx range
My raspberry pi is hosting an instance of home assistant on port 8123, which has SSL encryption, that is why also port 443 from outside is pushed to 8123 internally.
Hope that someone can give me a steer in the right direction again
I am using homePC in this instance.
When I use 10.10.1.1 I get to my mikrotik login page => OK
When I use xxxxxx.mynetname.net, I get to the mikrotik login page => OK
From this I conclude that the DOCSIS modem is working correctly
When I use https://10.10.1.106:8123, I get to my raspberry pi webserver (with SSL error) => sort of OK
When I use https://xxx.mynetname.net, I do not get anywhere.
I tried setting up the hairpin NAT as above. This did not work. I even excluded the port, so it would masquerade all internal addresses to any ports. Still no success.
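Added example (not the poster's export and not copied from the MikroTik wiki): the minimal hairpin NAT pair for the Home Assistant case above, in RouterOS 6 CLI syntax, with the addressing from the thread (LAN 10.10.1.0/24 on br-lan, the Pi at 10.10.1.106:8123, MikroTik WAN side 192.168.0.2). The one thing it adds over the posted rules is the dstnat match: the posted rules 4-7 only match dst-address=192.168.0.2, but a LAN client that opens https://xxxxxx.mynetname.net connects to the public WAN address, which the MikroTik does not own. dstnat runs before routing, so if that public address is in the match list the router rewrites the destination to the Pi itself instead of forwarding the packet unchanged to the modem. PUBLIC_IP_PLACEHOLDER stands for the real WAN address (xxx.xxx.xxx.xxx in the thread) and must be replaced. Because srcnat runs after dstnat, the masquerade rule has to match the translated port 8123, not 443, which is why of the posted hairpin rules 1, 2 and 3 only rule 3 can ever match the HTTPS traffic.

```routeros
# Added example, not the poster's configuration. Addresses follow the thread:
# LAN 10.10.1.0/24 on br-lan, Home Assistant at 10.10.1.106:8123,
# MikroTik WAN side 192.168.0.2 behind the ISP modem's DMZ.
# PUBLIC_IP_PLACEHOLDER is a placeholder for the real WAN address.

/ip firewall address-list
# Every address a LAN client might use to reach the service "from outside".
add list=hairpin-dst address=192.168.0.2 comment="DMZ target on the modem"
add list=hairpin-dst address=PUBLIC_IP_PLACEHOLDER comment="public WAN address (placeholder)"

/ip firewall nat
# 1) dstnat runs before routing. Rewrite the destination for any client,
#    inside or outside, that targets port 443 on one of the published addresses.
add chain=dstnat protocol=tcp dst-port=443 dst-address-list=hairpin-dst \
    action=dst-nat to-addresses=10.10.1.106 to-ports=8123 \
    comment="HTTPS -> Home Assistant"

# 2) srcnat runs after dstnat, so it sees the translated destination 10.10.1.106:8123.
#    Only LAN-sourced connections that are delivered back into the LAN need their
#    source rewritten; otherwise the Pi answers the client directly, the client
#    expects the answer from the published address, and the TCP handshake fails.
add chain=srcnat src-address=10.10.1.0/24 dst-address=10.10.1.106 \
    protocol=tcp dst-port=8123 out-interface=br-lan \
    action=masquerade comment="hairpin NAT for HTTPS -> HA"

# 3) Normal outbound masquerade stays as it is (rule 0 in the thread).
add chain=srcnat out-interface=e1WAN action=masquerade

# Checks: watch the counters while loading https://<ddns-name>/ from a LAN host.
# The dstnat counter must increase first; if it stays at zero the packet never
# reached the MikroTik with a matching destination address.
/ip firewall nat print stats
/ip firewall connection print where dst-address~"10.10.1.106:8123"
```

The same pattern applies to the other published services (80, 1883, 8122): one dstnat rule per published port matching the address list, and one srcnat masquerade rule per translated internal port with out-interface=br-lan. The public address entry in the list is static, so it has to be updated if the ISP changes the WAN address.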