Replaced Zyxel with MikroTik - webserver on same network with dyndns not reachable anymore

First post here, just started using MikroTik hEX (RouterOS v6.44.6 (long-term))
yesterday :slight_smile: I’m very pleased with the product, but there’s one thing I cannot configure properly, so I’m asking for a little help here. Here’s the setup:

- 1 Gbps fibre, Alcatel fibre modem/terminal (5 ports), 91.155.104.1
- Debian server running on port 8772, connected directly to the Alcatel, using dynamic DNS for xxxx.dyndns.org, 91.155.104.139
- MikroTik hEX connected directly to the Alcatel. Using Router mode with Automatic Address Acquisition, NAT and DHCP on, 91.155.104.47
- All computers and gadgets etc. are behind the MikroTik.

I previously had a Zyxel USG20 where the MikroTik is now. I could access the server with my browser using xxxx.dyndns.org. Now, after I replaced the Zyxel with the MikroTik, I can’t. I guess this is some kind of “reverse NAT” or something like that which is needed. The reason I don’t know what the actual problem is, is that with the poor old Zyxel I did not have to do any special configuration to be able to connect to the server.

The server works, as I can connect to the server with the dynamic address with my phone.

If I ping, I get:

C:\Users\olli>ping xxxx.dyndns.org

Pinging xxxx.dyndns.org [91.155.104.139] with 32 bytes of data:
Reply from 91.155.104.47: Destination host unreachable.
Reply from 91.155.104.47: Destination host unreachable.
Reply from 91.155.104.47: Destination host unreachable.

How could I access the server like it was before? Thanks in advance :slight_smile:

I realized I most probably need a hairpin NAT to make this work. I looked at the documentation in the Wiki, but could not make anything useful out of it :confused: Could someone give me an example of how to set up a hairpin NAT with the IP addresses above?

Hairpin NAT is only required when users are on the same subnet as the server they are trying to reach and use the router’s WAN IP or DynDNS name/URL.

For dynamic ISP connections there are two methods one can use: one with a fancy dst-nat rule, and the alternative uses IP Cloud and the router’s own DynDNS name that MikroTik provides through the cloud.
For fixed static WAN IPs, the only change is the addition of the src-nat rule below.

Regardless of whether the ISP is static or dynamic, you need to add the following masquerade (src-nat) rule:
/ip firewall nat add action=masquerade chain=srcnat comment="Mikrotik Hairpin NAT" dst-address=192.168.88.0/24 protocol=tcp src-address=192.168.88.0/24
(or whatever the subnet is).

Since you have a fixed static WAN IP, the current dst-nat rule you have in place should suffice.
(standard dst-nat forwarding rule, no change; FIXED WANIP is your router’s public address)
/ip firewall nat add chain=dstnat action=dst-nat dst-address=FIXED WANIP protocol=tcp dst-port=9000 to-addresses=192.168.88.50

There is also a firewall forward filter rule required, which is included in the default firewall rules that come with the router.
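As an added example (not from any post in this thread), here is the complete RouterOS v6 hairpin set that the reply above describes, written for the case where the web server has been moved behind the hEX. It assumes the server sits at 192.168.88.50 (an assumed address) on TCP 8772 (the port from the question), the default LAN/WAN interface lists from the hEX default configuration, the default 192.168.88.0/24 LAN with the router at 192.168.88.1, and a DHCP-assigned WAN address. It goes slightly beyond the reply in two ways: dst-address-type=local replaces a hard-coded WAN IP so the forward keeps working when the dynamic address changes, and the hairpin masquerade is narrowed to the one forwarded service instead of the whole subnet.

```routeros
# Added example, not from the thread. Assumptions: web server behind the hEX at
# 192.168.88.50 (assumed), listening on TCP 8772 (port from the question),
# default interface lists "LAN" and "WAN", LAN subnet 192.168.88.0/24 with the
# router at 192.168.88.1, WAN address obtained by DHCP.

# Optional: publish the router's own DynDNS name through IP Cloud (the second
# method mentioned in the reply). Clients can then use that name instead of
# xxxx.dyndns.org; nothing else below depends on it.
/ip cloud set ddns-enabled=yes

/ip firewall nat
# 1. Port forward. dst-address-type=local matches any address currently held
#    by the router, so it follows a changing WAN IP. No in-interface is given
#    on purpose: LAN clients that connect to the public name must hit this
#    rule too, otherwise there is nothing for the hairpin to work on. The
#    router's own LAN address is excluded so TCP 8772 on 192.168.88.1 itself
#    is never redirected.
add chain=dstnat action=dst-nat protocol=tcp dst-port=8772 \
    dst-address-type=local dst-address=!192.168.88.1 \
    to-addresses=192.168.88.50 to-ports=8772 \
    comment="forward TCP 8772 to web server"

# 2. Hairpin masquerade. Only LAN-to-LAN connections that were just dst-natted
#    to the server match here. Without it the server would answer the LAN
#    client directly from 192.168.88.50, the client would see a reply from an
#    address it never connected to and discard it. Scoped to the single
#    forwarded service rather than the whole subnet.
add chain=srcnat action=masquerade protocol=tcp dst-port=8772 \
    src-address=192.168.88.0/24 dst-address=192.168.88.50 \
    out-interface-list=LAN comment="hairpin NAT for web server"

# 3. Forward filter. The hEX default firewall already contains this rule; it
#    drops new connections from WAN that were NOT dst-natted, so the forwarded
#    connection above passes and everything else from the Internet does not.
#    Shown only so all three pieces are visible together; do not add it twice.
/ip firewall filter
add chain=forward action=drop connection-state=new \
    connection-nat-state=!dstnat in-interface-list=WAN \
    comment="defconf: drop all from WAN not DSTNATed"
```

To confirm the hairpin path is being used, open the public name from a LAN client and watch /ip firewall connection for an entry with dst-address 192.168.88.50 whose reply-dst-address is the router's LAN IP rather than the client; if the server instead logs the client's real LAN address, rule 2 is not matching. Note that in the topology from the question the server is not behind the hEX at all but on the public side of the Alcatel, so these rules only apply once it is moved behind the router.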

@olliraa, your server does have an internal IP, doesn’t it?
Then just use that IP when connecting from inside (LAN), and use the DDNS name when connecting from outside (i.e. WAN/Internet).

And: your current setup uses a DMZ method. But IMO your server would better be attached behind the hEX router, for security reasons.

And: is it correct that your LAN uses public IPs?