Routing requests from LAN back into LAN

Hello, I am still learning the basics, everything is set up for a home configuration, now I have one single trouble I cannot solve myself.
I have a RB751G-2HnD, Internet connection is set through PPTP client on router itself. External IP is dynamically assigned to pptp interface.
I have a dyndns script which works just fine and correctly updates my dyndns third-level domain name.
Port 80 is forwarded to internal web server, everything works fine if I access it from Internet (tried web proxy and Tor for that).

Now, I want requests to external IP from LAN to be routed back to my web server, as if they came from Internet.
Like this - an HTTP request comes from LAN (bridge-local) and its destination IP is assigned to the router’s external interface. I want this packet to be passed back to an IP located inside the LAN.
External IP (destination) is dynamic so I can’t use it in any firewall rules.

I understand I can just add a local IP of web server into static dns hosts and access it by domain name but I’d like to use external IP (for uniformity).

Hello
I think if you use dst-nat for your local clients to access your WAN IP address your problem will be solved. Check it.

This has two problems -

  1. add chain=dstnat protocol=tcp dst-port=80 action=dst-nat to-address=192.168.1.2 (the same as port forwarding rule but without in-interface) doesn’t work. Browser fails to fetch the page, and apache logs do not show any requests.
  2. If this rule would work, I’d need to add a filter so my usual outgoing browsing requests to Internet would be ignored. This filtering rule is what’s bothering me (my external IP is dynamic)

Send your network diagram and say what you want exactly, then I can help you better.

PPTP connection is my internet source. Ext LAN is only a medium to provide a path to the ISP’s PPTP server.
myserv.dyndns.org domain address is assigned to ip on this pptp interface (updated via dyndns script).
On the RB751G there is a ‘/ip firewall nat chain=dstnat action=dst-nat to-addresses=192.168.1.2 protocol=tcp in-interface=pptp-out1 dst-port=80’ rule for port forwarding.
This rule works fine, but only if connection request comes from pptp interface (straight from internet).

Now, I want my web server machine (or any client inside internal LAN 192.168.1.0) to be able to access the same website (myserv.dyndns.org).
And perform this feat without static hosts or dns record, by connecting to the exact external IP.

Something like -

  1. client requests myserv.dyndns.org
  2. connection request comes to router, it notices that the request is for an IP assigned to its own local interface
  3. connection is transparently forwarded to forward rule destination (internal web server, according to rule).
    Client thinks it is accessing some external IP, not 192.168.1.2.

p.s. physically this IS possible, since my old ASUS router was acting this way right after I set port 80 forwarding on it.

You cannot forward back to the same interface the connection came into the router on.

But you can create a separate local network for the server, with a different IP range and connected to a separate interface, and then forward there.

Why not? Windows’ RRAS could do it, my old asus router could do it.
RouterOS is much better than these and cannot perform the same task?

Well, even if I do it this way - which exact rule would filter requests to internal web server from requests to Internet web sites? My external IP is dynamic.

//update.
It is possible. Thinking logically, I made two rules -

  1. chain=dstnat action=dst-nat to-addresses=192.168.1.2 protocol=tcp dst-address= dst-port=80
  2. chain=srcnat action=masquerade protocol=tcp src-address=192.168.1.0/24 out-interface=bridge-local dst-port=80
    Basically, I NATted all requests which are coming from internal ips and going to internal network.

Now, the only thing left is how to get rid of ‘dst-address=’ in the first rule.
I am thinking it would be possible to rewrite the rule using the same dyndns script I am using. It will update it with current external IP.
But maybe there’s a better solution, without scripts? Like setting dst-address=‘any_local’? Is this kind of rule possible in ROS?
And it seems I can’t directly use global variables inside firewall rules. What a pity :frowning:

Good question.

Normally you just navigate a server using the local name or local server ip + port.
And if you want to test the connection only (No login) it’s ok to use external proxy, TOR or VPN.

But in your case the rule you set will have MikroTik OS resolve the dyndns IP…

For a solution, read and use the small script from: http://wiki.mikrotik.com/wiki/Use_host_names_in_firewall_rules

I have a Synology NAS like this. If you find another way without scripts, then let us know via this Post. :slight_smile:

Cheers!

@Andys
Follow this example:
http://wiki.mikrotik.com/wiki/Hairpin_NAT,
and use your DynDNS script to change ‘1.1.1.1’ from above example to resolved ‘myserv.dyndns.org’.

HTH,

The wiki article was written by user “Fewi”, and since I do not know of any other way to acknowledge his contribution I will do it here!

Fewi, excellent and very useful article!!

Thank You

Hi All,

I sincerely apologize for waking up an old thread, but I am EXACTLY in the same boat and none of the solution scripts I have tried work for me. This is my current scenario.

  1. My modem is on PPPoE and set to bridge
  2. MT router is configured correctly to dial in the PPPoE connection. (The Internet is working)
  3. I managed to set port forwarding for my NAS and was able to access it via DDNS from the INTERNET only (at first)
  4. Googled more and came to this thread and with the help provided here managed to set routing from LAN back to LAN, and now I CAN access my NAS via DDNS from within the LAN as well.
  5. Next was to update the public IP, since under Firewall-NAT the dst-address is my public dynamic IP and I want to make sure that if it changes, DDNS keeps on working correctly.
  6. This is where I am stuck and have spent 3-4 hours trying to get the script to run to achieve the desired result.

As per this thread, I followed the tut written @ https://wiki.mikrotik.com/wiki/Use_host_names_in_firewall_rules

a. Step one :: /ip firewall address-list add address=0.0.0.0 comment=sam9s.synology.me list=host_synology
this adds the entry under firewall->address list

b. Step two :: /ip firewall filter add chain=output dst-address-list=host_synology action=accept
this added an entry under firewall->filter

Now when I run the script posted there … NOTHING happens … the address under Firewall->Address Lists still just stays at 0.0.0.0. Correct me if I am wrong: when the script runs, this 0.0.0.0 should change to my public IP, right? It does not.

I have tried other scripts but nothing works, maybe I am missing something.

Can the gurus PLEASE assist me here, as I am running in circles for the past couple of hours without success.

Regards
Sammy

You don’t need a script, you can simply do:

/ip firewall address-list
add address=sam9s.synology.me list=host_synology

Unless you have some very old RouterOS version, in that case upgrade.

And don’t dig up such old threads. You know how many people will open it, start reading it from beginning, think about the problem … only to realize several minutes later that it’s all just history? If you think the old thread is relevant, it’s better to just link to it from yours.

OK Done.

Can you explain how this step is helping: when my public IP changes, under NAT -> Dst Address, where I have done the LAN back to LAN config, would that reflect the changed public IP automatically?
If yes, what is the script for? (The one I shared?)

ROS is latest I believe Winbox v6.39.2

And don’t dig up such old threads. You know how many people will open it, start reading it from the beginning, think about the problem … only to realize several minutes later that it’s all just history? If you think the old thread is relevant, it’s better to just link to it from yours.

Understood. Would open a new thread from here on and link it to any relevant old one if needed. Apologies for this time.

You should add the address list entry exactly as said, using the DNS name, not an IP address:

/ip firewall address-list
add address=sam9s.synology.me list=host_synology

If the router has correct DNS entries (IP → DNS), it will resolve the IP address and add it to this entry.
Then the address list will work correctly.

OK, and what constitutes correct DNS? I have not changed anything there, so whatever entry is there is there by default …
Below is what I have currently. Not sure why 192.168.1.1 is there, that’s not my router IP. Router IP is 192.168.88.1

Hello,

Is there a specific reason you want to approach this with a hairpin NAT?

Personally, I have entries in my local DNS servers to resolve the respective FQDN to their LAN address.

No, there was no specific reason; if there was another way to do it which someone had suggested before I ran into this thread I would have opted for the same. Nonetheless, that issue was resolved. However, that was part one of the entire problem (if you read my posts).

Now part two was to be able to update the Firewall-NAT dst-address with my public IP if it changes, and I thought a script was the solution, but as per SOB, running “/ip firewall address-list add address=sam9s.synology.me list=host_synology” will solve the issue, which I have done.

BUT I just wanted to understand HOW this is helping: when my public IP changes, under NAT -> Dst Address, where I have done the LAN back to LAN config, would that reflect the changed public IP automatically??? IF YES, then what was/is the role of the script that I mentioned, what does that do?

Then came the reply that if I have correct DNS the command “/ip firewall address-list add address=sam9s.synology.me list=host_synology” will work correctly … BUT I am not sure what constitutes correct DNS, as you can even use Google DNS to achieve the result. I share my DNS screenshot.

I am waiting for any reply from anyone who posted to my query on the previous page, to understand the working better … But haven’t received any response .. :frowning:

So apologies if I was a little brief.

When I said why don’t you just look at using local DNS, I meant this in place of everything on the hairpin NAT side of things.

Right now I’m unsure if you have things operational from the hairpin NAT side of things and would just like a detailed explanation, or are still trying to get things to work for your use case.

Focusing on your scenario and getting things working (apologies if the next bit is redundant);

Your Synology can see your public IP by querying Synology’s servers, they then update their name servers for synology.me to record the relevant IP for sam9s.synology.me and boom, WAN access resolving sam9s.synology.me to your WAN ip.
On the LAN side of things, if you add a static entry to your DNServer to resolve sam9s.synology.me to your Synology’s LAN address, your devices will talk directly to the Synology when on the LAN.
It is important to note in this scenario that you should have the relevant entry for sam9s.synology.me on all DNS servers that serve your network, or, if the Mikrotik is the only DNS server on your network, that you’re not telling your PCs to also use Google via your DHCP server or a local static entry.

If you would like me to go into detail on how a hairpin NAT actually works, and why it’s needed, PM me, as IMO using DNS is the beginner and most straightforward approach.

I read it again and I got a little misled by the resolving script before. What I suggested would replace only this part. But in fact, you don’t need any DNS resolving at all (well, possibly, see below).

You have two options:

a) Stick with hairpin NAT. The example assumes that your LAN network is 192.168.88.0/24, the router has 192.168.88.1, the internal server has 192.168.88.100 and you want to forward tcp port 80. Change it to your numbers. First add the dstnat rule:

/ip firewall nat
add action=dst-nat chain=dstnat dst-address-type=local dst-address=!192.168.88.1 dst-port=80 protocol=tcp to-addresses=192.168.88.100

It will match connections to port 80 and any address owned by router, except its internal one (so you can still access WebFig on http://192.168.88.1 if you use it). Then add srcnat rule for hairpin NAT:

/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.88.0/24 out-interface=<LAN> src-address=192.168.88.0/24

It’s a universal one and will work with all ports you forward. And finally allow forwarded ports through the router’s firewall:

/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat

b) Use DNS as w177f suggests:

/ip dns static
add address=192.168.88.100 name=sam9s.synology.me

Your devices in LAN need to use router as their DNS resolver, and thanks to this, when going to http://sam9s.synology.me, they will connect directly to internal address.

Each way has advantages and disadvantages:

Using static DNS seems simpler at first. It’s also better for performance, because packets don’t need to go to router and back, they go to server directly. But there are some limitations, e.g. connect a device with statically configured DNS resolver to something else than your router and it won’t work. If you point more hostnames to you, static record will be required for each. And you have to keep up with changes (if you add or remove hostnames). But it’s probably safe to assume that it shouldn’t be a problem in your case. It also doesn’t allow connections to numeric address, because you can’t redirect it with DNS.

Hairpin NAT is “set it & forget it”, it will automatically work with any hostname pointed to your current WAN address. But it’s less effective, as mentioned previously. But it’s a problem only when you have a lot of traffic.
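To make the interaction of the two NAT rules in option a) concrete, here is an added Python model (not RouterOS code and not from this thread). It assumes constructed addresses (the LAN from the example above, 203.0.113.7 as a stand-in for the dynamic public IP) and shows why the masquerade rule is needed for LAN clients but not for Internet clients:

```python
import ipaddress

# Constructed addresses following the post's assumptions; the WAN address is a placeholder.
LAN = ipaddress.ip_network("192.168.88.0/24")
ROUTER_LAN = "192.168.88.1"
ROUTER_WAN = "203.0.113.7"                # stands in for the dynamic public IP
SERVER = "192.168.88.100"
ROUTER_LOCAL = {ROUTER_LAN, ROUTER_WAN}   # what dst-address-type=local matches


def in_lan(addr):
    return ipaddress.ip_address(addr) in LAN


def dstnat(pkt):
    """dst-nat rule: tcp/80 to any router-owned address except 192.168.88.1 -> server."""
    if (pkt["proto"] == "tcp" and pkt["dport"] == 80
            and pkt["dst"] in ROUTER_LOCAL and pkt["dst"] != ROUTER_LAN):
        return {**pkt, "dst": SERVER}
    return pkt


def srcnat(pkt, hairpin):
    """masquerade rule: LAN -> LAN traffic leaving via the LAN interface gets the router's address."""
    if hairpin and in_lan(pkt["src"]) and in_lan(pkt["dst"]):
        return {**pkt, "src": ROUTER_LAN}
    return pkt


def roundtrip(client, hairpin=True):
    """Client connects to WAN_IP:80; True if the server's reply is one the client will accept."""
    syn = {"src": client, "dst": ROUTER_WAN, "proto": "tcp", "dport": 80}
    seen = srcnat(dstnat(syn), hairpin)               # the SYN as the server receives it
    reply = {"src": seen["dst"], "dst": seen["src"]}  # the server answers whoever it saw
    # The router is on the reply path only if the reply is addressed to it or leaves the LAN;
    # in that case connection tracking reverses both translations.
    if reply["dst"] == ROUTER_LAN or not in_lan(reply["dst"]):
        reply = {"src": syn["dst"], "dst": syn["src"]}
    # A TCP client only accepts a SYN-ACK from the address it connected to; without the
    # masquerade the LAN server replies directly from 192.168.88.100 and the handshake fails.
    return reply["dst"] == client and reply["src"] == ROUTER_WAN
```

Without the masquerade rule the server sees the LAN client's real address and answers it directly, bypassing the router's connection tracking, which is exactly the failure described earlier in the thread.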

OK, looks like I have made my posts overly complicated. My apologies SOB and others. Let me make it simple.

  1. Hairpin NAT IS working (so I am sticking with it rather than taking the static DNS route): I CAN access sam9s.synology.me from both LAN and WAN. (Earlier I was only able to do this from WAN, after port forwarding rules and all.) Then after setting up hairpin NAT I was able to access my NAS via FQDN from both LAN and WAN. Issue resolved.
    SOB, the assumptions that you posted are correct. Also, as you said, hairpin NAT is set and forget and I am comfortable with it now that I understand how it works.

  2. Now coming to the ISSUE: while setting up hairpin NAT, when I applied the rule, the below entry was created in the Firewall->NAT table (which was expected). Refer to the below screenshot.

Now as you can see there is my public IP (don’t worry, that’s not the current public IP) under IP->Firewall->NAT->Dst Address. My issue is that when the public IP changes, the IP under Dst Address should also change. Check out another snap.

If you can see under IP->Cloud I can see my CURRENT public IP address (I have masked it). It’s NOT the same under IP->Firewall->NAT->Dst Address, where I have configured the hairpin NAT.

Unless that gets auto-updated, hairpin NAT will not work, and this is what is happening … I need a solution to update my public IP at IP->Firewall->NAT->Dst Address automatically when it changes.

And I thought the script that I initially shared in this thread was supposed to do that. But I must be wrong, as it did not work …

Hope now I was able to make you and others understand what exactly my problem is here.

I apologize again for making this sound more complicated than it may actually be …

Regards
Sammy