Routing to local web server not working

Hi,

I have a couple of domains hosted behind my mikrotik.

When I access these domains from the WAN they work well and are correctly routed to the web server.

When I access them from within my local network I end up on the Mikrotik’s Web configuration utility.

I would like 80 and 443 directed to the web server (unless I override this with a specific IP address).

Thanks and stay safe

Search for the word “hairpin”…yes really.


https://wiki.mikrotik.com/wiki/Hairpin_NAT

The WIKI is less than useful for the person that doesn't understand Mikrotik hieroglyphics…

Okay PF needs

  1. A single firewall rule to allow destination packets to reach server (provided in the default rules setup)
  2. A single source nat rule to keep track of outgoing packets assigned the router WANIP outbound (src-nat if a fixed IP, masquerade action if a dynamic wanip)
  3. If you wish to access the server from the same subnet the server is on, simply use the LANIP of the server.
  4. If you wish to access the server by using the WANIP of the router (as if you were external) but from the same subnet as the server, that is called HAIRPIN NAT and you will need an extra source nat rule and will potentially need to modify the destination nat rule (depending upon if WANIP is static or dynamic).
  5. For each server you will need a single destination nat rule
  6. If you can limit the external wanips requiring access to the server, then use source-address-list in the destination nat rule (this changes port scans from closed to invisible).

As per paragraph 4 above, Hairpin nat is required when people IN THE SAME SUBNET as the server are trying to access the server via the WANIP of the router.
It's much easier to access the server directly by its LANIP address but apparently that is not always the case.

What one needs to know is if your WAN connection is dynamic or static?

(1) Regardless of that there is one extra source nat rule for the hairpin functionality that we have to include that works in both cases.
add chain=srcnat action=masquerade src-address=192.168.88.0/24 dst-address=192.168.88.0/24 (replace with the subnet your server and users are on)

(2) For the default or regular source nat rule (use a. masquerade for dynamic wanip, use b. srcnat for static/fixed wanip)
a. add chain=srcnat action=masquerade out-interface-list=WAN (I think for a pppoe connection one has to use the out-interface=pppoe-out interface.)
b. add chain=srcnat action=src-nat out-interface-list=WAN to-address=WANIP

(3) For the required destination nat rule the simple case is for the fixed WANIP since we know its IP.
add chain=dstnat action=dst-nat dst-address=FIXEDWANIP dst-port=80 protocol=tcp
to-addresses=192.168.88.2

(4) For the required destination rule in the complex case wanip dynamic we have to be tricky. Since we don’t know how to identify directly the incoming WANIP, we get around that with the dst-address-type ‘local’ entry, which says the destination address is on the router. We also state that the destination address is not the subnet (which leaves the router interface and thus the wanip).
add chain=dstnat action=dst-nat dst-port=80 protocol=tcp dst-address=!192.168.88.1 dst-address-type=local to-addresses=192.168.88.2
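To see why the extra srcnat rule in (1) is needed at all, here is a small model of the router's dstnat and srcnat chains plus connection tracking, traced for a LAN client and for an external client. This is an added example, not code from this thread or from MikroTik; it uses the thread's constructed 192.168.88.0/24 layout, and the WAN IP 203.0.113.10 and the client addresses are assumptions from the documentation ranges.

```python
"""Hairpin NAT, traced through a toy model of the router's NAT chains.

Added example, not code from the forum thread or from MikroTik: it
models the dstnat and srcnat chains plus connection tracking just far
enough to show why a LAN client talking to the router's WAN IP needs
the extra srcnat (masquerade) rule. Addresses follow the thread's
constructed 192.168.88.0/24 example; the WAN IP 203.0.113.10 and the
client addresses are assumptions (documentation ranges).
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.88.0/24")
ROUTER_LAN_IP = "192.168.88.1"
WAN_IP = "203.0.113.10"      # assumption: stands in for FIXEDWANIP
SERVER = "192.168.88.2"      # to-addresses= target of the dst-nat rule


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def dstnat(pkt: Packet) -> Packet:
    """add chain=dstnat action=dst-nat dst-address=FIXEDWANIP dst-port=80 protocol=tcp to-addresses=192.168.88.2"""
    if pkt.dst == WAN_IP and pkt.dport == 80:
        return replace(pkt, dst=SERVER)
    return pkt


def srcnat(pkt: Packet, hairpin_rule: bool) -> Packet:
    """srcnat chain: the optional hairpin rule first, then the regular WAN rule."""
    from_lan = ip_address(pkt.src) in LAN
    to_lan = ip_address(pkt.dst) in LAN
    if hairpin_rule and from_lan and to_lan:
        # add chain=srcnat action=masquerade src-address=192.168.88.0/24 dst-address=192.168.88.0/24
        return replace(pkt, src=ROUTER_LAN_IP)
    if not to_lan:
        # add chain=srcnat action=src-nat out-interface-list=WAN to-address=WANIP
        return replace(pkt, src=WAN_IP)
    return pkt


def via_router(pkt: Packet) -> bool:
    """A reply only passes the router if it is routed (off-subnet) or addressed to the router."""
    return ip_address(pkt.dst) not in LAN or pkt.dst == ROUTER_LAN_IP


def exchange(client: str, hairpin_rule: bool) -> dict:
    """Trace one TCP request from `client` to WAN_IP:80 and the server's reply.

    Returns what the server saw, what the client got back, and whether the
    client's TCP stack would accept it (the reply must come from WAN_IP,
    the address the client actually connected to).
    """
    request = Packet(src=client, dst=WAN_IP, sport=40000, dport=80)
    forwarded = srcnat(dstnat(request), hairpin_rule)
    # conntrack: reply tuple (as the server will send it) -> original request
    conntrack = {(forwarded.dst, forwarded.src, forwarded.sport): request}

    reply = Packet(src=forwarded.dst, dst=forwarded.src, sport=80, dport=forwarded.sport)
    if via_router(reply):
        orig = conntrack[(reply.src, reply.dst, reply.dport)]
        delivered = Packet(src=orig.dst, dst=orig.src, sport=80, dport=orig.sport)  # undo both NATs
    else:
        delivered = reply  # server answers the client directly on the shared LAN segment

    return {
        "server_saw": forwarded,
        "client_got": delivered,
        "accepted": delivered.src == WAN_IP and delivered.dst == client,
    }


if __name__ == "__main__":
    for client, hp in [("192.168.88.50", False), ("192.168.88.50", True), ("198.51.100.7", False)]:
        r = exchange(client, hp)
        print(f"client={client} hairpin={hp}: server saw src {r['server_saw'].src}, "
              f"client got reply from {r['client_got'].src}, accepted={r['accepted']}")
```

Without the hairpin rule the dst-nat still rewrites the destination to the server, but the server's reply goes straight back to the LAN client with the server's own address as source, which the client never connected to, so the client's TCP stack discards it. With the rule, the request leaves the router with the router's LAN address as source, forcing the reply back through the router where both translations are undone. The price is visible in the trace too: the server now logs every hairpinned LAN client as 192.168.88.1, which is why the thread recommends using the LAN IP directly (or split DNS) where you can.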

Thanks. I will try it and report back

Hi,

I am trying to execute the following (I have a fixed public IP address)

/ip firewall nat
add chain=srcnat action=masquerade src-address=192.168.16.0/24 dst-address=192.168.16.0/24
add chain=srcnat action=src-nat out-interface=WAN to-address=WANIP 
add chain=dstnat action=dst-nat dst-address=xxx.xxx.xxx.180 dst-port=80 protocol=tcp to-addresses=192.168.16.5
add chain=dstnat action=dst-nat dst-address=xxx.xxx.xxx.180 dst-port=443 protocol=tcp to-addresses=192.168.16.5

When the line

add chain=srcnat action=src-nat out-interface=WAN to-address=WANIP

executes I receive the error “input does not match any value of interface” I tried both WANIP as well as my fixed IP address (xxx.xxx.xxx.180)

Thanks

Not seeing the complete config it's hard to say…

/ip firewall nat
add chain=srcnat action=masquerade src-address=192.168.16.0/24 dst-address=192.168.16.0/24
add chain=srcnat action=src-nat out-interface-list=WAN to-address=WANIP
add chain=dstnat action=dst-nat dst-address=xxx.xxx.xxx.180 dst-port=80 protocol=tcp to-addresses=192.168.16.5
add chain=dstnat action=dst-nat dst-address=xxx.xxx.xxx.180 dst-port=443 protocol=tcp to-addresses=192.168.16.5

to
add chain=srcnat action=src-nat out-interface=WAN to-address=xxx.xxx.xxx

Below is an export of the config. Any suggestions to improve greatly appreciated.

# mar/30/2020 22:27:45 by RouterOS 6.45.8
# software id = 0E9A-7W1F
#
# model = RouterBOARD 952Ui-5ac2nD
# serial number = 665805xxxxx
/interface bridge
add admin-mac=E4:8D:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge
add name=bridge-guest
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=italy disabled=no distance=indoors frequency=auto mode=ap-bridge \
    ssid=HOMENET-AP wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=italy disabled=no distance=indoors frequency=\
    auto mode=ap-bridge ssid=HOMENET-AP wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=<<password>> \
    wpa2-pre-shared-key=<<password>>
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=guest supplicant-identity=MikroTik \
    wpa2-pre-shared-key=<<password>>
/interface wireless
add disabled=no mac-address=E6:8D:8C:D6:E4:5E master-interface=wlan1 name=\
    "Guest Wifi" security-profile=guest ssid=HomeNet-Guest \
    wds-default-bridge=bridge wps-mode=disabled
/ip pool
add name=dhcp ranges=192.168.16.20-192.168.16.99
add name=dhcp_vpn ranges=10.8.2.10-10.8.2.49
add name=dhcp_guest ranges=10.10.10.2-10.10.10.128
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=23h59m59s name=\
    local
add address-pool=dhcp_guest disabled=no interface=bridge-guest lease-time=59m \
    name=dhcp-guest
/ppp profile
add dns-server=10.8.2.250 local-address=10.8.2.250 name=vpn-profile \
    remote-address=dhcp_vpn use-encryption=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge-guest interface="Guest Wifi"
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1 certificate=server-certificate cipher=aes128,aes192,aes256 \
    default-profile=vpn-profile enabled=yes require-client-certificate=yes
/ip address
add address=192.168.16.1/24 comment=defconf interface=ether2 network=\
    192.168.16.0
add address=213.165.177.180/27 interface=ether1 network=<<fixed WAP IP>>
add address=10.10.10.1/24 interface=bridge-guest network=10.10.10.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=8.8.8.8,9.9.9.9 gateway=10.10.10.1
add address=192.168.16.0/24 comment=defconf gateway=192.168.16.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9,8.8.8.8
/ip dns static
add address=192.168.16.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="Allow OpenVPN" dst-port=1194 protocol=\
    tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=HTTP dst-port=80 in-interface=ether1 \
    protocol=tcp to-addresses=192.168.16.4 to-ports=80
add action=dst-nat chain=dstnat comment=HTTPS dst-port=443 in-interface=\
    ether1 protocol=tcp to-addresses=192.168.16.4 to-ports=443
add action=dst-nat chain=dstnat comment="RSB SFTP port" dst-port=5552 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.16.5 to-ports=22
add action=masquerade chain=srcnat dst-address=192.168.16.0/24 src-address=\
    192.168.16.0/24
/ip route
add distance=1 gateway=xxx.xxx.xxx.161
/ip service
set www disabled=yes
set www-ssl certificate=Webfig disabled=no
/ppp secret
add name=<<user>> password=<<password>> profile=vpn-profile
/system clock
set time-zone-name=Europe/Italy
/system identity
set name=onn.com
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Regards and Thanks


It should be out-interface-list=WAN

Thank you - worked

What is the difference between out-interface=Wan, and out-interface-list=WAN in the general case? (when one only has one wan).

When having multiple WANs, or some funky pppoe setup, I can see the need…

If “wan” is name of interface list, even if it only has one member, then one has to use in-interface-list. If, OTOH, “wan” is name of interface, then one has to use in-interface.

Essentially if interface list has a single member, then there's no difference in functionality. However, use of interface list (and hence in-interface-list) offers versatility … if one changes wan interface, then in case of using interface list it is enough to adjust interface list membership. If one uses interface directly, then many changes are needed (every firewall rule referencing the now ex-wan interface).
I expect that performance-wise there’s no big difference (if any).