Hi, I’ve been using some scripts created by others to update DynDNS as well as take the current WAN address and update my port forward rules for hairpin NATing; it puts this address in Dst. Address. This is all fine, except using the Mikrotik cloud address seems to be better for my needs since it is updated much more frequently and doesn’t require a script. Now what I need is some way to update the Dst. Address in the NAT rules when my WAN address changes. Some automatic way of updating when the WAN changes would be great, or I can have a script run every 10 or 20 minutes that compares the cloud address to the last update and, if they are different, updates the NAT stuff.
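For the polling approach described in the post, here is an added RouterOS script (not from the thread or from any of its posters) that reads the cloud address, compares it with the last value it saw, and rewrites the dst-address of every NAT rule tagged with a comment. The comment tag "hairpin-wan", the script name "update-hairpin" and the 10-minute interval are assumptions; tag your own hairpin rules with whatever comment you use and adjust the names.

```routeros
# Added example (not from the thread): keep hairpin dst-nat rules in sync
# with the MikroTik cloud address.
# Assumption: the rules to update carry comment="hairpin-wan".
# Install as /system script name=update-hairpin and schedule it, e.g.
#   /system scheduler add name=update-hairpin interval=10m \
#       on-event="/system script run update-hairpin"

# Last address written to the rules, kept across runs
:global hairpinLastWan
:if ([:typeof $hairpinLastWan] = "nothing") do={ :set hairpinLastWan "" }

# Cloud-learned public address, as a string so comparisons are type-safe
:local wan [:tostr [/ip cloud get public-address]]

:if ([:len $wan] = 0) do={
    # No address learned yet (uplink down, cloud disabled): change nothing
    :log warning "update-hairpin: cloud public-address is empty, skipping"
} else={
    :if ($wan != $hairpinLastWan) do={
        :log info ("update-hairpin: WAN changed " . $hairpinLastWan . " -> " . $wan)
        # Rewrite only the tagged rules; everything else is left alone
        :foreach r in=[/ip firewall nat find comment="hairpin-wan"] do={
            /ip firewall nat set $r dst-address=$wan
        }
        :set hairpinLastWan $wan
    }
}
```

The empty-address guard matters: if the cloud lookup has not completed, writing an empty dst-address into the rules would make them match nothing (or everything, depending on the rule), so the script logs and leaves the rules as they are until the next run.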
I’m testing it now with no IP address. The tutorials I’ve followed in the past made it seem like we had to have the IP address there for this to work both inside and outside of the house. Can’t remember if I specified or not, but what I need to do is connect to a device or devices in the house and outside of the house by using mysite.mycompany.com (and the appropriate forwarded port). mysite.mycompany.com is through DDNS, but in lieu of using the DDNS script I want to set up a CNAME record at DDNS to point to the mikrotik cloud address.
where:
x = the public interface’s port number
z = port the internal server listens on
y.y.y.y = internal IP of server
The reason there’s dst-address=!192.168.0.0/16 is to keep this rule from conflicting with LAN interfaces.
Suppose you’re mapping port 80 through to an inside device…
If you’re on the LAN side and want to access the http server of the Mikrotik itself, you can enter 192.168.88.1 in your browser (if that’s the LAN IP) and you’ll get the Mikrotik’s webfig page. If you enter the Mikrotik’s WAN address in your browser, though, it will get matched by this new rule, and get redirected to the LAN server’s web interface.
Thanks I’ll check this out as time permits. We generally need to do several ports for different devices, i.e. home automation system, camera DVR, etc. I generally handle any mikrotik access through winbox with a filter rule in the firewall.
You would either add one rule like this to the dstnat chain for each port mapping you’re doing, or, you could speed things up a tad by doing it like this:
[code]
chain=dstnat dst-address-type=local dst-address=!192.168.0.0/16 action=jump jump-target=pinholes
chain=pinholes protocol=tcp dst-port=80 action=dst-nat to-addresses=a.a.a.a to-ports=a
chain=pinholes protocol=udp dst-port=53 action=dst-nat to-addresses=b.b.b.b to-ports=b
chain=pinholes protocol=tcp dst-port=1001 action=dst-nat to-addresses=c.c.c.c to-ports=c
etc...
chain=pinholes action=return
[/code]
This keeps all of your pinholes in their own chain, and it keeps the logic for each rule much simpler so you don't make a mistake copying rules or if you need to make some other change to the master criteria.
Of course this has nothing to do with the filter rules allowing / blocking access to the pinholes, so if you want security on the pinholes, add appropriate filter rules in the forwarding chain.
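As an added example (not the poster's configuration), the pinholes chain above written out as /ip firewall commands, together with the two pieces the post leaves to the reader: the srcnat rule that makes the hairpin path work for LAN clients, and forward-chain filter rules that decide who may reach each pinhole. The LAN subnet 192.168.88.0/24, the WAN interface ether1, the inside hosts 192.168.88.10 and 192.168.88.20, and the admin-sources address list are all assumptions to replace with your own.

```routeros
# Added example: pinholes chain plus the hairpin and filter rules it needs.
# Assumptions: LAN 192.168.88.0/24, WAN interface ether1, inside hosts
# 192.168.88.10 (web) and 192.168.88.20 (DVR); adjust to your network.

/ip firewall address-list
# Constructed admin range (documentation prefix); replace with real sources
add list=admin-sources address=203.0.113.0/24 comment="admin sources"

/ip firewall nat
# Anything addressed to one of the router's own addresses, except LAN-side
# traffic to LAN addresses, goes to the pinholes chain (no WAN IP needed)
add chain=dstnat dst-address-type=local dst-address=!192.168.0.0/16 \
    action=jump jump-target=pinholes comment="pinholes: jump"
add chain=pinholes protocol=tcp dst-port=80 action=dst-nat \
    to-addresses=192.168.88.10 to-ports=80 comment="pinholes: web"
add chain=pinholes protocol=tcp dst-port=1001 action=dst-nat \
    to-addresses=192.168.88.20 to-ports=1001 comment="pinholes: dvr"
add chain=pinholes action=return
# Hairpin: a LAN client reaching a LAN server via the public address must
# have its source rewritten, or the server replies directly and the
# connection breaks
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.0/24 \
    action=masquerade comment="hairpin nat"
add chain=srcnat out-interface=ether1 action=masquerade comment="default masq"

/ip firewall filter
# dst-nat has already rewritten the packet by the time it hits forward,
# so match on the inside address/port and on connection-nat-state=dstnat
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=ether1 connection-nat-state=dstnat \
    protocol=tcp dst-address=192.168.88.10 dst-port=80 action=accept \
    comment="web pinhole open to the Internet"
add chain=forward in-interface=ether1 connection-nat-state=dstnat \
    protocol=tcp dst-address=192.168.88.20 dst-port=1001 \
    src-address-list=admin-sources action=accept \
    comment="DVR pinhole: admin sources only"
add chain=forward in-interface=ether1 connection-nat-state=dstnat \
    action=drop log=yes log-prefix="pinhole-denied" \
    comment="drop and log any other dst-natted traffic from WAN"
```

The filter rules are what actually limit exposure: the NAT rules only say where a port goes, while the forward chain says which sources are allowed to use it. Logging the final drop gives you a record of probes against ports you have forwarded but not opened to that source.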