SOLVED: NAT and internal Webserver access from internal IP with Domainname

Hello,

I have my NAS attached to my RB and set up NAT and forwarding so I can access it from https://home.mydomain.com:4003. Everything works fine. But if I want to access it from my LAN with the domain name (not the internal IP) I get an error: not reachable. See image.

Does anyone have a solution?

My firewall and NAT:

[admin@router.dh] /ip firewall> export
# sep/13/2016 20:44:58 by RouterOS 6.36.3
# software id = VLNN-FZWU
#

/ip firewall filter
add action=jump chain=forward comment="DDoS detection" connection-state=new \
    jump-target=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m \
    chain=detect-ddos
add action=add-src-to-address-list address-list=ddoser address-list-timeout=10m \
    chain=detect-ddos
add action=drop chain=forward comment="DDoS detection" connection-state=new \
    dst-address-list=ddosed src-address-list=ddoser
add action=accept chain=input comment="Accept established and related packets" \
    connection-state=established,related
add action=accept chain=input comment=\
    "Accept all connections from local network" in-interface=bridge_lan
add action=accept chain=input comment="Remote Access to WebInterface" dst-port=\
    4000,4001 in-interface=Eolo_eth1 protocol=tcp
add action=accept chain=input comment="Remote Access to WinBox" dst-port=\
    8291,8729,8728 protocol=tcp
add action=accept chain=forward comment=\
    "Forward all established and related packets" connection-state=\
    established,related
add action=accept chain=forward comment="forward Internet traffic http&https" \
    dst-address=!192.168.0.0/24 dst-port=80,443 in-interface=bridge_lan \
    protocol=tcp
add action=accept chain=forward comment=\
    "Forward various ports 995 (POP3), 465, 25,587 SMTP, 8443 nperf.com" \
    dst-address=!192.168.0.0/24 dst-port=995,465,25,587,8443 in-interface=\
    bridge_lan protocol=tcp
add action=accept chain=forward comment=\
    "Forward various ports 123 (ntp), 3544,3074 Microsoft" dst-address=\
    !192.168.0.0/24 dst-port=123,3544,3074 in-interface=bridge_lan protocol=udp
add action=accept chain=forward comment=PING dst-address=!192.168.0.0/24 \
    in-interface=bridge_lan protocol=icmp
add action=accept chain=forward comment="Mikrotik service port" dst-address=\
    !192.168.0.0/24 dst-port=15252 in-interface=bridge_lan protocol=udp
add action=accept chain=forward comment=Speedtest-pingtest dst-address=\
    !192.168.0.0/24 dst-port=8080,110,5060 in-interface=bridge_lan protocol=tcp
add action=accept chain=forward comment=TeamViewer dst-address=!192.168.0.0/24 \
    dst-port=5938 in-interface=bridge_lan protocol=tcp
add action=accept chain=forward comment=uTorrent dst-address=!192.168.0.0/24 \
    in-interface=bridge_lan protocol=udp src-port=38517
add action=accept chain=forward comment="forward home.mydomain.com" \
    dst-port=4000,4001,4002,4003,4004 out-interface=bridge_lan protocol=tcp \
    src-address=!192.168.0.0/24
add action=drop chain=input log=yes
add action=drop chain=forward log=yes
/ip firewall nat
add action=masquerade chain=srcnat dst-address=!192.168.0.0/24 out-interface=\
    Eolo_eth1
add action=dst-nat chain=dstnat comment="Webaccess for Nas" dst-port=4003 \
    in-interface=Eolo_eth1 protocol=tcp to-addresses=192.168.0.192 to-ports=\
    4003

Thanks and greetings from South Tyrol
Daniel

Have a look at http://wiki.mikrotik.com/wiki/Hairpin_NAT

The simplest approach would be to add a static entry in the DNS for the NAS.

Already tried…
Not working (or badly configured):

[admin@router.dh] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; Webaccess for Nas
      chain=dstnat action=dst-nat to-addresses=192.168.0.192 protocol=tcp 
      in-interface=Eolo_eth1 dst-port=4003 log=no log-prefix="" 

 1    chain=srcnat action=masquerade protocol=tcp src-address=192.168.0.0/24 
      dst-address=192.168.0.192 out-interface=bridge_lan dst-port=4003 log=yes 
      log-prefix="" 

 2    chain=srcnat action=masquerade out-interface=Eolo_eth1 log=no log-prefix="" 
[admin@router.dh] /ip firewall nat>



Not possible, I would use home.mydomain.com for various IP services and the selection must be by port, e.g. home.mydomain.com:4000 points to 192.168.0.1:4000, home.mydomain.com:4003 points to 192.168.0.192:4003 and so on…

Got it working.

Solution for me:

[admin@router.dh] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=masquerade out-interface=Eolo_eth1 

 1    chain=srcnat action=masquerade out-interface=bridge_lan 

 2    chain=srcnat action=masquerade src-address=192.168.0.0/24 
      dst-address=192.168.0.0/24 

 3    chain=dstnat action=dst-nat to-addresses=192.168.0.192 protocol=tcp 
      dst-address-type=local dst-port=443,4003 

 4    chain=dstnat action=dst-nat to-addresses=192.168.0.1 protocol=tcp 
      dst-address-type=local dst-port=4001

Nice work!
Thanks for posting back. I’m sure this will help someone else in the future