Unable to connect

Sked · September 10, 2018, 3:44pm

Hello
I am new in Mikrotik forum. I have buy new great router Mikrotik 3011, but have one problem if anyone can give me hand and help me.
Well lets describe my problem.
I am using WinBox and i know how to open ports. Well i open port 443 to my web server. Lety say that this is 192.168.88.100.
Then i open port (5000) to anothere server lets call it 192.168.88.101. All this work great. But then problems starts.
My second server 192.168.88.101 is unable to contact to first server 192.168.88.100. All aplications whitch run on it work and i
have setup this on ordinary TP-Link router. So server work only problem is how to setup this one.
Well my second server 192.168.88.101 must conect trou port 8000 to first server 192.168.88.100 to web page: https://mydomain.com/components/com_test/index.php
Everytime and everything i do i get message that second server 192.168.88.101 is unable to conect to first server.
But if i put “https://mydomain.com/components/com_test/index.php” in web browser i can open good and show me, from inside or outside the internet.

Please help me how to configure this.
And if you need any my settings now i can send it to you on private.
Sked

Sob · September 10, 2018, 9:15pm

You’re probably looking for this:

http://wiki.mikrotik.com/wiki/Hairpin_NAT

Sked · September 11, 2018, 6:43am

Thank you Sob for your help , but i go trou all this and port 80 is open. I can see it on web browser.
From outside and inside . I am more thinking if there is any rule to add.
Sked

solar77 · September 11, 2018, 8:16am

your problem is not about opening ports but likely to be your NAT rule. try add your wan interface to be the in-interface in your NAT rule. Or dst-address to be your public ip / router’s wan IP.
if not working, post your NAT rule here

Sked · September 11, 2018, 12:15pm

Ok i have put some sentances i hope i wrote right:

/ip firewall nat
add chain=dstnat dst-address=“static ip” protocol=tcp dst-port=80
action=dst-nat to-address=192.168.88.100
add chain=srcnat out-interface-list=WAN action=masquerade

add chain=srcnat src-address=192.168.88.0/24
dst-address=192.168.88.0/24 protocol=tcp dst-port=80
out-interface=bridge action=masquerade

add chain=dstnat dst-address=192.168.88.0/24 dst-address=not protocol=tcp dst-port=80
dst-address-type=local action=dst-nat to-addresses=192.168.88.100 to-ports=80

Sob · September 11, 2018, 7:17pm

If it’s open from inside and outside, and by inside you mean another device in 192.168.88.x, then it’s what you want and it should work from server too. You can also check rules in “/ip firewall filter”, but I assume you’d know id you’d have blocked something there.

You can also do “/export hide-sensitive” and post the output here (mask public address if you want). What you posted so far, the last rule looks strange, but whatever it is, it should not be needed at all, first dstnat rule is fine.

Sked · September 11, 2018, 7:35pm

Yes i wrote this manual now this is from export:

/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade”
out-interface-list=WAN src-address-list=192.168.88.0/24

add action=masquerade chain=srcnat out-interface=ether1_WAN
add action=dst-nat chain=dstnat dst-address=1.1.1.1 dst-port=80
in-interface=ether1_WAN protocol=tcp to-addresses=192.168.88.100
add action=dst-nat chain=dstnat dst-address=1.1.1.1 dst-port=80
in-interface=ether1_WAN protocol=udp to-addresses=192.168.88.100 to-ports=
80

add action=masquerade chain=srcnat dst-address=192.168.88.0/24
dst-address-type=local dst-port=80 out-interface=bridge protocol=tcp
src-address=192.168.88.0/24
add action=masquerade chain=srcnat dst-address=192.168.88.0/24
dst-address-type=local dst-port=80 out-interface=bridge protocol=udp
src-address=192.168.88.0/24

add action=dst-nat chain=dstnat dst-address=!192.168.88.0/24 dst-address-type=
local dst-port=80 protocol=tcp to-addresses=192.168.88.100 to-ports=80
add action=dst-nat chain=dstnat dst-address=!192.168.88.0/24 dst-address-type=
“” dst-port=80 protocol=udp to-addresses=192.168.88.100 to-ports=80

Sob · September 11, 2018, 7:52pm

Remove in-interface=ether1_WAN from first two dstnat rules, dst-address=1.1.1.1 is enough. With in-interface=ether1_WAN, these rules can’t work for connections from inside.

Remove dst-address-type=local from hairpin rules. The “local” here means addresses assigned to router, but you need these rules to work for connections to server.

Last two dstnat rules are not needed at all.

Sked · September 12, 2018, 8:37am

Well i have notice that i have two srcnat :

add action=masquerade chain=srcnat comment=“defconf: masquerade”
out-interface-list=WAN src-address-list=192.168.88.0/24

and

add action=masquerade chain=srcnat comment=“defconf: masquerade”
out-interface=ether1_WAN src-address-list=192.168.88.0/24

Is this good or no. Because if i disable second one all stop working.
But first one was in when i run first time router.

And if i do the same as you told me don’t work as before.
I am more thinking that is problem in Filter Rules.

Sked

Sob · September 12, 2018, 2:06pm

Router comes with default config. You should either remove it completely and replace it with yours (if you know what you’re doing), or take it as starting point, understand it and build up on it. One srcnat rule for main NAT is enough, so either update your “WAN” interface list to include ether1_WAN and keep the first rule, or keep the other one, it’s up to you.

And yes, problem could be in filter rules, but so far you’re the only one who can see them…