Why does adding an In Interface List to a NAT rule break my NAT loopback?

Hi,
sorry if this is a dumb question…
Let's say I create this rule:

/ip firewall nat add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.xxx dst-port=80,443 in-interface-list=WAN protocol=tcp to-addresses=192.168.11.42

Now, packets coming from WAN to IP xxx.xxx.xxx.xxx are dst-NATed to my local server.
Now I add a NAT loopback like this:

/ip firewall nat add action=masquerade chain=srcnat dst-address=192.168.11.42 out-interface=bridge protocol=tcp src-address=192.168.11.0/24

My NAT loopback does not work.
To get it working, I need to remove the

in-interface-list=WAN

from my nat rule.
Why? I mean, even from inside, if I try to open the web page on my server using the domain name, the request comes from my WAN, right? So why does putting WAN break it?

no

Thanks for this very short answer.
So, let's say I need to put an in-interface (which is not the case, I suppose, for me currently), how do I make NAT loopback work?

Add the same rule (as with in-interface from WAN) but with bridge as in-interface; it should do the trick.

You mean like this? (3 rules)

/ip firewall nat add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.xxx dst-port=80,443 in-interface-list=WAN protocol=tcp to-addresses=192.168.11.42
/ip firewall nat add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.xxx dst-port=80,443 in-interface=bridge protocol=tcp to-addresses=192.168.11.42
/ip firewall nat add action=masquerade chain=srcnat dst-address=192.168.11.42 out-interface=bridge protocol=tcp src-address=192.168.11.0/24

works for me

add action=masquerade chain=srcnat comment=hairpin dst-port=80,443,5000,5001 protocol=tcp src-address=172.16.8.0/24
add action=dst-nat chain=dstnat comment="ds918+ web" dst-address=9x.xx4.x7x.1xx dst-port=80,443,5000,5001 in-interface=pppoe-wan protocol=tcp to-addresses=172.16.8.11
add action=dst-nat chain=dstnat comment="ds918+ web" dst-address=9x.xx4.x7x.1xx dst-port=80,443,5000,5001 in-interface=bridge protocol=tcp to-addresses=172.16.8.11
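
Added example, not part of any post in this thread: a simplified Python model of NAT rule matching that shows why a dst-nat rule limited to in-interface-list=WAN never matches a LAN client's request to the public IP, and why the extra in-interface=bridge rule plus the masquerade rule makes the loopback work. The public address 203.0.113.10, the router LAN address 192.168.11.1, the client addresses and the WAN list members are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed values: the thread masks the public IP and never lists WAN members.
PUBLIC_IP, SERVER, ROUTER_LAN_IP = "203.0.113.10", "192.168.11.42", "192.168.11.1"
LAN = ip_network("192.168.11.0/24")
WAN_LIST = {"ether2", "pppoe-orange"}  # assumed members of interface list WAN

DSTNAT_WAN = {"dst": PUBLIC_IP, "ports": {80, 443}, "in_list": WAN_LIST, "to": SERVER}
DSTNAT_BRIDGE = {"dst": PUBLIC_IP, "ports": {80, 443}, "in_if": "bridge", "to": SERVER}
HAIRPIN = {"dst": SERVER, "src_net": LAN, "out_if": "bridge"}

def matches(rule, pkt):
    """A rule matches only if every matcher it carries agrees with the packet."""
    checks = {
        "dst": lambda v: pkt["dst"] == v,
        "ports": lambda v: pkt["dport"] in v,
        "in_list": lambda v: pkt["in_if"] in v,
        "in_if": lambda v: pkt["in_if"] == v,
        "out_if": lambda v: pkt.get("out_if") == v,
        "src_net": lambda v: ip_address(pkt["src"]) in v,
    }
    return all(check(rule[key]) for key, check in checks.items() if key in rule)

def traverse(pkt, dstnat_rules, srcnat_rules):
    """dstnat -> routing decision -> srcnat, in that order (simplified model)."""
    pkt = dict(pkt)
    for rule in dstnat_rules:
        if matches(rule, pkt):
            pkt["dst"] = rule["to"]
            break
    if pkt["dst"] == PUBLIC_IP:
        pkt["out_if"] = "local-input"   # never translated: the router itself receives it
        return pkt
    pkt["out_if"] = "bridge" if ip_address(pkt["dst"]) in LAN else "wan"
    for rule in srcnat_rules:
        if matches(rule, pkt):
            pkt["src"] = ROUTER_LAN_IP  # masquerade: source becomes the router's LAN address
            break
    return pkt

lan_client = {"src": "192.168.11.50", "dst": PUBLIC_IP, "dport": 443, "in_if": "bridge"}
internet = {"src": "198.51.100.7", "dst": PUBLIC_IP, "dport": 443, "in_if": "ether2"}

if __name__ == "__main__":
    print(traverse(lan_client, [DSTNAT_WAN], [HAIRPIN]))                 # not translated
    print(traverse(lan_client, [DSTNAT_WAN, DSTNAT_BRIDGE], [HAIRPIN]))  # hairpin works
    print(traverse(internet, [DSTNAT_WAN, DSTNAT_BRIDGE], [HAIRPIN]))    # source preserved
```

The in-interface match is evaluated against the interface the packet physically arrived on, so a LAN client's packet arrives on bridge even though its destination is the public address.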

Interesting, you don’t set a dst-address in your srcnat rule.
All the examples I see put the local server IP address in this rule. I suppose your rule is then valid for the whole network?

In my case, your solution works fine with 1 server, not with the other.

I have 3 WAN accesses
and I have these routes:

[admin@RouterOS] > ip route print 
Flags: D - DYNAMIC; A - ACTIVE; c, s, d, v, y - BGP-MPLS-VPN
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#     DST-ADDRESS       GATEWAY            DISTANCE
  D v 0.0.0.0/0         pppoe-orange              3
  DAd 0.0.0.0/0         xxx.xxx.xxx.xxx              2
0   s 0.0.0.0/0         10.0.0.1                 10
  DAc 10.0.0.0/24       ether3 Backup_4G          0
  DAc 10.10.10.0/24     bridge                    0
  DAc xxx.xxx.xxx.xxx/24     ether2 Fibre_Free         0
  DAc 192.168.11.0/24   bridge                    0
  DAc yyy.yyy.yyy.yyy/32  pppoe-orange              0
1  As 0.0.0.0/0         pppoe-orange              1
2  As 0.0.0.0/0         ether2 Fibre_Free         1
3  As 0.0.0.0/0         ether3 Backup_4G          1

Routes with metric 1 are used by some specific rules in the routing rule settings.
So by default, everything goes through the route with metric 2.
But 1 server has a specific rule, so the route used is the pppoe-orange one with metric 1.

[admin@RouterOS] > routing/rule/print 
Flags: X - disabled, I - inactive 
 0   src-address=192.168.11.100/32 action=lookup table=VersOrange

For this server, the hairpinning rule does not work. I don’t understand why.

Unfortunately I have only one WAN link and am unable to help with your nuances.

No problem,
you already helped a lot.

https://forum.mikrotik.com/viewtopic.php?t=179343

Nice topic, I’ll read it.