Accessing forwarded ports "from inside" using public address

Posted: Sun May 07, 2017 12:46 pm
by bjornekelund
I have a problem that I do not really know how to solve.

I have some ports forwarded through my router for remote control purposes.
With my previous router I could access those ports using my public address from inside my network, either "mydomain.com" or the actual public IP address.
Using the internal address (e.g. 192.168.1.8) to access the ports of course works fine, but for testing purposes I want my dynamic DNS to be part of the test.

I have a feeling it is because my rules refer to my fiber transceiver on SFP1 but I'm not knowledgeable enough to determine the exact remedy.

Any help would be greatly appreciated.

My firewall setup is quite straightforward:

# may/07/2017 11:42:14 by RouterOS 6.39.1
# software id = 2R0E-UH51
#
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=input comment="Accept ping from WAN" disabled=yes in-interface=sfp1 protocol=icmp
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=sfp1
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=sfp1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=sfp1
add action=dst-nat chain=dstnat comment="ICOM RS-BA1 on Sergil" dst-port=50001-50003 in-interface=sfp1 protocol=udp to-addresses=192.168.1.8 to-ports=50001-50003
add action=dst-nat chain=dstnat comment="com2tcp on Sergil" dst-port=5555 in-interface=sfp1 protocol=tcp to-addresses=192.168.1.8 to-ports=5555

Re: Accessing forwarded ports "from inside" using public address

Posted: Sun May 07, 2017 3:15 pm
by Sob
Everything you need is nicely explained here.

Re: Accessing forwarded ports "from inside" using public address

Posted: Sun May 07, 2017 4:20 pm
by bjornekelund
Thank you!

Re: Accessing forwarded ports "from inside" using public address

Posted: Sun May 07, 2017 5:32 pm
by bjornekelund
I read, understood and added the suggested hairpin NAT rule (but of course with different addresses etc.). Doesn't work. I will have to dig further into this...

Re: Accessing forwarded ports "from inside" using public address

Posted: Sun May 07, 2017 6:37 pm
by Sob
Did you change your dstnat rules? If not, connections from inside won't match in-interface=sfp1. But if you remove it, you need to add some specification of the original destination address. Either dst-address=<address> (if you have a static one) or dst-address-type=local (for dynamic).
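
The change described in the reply above, written out against the NAT rules from the first post, as an added example that is not part of the original thread. The LAN subnet 192.168.1.0/24 is an assumption inferred from the 192.168.1.8 address in the posted export, and the "hairpin NAT" rule is a generic form of the rule the thread refers to, not the poster's own.

```routeros
/ip firewall nat

# Before (from the posted export): the rule only matches packets that ARRIVE
# on the WAN port, so a LAN client connecting to the public address never
# hits it and the connection ends at the router itself.
# add action=dst-nat chain=dstnat dst-port=5555 in-interface=sfp1 protocol=tcp to-addresses=192.168.1.8 to-ports=5555

# After: drop in-interface=sfp1 and match on the original destination instead.
# dst-address-type=local means "any address owned by this router", which
# covers a dynamic public address without hard-coding it.
add action=dst-nat chain=dstnat comment="ICOM RS-BA1 on Sergil" dst-address-type=local dst-port=50001-50003 protocol=udp to-addresses=192.168.1.8 to-ports=50001-50003
add action=dst-nat chain=dstnat comment="com2tcp on Sergil" dst-address-type=local dst-port=5555 protocol=tcp to-addresses=192.168.1.8 to-ports=5555

# Hairpin rule: LAN client -> router -> LAN server. Without source NAT the
# server would answer the client directly and the client would discard the
# reply, because it comes from 192.168.1.8 rather than the public address.
# 192.168.1.0/24 is an assumed LAN subnet; adjust to the real one.
add action=masquerade chain=srcnat comment="hairpin NAT" src-address=192.168.1.0/24 dst-address=192.168.1.8
```

With dst-address-type=local the forwards also answer on the router's LAN address, not only on the public one. Hairpinned connections reach 192.168.1.8 with the router's address as their source, so logs and address-based access rules on that host cannot tell internal clients apart.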

Re: Accessing forwarded ports "from inside" using public address

Posted: Sun May 07, 2017 7:47 pm
by bjornekelund
Oh, I didn't. As I mentioned, I'm a beginner at this.

I will try later. Thank you for your help.