 
jamesa
just joined
Topic Author
Posts: 4
Joined: Sat May 27, 2017 7:11 pm

Accessing Local Server with a domain

Sat May 27, 2017 7:25 pm

Hi,
I recently changed ISP. I used to have a modem, now I am using PPPoE. I had to add the PPPoE interface, and change Filter and NAT rules to use the new PPPoE interface instead of the WAN ethernet-1 gateway I was using before (I hope that is correct). Internet and everything seems to be working fine. GRC's Shields Up says my firewall is safe.

I have a NAS and a couple other services on my network. I also have DDNS setup and working. I have setup the appropriate port forwarding and everything seems to be working fine from outside my network. However, if I use the DDNS domain xxxxxxx.com:XXXX from within my network, it doesn't work.

Any ideas how I can make this work?
 
erlinden
Member Candidate
Posts: 174
Joined: Wed Jun 12, 2013 1:59 pm

Re: Accessing Local Server with a domain

Sun May 28, 2017 12:10 am

I used to run an internal DNS server to resolve my domains to private (internal) IP addresses. The other option is (I think it is called) hairpin NAT.
 
jamesa
just joined
Topic Author
Posts: 4
Joined: Sat May 27, 2017 7:11 pm

Re: Accessing Local Server with a domain

Sun May 28, 2017 2:21 pm

Thanks, I tried following these instructions.
https://wiki.mikrotik.com/wiki/File:Hairpin_nat_4.png

I added this, adapted for my network.
/ip firewall nat
add chain=srcnat src-address=192.168.88.0/24 \
  dst-address=192.168.88.200 protocol=tcp dst-port=5025 \
  out-interface=ether2-master-local action=masquerade
Still doesn't seem to work. How do I choose the out-interface? What else could I be missing? What position in the NAT should this masq be in? Beginning, end?
 
BartoszP
Forum Guru
Posts: 1717
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Accessing Local Server with a domain

Sun May 28, 2017 4:25 pm

Follow all steps from
https://wiki.mikrotik.com/wiki/Hairpin_NAT

Do you have the first rule added? This one, tailored with your settings:
/ip firewall nat
add chain=dstnat dst-address=1.1.1.1 protocol=tcp dst-port=80 \
  action=dst-nat to-address=192.168.1.2
What IP do you use?
The problem is that this rule has to follow the DDNS address. How?
Instead of dst-address, use dst-address-list, and that list should have your DDNS address added as follows:
/ip firewall nat
add action=dst-nat chain=dstnat dst-address-list=DDNS_DST_LIST dst-port=80 protocol=tcp to-addresses=192.168.1.2
/ip firewall address-list
add address=myddns.name list=DDNS_DST_LIST
Real admins use real keyboards.
 
jamesa
just joined
Topic Author
Posts: 4
Joined: Sat May 27, 2017 7:11 pm

Re: Accessing Local Server with a domain

Sun May 28, 2017 6:12 pm

Yes, I had the first rule added, but without a dst-address and with a random port for my NAS admin panel, not port 80. Access from the outside worked. I added my temp dynamic IP address for testing, and it still works accessing from outside.

I do have DDNS, but for now I'm trying to get it to work assuming I have a fixed IP.

My masquerade/hairpin NAT still doesn't seem to work. I also tried with src-address set to the IP address of my current computer, instead of 192.168.88.0/24. Could it be the out-interface?
 
Sob
Forum Guru
Posts: 4807
Joined: Mon Apr 20, 2009 9:11 pm

Re: Accessing Local Server with a domain

Mon May 29, 2017 2:13 am

What about your dstnat rule? Based on this:
... change Filter and NAT rules to use the new PPPoE interface ...
... does it perhaps have in-interface=<PPPoE>? That would be a problem, because when connecting from LAN, in-interface is - no surprise - LAN. So you need either dst-address=<public address> or dst-address-type=local (= any address owned by router). For the latter, if you want to use some port that you also need to access on router (e.g. 80 for WebFig), add dst-address=!<router's internal address>.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
jamesa
just joined
Topic Author
Posts: 4
Joined: Sat May 27, 2017 7:11 pm

Re: Accessing Local Server with a domain

Mon May 29, 2017 8:49 am

... does it perhaps have in-interface=<PPPoE>? That would be problem,
Sob, you are correct, my dstnat had my new PPPoE as the in-interface. Good catch! It looks like BartoszP also had the solution, but I hadn't noticed that he didn't have an in-interface in his solution. As I have DDNS, I had to create a dst address list with my DDNS domain. It seems to be working now.

Not quite sure I understand why I didn't need a masquerade when I had an external modem on my WAN, but need one with a PPPoE internet.

Thanks everyone!
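
Added example, not part of any post in this thread and not RouterOS code: a simplified Python model of the packet path discussed above, showing why a dstnat rule bound to in-interface=<PPPoE> never matches LAN clients and why the hairpin masquerade is still needed once it does match. The public address 203.0.113.7, the client 192.168.88.10, the interface names "pppoe" and "lan", and the dictionary keys are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed addresses: PUBLIC is a documentation-range placeholder for the WAN IP.
PUBLIC, ROUTER_LAN = "203.0.113.7", "192.168.88.1"
SERVER, CLIENT, PORT = "192.168.88.200", "192.168.88.10", 5025
LOCAL = {PUBLIC, ROUTER_LAN}  # addresses owned by the router (dst-address-type=local)

# Rule as it was after the ISP change, and the rule Sob suggests (modelled, not CLI syntax).
OLD_RULE = {"in_interface": "pppoe", "dst_port": PORT, "to_addresses": SERVER}
NEW_RULE = {"dst_address_type": "local", "not_dst_address": ROUTER_LAN,
            "dst_port": PORT, "to_addresses": SERVER}

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    in_if: str

def dstnat(pkt, rule):
    """Apply one dst-nat rule; return True if it matched and rewrote pkt.dst."""
    if rule.get("in_interface") not in (None, pkt.in_if):
        return False  # LAN clients arrive on "lan", never on "pppoe"
    if rule.get("dst_address_type") == "local" and pkt.dst not in LOCAL:
        return False
    if pkt.dst == rule.get("not_dst_address") or pkt.dport != rule["dst_port"]:
        return False
    pkt.dst = rule["to_addresses"]
    return True

def connect(pkt, rule, hairpin_masquerade):
    """Walk one TCP SYN through the router and report how the attempt ends."""
    orig_dst = pkt.dst
    if not dstnat(pkt, rule):
        return "no dstnat match: packet is handled by the router itself"
    if pkt.in_if == "lan" and hairpin_masquerade:
        pkt.src = ROUTER_LAN  # srcnat masquerade on the way back out to the LAN
    # The server answers pkt.src. If that is the client on the same subnet, the
    # reply bypasses the router and arrives from SERVER instead of orig_dst.
    if pkt.src == CLIENT:
        return f"reply from {SERVER}, client expected {orig_dst}: discarded"
    return "connected"  # reply returns via the router, which undoes the translation

if __name__ == "__main__":
    for rule, masq in ((OLD_RULE, True), (NEW_RULE, False), (NEW_RULE, True)):
        print(connect(Packet(CLIENT, PUBLIC, PORT, "lan"), rule, masq))
```

The `not_dst_address` key models the `dst-address=!<router's internal address>` exclusion from Sob's post, which keeps a forwarded port from shadowing the same port on the router's own LAN address.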
