edys
just joined
Topic Author
Posts: 15
Joined: Mon Dec 31, 2018 12:52 pm

public access

Tue Mar 19, 2019 11:18 pm

Hello,
I'm new to MikroTik devices, I'm using a hAP ac. So I have this:
a PPPoE connection is set up on the router and my provider also provides me DNS.

192.168.0.1 router ip

192.168.0.5 nas with openvpn

I just want to access the OpenVPN server from the internet. I figured out I should make a firewall NAT rule. Here is the problem: in the NAT rule, at dst. address, I put my DNS, and it was transformed to the public IP. If my power goes down, my IP changes, but in the NAT rule it doesn't, because it reads the IP, not the DNS. How can I make this? I just want something automatic, to assign my public IP to that NAT rule every time my power goes down.
 
kiaunel
Member Candidate
Posts: 211
Joined: Mon Jul 21, 2014 7:59 pm
Location: Romania

Re: public access

Tue Mar 19, 2019 11:20 pm

Post your dst nat rule
/ip firewall nat add action=dst-nat chain=dstnat dst-port=9000 in-interface=ether1 protocol=tcp to-addresses=172.16.0.233 to-ports=9000
As you can see here, you can use the incoming interface instead of the destination IP.
Last edited by kiaunel on Tue Mar 19, 2019 11:27 pm, edited 1 time in total.
 
edys
just joined
Topic Author
Posts: 15
Joined: Mon Dec 31, 2018 12:52 pm

Re: public access

Tue Mar 19, 2019 11:27 pm

With this setup it works, but I just want something automatic.
Last edited by edys on Tue Mar 19, 2019 11:32 pm, edited 1 time in total.
 
kiaunel
Member Candidate
Posts: 211
Joined: Mon Jul 21, 2014 7:59 pm
Location: Romania

Re: public access

Tue Mar 19, 2019 11:29 pm

First of all, do not post your public address;
second: try export instead of screen capture;
third: use incoming interface instead of IP address.
 
edys
just joined
Topic Author
Posts: 15
Joined: Mon Dec 31, 2018 12:52 pm

Re: public access

Tue Mar 19, 2019 11:32 pm

Thanks, it works :)
 
edys
just joined
Topic Author
Posts: 15
Joined: Mon Dec 31, 2018 12:52 pm

Re: public access

Mon Apr 22, 2019 12:12 am

Thanks, it works :)
Can you explain to me how to make hairpin? I just set up the PPPoE connection, but when I want to access my external IP from the local network, it shows me the router page all the time. On my phone, the public IP redirects to my site; that's fine.
 
Sob
Forum Guru
Posts: 4890
Joined: Mon Apr 20, 2009 9:11 pm

Re: public access

Mon Apr 22, 2019 5:03 am

If you want hairpin NAT, you can't do this:
third: use incoming interface instead of ip address
It's because connections from LAN of course have LAN as incoming interface and it won't match in-interface=<WAN>. But you need to match destination somehow. You can't easily use IP address if it's dynamic. But you can use dst-address-type=local, which matches any address assigned to router. Next problem can be that it matches all local addresses. It doesn't matter for some "exotic" ports, but if it would be e.g. port 80, which you'd want to forward to internal server, but at the same time you'd like to have WebFig also on port 80, that would not be accessible, because dstnat would forward all connections to internal server. The way around that is to exclude router's internal address from dstnat rule.

Example config:
/ip firewall nat
add chain=dstnat dst-address-type=local dst-address=!192.168.0.1 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.0.x
add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.0/24 action=masquerade comment="hairpin NAT"
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
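
The matching behaviour described in the post above, modelled as an added example (not code from the thread or from RouterOS). It covers only the dstnat matchers, not the srcnat masquerade rule; the interface names pppoe-out1 and bridge and the public address 203.0.113.10 are assumptions made for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# Constructed sample topology: LAN address is from the thread, the rest is assumed.
ROUTER_LAN = ip_address("192.168.0.1")
ROUTER_WAN = ip_address("203.0.113.10")    # placeholder public IP (documentation range)
LOCAL_ADDRS = {ROUTER_LAN, ROUTER_WAN}     # what dst-address-type=local matches

@dataclass(frozen=True)
class Packet:
    in_interface: str
    dst: str
    dst_port: int

@dataclass(frozen=True)
class DstNatRule:
    dst_port: int
    in_interface: Optional[str] = None     # in-interface=<name>
    dst_type_local: bool = False           # dst-address-type=local
    not_dst_address: Optional[str] = None  # dst-address=!<addr>

    def matches(self, p: Packet) -> bool:
        if p.dst_port != self.dst_port:
            return False
        if self.in_interface and p.in_interface != self.in_interface:
            return False
        if self.dst_type_local and ip_address(p.dst) not in LOCAL_ADDRS:
            return False
        if self.not_dst_address and ip_address(p.dst) == ip_address(self.not_dst_address):
            return False
        return True

# Constructed sample connections, all to TCP port 80.
PACKETS = {
    "internet -> public IP": Packet("pppoe-out1", "203.0.113.10", 80),
    "LAN -> public IP (hairpin)": Packet("bridge", "203.0.113.10", 80),
    "LAN -> router WebFig": Packet("bridge", "192.168.0.1", 80),
}
BY_INTERFACE = DstNatRule(80, in_interface="pppoe-out1")
BY_LOCAL = DstNatRule(80, dst_type_local=True)
BY_LOCAL_EXCL = DstNatRule(80, dst_type_local=True, not_dst_address="192.168.0.1")

def forwarded(rule: DstNatRule) -> dict:
    """Return, per sample connection, whether the rule would dst-nat it."""
    return {name: rule.matches(p) for name, p in PACKETS.items()}

if __name__ == "__main__":
    for label, rule in [("in-interface", BY_INTERFACE), ("type=local", BY_LOCAL),
                        ("type=local, !router", BY_LOCAL_EXCL)]:
        print(label, forwarded(rule))
```

Only the third rule forwards both the internet and the hairpin connection while leaving WebFig on the router's LAN address reachable.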
 
Kronyx
just joined
Posts: 19
Joined: Thu Apr 25, 2019 6:45 pm
Location: Sainte-Catherine, QC

Re: public access

Sat May 04, 2019 3:35 am

OK, thanks. If my network is 192.168.88.x, how can I change those rules?
 
Sob
Forum Guru
Posts: 4890
Joined: Mon Apr 20, 2009 9:11 pm

Re: public access

Sat May 04, 2019 3:46 am

192.168.0.1 -> 192.168.88.1 (probably, it's the address on router)
192.168.0.x -> 192.168.88.x (address of internal server)
192.168.0.0/24 -> 192.168.88.0/24