weseiki
just joined
Topic Author
Posts: 1
Joined: Tue Mar 10, 2020 6:19 pm

mikrotik nat redirect to local from local

Tue Mar 10, 2020 6:20 pm

I'm using a MikroTik 750GL and I have the following problem:

I have subnet 10.0.0.0/16

Router has local ip 10.0.0.1 and external ip (e.g. 1.1.1.1)

I forward some ports to my local hosts (e.g. firewall nat dst-nat 1.1.1.1:444 -> 10.0.0.2:80)

When I go to 1.1.1.1:444 from the internet, I can access my web server on 10.0.0.2, but when I go to 1.1.1.1:444 from the LAN (e.g. 10.0.0.3), I get stuck at the loading page.

I understand that 10.0.0.2 can answer 10.0.0.3 only via switch routing, and I tried to fix it by adding a new src-nat rule like 10.0.0.0/16 -> 2.2.2.2, but nothing worked.

Where did I make a mistake?
Last edited by weseiki on Thu Mar 12, 2020 3:21 pm, edited 1 time in total.
 
BartoszP
Forum Guru
Posts: 2875
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: mikrotik nat redirect to local from local

Wed Mar 11, 2020 8:06 am

 
anav
Forum Guru
Posts: 19318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: mikrotik nat redirect to local from local

Wed Mar 11, 2020 2:13 pm

The short story.......
We need a source nat rule that lets the router know to handle NAT type requests from LAN to router back to the same LAN.
The second rule is the standard source nat route for lan traffic heading out the router and depends on type of WANIP.

/ip firewall nat {source nat}
(1) add action=masquerade chain=srcnat src-address=10.0.0.0/16 dst-address=10.0.0.0/16 comment="HairpinNAT"
(2a) add action=masquerade chain=srcnat out-interface=WAN comment="dynamicWanIp"
(2b) add action=src-nat chain=srcnat out-interface=WAN(or etherport) to-address=1.1.1.1 comment="staticWanIp"

For the destination nat rule, here is where we identify the key components: the incoming port, the translated port if necessary, the protocol and the server IP. In addition, if one can limit the allowed incoming WANIPs to access the server, one would use/define a firewall address list and then use that defined name as a 'source-address-list' entry in the rule
The first line (3a) shows what the typical dst-nat rule looks like in port forwarding with a dynamic WANIP and (3b) for a static WANIP.

/ip firewall nat {destination nat}
(3a) add action=dst-nat chain=dstnat in-interface=WAN dst-port=444 protocol=tcp to-addresses=10.0.0.2 to-ports=80 (add to-ports if port translation is required)
(3b) add action=dst-nat chain=dstnat dst-address=1.1.1.1 dst-port=444 protocol=tcp to-addresses=10.0.0.2 to-ports=80

For Hairpin NAT to work however the following destination nat rule is used.............
Dynamic WANIP is trickier because we don't know what the WANIP is.......

/ip firewall nat {destination nat}
add action=dst-nat chain=dstnat dst-port=444 protocol=tcp dst-address=!10.0.0.1 \
dst-address-type=local to-addresses=10.0.0.2 to-ports=80

In effect we are saying apply destination nat where the destination address is NOT the LANIP but IS a local router interface.
Since the router WAN interface is considered (local) then it will be matched for any incoming external traffic for that port (444). There is another reason for doing it this way, something about not interfering with services from the LAN to the router, but I can't wrap my head around it.

Of course if you have a static WANIP, the rule is pretty straightforward, it's 3b above :-)
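As an added illustration (this is not code from the thread or from MikroTik), the following Python model walks a packet through the rule order anav describes, dstnat first, then the routing decision, then srcnat, and reports whether the web server's reply will pass back through the router, which is what the hairpin rule (1) is for. Addresses 10.0.0.0/16, 10.0.0.1, 10.0.0.2 and 1.1.1.1 are the thread's; the internet client 8.8.8.8 is a constructed sample address, and the "reply goes straight over the switch" check is a simplification of how a LAN host replies to a LAN source address. It also shows why `dst-address=!10.0.0.1` keeps a LAN client's connection to the router's own address at port 444 from being redirected to the server:

```python
"""Toy model of the RouterOS NAT flow from the thread (added example, not MikroTik code).
Order inside the router: dstnat -> routing decision -> srcnat."""
import ipaddress
from dataclasses import dataclass, replace

# Addresses from the thread. The WAN address is dynamic there, so the rules
# never reference it; they rely on dst-address-type=local instead.
LAN_NET = ipaddress.ip_network("10.0.0.0/16")
ROUTER_LAN_IP = ipaddress.ip_address("10.0.0.1")
ROUTER_WAN_IP = ipaddress.ip_address("1.1.1.1")
WEB_SERVER = ipaddress.ip_address("10.0.0.2")
# dst-address-type=local matches any address the router itself owns.
LOCAL_ADDRESSES = {ROUTER_LAN_IP, ROUTER_WAN_IP}


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str = "tcp"


def make_packet(src, dst, dport, proto="tcp"):
    return Packet(ipaddress.ip_address(src), ipaddress.ip_address(dst), dport, proto)


def dstnat(pkt):
    """chain=dstnat dst-port=444 protocol=tcp dst-address=!10.0.0.1
    dst-address-type=local to-addresses=10.0.0.2 to-ports=80"""
    if (pkt.proto == "tcp" and pkt.dport == 444
            and pkt.dst != ROUTER_LAN_IP and pkt.dst in LOCAL_ADDRESSES):
        return replace(pkt, dst=WEB_SERVER, dport=80)
    return pkt


def route(pkt):
    """Routing after dstnat: the LAN subnet is directly connected, the rest goes out WAN."""
    return "LAN" if pkt.dst in LAN_NET else "WAN"


def srcnat(pkt, out_iface, hairpin_rule=True):
    """Rule (1): chain=srcnat src-address=10.0.0.0/16 dst-address=10.0.0.0/16 action=masquerade
    Rule (2a): chain=srcnat out-interface=WAN action=masquerade"""
    if hairpin_rule and pkt.src in LAN_NET and pkt.dst in LAN_NET:
        return replace(pkt, src=ROUTER_LAN_IP)   # masquerade on the LAN-facing egress
    if out_iface == "WAN":
        return replace(pkt, src=ROUTER_WAN_IP)
    return pkt


def traverse(src, dst, dport, hairpin_rule=True):
    """Return (where the packet is delivered, the packet as the receiver sees it)."""
    pkt = dstnat(make_packet(src, dst, dport))
    if pkt.dst in LOCAL_ADDRESSES:
        return "router", pkt            # input path: a service on the router itself
    out = route(pkt)
    return out, srcnat(pkt, out, hairpin_rule)


def connection_works(src, dst, dport, hairpin_rule=True):
    """True when the server's reply passes back through the router's NAT state.
    A LAN server answers a LAN source address directly over the switch, so the
    router never un-translates the reply; the client, expecting a reply from
    1.1.1.1:444, receives one from 10.0.0.2:80 instead and the page never loads."""
    where, seen = traverse(src, dst, dport, hairpin_rule)
    if where == "router":
        return True
    return seen.src == ROUTER_LAN_IP or seen.src not in LAN_NET


if __name__ == "__main__":
    cases = [("8.8.8.8", "1.1.1.1", 444, True),    # internet client (constructed address)
             ("10.0.0.3", "1.1.1.1", 444, True),   # LAN client via WAN IP, rule (1) present
             ("10.0.0.3", "1.1.1.1", 444, False),  # same without rule (1): the OP's symptom
             ("10.0.0.3", "10.0.0.1", 444, True)]  # LAN client to the router's own LAN IP
    for src, dst, dport, hp in cases:
        where, seen = traverse(src, dst, dport, hp)
        print(f"{src} -> {dst}:{dport} hairpin={hp}: delivered to {where} as "
              f"{seen.src}->{seen.dst}:{seen.dport}, works={connection_works(src, dst, dport, hp)}")
```

Running it shows the three outcomes the thread discusses: the internet client works with or without rule (1), the LAN client reaching 1.1.1.1:444 only works when rule (1) rewrites its source to 10.0.0.1 so the server's reply returns through the router, and a LAN client connecting to 10.0.0.1:444 is left alone by the dstnat rule because of `dst-address=!10.0.0.1`.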
