I host some servers behind my Mikrotik router using NAT. My ISP gives out a private IPv4 to every customer (for me let’s say 10.20.2.12) and an optional public IP (let’s say 92.62.3.13). The WAN interface on my router is configured with the private IP (this is required by the ISP) and when someone accesses the public IP, the ISP does NAT from 92.62.3.13 to 10.20.2.12 and then my router from 10.20.2.12 to the appropriate server in my internal network.
However, with this setup, I’m not able to access my servers using my public IP from my own network – when I ping 92.62.3.13, it doesn’t work (it works from other networks). I read the wiki entry about Hairpin NAT, but was unable to get it working (my ISP actually told me that this is not possible with their setup and I would have to lease an entire IPv4 subnet to be able to do this).
Then I realized I could solve it by routing packets with destination IP of 92.62.3.13 directly to the Mikrotik router. So I added IP 92.62.3.13 to the bridge (then a dynamic route was automatically created) and reconfigured destination NAT to translate packets with destination address of not only 10.20.2.12 but also 92.62.3.13.
/ip address print
# ADDRESS NETWORK INTERFACE
5 10.20.2.12/30 10.20.2.10 ether6
6 92.62.3.13/32 92.62.3.13 bridge
/ip route print
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 10.20.2.11 1
8 ADC 92.62.3.13/32 92.62.3.13 bridge 0
/ip firewall address-list print
# LIST ADDRESS
0 nat-public 92.62.3.13
1 nat-public 10.20.2.12
/ip firewall nat print
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none
1 chain=dstnat action=dst-nat to-addresses=192.168.20.20 protocol=tcp dst-address-list=nat-public dst-port=80
Thanks in advance to everyone!
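An added sketch, not part of the original post and not RouterOS code: a small Python model of the dstnat rule and address list shown above, comparing the reply a LAN client sees with and without the srcnat masquerade rule that the Hairpin NAT wiki entry describes. The LAN prefix 192.168.20.0/24, the router LAN address 192.168.20.1 and the client addresses are assumptions, as is the client sharing a subnet with the server.

```python
from ipaddress import ip_address, ip_network

NAT_PUBLIC = {"92.62.3.13", "10.20.2.12"}   # nat-public address list from the post
SERVER = "192.168.20.20"                     # to-addresses of the dstnat rule
LAN = ip_network("192.168.20.0/24")          # assumption: LAN prefix is not given in the post
ROUTER_LAN_IP = "192.168.20.1"               # assumption: router address on the bridge


def dstnat(pkt):
    """NAT rule 1: tcp/80 to an address in nat-public is rewritten to SERVER."""
    if pkt["proto"] == "tcp" and pkt["dport"] == 80 and pkt["dst"] in NAT_PUBLIC:
        return {**pkt, "dst": SERVER}
    return pkt


def hairpin_srcnat(pkt):
    """Hairpin masquerade: a LAN-to-LAN flow leaves with the router as its source."""
    if ip_address(pkt["src"]) in LAN and ip_address(pkt["dst"]) in LAN:
        return {**pkt, "src": ROUTER_LAN_IP}
    return pkt


def client_accepts_reply(client, dialed, hairpin):
    """True only if the dstnat rule matched and the reply comes from the dialed address."""
    pkt = dstnat({"src": client, "dst": dialed, "proto": "tcp", "dport": 80})
    if pkt["dst"] != SERVER:
        return False                  # rule did not match, nothing reaches the server
    if hairpin:
        pkt = hairpin_srcnat(pkt)
    reply_to = pkt["src"]             # the address the server answers
    if reply_to == ROUTER_LAN_IP or ip_address(reply_to) not in LAN:
        # The reply passes through the router, where connection tracking
        # restores the address the client originally dialed.
        reply_src = dialed
    else:
        # Same subnet: the server answers the client directly, the router never
        # sees the reply, and its source stays the server's private address.
        reply_src = SERVER
    return reply_src == dialed


if __name__ == "__main__":
    lan_client = "192.168.20.50"      # constructed LAN host
    print("LAN client, dstnat only :", client_accepts_reply(lan_client, "92.62.3.13", False))
    print("LAN client, with hairpin:", client_accepts_reply(lan_client, "92.62.3.13", True))
    # Outside host (constructed); the ISP has already translated the destination to 10.20.2.12.
    print("outside client          :", client_accepts_reply("203.0.113.7", "10.20.2.12", False))
```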