hettonkgb
just joined
Topic Author
Posts: 4
Joined: Fri Jun 04, 2021 3:29 am

Access Webserver inside Lan - Hairpin NAT

Fri Jun 04, 2021 3:40 am

Hello!

I've recently purchased a MikroTik RouterBoard and I've stumbled upon a problem: I cannot access my webserver while connected to my LAN.

Everything works fine when I'm outside the local network.

When browsing the forum it pointed me to Hairpin NAT, but I can't get it to work.

I'm managing my router through Winbox.

Mikrotik Router: 192.168.88.1
IIS Server: 192.168.88.21
Public IP: 1.1.1.1
Domain: domain.com

I've tried with these firewall rules, but nothing changes.

# dstnat: redirect connections to the public IP on port 80 to the IIS server
/ip firewall nat add chain=dstnat action=dst-nat \
dst-address=1.1.1.1 to-addresses=192.168.88.21 \
protocol=tcp dst-port=80

# hairpin srcnat: masquerade LAN clients reaching the server via the LAN list
# (the export below uses out-interface-list=LAN and src-address=192.168.88.0/24)
/ip firewall nat add chain=srcnat action=masquerade out-interface-list=LAN \
dst-address=192.168.88.21 src-address=192.168.88.0/24 \
protocol=tcp dst-port=80

# jun/04/2021 02:44:46 by RouterOS 6.48.1
# software id = YPIT-CMBH
#
# model = 1100AHx2
# serial number = 45AA02CA2931
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.50-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether2 name=dhcp1
/ppp profile
set *FFFFFFFE dns-server=192.168.88.1 local-address=192.168.89.1 \
    remote-address=vpn
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add interface=ether1 list=WAN
add list=LAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.88.11 comment="Asus Laptop" mac-address=
    server=dhcp1
add address=192.168.88.20 client-id=1:d8:9d:67:79:52:e8 comment=\
    "Proliant DL380E" mac-address= server=dhcp1
add address=192.168.88.21 client-id=1:0:c:29:3e:75:ae comment=HTTP/MAIL \
    mac-address= server=dhcp1
add address=192.168.88.25 client-id=1:0:22:64:97:33:c4 comment=TrueNAS \
    mac-address= server=dhcp1
add address=192.168.88.26 client-id=1:78:45:c4:3f:5d:87 mac-address=\
     server=dhcp1
add address=192.168.88.27 client-id=1:e0:d5:5e:3f:aa:f9 mac-address=\
    server=dhcp1
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 netmask=24
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
/ip firewall filter
add action=accept chain=input comment="default configuration" \
    connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related
add action=accept chain=forward comment="Established, Related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    log=yes log-prefix=invalid
add action=drop chain=forward comment=\
    "Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
    protocol=icmp
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface=ether1 \
    log=yes log-prefix=!public src-address-list=not_in_internet
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
    protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
    protocol=icmp
add action=accept chain=icmp comment=\
    "host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
    protocol=icmp
add action=drop chain=icmp comment="deny all other types"
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.88.21 dst-port=80 \
    out-interface-list=LAN protocol=tcp src-address=192.168.88.0/24
add action=dst-nat chain=dstnat dst-address=1.1.1.1 dst-port=80 \
    protocol=tcp to-addresses=192.168.88.21
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Mail Server" dst-port=25 protocol=\
    tcp to-addresses=192.168.88.21 to-ports=25
add action=dst-nat chain=dstnat comment="VPN Server" dst-port=1337 protocol=\
    udp to-addresses=192.168.88.26 to-ports=1337
add action=dst-nat chain=dstnat comment="VPN Server" dst-port=5555 protocol=\
    tcp to-addresses=192.168.88.26 to-ports=5555
add action=dst-nat chain=dstnat comment="Rust Server" dst-port=28015-28016 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.88.22 to-ports=\
    28015-28016
add action=dst-nat chain=dstnat comment="Emby Server" dst-port=8096 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.88.26 to-ports=8096
add action=dst-nat chain=dstnat comment=HTTP/MAIL in-interface=ether1 \
    protocol=tcp to-addresses=192.168.88.21 to-ports=80
add action=dst-nat chain=dstnat comment="Mail Server" dst-port=110 port="" \
    protocol=tcp to-addresses=192.168.88.21 to-ports=110
add action=dst-nat chain=dstnat comment="Mail Server" dst-port=143 port="" \
    protocol=tcp to-addresses=192.168.88.21 to-ports=143
add action=dst-nat chain=dstnat comment="Mail Server" dst-port=587 port="" \
    protocol=tcp to-addresses=192.168.88.21 to-ports=587
add action=dst-nat chain=dstnat comment="Mail Server" dst-port=993 port="" \
    protocol=tcp to-addresses=192.168.88.21 to-ports=993
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
/ip service
set www port=20080
/ppp secret
add name=vpn
/system clock
set time-zone-name=Europe/Stockholm

Thanks in advance for any inputs, solutions / ideas.
I'm a total beginner with RouterOS, so if you do have a solution, please try to explain as thoroughly as possible. Thanks!
 
mkx
Forum Guru
Posts: 11447
Joined: Thu Mar 03, 2016 10:23 pm

Re: Access Webserver inside Lan - Hairpin NAT  [SOLVED]

Fri Jun 04, 2021 12:27 pm

Assuming your whole LAN is behind ether2 ... you'll have to add ether2 to interface list LAN:
/interface list
add interface=ether2 list=LAN

BTW, the current entry in the LAN interface list (add list=LAN) does nothing and would best be removed so as not to offer a basis for any wrong assumptions.
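The packet flow behind this answer, as an added example (not the thread's or RouterOS's own code): a small Python model of the export's dstnat and hairpin srcnat rules, showing that when the LAN interface list has no members the masquerade rule never matches, the server answers the client directly, and the client discards the reply. Addresses and interface names come from the posted export; the routing and reply logic is an assumed simplification.

```python
from dataclasses import dataclass, replace

# Values taken from the posted export; the routing and reply behaviour below
# is an assumed simplification, not RouterOS code.
PUBLIC_IP, SERVER_IP, ROUTER_IP = "1.1.1.1", "192.168.88.21", "192.168.88.1"
LAN_PREFIX = "192.168.88."  # the 192.168.88.0/24 LAN behind ether2

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

def in_lan(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)

def egress(dst: str) -> str:
    # Routing decision: LAN addresses leave via ether2, everything else via ether1.
    return "ether2" if in_lan(dst) else "ether1"

def nat(pkt: Packet, lan_members: frozenset) -> Packet:
    """Apply the export's dstnat and hairpin srcnat rules to a packet entering the router."""
    # dstnat: dst-address=1.1.1.1 dst-port=80 -> to-addresses=192.168.88.21
    if pkt.dst == PUBLIC_IP and pkt.dport == 80:
        pkt = replace(pkt, dst=SERVER_IP)
    # srcnat: masquerade src-address=192.168.88.0/24 dst-address=192.168.88.21
    # dst-port=80 out-interface-list=LAN. The list matcher only fires when the
    # egress interface is a member; the export's `add list=LAN` added none.
    if (in_lan(pkt.src) and pkt.dst == SERVER_IP and pkt.dport == 80
            and egress(pkt.dst) in lan_members):
        pkt = replace(pkt, src=ROUTER_IP)
    return pkt

def reply_reaches_client(pkt: Packet, lan_members: frozenset) -> bool:
    """True if the server's SYN-ACK returns through the router and is de-NATted to
    src 1.1.1.1, which the client's socket expects. A server on the same LAN that
    sees the client's real address answers it directly, so the client gets a
    SYN-ACK from 192.168.88.21 instead of 1.1.1.1 and discards it."""
    seen = nat(pkt, lan_members)
    return seen.src == ROUTER_IP or not in_lan(seen.src)

BROKEN = frozenset()            # export as posted: LAN list has no members
FIXED = frozenset({"ether2"})   # after the fix: ether2 is in the LAN list
LAN_CLIENT = Packet("192.168.88.50", PUBLIC_IP, 80)  # constructed sample packet
WAN_CLIENT = Packet("203.0.113.5", PUBLIC_IP, 80)    # constructed, RFC 5737 address

if __name__ == "__main__":
    print("LAN client, empty LAN list:", reply_reaches_client(LAN_CLIENT, BROKEN))  # False
    print("LAN client, ether2 in LAN :", reply_reaches_client(LAN_CLIENT, FIXED))   # True
    print("WAN client, either way    :", reply_reaches_client(WAN_CLIENT, BROKEN))  # True
```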
 
anav
Forum Guru
Posts: 19117
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Access Webserver inside Lan - Hairpin NAT

Fri Jun 04, 2021 2:17 pm

Read through this post and see if it helps.................
viewtopic.php?f=13&t=175064&p=856786&hi ... at#p856786
 
hettonkgb
just joined
Topic Author
Posts: 4
Joined: Fri Jun 04, 2021 3:29 am

Re: Access Webserver inside Lan - Hairpin NAT

Fri Jun 04, 2021 10:19 pm

Assuming your whole LAN is behind ether2 ... you'll have to add ether2 to interface list LAN:
/interface list
add interface=ether2 list=LAN

BTW, the current entry in the LAN interface list (add list=LAN) does nothing and would best be removed so as not to offer a basis for any wrong assumptions.
Thank you kindly for your expertise. Changed the current entry for LAN in the interface list to ether2; this solved the issue. :-)
