I've recently purchased a mikrotik routerboar and i've stumbled upon a problem - I cannot access my webserver while connected to my LAN.
Everything works fine when I'm outside the local network.
When browsing the forum it pointed me to Hairpin NAT, but i can't get it to work -
Im managing my router through Winbox.
Mikrotik Router: 192.168.88.1
IIS Server: 192.168.88.21
Public IP: 1.1.1.1
Domain: domain.com
I've tried with theese firewall rules, but nothing changes..
/ip firewall nat add chain=dstnat action=dst-nat \
dst-address=1.1.1.1 to-address=192.168.88.21 \
protocol=tcp dst-port=80
/ip firewall nat add chain=srcnat action=masquerade out-interface=lan \
dst-address=192.168.88.21 src-address=1.1.1.0/24 \
protocol=tcp dst-port=80
Code: Select all
# jun/04/2021 02:44:46 by RouterOS 6.48.1
# software id = YPIT-CMBH
#
# model = 1100AHx2
# serial number = 45AA02CA2931
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.50-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether2 name=dhcp1
/ppp profile
set *FFFFFFFE dns-server=192.168.88.1 local-address=192.168.89.1 \
remote-address=vpn
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add interface=ether1 list=WAN
add list=LAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.88.11 comment="Asus Laptop" mac-address=
server=dhcp1
add address=192.168.88.20 client-id=1:d8:9d:67:79:52:e8 comment=\
"Proliant DL380E" mac-address=server=dhcp1
add address=192.168.88.21 client-id=1:0:c:29:3e:75:ae comment=HTTP/MAIL \
mac-address= server=dhcp1
add address=192.168.88.25 client-id=1:0:22:64:97:33:c4 comment=TrueNAS \
mac-address= server=dhcp1
add address=192.168.88.26 client-id=1:78:45:c4:3f:5d:87 mac-address=\
server=dhcp1
add address=192.168.88.27 client-id=1:e0:d5:5e:3f:aa:f9 mac-address=\
server=dhcp1
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 netmask=24
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet
/ip firewall filter
add action=accept chain=input comment="default configuration" \
connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related
add action=accept chain=forward comment="Established, Related" \
connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
log=yes log-prefix=invalid
add action=drop chain=forward comment=\
"Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
protocol=icmp
add action=drop chain=forward comment=\
"Drop incoming from internet which is not public IP" in-interface=ether1 \
log=yes log-prefix=!public src-address-list=not_in_internet
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
protocol=icmp
add action=accept chain=icmp comment=\
"host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
protocol=icmp
add action=drop chain=icmp comment="deny all other types"
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.88.21 dst-port=80 \
out-interface-list=LAN protocol=tcp src-address=192.168.88.0/24
add action=dst-nat chain=dstnat dst-address=1.1.1.1 dst-port=80 \
protocol=tcp to-addresses=192.168.88.21
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Mail Server" dst-port=25 protocol=\
tcp to-addresses=192.168.88.21 to-ports=25
add action=dst-nat chain=dstnat comment="VPN Server" dst-port=1337 protocol=\
udp to-addresses=192.168.88.26 to-ports=1337
add action=dst-nat chain=dstnat comment="VPN Server" dst-port=5555 protocol=\
tcp to-addresses=192.168.88.26 to-ports=5555
add action=dst-nat chain=dstnat comment="Rust Server" dst-port=28015-28016 \
in-interface=ether1 protocol=tcp to-addresses=192.168.88.22 to-ports=\
28015-28016
add action=dst-nat chain=dstnat comment="Emby Server" dst-port=8096 \
in-interface=ether1 protocol=tcp to-addresses=192.168.88.26 to-ports=8096
add action=dst-nat chain=dstnat comment=HTTP/MAIL in-interface=ether1 \
protocol=tcp to-addresses=192.168.88.21 to-ports=80
add action=dst-nat chain=dstnat comment="Mail Server" dst-port=110 port="" \
protocol=tcp to-addresses=192.168.88.21 to-ports=110
add action=dst-nat chain=dstnat comment="Mail Server" dst-port=143 port="" \
protocol=tcp to-addresses=192.168.88.21 to-ports=143
add action=dst-nat chain=dstnat comment="Mail Server" dst-port=587 port="" \
protocol=tcp to-addresses=192.168.88.21 to-ports=587
add action=dst-nat chain=dstnat comment="Mail Server" dst-port=993 port="" \
protocol=tcp to-addresses=192.168.88.21 to-ports=993
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
/ip service
set www port=20080
/ppp secret
add name=vpn
/system clock
set time-zone-name=Europe/Stockholm
Thanks in Advance for any inputs, solutions / ideas.
I'm a total beginner with RouterOS, if you do have a solution, please try to explain as througly as possible.. thanks!