I have a webserver behind router B. It was on the same subnet as the rest of my house, and I had a hairpin on router A which worked fine to provide secure access from both inside and outside the network using my domain name. Because I'm a sucker for punishment / like to tinker, it's now on a separate subnet, but still behind router B. I would like to be able to access it using its domain name from a different subnet behind router B, not the private IP address.
From everything I have read, this would be almost trivial if router B was directly connected to the internet, however...
I can access the server (192.168.110.10) using my domain name from outside my network - ssl cert valid etc. I can also access it from behind router B using the private IP address from 192.168.100.0/24, but obviously then the cert isn't valid. I understand that this is no longer a hairpin situation - that has been removed from router A. I am hoping that it's something to do on router B, as that's at my house. Getting to router A requires a journey - neither router can be managed from the other's network.
/export hide-sensitive for router B is shown below - it's very simple, as router A does the firewall etc for both locations.
Hints / suggestions / examples to read all greatly appreciated.
Thanks.
# aug/28/2021 22:01:55 by RouterOS 6.48.4
# software id = XNUF-D3YG
#
# model = RB4011iGS+
# serial number = D44A0D3F03F5
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether5 ] disabled=yes
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool2 ranges=192.168.110.200-192.168.110.254
add name=dhcp_pool4 ranges=192.168.100.200-192.168.100.254
/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface=ether4 name=dhcp2
add address-pool=dhcp_pool4 disabled=no interface=bridge1 name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
/ip address
add address=192.168.120.1/24 interface=ether10 network=192.168.120.0
add address=192.168.100.1/24 interface=bridge1 network=192.168.100.0
add address=192.168.110.1/24 interface=ether4 network=192.168.110.0
/ip dhcp-server network
add address=192.168.100.0/24 dns-server=192.168.100.100 gateway=192.168.100.1
add address=192.168.110.0/24 dns-server=1.1.1.1 gateway=192.168.110.1
/ip firewall address-list
add address=192.168.120.0/24 list=Allowed_Internet
add address=192.168.100.0/24 list=Allowed_Internet
add address=192.168.110.0/24 list=Allowed_Internet
/ip firewall filter
add action=accept chain=forward comment="Our Networks <-> Our Networks" dst-address-list=Allowed_Internet src-address-list=Allowed_Internet
add action=accept chain=forward comment="Our Networks -> Internet" out-interface=ether10 src-address-list=Allowed_Internet
add action=accept chain=forward comment="Internet -> Our Networks" dst-address-list=Allowed_Internet in-interface=ether10
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.100.0/24 src-address=192.168.120.0/24
add action=masquerade chain=srcnat dst-address=192.168.120.0/24 src-address=192.168.100.0/24
/ip route
add distance=1 gateway=192.168.120.6
add distance=1 dst-address=192.168.1.0/24 gateway=192.168.120.6
/system clock
set time-zone-name=Pacific/Auckland