BlackRat
Frequent Visitor
Topic Author
Posts: 97
Joined: Sat Jul 21, 2012 8:37 am

NAT and internal link

Thu Mar 06, 2014 1:44 pm

Hi. My company has a LAN with the domain mydomain.LOCAL. We have 2 servers (SERVER1 and SERVER2). My users want to use the single name mail.mydomain.ru (external internet address) for external access to the mail server SERVER1 (https) and for RDP to the terminal server SERVER2, because I configured 2 NAT rules:
1. from any to mail.mydomain.ru with https -> internal server SERVER1 with https
2. from any to mail.mydomain.ru with rdp -> internal server SERVER2 with rdp
but when my users are local (connecting through the LAN) they cannot reach the internal servers (NAT doesn't work). How do I solve this problem with MikroTik? Netgear solved this problem easily (but we changed it).
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: NAT and internal link

Thu Mar 06, 2014 1:53 pm

Too generic (and without an export compact) to find the problem.

But you can set the RouterBoard as the primary DNS server and add a static entry like mail.mydomain.ru 192.168.0.anyfreeip (or on any primary DNS server inside your LAN)


and on NAT:
dst 192.168.0.anyfreeip https -> 192.168.0.server1 port https
dst 192.168.0.anyfreeip rdp -> 192.168.0.server2 port rdp
 
BlackRat
Frequent Visitor
Topic Author
Posts: 97
Joined: Sat Jul 21, 2012 8:37 am

Re: NAT and internal link

Thu Mar 06, 2014 3:37 pm

OK. I'll try to minimise the number of words...
Internal DNS.
DNS Zone: mydomain.local
SERVER1 = 192.168.30.1
SERVER2 = 192.168.30.2

DNS Zone: mydomain.ru
MAIL = 192.168.30.1
other records copied from the external DNS server (that hosts mydomain.ru)

For external users (all right!)
For SERVER1:
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.110 dst-port=443 in-interface=bridge-inet protocol=tcp to-addresses=192.168.30.1 to-ports=443
For SERVER2:
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.110 dst-port=3389 in-interface=bridge-inet protocol=tcp to-addresses=192.168.30.2 to-ports=3389

But! When you try to use mail.mydomain.ru from the LAN you cannot separate rdp and https! You are always connected to one of the servers (SERVER1)

So I can't use a copy of the DNS zone mydomain.ru in the LAN. I just need a NAT rule.
 
BlackRat
Frequent Visitor
Topic Author
Posts: 97
Joined: Sat Jul 21, 2012 8:37 am

Re: NAT and internal link

Thu Mar 06, 2014 3:42 pm

I tried to add
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.110 dst-port=443 protocol=tcp src-address=192.168.30.0/24 to-addresses=192.168.30.1 to-ports=443
at the top of the NAT rules; it's not working... :(
 
Rudios
Forum Veteran
Posts: 972
Joined: Mon Mar 11, 2013 12:58 pm
Location: The Netherlands

Re: NAT and internal link

Thu Mar 06, 2014 4:21 pm

You need a Hairpin NAT rule.
Check here
So something like:

/ip firewall nat
# hairpin: masquerade LAN-to-LAN traffic that was dst-natted to the servers, so the
# server replies back through the router (which un-NATs it) instead of directly to the client
add chain=srcnat action=masquerade src-address=192.168.30.0/24 protocol=tcp dst-port=443 dst-address=192.168.30.1 out-interface=<your lan bridge>
add chain=srcnat action=masquerade src-address=192.168.30.0/24 protocol=tcp dst-port=3389 dst-address=192.168.30.2 out-interface=<your lan bridge>
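For reference, the complete set of rules the hairpin setup needs for this thread's addresses, as an added example (not Rudios' or the MikroTik wiki's own config). It assumes the public address xxx.xxx.xxx.110 and the WAN bridge bridge-inet from the earlier posts, and that the router's LAN address sits in 192.168.30.0/24; the final internet masquerade rule is an assumption about the rest of the NAT table.

```routeros
/ip firewall nat
# Port forwards: no in-interface restriction, so connections to the public address
# from the internet AND from the LAN both get redirected. dst-port separates the
# two services on the same name, which a DNS-only workaround cannot do.
add chain=dstnat action=dst-nat dst-address=xxx.xxx.xxx.110 protocol=tcp dst-port=443 \
    to-addresses=192.168.30.1 to-ports=443 comment="HTTPS -> SERVER1"
add chain=dstnat action=dst-nat dst-address=xxx.xxx.xxx.110 protocol=tcp dst-port=3389 \
    to-addresses=192.168.30.2 to-ports=3389 comment="RDP -> SERVER2"

# Hairpin: srcnat runs after dstnat, so dst-address here is already the translated
# server address. Without this rule the server answers the LAN client directly with
# source 192.168.30.x, the client expected a reply from xxx.xxx.xxx.110, and the
# TCP handshake is dropped. Masquerading the source forces the reply back via the router.
add chain=srcnat action=masquerade src-address=192.168.30.0/24 dst-address=192.168.30.1 \
    protocol=tcp dst-port=443 comment="hairpin HTTPS"
add chain=srcnat action=masquerade src-address=192.168.30.0/24 dst-address=192.168.30.2 \
    protocol=tcp dst-port=3389 comment="hairpin RDP"

# Ordinary internet masquerade (assumed) stays below the hairpin rules
add chain=srcnat action=masquerade out-interface=bridge-inet comment="internet"
```

One consequence to keep in mind: hairpinned connections arrive at SERVER1/SERVER2 with the router's LAN address as the source, so mail and RDP logs no longer show which internal client connected; if that matters for auditing, have LAN clients use the internal names instead.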
 
plisken
Forum Guru
Posts: 2509
Joined: Sun May 15, 2011 12:24 am
Location: Belgium

Re: NAT and internal link

Fri Mar 07, 2014 9:25 am

This is what you need, like Rudios said.

http://wiki.mikrotik.com/wiki/Hairpin_NAT
 
RuneH
just joined
Posts: 2
Joined: Tue Oct 22, 2013 2:36 pm
Location: Norway

Re: NAT and internal link

Fri Aug 28, 2015 12:30 pm

I got this to work with port 80, but not with the RDP port 3389.
RDP works perfectly externally.
