
 
isaacgrover
just joined
Topic Author
Posts: 24
Joined: Wed Nov 25, 2015 2:54 pm

Client wants to access NAT'd web server from inside LAN using WAN IP

Mon Oct 29, 2018 5:06 pm

Good morning from Wisconsin,

One of our MSP clients wants to access his company's website, which is hosted on a VM in the same LAN, using the WAN IP address. To be clear, the website is accessible externally from the WAN IP address on port 80, and we have been unable to convince him to use the FQDN instead, which resolves correctly to the LAN IP address when in the LAN and the WAN IP address when outside the LAN.

Would this somehow be possible via filter and dst-nat rules in the nat table?

Thank you in advance,
Isaac Grover
 
Omar007
just joined
Posts: 4
Joined: Fri Oct 26, 2018 11:50 pm

Re: Client wants to access NAT'd web server from inside LAN using WAN IP

Mon Oct 29, 2018 5:09 pm

I'm fairly sure this is exactly the case you'd set up a Hairpin NAT for.
https://wiki.mikrotik.com/wiki/Hairpin_NAT
 
xvo
Long time Member
Posts: 567
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Client wants to access NAT'd web server from inside LAN using WAN IP

Mon Oct 29, 2018 5:13 pm

Try googling “hairpin nat” :)
 
Steveocee
Forum Guru
Posts: 1110
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Client wants to access NAT'd web server from inside LAN using WAN IP  [SOLVED]

Mon Oct 29, 2018 5:16 pm

Take what you need from this. Explains how to hairpin NAT, create the correct port forwards and can be adapted for dynamic or static WAN IP (plus some comedy phrases);
https://www.youtube.com/watch?v=_kw_bQyX-3U
Steve "Steveocee" Carter
PC Gamer, Airsofter, MikroTik Nerd
My Website - My MikroTik Tutorials
 
isaacgrover
just joined
Topic Author
Posts: 24
Joined: Wed Nov 25, 2015 2:54 pm

Re: Client wants to access NAT'd web server from inside LAN using WAN IP

Mon Oct 29, 2018 8:58 pm

Hi steveocee,

The YouTube video nailed the solution for me. If YouTube ever yanks it though, here's the solution for future visitors:
- In /ip firewall nat, you need to create a rule in the srcnat chain that masquerades traffic from the internal LAN subnet to the same internal LAN subnet.
- Then in /ip firewall filter, change/create the appropriate port forward rule and instead of forwarding based on in-interface, forward based on dst-address.

Dear future visitor, if the YouTube video exists at the time you're reading this post, please go watch it - and don't do anything that will make your network go batshitcrazy! LOL

Make your day great,
Isaac
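
The hairpin NAT setup discussed in this thread, written out as a RouterOS configuration. This is an added example, not taken from the posts or the linked video; the WAN IP 203.0.113.10, LAN subnet 192.168.88.0/24, server address 192.168.88.10 and interface names `ether1` and `bridge` are assumed values. The dst-nat rule lives in `/ip firewall nat`, and the masquerade rule is scoped to the web server and port rather than the whole subnet.

```routeros
# Assumed values (constructed for illustration):
#   WAN IP 203.0.113.10, WAN interface ether1
#   LAN 192.168.88.0/24 on interface "bridge", web server 192.168.88.10

/ip firewall nat

# Port forward matched on the incoming interface only. A LAN client that
# connects to 203.0.113.10:80 arrives on the bridge, not on ether1, so this
# rule never matches it. Shown commented out as the "before" state.
# add chain=dstnat in-interface=ether1 protocol=tcp dst-port=80 \
#     action=dst-nat to-addresses=192.168.88.10 to-ports=80

# Port forward matched on the destination address instead. It applies to
# connections from the WAN and from the LAN alike.
add chain=dstnat dst-address=203.0.113.10 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=80 \
    comment="web: port forward by dst-address"

# Hairpin rule. LAN-to-server traffic leaves with the router's LAN address
# as its source, so the server replies to the router, which reverses both
# translations and answers the client from 203.0.113.10.
# Without this rule the server replies directly from 192.168.88.10 and the
# client drops the reply, because it opened the connection to 203.0.113.10.
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.10 \
    protocol=tcp dst-port=80 out-interface=bridge action=masquerade \
    comment="web: hairpin NAT"
```

With the masquerade rule in place, the web server's access log shows the router's LAN address for every internal client, so attributing an internal request to a specific host has to be done from the router's connection tracking or firewall logging.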
