
 
huntymikro
just joined
Topic Author
Posts: 12
Joined: Sat Jan 26, 2019 11:45 pm

Nat address from public ip to router address

Wed Feb 06, 2019 2:38 pm

Hello,
My home router's WAN IP is 192.168.47.9
ISP gateway is on 192.168.47.1
My public static IP is 90.46.65.88
My router LAN IP is 192.168.88.1

I cannot connect to a port-forwarded local IP from my public IP with my ISP connection. All devices are connected to the home router.
But I can connect from my phone's 4G internet or from other ISPs.
Also, all port test results are closed when I test in the same network. With other ISPs my public IP ports are open and I can establish a connection.

I think a NAT address setup can solve this problem. I have a script that tries to connect to the router from the public IP.
Maybe I can set up a rule to redirect public IP calls to the router IP address?
If it is possible, can anyone write me the right settings? I'm trying and reading guides but not understanding.
Thanks!
 
mkx
Forum Guru
Posts: 3210
Joined: Thu Mar 03, 2016 10:23 pm

Re: Nat address from public ip to router address

Wed Feb 06, 2019 3:08 pm

Search for "hair-pin nat" and implement it.
BR,
Metod
 
erlinden
Member Candidate
Posts: 174
Joined: Wed Jun 12, 2013 1:59 pm

Re: Nat address from public ip to router address

Wed Feb 06, 2019 3:13 pm

I prefer to solve these problems with DNS, just have the service resolved to your internal IP address on your network (and your public IP address for the rest of the world).
 
mkx
Forum Guru
Posts: 3210
Joined: Thu Mar 03, 2016 10:23 pm

Re: Nat address from public ip to router address

Wed Feb 06, 2019 3:18 pm

I prefer to solve these problems with DNS, just have the service resolved to your internal IP address on your network (and your public IP address for the rest of the world).

I can only agree with this. And it's doable without having "split" DNS on some extra LAN gadget, one only needs a few static DNS entries in RB's DNS config.

But ... some users just insist on searching for pins in haystacks...
BR,
Metod
 
huntymikro
just joined
Topic Author
Posts: 12
Joined: Sat Jan 26, 2019 11:45 pm

Re: Nat address from public ip to router address

Wed Feb 06, 2019 4:21 pm

Yes, I heard about hairpin. I checked it several times but couldn't understand which one of the 3 scripts fits my situation and where to put the dest./source IPs. I'm just a user with a MikroTik router :'(
Sorry, if I may ask, is it possible to write an example with the IP addresses I wrote?
About that DNS setting, I also didn't get what to do.
Maybe someone else can also benefit from this.
Thank you.
 
anav
Forum Guru
Posts: 3129
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Nat address from public ip to router address

Wed Feb 06, 2019 7:35 pm

I'm still stuck on how your wanip does not equal your public IP??

Are you saying that the IP for the router is your WANIP and a separate wanip (public) is for one to one mapping to the server??

As for using DNS to ensure LAN personnel can reach a server through one's public IP vice LanIP, well I am all ears as this sounds infinitely less complex than hairpin nat.

Thus mkx, please explain to someone with a standard router setup how to accomplish this feat?
For example many of us have the following setup.
input chain - allow DNS from lan to port 53, udp,tcp

/ip DNS
allow external entries
1.1.1.1,8.8.8.8 etc.

/ip dhcp-server network
(lan1) dns=192.168.1.1 gateway=192.168.1.1
(vlan20) dns=192.168.20.1 gateway=192.168.20.1

+++++++++++++++++++++++++++++++++++++++++++++++++++

Now what?????????????????
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
mkx
Forum Guru
Posts: 3210
Joined: Thu Mar 03, 2016 10:23 pm

Re: Nat address from public ip to router address

Wed Feb 06, 2019 9:25 pm

If one is using IP address to connect back home to connect to surveillance camera or whatever ... then sorry, he needs either hair-pin NAT or new brains.

If, however, one uses deadbeef0000.sn.mynetname.net to connect (or whatever DNS FQDN), then one can enter this:
/ip dns static
add name=deadbeef0000.sn.mynetname.net address=192.168.88.42

Surely this doesn't work nicely with gazillion devices hidden behind single WAN IP ... for that one would need some proper DNS service (so one could construct any number of CNAME records on WAN side and the same number of static entries on RB for LAN hosts). But then ... if one runs gazillion of devices, why not another one (e.g. rPI with proper DNS server) and run own domain with split DNS (external vs. internal). Doesn't cost a fortune ...


Regarding WAN IP not being the same as public IP ... ever heard of netmap? Some kiddos are doing it so why not ISP?
BR,
Metod
 
huntymikro
just joined
Topic Author
Posts: 12
Joined: Sat Jan 26, 2019 11:45 pm

Re: Nat address from public ip to router address

Wed Feb 06, 2019 10:58 pm

Hello, thanks for the replies :-D
Before, I phoned the ISP and told them that the IP address on my router's WAN is an internal grey IP, not the public IP for which I am paying 1 euro extra :D
They told me, as usual, that I can check my public IP from some website, and that all my ports are open. If any port is closed, that's my fault, I am not capable of port forwarding, bla bla bla...
I even mailed them, but same result. I am located in Estonia. The ISP is Russian/Estonian speaking.
I'm behind something like an ISP DHCP. Maybe they are placing one router in every building. I am not sure. The fact is, there is an internal network that connects me to my static external public IP.
 
anav
Forum Guru
Posts: 3129
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Nat address from public ip to router address

Wed Feb 06, 2019 11:04 pm

If one is using IP address to connect back home to connect to surveillance camera or whatever ... then sorry, he needs either hair-pin NAT or new brains.

If, however, one uses deadbeef0000.sn.mynetname.net to connect (or whatever DNS FQDN), then one can enter this:
/ip dns static
add name=deadbeef0000.sn.mynetname.net address=192.168.88.42

Surely this doesn't work nicely with gazillion devices hidden behind single WAN IP ... for that one would need some proper DNS service (so one could construct any number of CNAME records on WAN side and the same number of static entries on RB for LAN hosts). But then ... if one runs gazillion of devices, why not another one (e.g. rPI with proper DNS server) and run own domain with split DNS (external vs. internal). Doesn't cost a fortune ...


Regarding WAN IP not being the same as public IP ... ever heard of netmap? Some kiddos are doing it so why not ISP?
Well we have two parter LOL
First,
Okay so if external users use the same DNS name, then they will get to the server via DSTnat rules while internal folks putting in the same name will simply get redirected to the internal server without even going out of the router?? How does this work if for example lan1 where the people are, and lan2 where the server is located, and they are not L2 connected. In other words not on same bridge etc.. Would one need a filter rule accept lan1 to lan2(specific lanip) to allow that redirected traffic to be forwarded ????

As for public and wanip, can I assume
PUBLIC is what is visible to the internet (what DYDNS NAME would point to)?
WANIP is what the router actually gets for a WANIP?

Blowing my mind here as trying to assess what to put in for
a. masquerade rule (if applicable assuming this for static IPs so probably doesn't apply)!
b. Srcnat src-nat rule. out-interface=wan to-address=?????
c. dstnat dst-nat rule. In-interface=WAN or dest-address=public IP????

What about IP Routes........
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
huntymikro
just joined
Topic Author
Posts: 12
Joined: Sat Jan 26, 2019 11:45 pm

Re: Nat address from public ip to router address

Thu Feb 07, 2019 12:08 am

I can set up a DDNS service for the MikroTik router, noip for example.
On the web server on the internet, I can set up the script to use the DDNS address and port instead of the public IP and port.
Actually I tried this before, but the script didn't connect to my router.
Maybe I just need a NAT/DNS setup?
I need this only so that the script on the website and the script on the router can connect to each other.
Somehow the script on the router is using the public IP that is set on the web server on the internet (the router's own public IP) to connect to itself.
This is a hotspot sign-in script which has its auth server on a website.
 
Sob
Forum Guru
Posts: 4809
Joined: Mon Apr 20, 2009 9:11 pm

Re: Nat address from public ip to router address

Thu Feb 07, 2019 5:13 am

@anav: Really? Do I end my strike for RouterOS v7 (*) and come back to this? :D Didn't you get your guru handbook? You can't ask questions like this anymore. You can't be perplexed by simple double NAT or basic routing and firewalling. You need to make a new incognito account for such questions (no, don't, it was a joke).

About the "complexity of hairpin NAT": link (also check the author of post above this one)

And on top of that, you don't need to worry about additional filter rules, because any connection via public address between your internal subnets (client in one and server in another) will be allowed by same old trusty "allow all dstnatted connections" rule as every other dstnatted connection, no matter where it came from. There's no complexity at all, in fact, it can't be any simpler and more foolproof.

There's only one downside of hairpin NAT when compared to DNS method. When both client and server are in same LAN subnet, DNS method is more efficient, because it means direct connection between them. Hairpin NAT requires all packets to unnecessarily go to router and back. But guess what, you can have both at the same time, hairpin NAT as basic always working solution and DNS override for selected services with lot of required bandwidth or something.

And since it seems that the DNS method may not be clear enough, it's just:
/ip dns static
add address=192.168.<whatever your server has> name=www.websitehostedonyourserver.tld
So when client in same LAN (using this router as DNS resolver, this part is mandatory) asks for address of www.websitehostedonyourserver.tld, it gets 192.168.<whatever your server has> and simply makes direct connection. And yes, if it's not in the same LAN subnet, but in another on same router and you block access between them by default, you'll need to specifically allow these connections.

For the case of having the public address and not really having it at the same time, it's simple 1:1 NAT. ISP keeps the real public address on their router and dstnats/netmaps all incoming traffic coming to this address to private address on customer's router. And srcnats/netmaps anything coming from customer's router to public address. This config works fine for all simple things and only gets annoying for something more complex like IPSec.

The configuration of customer's router is exactly the same as any other, LAN, WAN, srcnat or masquerade for outgoing traffic, dstnat rules for incoming. Only difference is when you need hairpin NAT as OP wants, then you also need to work with public address (which is actually on ISP's router) on your router, e.g:
/ip firewall nat
add chain=dstnat dst-address=192.168.47.9 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.88.x comment="port forward for outside clients"
add chain=dstnat dst-address=90.46.65.88 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.88.x comment="port forward for inside clients"
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.0/24 action=masquerade comment="hairpin rule"
Or you can change the last one to:
/ip firewall nat
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.0/24 action=src-nat to-addresses=90.46.65.88
and it will make all connections from LAN to server via public address look as if they came from the same public address. Completely optional, it will make no difference in functionality, it just may look better in logs than 192.168.88.1.

--
(*) Nah, not really, but sounds as good reason for not being here for a while, doesn't it? Also, if that would have been the case, notifying someone in advance would have been better choice than saying it only now, but hey... ;)
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
anav
Forum Guru
Posts: 3129
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Nat address from public ip to router address

Thu Feb 07, 2019 5:40 am

Sniff Sniff, Sob Sob that explanation brings a tear to my eye. Merci, Je comprend tous!
My incognito speaks French ;-)
By the way I have had a huge breakthrough, I managed to get my RB260GS up and working!!
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
Sob
Forum Guru
Posts: 4809
Joined: Mon Apr 20, 2009 9:11 pm

Re: Nat address from public ip to router address

Thu Feb 07, 2019 6:37 am

You're ahead of me, I've seen that device only on pictures so far.

And one small clarification of my previous post, for the record, because it may sound wrong and possibly confuse someone, with your two LAN subnets and client and server in different ones connecting via public address, it's not hairpin NAT at all, just regular dstnat (it would work even without srcnat rule).
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
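
The packet walk behind the hairpin rule and the two-subnet clarification discussed in this thread, as an added Python sketch that is not part of any post: it models the ISP's 1:1 NAT, the router's dstnat rules and the optional srcnat rule using the thread's addresses. The server address 192.168.88.10, all client addresses and the function names are assumptions made for the illustration.

```python
# Added illustration (not from the thread): NAT packet walk with the thread's addresses.
from dataclasses import dataclass, replace

PUBLIC, WAN, ROUTER_LAN = "90.46.65.88", "192.168.47.9", "192.168.88.1"
SERVER = "192.168.88.10"      # assumed; the thread only says 192.168.88.x
LAN_CLIENT = "192.168.88.20"  # assumed client in the server's subnet
VLAN_CLIENT = "192.168.20.5"  # assumed client in a second subnet on the same router
OUTSIDE = "203.0.113.5"       # constructed Internet client (documentation range)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

def in_lan(ip):
    return ip.startswith("192.168.88.")

def isp_netmap(pkt):
    # ISP router holds the public address and maps it 1:1 to the customer's WAN address.
    return replace(pkt, dst=WAN) if pkt.dst == PUBLIC else pkt

def router_nat(pkt, hairpin_rule):
    # dstnat: both port-forward rules send the connection to the server.
    if pkt.dst in (WAN, PUBLIC):
        pkt = replace(pkt, dst=SERVER)
    # srcnat: the hairpin rule matches only LAN-to-LAN traffic (action=masquerade).
    if hairpin_rule and in_lan(pkt.src) and in_lan(pkt.dst):
        pkt = replace(pkt, src=ROUTER_LAN)
    return pkt

def reply_seen_by_client(client, hairpin_rule, via_isp=False):
    pkt = Packet(client, PUBLIC)
    if via_isp:
        pkt = isp_netmap(pkt)
    seen = router_nat(pkt, hairpin_rule)
    reply = Packet(seen.dst, seen.src)  # server answers the source it saw
    if in_lan(reply.dst) and reply.dst != ROUTER_LAN:
        return reply  # same subnet: delivered directly, nothing undoes the dstnat
    return Packet(PUBLIC, client)  # via router: connection tracking reverses the NAT

def connects(client, hairpin_rule, via_isp=False):
    # The client only accepts a reply from the address it dialed.
    return reply_seen_by_client(client, hairpin_rule, via_isp).src == PUBLIC

if __name__ == "__main__":
    for name, args in [("outside", (OUTSIDE, False, True)), ("LAN, no hairpin", (LAN_CLIENT, False)),
                       ("LAN, hairpin", (LAN_CLIENT, True)), ("other subnet", (VLAN_CLIENT, False))]:
        print(f"{name:16} -> {'ok' if connects(*args) else 'reply from wrong address'}")
```

Only the same-subnet client without the srcnat rule fails: the server's reply reaches it directly from 192.168.88.10 instead of from 90.46.65.88, so the client discards it.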
