sukyno
just joined
Topic Author
Posts: 2
Joined: Thu Mar 11, 2021 9:34 pm

Enable port 80 in lan

Wed Mar 31, 2021 2:22 am

Hi,
I am a complete beginner in MikroTik and I would need your help :/

I managed to open port 80 from the WAN connection, so people will connect to the xxx.sk website.
Can someone please advise me how to do this so that I can connect to the xxx.sk website also from the LAN network?
I tried
/ip firewall nat
add chain=dstnat in-interface=LAN protocol=tcp dst-port=80 action=dst-nat to-addresses=WEBIP
but it redirected all websites to my IP ... I would like to make it possible to connect to every website normally, including my website xxx.sk

Thank you for any advice :)
 
millenium7
Long time Member
Posts: 538
Joined: Wed Mar 16, 2016 6:12 am

Re: Enable port 80 in lan

Wed Mar 31, 2021 3:54 am

Need further clarification

I'm guessing that you are running your own website on a server that's in the LAN? Is that correct?
And so your existing firewall rule would just be a port forward
i.e.
/ip firewall nat add chain=dstnat in-interface=WAN protocol=tcp dst-port=80 action=dst-nat to-addresses=[SERVER-IP]

the problem is anything inside your LAN won't work properly because of 2 things
1) in-interface doesn't match. Hence you've tried in-interface=LAN as another rule, that doesn't work, it matches everything as you've said. Instead you need to adjust this to include dst-address=[WAN IP] in your rule. Now traffic specifically going to i.e. 1.2.3.4 (or whatever your WAN address is) matches that rule, but traffic to any other website i.e. 5.6.7.8 does not

But now you have another problem....

2) The rule will work, and traffic will get redirected to the server. But the 'source' IP address is not changed. You have a dst-nat rule, not a src-nat rule. So traffic will indeed flow from a PC on i.e. 192.168.1.100 to the server on 192.168.1.200
The problem however is your server will get the packet and see that it needs to send the response back to 192.168.1.100 which is on the same subnet. And the PC will go "hang on, what's this garbage? I asked for a webpage from 1.2.3.4 and now I'm receiving something from 192.168.1.200? Who are you? Go away" and ignore it completely
So you need to add what is known as a 'hairpin-NAT' rule. So that your traffic goes to the router, the router sends it to the server however instructs the server to send traffic back to the router (and not the PC) so that the router when receiving the reply, can then send it back to the PC and everything looks like traffic is flowing as expected. In reality the router is 'masquerading' on behalf of the PC

So simply add this....
/ip firewall nat add chain=srcnat src-address=[LAN SUBNET] dst-address=[SERVER LAN IP] protocol=tcp dst-port=80 action=masquerade
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Enable port 80 in lan

Wed Mar 31, 2021 3:02 pm

Here is the short explanation. You have come across the need for loopback called in the MT world, Hairpin NAT.
This occurs when users on the same LAN as a server are mandated to use the public IP of the network the server is on, vice the much easier and direct LANIP of the server.

If creating a new subnet is of no interest, then there are multiple ways to solve your dilemma.
In all cases the first thing you need to do is construct a separate srcnat rule (keep the default one) and it looks like this
add chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=192.168.1.0/24


Then you need to configure the destination-NAT rule depending upon whether or not you have a static WANIP or a DYNAMIC WANIP.
If you have a static/fixed WANIP then no change to your current destination-nat rule is required.
add chain=dstnat action=dst-nat dst-address=fixedwanip protocol=xx dst-port=yyyy to-addresses=LANIP to-ports=zzzz
(to-ports is only required if translating to a different port).

If you have a dynamic WANIP then you can do it several ways,
(1) one work around is to use the IP Cloud and free ddns service on the router as per steveOC
We are replacing the static wanip (dst-address) by getting the current wanip. Enable the IP cloud, copy the ddns long winded host name on the router and put it in the firewall address list and name the list
"myWANIP". The firewall list will resolve the name to your current wanip.
then your rule becomes
add chain=dstnat action=dst-nat dst-address-list=myWANIP protocol=xx dst-port=yyyy to-addresses=LANIP

(2) Another gucci method, from Sob (didn't know he was Italian ;-) is similar in that one in effect pulls the active current wanip and sticks it into a firewall address list, from the current dhcp client settings via a script.
So put this in for the dhcp client advanced script area.
:if ($bound=1) do={
/ip firewall address-list set [/ip firewall address-list find where comment="wan1ip"] address=$"lease-address" disabled=no
} else={
/ip firewall address-list set [/ip firewall address-list find where comment="wan1ip"] disabled=yes
}
Where,
/ip firewall address-list
add comment=wan1ip disabled=yes list=external_wan
and rule becomes
add chain=dstnat action=dst-nat dst-address-list=external_wan protocol=xx dst-port=yyyy to-addresses=LANIP

The advantage over the DDNS method is that updates are instant.
The advantage of the DDNS method is useful when there's NAT 1:1 and the router itself doesn't have a public address, plus it's simple and easy to do!!

(3) Finally there is a third method which does not involve extracting any WANIP or mimicking the static WANIP scenario. This involves tricking the router by saying look for the interface that is not local as the source of the incoming traffic.
add chain=dstnat action=dst-nat dst-address-type=local dst-address=!192.168.1.1 \
    protocol=xx dst-port=yyyy to-addresses=LANIP
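The failure mode millenium7 describes (the server answering the PC directly, so the PC sees a reply from the wrong address) and the rule variants anav lists can be walked through without a router. The Python model below is an added example, not code from this thread or from MikroTik: it mirrors the /ip firewall nat matchers used above (in-interface, dst-address, dst-address-type=local with a leading "!" negation, masquerade taking the outgoing interface's address) and follows a LAN client's TCP/80 request through the router and back. All addresses are assumed for the illustration: 1.2.3.4 as the router's WAN IP, 192.168.1.1 as its LAN address, 192.168.1.200 as the web server and 192.168.1.100 as the client. The rule sets OP_ATTEMPT, NO_HAIRPIN, HAIRPIN and LOCAL_ANY are constructed to match the rules posted in the thread.

```python
"""Toy model of RouterOS dstnat/srcnat handling for hairpin NAT.
Added example, not code from the thread or from MikroTik; all addresses are assumed.
Rules are dicts whose keys mirror /ip firewall nat matcher names."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

WAN_IP = "1.2.3.4"             # assumed public address on the router's WAN interface
ROUTER_LAN_IP = "192.168.1.1"  # assumed router address on the LAN
LAN_NET = "192.168.1.0/24"     # assumed LAN subnet
SERVER_IP = "192.168.1.200"    # assumed web server (the to-addresses target)
CLIENT_IP = "192.168.1.100"    # assumed PC on the same LAN as the server


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str
    proto: str = "tcp"


def in_net(ip, cidr):
    """True if ip lies in cidr; a bare address counts as a /32."""
    return ip_address(ip) in ip_network(cidr, strict=False)


def out_iface(pkt):
    """Routing decision: LAN destinations leave via LAN, everything else via WAN."""
    return "LAN" if in_net(pkt.dst, LAN_NET) else "WAN"


def rule_matches(rule, pkt):
    """Evaluate every matcher present in the rule; a leading '!' negates it, as in RouterOS."""
    def match(key, test):
        if key not in rule:
            return True
        value = str(rule[key])
        hit = test(value.lstrip("!"))
        return not hit if value.startswith("!") else hit

    return all((
        match("in-interface", lambda v: pkt.in_iface == v),
        match("out-interface", lambda v: out_iface(pkt) == v),
        match("src-address", lambda v: in_net(pkt.src, v)),
        match("dst-address", lambda v: in_net(pkt.dst, v)),
        # dst-address-type=local: destination is one of the router's own addresses
        match("dst-address-type", lambda v: v == "local" and pkt.dst in (WAN_IP, ROUTER_LAN_IP)),
        match("protocol", lambda v: pkt.proto == v),
        match("dst-port", lambda v: pkt.dport == int(v)),
    ))


def forward(pkt, rules):
    """First matching dstnat rule rewrites the destination; after routing, the first
    matching srcnat rule rewrites the source (masquerade = outgoing interface address)."""
    for r in rules:
        if r["chain"] == "dstnat" and rule_matches(r, pkt):
            pkt = replace(pkt, dst=r["to-addresses"])
            break
    for r in rules:
        if r["chain"] == "srcnat" and rule_matches(r, pkt):
            if r["action"] == "masquerade":
                new_src = ROUTER_LAN_IP if out_iface(pkt) == "LAN" else WAN_IP
            else:
                new_src = r["to-addresses"]
            pkt = replace(pkt, src=new_src)
            break
    return pkt


def client_fetch(dst_ip, rules):
    """LAN client opens TCP/80 to dst_ip. Returns which host got the SYN, which source
    address the client sees on the reply, and whether the client accepts it (a TCP
    client only accepts a reply from the address it actually connected to)."""
    if in_net(dst_ip, LAN_NET):  # same subnet: the router is not in the path at all
        return {"reached": dst_ip, "reply_from": dst_ip, "accepted": True}
    fwd = forward(Packet(src=CLIENT_IP, dst=dst_ip, dport=80, in_iface="LAN"), rules)
    if fwd.src in (ROUTER_LAN_IP, WAN_IP):
        reply_from = dst_ip   # reply returns via the router, which undoes both translations
    else:
        reply_from = fwd.dst  # server answers the client directly, bypassing the router
    return {"reached": fwd.dst, "reply_from": reply_from, "accepted": reply_from == dst_ip}


# Constructed rule sets mirroring the rules posted in the thread.
DEFAULT_MASQ = {"chain": "srcnat", "action": "masquerade", "out-interface": "WAN"}
PORT_FORWARD = {"chain": "dstnat", "action": "dst-nat", "dst-address": WAN_IP,
                "protocol": "tcp", "dst-port": 80, "to-addresses": SERVER_IP}
HAIRPIN_MASQ = {"chain": "srcnat", "action": "masquerade",
                "src-address": LAN_NET, "dst-address": LAN_NET}
OP_ATTEMPT = [DEFAULT_MASQ, {"chain": "dstnat", "action": "dst-nat", "in-interface": "LAN",
                             "protocol": "tcp", "dst-port": 80, "to-addresses": SERVER_IP}]
NO_HAIRPIN = [DEFAULT_MASQ, PORT_FORWARD]
HAIRPIN = [DEFAULT_MASQ, HAIRPIN_MASQ, PORT_FORWARD]
# Method (3): any router-local address except the LAN gateway; the WAN IP is never hard-coded.
LOCAL_ANY = [DEFAULT_MASQ, HAIRPIN_MASQ,
             {"chain": "dstnat", "action": "dst-nat", "dst-address-type": "local",
              "dst-address": "!" + ROUTER_LAN_IP, "protocol": "tcp", "dst-port": 80,
              "to-addresses": SERVER_IP}]

if __name__ == "__main__":
    for name, rules in (("OP_ATTEMPT", OP_ATTEMPT), ("NO_HAIRPIN", NO_HAIRPIN),
                        ("HAIRPIN", HAIRPIN), ("LOCAL_ANY", LOCAL_ANY)):
        for target in (WAN_IP, "5.6.7.8"):
            print(f"{name:10} -> {target:8}: {client_fetch(target, rules)}")
```

Running it shows the three outcomes discussed above: the in-interface=LAN rule sends a request for 5.6.7.8 to the server; dst-address=1.2.3.4 without the LAN-to-LAN masquerade reaches the server, but the reply arrives from 192.168.1.200 and is discarded; with the hairpin srcnat rule (or the dst-address-type=local variant) the reply comes back as 1.2.3.4 and is accepted. The model tracks addresses only and does not model connection state, so it is a reasoning aid, not a substitute for /ip firewall connection print on the router.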
 