wesson
just joined
Topic Author
Posts: 9
Joined: Wed Mar 20, 2019 2:41 pm

Cannot access a server on LAN from LAN using its WAN IP address

Wed Jan 12, 2022 6:20 pm

Hello,
I have an SVN server in my local network, answering on ip:port 192.168.5.244:3690.
I am connected to the internet with a static IP, and reachable through a DNS record, so I can access it from my svn client with svn://mysvn.mynetwork.sample (this is obviously not the real stuff but just to demonstrate the issue).

So to give this access I have configured a dst-nat rule, sending the port 3690 to the appropriate IP.

This is working fine, but only if I connect from OUTSIDE the network, not from the LAN.

From the LAN, if I use svn://192.168.5.244, it's working,
but if I use svn://mysvn.mynetwork.sample it's not (the server never answers).

Trying to sniff the traffic, this is what I have when I'm trying to access the repo from inside (not working):
[admin@MikroTik] > /tool sniffer quick ip-protocol=tcp ip-address=192.168.5.244 port=3690
INTERFACE    TIME    NUM DIR SRC-MAC           DST-MAC           VLAN   SRC-ADDRESS                         DST-ADDRESS                         PROTOCOL   SIZE CPU FP 
bridge       6.247      1 ->  B8:69:F4:E8:23:1E 00:11:32:B0:EE:58        192.168.5.250:51717                 192.168.5.244:3690                  ip:tcp       66   1 no 
bridge       7.247      2 ->  B8:69:F4:E8:23:1E 00:11:32:B0:EE:58        192.168.5.250:51717                 192.168.5.244:3690                  ip:tcp       66   1 no 
bridge       9.246      3 ->  B8:69:F4:E8:23:1E 00:11:32:B0:EE:58        192.168.5.250:51717                 192.168.5.244:3690                  ip:tcp       66   1 no 
bridge      13.247      4 ->  B8:69:F4:E8:23:1E 00:11:32:B0:EE:58        192.168.5.250:51717                 192.168.5.244:3690                  ip:tcp       66   1 no 
bridge      21.247      5 ->  B8:69:F4:E8:23:1E 00:11:32:B0:EE:58        192.168.5.250:51717                 192.168.5.244:3690                  ip:tcp       66   1 no 
bridge      27.249      6 ->  B8:69:F4:E8:23:1E 00:11:32:B0:EE:58        192.168.5.250:51719                 192.168.5.244:3690                  ip:tcp       66   1 no 
bridge      28.249      7 ->  B8:69:F4:E8:23:1E 00:11:32:B0:EE:58        192.168.5.250:51719                 192.168.5.244:3690                  ip:tcp       66   1 no 
bridge      30.248      8 ->  B8:69:F4:E8:23:1E 00:11:32:B0:EE:58        192.168.5.250:51719                 192.168.5.244:3690                  ip:tcp       66   1 no 
bridge      34.249      9 ->  B8:69:F4:E8:23:1E 00:11:32:B0:EE:58        192.168.5.250:51719                 192.168.5.244:3690                  ip:tcp       66   1 no 
Same, from outside (working, excerpt):
eth5_LAN    11.221    667 <-  00:11:32:B0:EE:58 B8:69:F4:E8:23:1E        192.168.5.244:3690                  37.165.87.244:59653                 ip:tcp       97   0 n
bridge      11.221    668 <-  00:11:32:B0:EE:58 B8:69:F4:E8:23:1E        192.168.5.244:3690                  37.165.87.244:59653                 ip:tcp       97   0 n
bridge      11.235    669 ->  B8:69:F4:E8:23:1E 00:11:32:B0:EE:58        37.165.87.244:59644                 192.168.5.244:3690                  ip:tcp      108   1 n
eth5_LAN    11.236    670 <-  00:11:32:B0:EE:58 B8:69:F4:E8:23:1E        192.168.5.244:3690                  37.165.87.244:59644                 ip:tcp      523   0 n
bridge      11.236    671 <-  00:11:32:B0:EE:58 B8:69:F4:E8:23:1E        192.168.5.244:3690                  37.165.87.244:59644                 ip:tcp      523   0 n
bridge      11.318    672 ->  B8:69:F4:E8:23:1E 00:11:32:B0:EE:58        37.165.87.244:59644                 192.168.5.244:3690                  ip:tcp       54   1 n
eth5_LAN    11.319    673 <-  00:11:32:B0:EE:58 B8:69:F4:E8:23:1E        192.168.5.244:3690                  37.165.87.244:59644                 ip:tcp       60   0 n
bridge      11.319    674 <-  00:11:32:B0:EE:58 B8:69:F4:E8:23:1E        192.168.5.244:3690                  37.165.87.244:59644                 ip:tcp       60   0 n
bridge      11.319    675 ->  B8:69:F4:E8:23:1E 00:11:32:B0:EE:58        37.165.87.244:59653                 192.168.5.244:3690                  ip:tcp      143   1 n
eth5_LAN    11.322    676 <-  00:11:32:B0:EE:58 B8:69:F4:E8:23:1E        192.168.5.244:3690                  37.165.87.244:59653                 ip:tcp     1434   0 n
bridge      11.322    677 <-  00:11:32:B0:EE:58 B8:69:F4:E8:23:1E        192.168.5.244:3690                  37.165.87.244:59653                 ip:tcp     1434   0 n
eth5_LAN    11.322    678 <-  00:11:32:B0:EE:58 B8:69:F4:E8:23:1E        192.168.5.244:3690                  37.165.87.244:59653                 ip:tcp      214   0 n
Anyone having a clue on what could cause this behaviour?

Here is the current config:
# jan/12/2022 17:05:40 by RouterOS 6.49.2
# software id = UMPL-TUUI
#
# model = RouterBOARD 3011UiAS
# serial number = 8EED09AA07E0
/interface bridge
add admin-mac=B8:69:F4:E8:23:1E auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=eth1OVH speed=100Mbps
set [ find default-name=ether2 ] name=eth2BTF speed=100Mbps
set [ find default-name=ether3 ] name=eth3 speed=100Mbps
set [ find default-name=ether5 ] name=eth5_LAN speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface pppoe-client
add add-default-route=yes disabled=no interface=eth1OVH name=pppoe-OVH \
    use-peer-dns=yes user=xxxxxxxxxxxxxx
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.5.100-192.168.5.250
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=eth5_LAN
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=eth1OVH list=WAN
add interface=pppoe-OVH list=WAN
add interface=eth2BTF list=WAN
add interface=eth3 list=WAN
/ip address
add address=192.168.5.1/24 interface=bridge network=192.168.5.0
add address=yyy.yyy.yyy.182/29 interface=bridge network=yyy.yyy.yyy.176
/ip dhcp-client
add comment=defconf interface=eth1OVH
add disabled=no interface=eth2BTF
/ip dhcp-server lease
add address=192.168.5.248 mac-address=F4:6D:04:05:BD:A0 server=defconf
add address=192.168.5.250 client-id=1:68:5:ca:24:61:94 mac-address=\
    68:05:CA:24:61:94 server=defconf
add address=192.168.5.244 client-id=1:0:11:32:b0:ee:58 mac-address=\
    00:11:32:B0:EE:58 server=defconf
add address=192.168.5.242 client-id=\
    ff:54:a5:99:af:0:1:0:1:29:5b:6f:bb:0:23:54:a5:99:af mac-address=\
    00:23:54:A5:99:AF server=defconf
add address=192.168.5.241 client-id=\
    ff:85:9b:79:28:0:1:0:1:25:13:db:9a:0:21:85:9b:79:28 mac-address=\
    00:21:85:9B:79:28 server=defconf
/ip dhcp-server network
add address=192.168.5.0/24 gateway=192.168.5.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=192.168.1.0/24 list=Connected
add address=192.168.5.0/24 list=Connected
add address=xxx.xxx.xxx.246 list=Connected
add address=192.168.5.0/24 list=LAN
add address=yyy.yyy.yyy.176/29 list=Connected
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="Allow Firewall access from LAN subnet" \
    src-address=192.168.5.0/24
add action=drop chain=input comment=\
    "Drop all attempt to FTP,SSH,Winbox from outside" dst-port=\
    8291,8728,21,22,161 protocol=tcp
add action=accept chain=input dst-port=31500-31600 log=yes log-prefix=RDP_ACC \
    protocol=tcp
add action=accept chain=input comment="accept Bloc /29" dst-address=\
    yyy.yyy.yyy.176/29 in-interface-list=WAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log-prefix=DROP1
add action=accept chain=input comment="defconf: accept ICMP" log-prefix=icmp \
    protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log-prefix=DROPWAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="Forward packets to PUBLIC IP Range" \
    dst-address=yyy.yyy.yyy.176/29 in-interface=all-ppp
add action=accept chain=forward comment="Forward SVN port to TIGROU" \
    connection-state=new dst-address=192.168.5.244 in-interface=all-ppp port=\
    3690 protocol=tcp
add action=accept chain=forward connection-state=new disabled=yes \
    in-interface=bridge out-interface=pppoe-OVH
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log-prefix=DROP_FWD_INVALID
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN log=yes log-prefix=DROP4
/ip firewall mangle
add action=accept chain=prerouting dst-address-list=Connected \
    src-address-list=Connected
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
    pppoe-OVH new-connection-mark=OVH->ROS passthrough=no
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
    eth2BTF new-connection-mark=BOUY->ROS passthrough=no
add action=mark-routing chain=output connection-mark=OVH->ROS \
    new-routing-mark=OVH_Route passthrough=no
add action=mark-routing chain=output connection-mark=BOUY->ROS \
    new-routing-mark=BOUY_Route passthrough=no
add action=mark-connection chain=forward connection-mark=no-mark \
    in-interface=pppoe-OVH new-connection-mark=OVH->LANs
add action=mark-connection chain=forward connection-mark=no-mark \
    in-interface=eth2BTF new-connection-mark=BOUY->LANs
add action=mark-routing chain=prerouting connection-mark=OVH->LANs \
    new-routing-mark=OVH_Route src-address-list=LAN
add action=mark-routing chain=prerouting connection-mark=BOUY->LANs \
    new-routing-mark=BOUY_Route src-address-list=LAN
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-list=!Connected dst-address-type=!local new-connection-mark=\
    LAN->WAN src-address-list=LAN
add action=mark-routing chain=prerouting comment="Load Balancing here" \
    connection-mark=LAN->WAN new-routing-mark=OVH_Route passthrough=yes \
    src-address-list=LAN
add action=mark-connection chain=prerouting connection-mark=LAN->WAN \
    new-connection-mark=Sticky_OVH routing-mark=OVH_Route
add action=mark-connection chain=prerouting connection-mark=LAN->WAN \
    new-connection-mark=Sticky_BOUY routing-mark=BOUY_Route
add action=mark-routing chain=prerouting connection-mark=Sticky_OVH \
    new-routing-mark=OVH_Route src-address-list=LAN
add action=mark-routing chain=prerouting connection-mark=Sticky_BOUY \
    new-routing-mark=BOUY_Route src-address-list=LAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=eth2BTF
add action=masquerade chain=srcnat out-interface=pppoe-OVH
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=accept chain=srcnat dst-address=yyy.yyy.yyy.176/29
add action=dst-nat chain=dstnat dst-port=3690 protocol=tcp to-addresses=\
    192.168.5.244 to-ports=3690
add action=dst-nat chain=dstnat disabled=yes dst-port=9765 protocol=tcp \
    to-addresses=192.168.5.244 to-ports=8432
add action=dst-nat chain=dstnat dst-port=31500-31600 protocol=tcp \
    to-addresses=192.168.5.249 to-ports=31500-31600
/ip route
add distance=1 gateway=zzz.zzz.zzz.19 routing-mark=OVH_Route
add distance=1 gateway=192.168.1.254 routing-mark=BOUY_Route
add distance=1 gateway=zzz.zzz.zzz.19
add distance=2 gateway=192.168.1.254
add disabled=yes distance=1 dst-address=yyy.yyy.yyy.176/29 gateway=pppoe-OVH
/ip service
set telnet disabled=yes
set ssh disabled=yes
/ip upnp
set allow-disable-external-interface=yes enabled=yes
/ip upnp interfaces
add interface=eth5_LAN type=internal
add interface=pppoe-OVH type=external
/system clock
set time-zone-name=Europe/Paris
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool traffic-monitor
add interface=pppoe-OVH name=LB1 on-event=":log warning \"LB Debug: OVH Overlo\
    aded, switching to BOUYGUES\";\r\
    \n/ip firewall mangle set [find comment=\"Load Balancing here\"] new-routi\
    ng-mark=BOUY_Route" threshold=350288000 traffic=received
add interface=pppoe-OVH name=LB2 on-event=":log warning \"LB Debug: switching \
    back to OVH as it is less emcumbered now\";\r\
    \n/ip firewall mangle set [find comment=\"Load Balancing here\"] new-routi\
    ng-mark=OVH_Route" threshold=100288000 traffic=received trigger=below
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Cannot access a server on LAN from LAN using its WAN IP address  [SOLVED]

Wed Jan 12, 2022 6:40 pm

Please find one of many topics here dealing with "hairpin NAT" or move the server to its own dedicated subnet.
 
wesson
just joined
Topic Author
Posts: 9
Joined: Wed Mar 20, 2019 2:41 pm

Re: Cannot access a server on LAN from LAN using its WAN IP address

Wed Jan 12, 2022 7:10 pm

Googling it in this forum made my day. I've added a mangle rule to mark the connection, and then a NAT rule to masquerade the marked connection.

Thank you.
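For readers landing here via the "hairpin NAT" pointer above, this is an added example of the fix wesson describes (a LAN client reaching a LAN server through the public address), not the poster's own rules nor MikroTik's documentation. It assumes the thread's values: LAN 192.168.5.0/24 on interface "bridge", SVN server 192.168.5.244:3690, and the existing dst-nat rule for port 3690; wesson's mangle-mark plus masquerade-by-connection-mark approach is collapsed into a single srcnat rule here.

```routeros
# Added example (not from the original post). Why the LAN case fails without it:
# the client 192.168.5.250 sends a SYN to the public IP, dst-nat rewrites the
# destination to 192.168.5.244, the server answers the client directly from
# 192.168.5.244, and the client discards that reply because it expected one
# from the public IP. The sniffer capture above shows exactly that pattern:
# repeated SYNs to :3690 on the bridge and never a reply.

/ip firewall nat
# 1. dst-nat rule scoped to addresses the router itself owns (assumption: the
#    public IP lives on the router, as with the PPPoE address here). Unlike
#    in-interface-list=WAN, dst-address-type=local still matches LAN clients
#    that connect to the public name, so they get redirected as well.
add chain=dstnat action=dst-nat protocol=tcp dst-port=3690 \
    dst-address-type=local to-addresses=192.168.5.244 to-ports=3690 \
    comment="SVN: dst-nat from any side, LAN included (hairpin)"

# 2. Hairpin masquerade. srcnat is evaluated after dst-nat, so dst-address
#    already holds the translated server address. Only LAN->LAN flows that
#    passed through the router are rewritten: the server then sees the router
#    (192.168.5.1) as the client and replies via the router, which un-NATs both
#    directions. Direct LAN-to-LAN traffic never crosses the router, so it is
#    unaffected.
add chain=srcnat action=masquerade src-address=192.168.5.0/24 \
    dst-address=192.168.5.244 protocol=tcp dst-port=3690 \
    out-interface=bridge \
    comment="hairpin NAT: LAN clients reaching SVN via the WAN IP"

# Check: open svn://mysvn.mynetwork.sample from a LAN host, then on the router
#   /ip firewall connection print detail where protocol=tcp
# The 3690 entry of a hairpinned flow shows reply-dst-address 192.168.5.1
# (the router), not the client's own address; the client-side sniffer stops
# showing SYN retransmissions.
```

Scoping the masquerade to the server and port keeps source addresses intact for every other LAN flow, so the SVN server loses the real client IP in its logs only for the hairpinned connections.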
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Cannot access a server on LAN from LAN using its WAN IP address

Wed Jan 12, 2022 8:52 pm

Correction to Sindy's post! There can ONLY BE ONE........... viewtopic.php?t=179343

(1) Why is your WAN interface also a LAN interface (aka on the bridge)??

/ip address
add address=192.168.5.1/24 interface=bridge network=192.168.5.0
add address=yyy.yyy.yyy.182/29 interface=bridge network=yyy.yyy.yyy.176

/interface list member
add comment=defconf interface=bridge list=LAN

(2) where did this come from, connected too??
add address=192.168.1.0/24 list=Connected

(3) I am not aware that RDP is a service provided by the ROUTER???
add action=accept chain=input dst-port=31500-31600 log=yes log-prefix=RDP_ACC \
protocol=tcp

(4) Last comment,,,,,,,,
Why the first rule if already covered by the second rule highlighted? Seems inefficient!
add action=drop chain=input comment=\
"Drop all attempt to FTP,SSH,Winbox from outside" dst-port=\
8291,8728,21,22,161 protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN log-prefix=DROPWAN

(5) Your WANIP structure is far too complex for me to read and discuss sadly.

(6) Dst nat rules seem to be missing the dst-address= OR in-interface-list= portions, but if it works for you.
 
wesson
just joined
Topic Author
Posts: 9
Joined: Wed Mar 20, 2019 2:41 pm

Re: Cannot access a server on LAN from LAN using its WAN IP address

Thu Jan 13, 2022 11:20 am

(1) Why is your WAN interface also a LAN interface (aka on the bridge)??
Maybe a mistake. Just to explain and not to excuse, I am not a network specialist and I have a rather complex setting which has been achieved through many "tests" of the config.
The setup is
* 1 ISP providing 1 external IP + a completely independent /29 range through a PPPoE connection (OVH)
* Alternative ISP providing its own local network (BOUYGUES)
What I tried to achieve is load balancing between the 2 ISPs with decent link stickiness, so as to have a switch between the 2 ISPs depending on the bandwidth used, while all the pending connections stay on the same ISP.

(2) where did this come from, connected too??
add address=192.168.1.0/24 list=Connected
It's the second ISP (Bouygues), which has its own router with a DHCP server.

(3) I am not aware that RDP is a service provided by the ROUTER???
add action=accept chain=input dst-port=31500-31600 log=yes log-prefix=RDP_ACC \
protocol=tcp
I think it has nothing to do with the RDP protocol; probably a copy/paste of another rule that was eventually removed. I think I put this because of the /29 range and one server requiring the ability to have the high-range ports accessible from the outside.

(4) Last comment,,,,,,,,
Why the first rule if already covered by the second rule highlighted? Seems inefficient!
add action=drop chain=input comment=\
"Drop all attempt to FTP,SSH,Winbox from outside" dst-port=\
8291,8728,21,22,161 protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN log-prefix=DROPWAN
I usually add some rules to log specific drops. For instance, at this moment I am being attacked by a range of IPs coming from a VPN service. I made a specific rule to drop this IP range with a log entry. Once the packet counter no longer moves, it'll mean they have understood. Having a specific rule for them allows me to know when the attack is over.

(5) Your WANIP structure is far too complex for me to read and discuss sadly.

(6) Dst nat rules seem to be missing the dst-address= OR in-interface-list= portions, but if it works for you.
As said before, I'm not a specialist and I have a fairly complex local network structure, so it's obvious that there are many issues with my configuration. However, as of today everything is working as I need it to, so I can live with it.
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Cannot access a server on LAN from LAN using its WAN IP address

Thu Jan 13, 2022 1:59 pm

Okay, if it works for you, then don't touch anything LOL.
The config is more complex than I can understand and I do not want to interfere with your working config.
