Community discussions

MikroTik App
just joined
Topic Author
Posts: 6
Joined: Fri Dec 01, 2023 2:03 am

Can't access locally hosted servers using domain.tld

Fri Dec 01, 2023 3:17 am

I'm still new to using mikrotik and some networking in general.
I have setup 3 different LANs on my mikrotik router to separate local home devices/traffic from publicly accessible Virtual Machines/traffic.
LAN1 = subnet (this has all my devices at home connected to it)
LAN2 = subnet (this is connected to couple of servers with a bunch of Virtual Machines, some of which have web servers that are publicly accessible)
LAN3 = subnet (this is also connected to another server with Virtual Machines with public access as well)

ex1: i got a simple web server on ip with a real registered domain1.tld, i have setup port forwarding, so i can access it publicly no problem at all, but trying to type domain1.tld from anywhere on any of my devices on any of the 3 LANs, i get this page can't be reached... domain1.tld refused to connect.

workaround to get it to work in the meantime. i had to add the domain and ip to my windows hosts file on my computer, but that wasn't enough to solve the issue, i had to also disable "Secure DNS" option in google chrome to be able to view the site, and it worked, but only works for couple of days then stops at random times, i go back to chrome settings i have to enable, then disable Secure DNS again, then it will work for another couple of days or so, etc... endless, and doesn't work on my mobile phone unless again i disconnect my wifi and connect to cellular data.

ex2: i got a chat server running on ip with a real registered domain2.tld. i have also setup port forwarding and works perfect when outside my network, however when i access it from my network, i wasn't able to and kept saying unable to connect to server, i end up disabling my wifi on my phone to connect to cellular data to be able to connect to my chat server.

workaround to get it to work in the meantime, adding it to hosts file on my computer worked, but this is still not practical solution as I'm still unable to use it on my phone or other mobile devices, and it's a pain to have to configure hosts file on each device i want to allow to connect.

there are other domains/servers which have the same problem as above, i just wanted to give 2 examples for clarity.

here is my router config:
/interface ethernet
set [ find default-name=ether7 ] disable-running-check=no name=ether1_LAN1
set [ find default-name=ether8 ] disable-running-check=no name=ether2_WAN1
set [ find default-name=ether1 ] disable-running-check=no name=ether3_LAN2
set [ find default-name=ether2 ] disable-running-check=no name=ether4_LAN3
set [ find default-name=ether3 ] disable-running-check=no name=ether5
set [ find default-name=ether4 ] disable-running-check=no name=ether6
set [ find default-name=ether5 ] disable-running-check=no name=ether7
set [ find default-name=ether6 ] disable-running-check=no name=ether8_LAN0
/interface wireguard
add comment="VPN" listen-port=9966 mtu=1420 name=wireguard_vpn
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool_LAN1 ranges=
add name=dhcp_pool_LAN2 ranges=
add name=dhcp_pool_LAN3 ranges=
/ip dhcp-server
add address-pool=dhcp_pool_LAN1 interface=ether1_LAN1 name=dhcp1_LAN1
add address-pool=dhcp_pool_LAN2 interface=ether3_LAN2 name=dhcp1_LAN2
add address-pool=dhcp_pool_LAN3 interface=ether4_LAN3 name=dhcp1_LAN3
set 0 name=serial0
set 1 name=serial1
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=ether1_LAN1 list=LAN
add interface=wireguard_vpn list=WAN
/interface wireguard peers
add allowed-address= comment="Client1" interface=\
    wireguard_vpn public-key=\
add allowed-address= comment="Client2" interface=\
    wireguard_vpn public-key=\
add allowed-address= comment="Client3" \
    interface=wireguard_vpn public-key=\
add allowed-address= comment="Client4" interface=wireguard_vpn \
/ip address
add address= interface=ether1_LAN1 network=
add address= interface=ether3_LAN2 network=
add address= interface=ether4_LAN3 network=
add address= comment="ip access for WireGuard" \
    interface=wireguard_vpn network=
add address= interface=ether3_LAN2 network=
/ip dhcp-client
add interface=ether2_WAN1
/ip dhcp-server network
add address= dns-server=, gateway=
add address= dns-server=, gateway=
add address= dns-server=, gateway=
/ip dns
set allow-remote-requests=yes servers=,
/ip dns static
add address= name=domain1.tld
add address= name=domain2.tld
add address= name=somelocal.domain1
/ip firewall address-list
add address= list=LAN
add address= list=LAN
add address= list=LAN
/ip firewall filter
add action=accept chain=input dst-address= src-address=\
add action=accept chain=input dst-address= src-address=\ src-address-list=""
add action=accept chain=input dst-address= src-address=\
add action=drop chain=input comment="drop ftp/ssh/telnet brute forcers" \
    dst-port=21-23 protocol=tcp src-address-list=blacklist
add action=add-src-to-address-list address-list=blacklist \
    address-list-timeout=1w3d chain=input comment="blacklist stage3 10 days" \
    connection-state=new dst-port=21-23 protocol=tcp src-address-list=stage3
add action=add-src-to-address-list address-list=stage3 address-list-timeout=\
    1m chain=input comment="blacklist stage2 1minute" connection-state=new \
    dst-port=21-23 protocol=tcp src-address-list=stage2
add action=add-src-to-address-list address-list=stage2 address-list-timeout=\
    1m chain=input comment="blacklist stage1 1minute" connection-state=new \
    dst-port=21-23 protocol=tcp src-address-list=stage1
add action=add-src-to-address-list address-list=stage1 address-list-timeout=\
    1m chain=input comment="blacklist stage0 1minute" connection-state=new \
    dst-port=21-23 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether2_WAN1
add action=masquerade chain=srcnat src-address=
add action=dst-nat chain=dstnat comment="domain1.tld http" dst-port=80 \
    in-interface=ether2_WAN1 protocol=tcp to-addresses= to-ports=80
add action=dst-nat chain=dstnat comment="domain1.tld relay" dst-port=8041 \
    in-interface=ether2_WAN1 protocol=tcp to-addresses= to-ports=\
add action=dst-nat chain=dstnat comment="domain1.tld https" dst-port=443 \
    in-interface=ether2_WAN1 protocol=tcp to-addresses= to-ports=\
add action=dst-nat chain=dstnat comment="VM1 RDP" dst-port=6684 \
    in-interface=ether2_WAN1 protocol=tcp to-addresses= to-ports=\
add action=dst-nat chain=dstnat comment="VM2 RDP" dst-port=6685 \
    in-interface=ether2_WAN1 protocol=tcp to-addresses= to-ports=\
add action=dst-nat chain=dstnat comment="VM3 TCP14121-14122" \
    dst-port=14121-14122 in-interface=ether2_WAN1 protocol=tcp to-addresses=\ to-ports=14121-14122
add action=dst-nat chain=dstnat comment="VM3 TCP14124" dst-port=\
    14124 in-interface=ether2_WAN1 protocol=tcp to-addresses= \
add action=dst-nat chain=dstnat comment="VM3 UDP14124" dst-port=\
    14124 in-interface=ether2_WAN1 protocol=udp to-addresses= \
add action=masquerade chain=srcnat comment="Masquerade for WireGuard" \
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=4040
set ssh port=22
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers

this is the page that gets displayed when trying to view the page locally

User avatar
MikroTik Support
MikroTik Support
Posts: 26267
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Can't access locally hosted servers using domain.tld

Fri Dec 01, 2023 7:27 am

just joined
Topic Author
Posts: 6
Joined: Fri Dec 01, 2023 2:03 am

Re: Can't access locally hosted servers using domain.tld

Fri Dec 01, 2023 9:45 pm

normis my friend, this was exactly it, thank you for both links, worked first try.
really appreciate your help :wink:

Who is online

Users browsing this forum: mike7, pe1chl and 36 guests