I've been reading a lot of posts and trying various solutions but just can't wrap my head around this. I'm no networking expert, but I have successfully used lots of consumer routers, EdgeOS, OPNsense, UniFi and Omada, so I have been excited to learn more about MikroTik.
I'm able to reach my internal services if I use my (current) public IP but not with DDNS (Cloudflare). I have checked to be sure the A record is indeed the same as the public IP.
I have a feeling my issue is related to the way hairpin NAT is configured.
Code:
[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid; D - dynamic
0 D ;;; back-to-home-vpn
chain=srcnat action=masquerade src-address=192.168.216.0/24
1 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN log=no
log-prefix="" ipsec-policy=out,none
2 ;;; Seafile-1
chain=dstnat action=dst-nat to-addresses=192.168.12.42 to-ports=8000
protocol=tcp in-interface-list=WAN dst-port=8000 log=no log-prefix=""
3 ;;; Seafile-2
chain=dstnat action=dst-nat to-addresses=192.168.12.42 to-ports=8082
protocol=tcp in-interface-list=WAN dst-port=8082 log=no log-prefix=""
4 ;;; Plex
chain=dstnat action=dst-nat to-addresses=192.168.12.29 to-ports=32400
protocol=tcp in-interface-list=WAN dst-port=32400
5 ;;; WG-42
chain=dstnat action=dst-nat to-addresses=192.168.12.42 to-ports=51820
protocol=udp in-interface-list=WAN dst-port=51820
6 ;;; WG-60
chain=dstnat action=dst-nat to-addresses=192.168.12.60 to-ports=51888
protocol=udp in-interface-list=WAN dst-port=51888
7 ;;; WG-43
chain=dstnat action=dst-nat to-addresses=192.168.12.43 to-ports=51889
protocol=udp in-interface-list=WAN dst-port=51889
8 chain=srcnat action=masquerade src-address=192.168.12.0/24
dst-address=192.168.12.0/24 log=no log-prefix=""
Code:
[admin@MikroTik] > ip firewall filter print
Flags: X - disabled, I - invalid; D - dynamic
0 D ;;; back-to-home-vpn
chain=forward action=drop
src-address-list=back-to-home-lan-restricted-peers out-interface-list=LAN
1 D ;;; back-to-home-vpn
chain=input action=accept protocol=udp dst-port=9378
2 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
3 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
4 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid
5 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
6 ;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1
7 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN log=no log-prefix=""
8 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
9 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
10 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection hw-offload=yes
connection-state=established,related
11 ;;; defconf: accept established,related, untracked
chain=forward action=accept
connection-state=established,related,untracked
12 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
13 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new
connection-nat-state=!dstnat in-interface-list=WAN
14 chain=forward action=accept protocol=tcp dst-port=8043 log=no log-prefix=""
Thanks!
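The hairpin question above comes down to which NAT rules a packet actually hits depending on the interface it arrives on. The following is an added example (not the poster's configuration and not MikroTik code): a small Python model that walks a dstnat chain, makes a routing decision, then walks a srcnat chain the way RouterOS does for a new connection. It loads the posted Seafile-1, masquerade and LAN-to-LAN masquerade rules, then adds an assumed extra dstnat rule keyed on the public address instead of on in-interface-list=WAN. The public IP 203.0.113.10, the router's LAN address 192.168.12.1, the LAN client 192.168.12.50, the remote client 198.51.100.7 and the interface names ether1/bridge are all constructed placeholders.

```python
"""Toy model of RouterOS NAT chain evaluation (added example, not MikroTik code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

PUBLIC_IP = "203.0.113.10"        # constructed placeholder for the router's WAN address
ROUTER_LAN_IP = "192.168.12.1"    # constructed placeholder for the bridge address
LAN_NET = "192.168.12.0/24"
IFACE_LISTS = {"WAN": {"ether1"}, "LAN": {"bridge"}}   # constructed interface lists


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    in_iface: str


@dataclass
class Rule:
    chain: str
    action: str
    comment: str = ""
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    in_iface_list: Optional[str] = None
    out_iface_list: Optional[str] = None
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    to_addr: Optional[str] = None
    to_port: Optional[int] = None

    def matches(self, p: Packet, out_iface: str) -> bool:
        """Every matcher that is set on the rule must agree with the packet."""
        return all([
            self.proto is None or self.proto == p.proto,
            self.dst_port is None or self.dst_port == p.dport,
            self.in_iface_list is None or p.in_iface in IFACE_LISTS[self.in_iface_list],
            self.out_iface_list is None or out_iface in IFACE_LISTS[self.out_iface_list],
            self.src_net is None or ip_address(p.src) in ip_network(self.src_net),
            self.dst_net is None or ip_address(p.dst) in ip_network(self.dst_net),
        ])


def route(dst: str) -> str:
    """Toy routing decision: the LAN prefix leaves via the bridge, everything else via ether1."""
    return "bridge" if ip_address(dst) in ip_network(LAN_NET) else "ether1"


def first_match(rules, chain, p, out_iface=""):
    """RouterOS stops at the first dst-nat/masquerade rule that matches in a chain."""
    for r in rules:
        if r.chain == chain and r.matches(p, out_iface):
            return r
    return None


def nat_walk(rules, p: Packet) -> dict:
    """dstnat first, then routing, then srcnat; packets still addressed to the router go to input."""
    src, dst, dport = p.src, p.dst, p.dport
    d = first_match(rules, "dstnat", p)
    if d and d.action == "dst-nat":
        dst, dport = d.to_addr, d.to_port or dport
    if dst in (PUBLIC_IP, ROUTER_LAN_IP):
        # Untranslated: the router is the destination, so the input chain handles it
        # and the service on the LAN never sees the connection.
        return {"src": src, "dst": dst, "dport": dport, "out_iface": None,
                "dstnat_rule": None, "srcnat_rule": None, "path": "router(input)"}
    out_iface = route(dst)
    s = first_match(rules, "srcnat", Packet(src, dst, p.proto, dport, p.in_iface), out_iface)
    if s and s.action == "masquerade":
        src = PUBLIC_IP if out_iface == "ether1" else ROUTER_LAN_IP
    return {"src": src, "dst": dst, "dport": dport, "out_iface": out_iface,
            "dstnat_rule": d.comment, "srcnat_rule": s.comment if s else None,
            "path": "forward"}


# Rules as posted (Seafile-1, the defconf masquerade, and rule 8, the LAN-to-LAN masquerade).
POSTED_RULES = [
    Rule("srcnat", "masquerade", "defconf: masquerade", out_iface_list="WAN"),
    Rule("dstnat", "dst-nat", "Seafile-1", proto="tcp", dst_port=8000,
         in_iface_list="WAN", to_addr="192.168.12.42", to_port=8000),
    Rule("srcnat", "masquerade", "rule 8: LAN-to-LAN masquerade", src_net=LAN_NET, dst_net=LAN_NET),
]
# Assumed rule, not in the post: match on the public address instead of the WAN interface list,
# so a LAN-originated connection to the public IP is translated as well.
HAIRPIN_DSTNAT = Rule("dstnat", "dst-nat", "assumed: hairpin Seafile-1", proto="tcp",
                      dst_port=8000, dst_net=PUBLIC_IP, to_addr="192.168.12.42", to_port=8000)

LAN_CLIENT = Packet("192.168.12.50", PUBLIC_IP, "tcp", 8000, "bridge")   # constructed
WAN_CLIENT = Packet("198.51.100.7", PUBLIC_IP, "tcp", 8000, "ether1")    # constructed


def walk_posted(p: Packet) -> dict:
    return nat_walk(POSTED_RULES, p)


def walk_with_hairpin(p: Packet) -> dict:
    return nat_walk(POSTED_RULES + [HAIRPIN_DSTNAT], p)


if __name__ == "__main__":
    for label, fn in (("posted rules", walk_posted), ("with hairpin dstnat", walk_with_hairpin)):
        for who, pkt in (("LAN client", LAN_CLIENT), ("WAN client", WAN_CLIENT)):
            print(f"{label:20} {who}: {fn(pkt)}")
```

Running it shows the two halves of a hairpin: with only the posted rules, the LAN client's packet to the public IP never matches Seafile-1 (it arrived on the bridge, not on a WAN-list interface) and ends up at the router's own input chain, while the WAN client is translated normally. With the extra dstnat rule the LAN packet is translated to 192.168.12.42 and then rule 8 masquerades its source to the router's LAN address, so the server's reply returns through the router instead of going straight back to the client.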