I read all available posts about hairpin DNS but I'm still not able to connect to my web server from LAN using WAN IP address.
Here's my configuration. The configuration is rather simple, no Vlans, no scripts. It should work flawlessly but it isn't. Please, help!
Code: Select all
# may/25/2022 20:20:22 by RouterOS 6.49.6
# software id = NC7Z-YYDY
#
# model = RB952Ui-5ac2nD
# serial number = CC3E0CE0494D
/interface bridge
add admin-mac=48:8F:5A:29:BA:2C arp=proxy-arp auto-mac=no comment=defconf \
name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.1.2-192.168.1.250
add name=l2tp-vpn ranges=192.168.10.2-192.168.10.10
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
add bridge=bridge dns-server=8.8.8.8 local-address=l2tp-vpn name=l2tp-profile \
remote-address=l2tp-vpn
/system logging action
add email-to=daper@daper.pl name=email target=email
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=WAN lan-interface-list=LAN
/interface l2tp-server server
set authentication=mschap2 default-profile=l2tp-profile enabled=yes \
use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-WAN list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
192.168.1.0
add address=1.2.3.4/30 interface=ether1-WAN network=83.3.240.96
/ip arp
add address=192.168.1.254 interface=bridge mac-address=D8:5D:4C:C5:80:3A
add address=192.168.1.251 interface=bridge mac-address=D0:67:E5:EB:C2:B8
add address=192.168.1.104 interface=bridge mac-address=\
B0:83:FE:B3:CB:8A
add address=192.168.1.240 interface=bridge mac-address=24:5E:BE:13:AB:17
/ip dhcp-client
add comment=defconf interface=ether1-WAN
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=\
192.168.1.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.1.1 comment=defconf disabled=yes name=router.lan
/ip firewall address-list
add address=216.218.206.0/24 list=blacklist
add address=45.83.0.0/16 list=blacklist
add address=65.49.20.0/24 list=blacklist
add address=45.79.82.0/24 list=blacklist
add address=184.105.0.0/16 list=blacklist
add address=45.128.110.122 list=allow_vpn
add address=91.240.107.209 list=allow_vpn
add address=74.82.0.0/16 list=blacklist
add address=27.115.0.0/16 list=blacklist
add address=64.62.0.0/16 list=blacklist
add address=1.2.3.4 list=WAN-IP
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=input comment="Drop blacklist" src-address-list=\
blacklist
add action=accept chain=input comment="Allow coming from LAN" \
in-interface-list=LAN
add action=accept chain=input comment="Accept VPN" dst-port=500,1701,4500 \
in-interface-list=WAN protocol=udp
add action=drop chain=input comment="Drop other inputs"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward connection-state=new in-interface-list=LAN \
out-interface-list=WAN
add action=accept chain=forward comment="Allow DSTNATED from WAN" \
connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="Allow l2tp user acces WAN" \
in-interface=all-ppp in-interface-list=!WAN out-interface-list=WAN
add action=accept chain=forward comment="Allow l2tp users access LAN" \
in-interface=all-ppp in-interface-list=!WAN out-interface=bridge
add action=drop chain=forward comment="Drop other forwards" connection-state=\
""
/ip firewall nat
add action=masquerade chain=srcnat comment=HairpinNAT dst-address=\
192.168.1.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment=NAT out-interface=ether1-WAN
add action=src-nat chain=srcnat dst-address=192.168.1.0/24 src-address=\
192.168.1.0/24 to-addresses=1.2.3.4
add action=dst-nat chain=dstnat comment="ALTI From WAN" dst-address=\
1.2.3.4 dst-port=2222 in-interface=ether1-WAN protocol=tcp \
to-addresses=192.168.1.252 to-ports=22
add action=dst-nat chain=dstnat dst-address=1.2.3.4 dst-address-type=\
local dst-port=80,443,3050,81 protocol=tcp to-addresses=192.168.1.252
/ip route
add distance=1 gateway=1.2.3.5
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes port=88
set ssh disabled=yes port=2200
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ppp secret
add name=tnt25 profile=l2tp-profile service=l2tp
add name=mtomaszewska profile=l2tp-profile service=l2tp
/system clock
set time-zone-name=Europe/Warsaw
/system logging
add action=email topics=error
/system ntp client
set enabled=yes primary-ntp=194.146.251.100 secondary-ntp=194.146.251.101
/tool bandwidth-server
set enabled=no
/tool graphing interface
add allow-address=192.168.1.251/32
/tool graphing queue
add allow-address=192.168.1.251/32
/tool graphing resource
add allow-address=192.168.1.251/32
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no