lucasmanual
just joined
Topic Author
Posts: 4
Joined: Thu Feb 09, 2023 7:00 pm

Forward port 80 on wan to 192.168.1.10:80 from outside and inside networks

Thu Feb 09, 2023 7:12 pm

Hello,
I'm hosting my own server.
I have a hAP ac3.

My domain lucasmanual (dot) com (dynamic IP) this hour forwards to my WAN address 67.176.176....
- I already set up port forwarding on port 80 (if traffic is coming from outside)
chain: dstnat; protocol: 6(tcp); dst.port 80; in.interface eth1; action: dst-nat; to-address: 192.168.1.10; to port 80
This works for anyone that is not on a network, but if a user within the network tries to access our WAN IP address
67.176.176....:80
they can't.
- I've already changed the MikroTik WebFig port in services from 80 to 8080.

How can I make sure that if I set up a port forwarding rule, it doesn't matter if it's local or external, and the port is forwarded to the proper server if I access our WAN IP address?
(This is normally done by all customer grade routers, but I'm having an issue finding a proper solution in MikroTik. I've searched for a week now.)

Thanks
Lucas
 
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Forward port 80 on wan to 192.168.1.10:80 from outside and inside networks

Thu Feb 09, 2023 9:23 pm

 
p3rad0x
Long time Member
Posts: 637
Joined: Fri Sep 18, 2015 5:42 pm
Location: South Africa

Re: Forward port 80 on wan to 192.168.1.10:80 from outside and inside networks

Fri Feb 10, 2023 11:54 am

You can set up a hairpin NAT for this.

/ip firewall nat add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.0/24 out-interface={Your lan facing interface or bridge} action=masquerade
 
lucasmanual
just joined
Topic Author
Posts: 4
Joined: Thu Feb 09, 2023 7:00 pm

Re: Forward port 80 on wan to 192.168.1.10:80 from outside and inside networks

Wed Mar 01, 2023 7:37 am

Hello,
To clarify, this is a home network and all I'm trying to accomplish is to fix the following:
- "Unable to access your server via the DOMAIN name from the LAN on dynamic wanip"
or
- Set up a rule that every other router you can buy for home (an off-the-shelf router from Best Buy) has had built in and out of the box for the last 15 years: if I forward port 80, I can access it from the LAN using my domain name and dynamic wanip.

Testing results 1:
@p3rad0x
/ip firewall nat add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.0/24 out-interface=bridge action=masquerade
Doesn't seem to work. "When you say lan facing interface, that should include all of them: eth2-4 + wifi-lan", so I've selected bridge.
Still can't access lucasmanual dot com port 80.

Testing Result 2:
@anav
The forum topic describes exactly the problem, thank you! "Unable to access my domain from lan". But it has a lot of background details and at the end confuses me on which part I need to apply to solve MY problem.
It appears that:
this is supposed to work based on their example, which is the same rule as in test result 1, but it appears it comes with "the problem", which as a web developer I once had the pleasure of debugging. Needless to say, I would like the client to receive the response from the correct dynamic wanip. This leads me to believe that in addition to "HAIRPIN NAT Rule Test results 1" I need to add something else? _What_? (I did item 6 in that topic, and it still doesn't work):

quoting from article:
""
add chain=srcnat action=masquerade dst-address=192.168.88.0/24 src-address=192.168.88.0/24

Courtesy of Sob, (the problem):
"- user client 192.168.88.5 wants to connect to www.myserver.net, resolves hostname, gets 47.123.12.89 and sends initial packet to it
- client doesn't have any idea where 47.123.12.89 is, as far as it knows, it can be on the other side of planet
- dstnat rule changes packet's destination address to 192.168.88.68 and sends it to server
- source address is not changed, it's still 192.168.88.5 <- the problem
- server gets the packet and sends response directly to 192.168.88.5, because it's in same subnet!!
- client throws it away, because it doesn't expect any response from 192.168.88.68
the client is expecting a response from 47.xx
""""

Test Result 3:
Re-reading the article @anav
It appears that adding a masquerade rule
/ip firewall nat add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.0/24 out-interface=bridge action=masquerade

HAS to be followed by modifying the firewall NAT rule that we set up before to forward port numbers.
Changing (although please correct me if this is not correct, or I'm doing it wrong)
to:
add chain=dstnat action=dst-nat dst-address-type=local dst-address=!192.168.1.1 \
protocol=tcp dst-port=80 to-addresses=192.168.1.10
 
Ca6ko
Long time Member
Posts: 500
Joined: Wed May 04, 2022 10:59 pm
Location: Kharkiv, Ukraine

Re: Forward port 80 on wan to 192.168.1.10:80 from outside and inside networks

Wed Mar 01, 2023 8:40 am

The easiest way is to
1. Make a static DNS entry lucasmanual (dot) com 192.168.1.10.
2. Set up the MikroTik as a DNS server.
3. Configure the MikroTik firewall to redirect all requests to port 53 on 192.168.1.1. If a device has its own DNS server, the requests will be redirected to the MikroTik DNS.
As a result, all devices from the local network will reach the server, even if there is no internet on the router.
 
lucasmanual
just joined
Topic Author
Posts: 4
Joined: Thu Feb 09, 2023 7:00 pm

Re: Forward port 80 on wan to 192.168.1.10:80 from outside and inside networks

Wed Mar 15, 2023 8:03 pm

Thanks @Ca6ko, but that is not how I asked for it to be solved.

Problem with your approach for web developers:
- no firewall rules for in-network traffic. This means that if you made a mistake in sockets or firewall rules, you will not be able to discover it until in prod. All traffic from prod or the cell network will go through the proper channels that are configured, but traffic on the LAN would totally bypass everything.

My last approach worked for all LAN devices, but it doesn't seem to affect wifi users. So the search for the proper setup continues.
Again I can't stress this enough. Asus, Netgear, Linksys home/or gaming routers have this routing working out of the box. All I want to do is make Mikrotik do the same.

Thanks
Lucas
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Forward port 80 on wan to 192.168.1.10:80 from outside and inside networks  [SOLVED]

Wed Mar 15, 2023 9:02 pm

Some routers are for home owners, plugNplay.
MT is for those who are willing to learn how traffic flows in devices and then have to program the router accordingly.
If you expect to read an article without any understanding of ROS and make complete sense of it, then you are mistaken.
It's called experiment, make an effort, trial and error, get your feet wet, etc........................


In your case with a dynamic WANIP the requirements are crystal clear.

a. in firewall rules you need one forward chain rule.
add chain=forward action=accept connection-nat-state=dstnat

Note1: Get rid of any existing rule that talks about in-interface=WAN for destination nat.

b. in source nat rules you need a hairpin nat rule along with the standard rule.
/ip firewall nat
add chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=192.168.1.0/24
add chain=srcnat action=masquerade out-interface-list=WAN


c. you need a method to direct your users to the router and the easiest one is simply making a firewall address list

/ip firewall address-list
add address=lucasmanual.com list=MYWANIP


Note1: The MT router will resolve that to IP for you and you can check it at the firewall address list location.

d. formulate the destination nat rule.
add chain=dstnat action=dst-nat dst-address-list=MYWANIP dst-port=XX protocol=YYY to-addresses=serverIP

Note: To ports is not required if same as dst-port!
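
The packet walk quoted earlier in the thread and the rules in this answer, as a small model (an added example, not code from any poster or from MikroTik). It is a simplification of connection tracking; 203.0.113.7 is a constructed stand-in for the dynamic WAN IP, 192.168.1.50 is a constructed LAN client, and all function names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed addresses: 203.0.113.7 stands in for the dynamic WAN IP.
WAN_IP, ROUTER_LAN = "203.0.113.7", "192.168.1.1"
SERVER, CLIENT = "192.168.1.10", "192.168.1.50"
LAN = ipaddress.ip_network("192.168.1.0/24")

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_iface: str  # interface the packet entered the router on

def on_lan(addr):
    return ipaddress.ip_address(addr) in LAN

def dstnat(pkt, in_iface=None):
    """dst-nat WAN_IP -> SERVER; in_iface mimics an in-interface matcher."""
    if pkt.dst != WAN_IP or (in_iface and pkt.in_iface != in_iface):
        return pkt  # no match: packet stays addressed to the router itself
    return replace(pkt, dst=SERVER)

def srcnat(pkt, hairpin):
    """Hairpin masquerade: LAN-to-LAN traffic leaves with the router's LAN IP."""
    if hairpin and on_lan(pkt.src) and on_lan(pkt.dst):
        return replace(pkt, src=ROUTER_LAN)
    return pkt

def lan_client_connects(in_iface, hairpin):
    """Verdict for a LAN client opening a connection to WAN_IP."""
    sent = Packet(CLIENT, WAN_IP, "bridge")
    fwd = srcnat(dstnat(sent, in_iface), hairpin)
    if fwd.dst != SERVER:
        return "not forwarded"
    # Reply goes to fwd.src. Via the router, connection tracking undoes both
    # translations; sent directly to the client, it keeps the server's address.
    reply_src = WAN_IP if fwd.src == ROUTER_LAN else SERVER
    if reply_src != sent.dst:
        return f"reply from {reply_src} dropped, client expected {sent.dst}"
    return "ok"

if __name__ == "__main__":
    cases = {"dstnat bound to WAN interface + hairpin": ("wan", True),
             "dstnat on any interface, no hairpin": (None, False),
             "dstnat on any interface + hairpin": (None, True)}
    for name, args in cases.items():
        print(f"{name}: {lan_client_connects(*args)}")
```

The first case shows why adding only the masquerade rule changes nothing while the dst-nat rule still matches on the WAN in-interface; the LAN client's packet never reaches the server.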
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Forward port 80 on wan to 192.168.1.10:80 from outside and inside networks

Wed Mar 15, 2023 9:06 pm

Highly recommend that all those using your server provide you with their fixed static WANIP or their WANIP via a dyndns name. No excuses, there are plenty of free providers.
Then you make up an address list of those users.....................

add chain=dstnat action=dst-nat dst-address-list=MYWANIP dst-port=XX protocol=YYY to-addresses=ServerIP src-address-list=AuthorizedUsers

Note: When using a source address list, the port does not appear on a scan, otherwise the port will appear on a scan under the category of closed.
 
aoakeley
Member Candidate
Posts: 171
Joined: Mon May 21, 2012 11:45 am

Re: Forward port 80 on wan to 192.168.1.10:80 from outside and inside networks

Wed Mar 15, 2023 11:51 pm


"Again I can't stress this enough. Asus, Netgear, Linksys home/or gaming routers have this routing working out of the box. All I want to do is make Mikrotik do the same."
And you have been told the answer a number of times. Add a rule for "Hairpin NAT". It really is that simple.
 
lucasmanual
just joined
Topic Author
Posts: 4
Joined: Thu Feb 09, 2023 7:00 pm

Re: Forward port 80 on wan to 192.168.1.10:80 from outside and inside networks

Mon Nov 13, 2023 7:03 am

Hello,
For those on Google who found this post...

The following instructions from @anav :D
by anav » Wed Mar 15, 2023 2:02 pm :D
solve the problem of
"Allowing internal LAN users to access your server via a domain name that points to your dynamic WAN IP address"
aka
You are hosting your own server, and you want to access the server's website and other services from the internal network.
aka
You are using a dynamic IP address to host your website server, and you want to access that server from the LAN or from all phones connected through MikroTik Wifi.
aka
You are running an app on each phone that syncs your photos (when plugged in and charging) to your internal server using your dynamically hosted domain. (PS: Msg me if you are interested in having your photos backed up to a secure server that does not violate your privacy.) :shock:

Thank you!
Lucas
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Forward port 80 on wan to 192.168.1.10:80 from outside and inside networks

Mon Nov 13, 2023 3:38 pm

Hi Lucas, instead of looking at the instructions, read the link they came from so that one LEARNS what one is configuring:

viewtopic.php?t=179343
