fionaellie
Joined: Mon Jan 15, 2024 12:06 am

Yet another new user with ddns issues :?

Wed Jan 17, 2024 12:30 am

Hello,
I've been reading a lot of posts and trying various solutions but just can't wrap my head around this. I'm no networking expert, but I have successfully used lots of consumer routers, EdgeOS, OPNsense, UniFi and Omada, so I have been excited to learn more about MikroTik.

I'm able to reach my internal services if I use my (current) public IP but not with DDNS (Cloudflare). I have checked to be sure the A record is indeed the same as the public IP.

I have a feeling my issue is related to the way hairpin NAT is configured.

[admin@MikroTik] > ip firewall nat print   
Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; back-to-home-vpn
      chain=srcnat action=masquerade src-address=192.168.216.0/24 

 1    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN log=no 
      log-prefix="" ipsec-policy=out,none 

 2    ;;; Seafile-1
      chain=dstnat action=dst-nat to-addresses=192.168.12.42 to-ports=8000 
      protocol=tcp in-interface-list=WAN dst-port=8000 log=no log-prefix="" 

 3    ;;; Seafile-2
      chain=dstnat action=dst-nat to-addresses=192.168.12.42 to-ports=8082 
      protocol=tcp in-interface-list=WAN dst-port=8082 log=no log-prefix="" 

 4    ;;; Plex
      chain=dstnat action=dst-nat to-addresses=192.168.12.29 to-ports=32400 
      protocol=tcp in-interface-list=WAN dst-port=32400 

 5    ;;; WG-42
      chain=dstnat action=dst-nat to-addresses=192.168.12.42 to-ports=51820 
      protocol=udp in-interface-list=WAN dst-port=51820 

 6    ;;; WG-60
      chain=dstnat action=dst-nat to-addresses=192.168.12.60 to-ports=51888 
      protocol=udp in-interface-list=WAN dst-port=51888 

 7    ;;; WG-43
      chain=dstnat action=dst-nat to-addresses=192.168.12.43 to-ports=51889 
      protocol=udp in-interface-list=WAN dst-port=51889 

 8    chain=srcnat action=masquerade src-address=192.168.12.0/24 
      dst-address=192.168.12.0/24 log=no log-prefix="" 

[admin@MikroTik] > ip firewall filter print
Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; back-to-home-vpn
      chain=forward action=drop 
      src-address-list=back-to-home-lan-restricted-peers out-interface-list=LAN 

 1  D ;;; back-to-home-vpn
      chain=input action=accept protocol=udp dst-port=9378 

 2  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 3    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 

 4    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid 

 5    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

 6    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1 

 7    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN log=no log-prefix="" 

 8    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 

 9    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 

10    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection hw-offload=yes 
      connection-state=established,related 

11    ;;; defconf: accept established,related, untracked
      chain=forward action=accept 
      connection-state=established,related,untracked 

12    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 

13    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new 
      connection-nat-state=!dstnat in-interface-list=WAN 

14    chain=forward action=accept protocol=tcp dst-port=8043 log=no log-prefix=""

8043 is the omada port (for APs) and I was testing with it, but I don't understand how it got in the filter rules list.
Thanks!
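As an added illustration, not part of the post or of any RouterOS tool, here is a small Python checker that parses the `ip firewall nat print` output above and reports dst-nat rules that only match `in-interface-list=WAN`; such a rule is never evaluated for a LAN client that connects to the public IP or the DDNS name, because that packet arrives on a LAN interface, which is the hairpin NAT gap the post suspects. The excerpt (rules 2, 5 and 8) and the LAN subnet 192.168.12.0/24 are taken from the post's output; everything else is assumed.

```python
import re

# Constructed excerpt of the poster's `/ip firewall nat print` output (rules 2, 5 and 8).
SAMPLE_NAT_PRINT = """\
Flags: X - disabled, I - invalid; D - dynamic
 2    ;;; Seafile-1
      chain=dstnat action=dst-nat to-addresses=192.168.12.42 to-ports=8000
      protocol=tcp in-interface-list=WAN dst-port=8000 log=no log-prefix=""
 5    ;;; WG-42
      chain=dstnat action=dst-nat to-addresses=192.168.12.42 to-ports=51820
      protocol=udp in-interface-list=WAN dst-port=51820
 8    chain=srcnat action=masquerade src-address=192.168.12.0/24
      dst-address=192.168.12.0/24 log=no log-prefix=""
"""
RULE_START = re.compile(r"^\s*(\d+)\s+(?:([XID])\s+)?(.*)$")  # number, flag column, rest
KEY_VALUE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')

def parse_print(text):
    """Turn RouterOS `print` output into one dict per rule (id, flags, comment, key=values)."""
    rules = []
    for line in text.splitlines():
        m = RULE_START.match(line)
        if m:  # new rule: the rest is either a ';;;' comment or key=value pairs
            rules.append({"id": int(m.group(1)), "flags": m.group(2) or "", "comment": ""})
            rest = m.group(3)
            if rest.startswith(";;;"):
                rules[-1]["comment"], rest = rest[3:].strip(), ""
            rules[-1].update(KEY_VALUE.findall(rest))
        elif rules and line.startswith(" "):  # indented continuation of the current rule
            rules[-1].update(KEY_VALUE.findall(line))
    return rules

def hairpin_gaps(rules, lan_subnet):
    """Return (WAN-only dst-nat rules, whether a LAN->LAN masquerade exists).
    A LAN client connecting to the public IP (or its DDNS name) arrives on a LAN interface, so a
    dst-nat rule keyed on in-interface-list=WAN never sees it; hairpin NAT needs a dst-nat rule that
    also matches from LAN (e.g. on dst-address=<public IP>) plus the LAN->LAN masquerade."""
    wan_only = []
    for r in rules:
        if (r.get("chain"), r.get("action"), r.get("in-interface-list")) != ("dstnat", "dst-nat", "WAN"):
            continue
        key = (r.get("protocol"), r.get("dst-port"))
        covered = any(o is not r and o.get("chain") == "dstnat" and o.get("in-interface-list") != "WAN"
                      and (o.get("protocol"), o.get("dst-port")) == key for o in rules)
        if not covered:
            wan_only.append((r["id"], r["comment"], *key))
    has_lan_masq = any(r.get("chain") == "srcnat" and r.get("action") == "masquerade"
                       and r.get("src-address") == r.get("dst-address") == lan_subnet for r in rules)
    return wan_only, has_lan_masq
```

Run against the excerpt it reports rules 2 and 5 as reachable from WAN only, while rule 8 (the LAN-to-LAN masquerade half of hairpin NAT) is present.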
