I have a NAS running Nextcloud in a Docker container (192.168.0.2). I also have a static IP from my ISP. To make the Nextcloud reachable from the outside, I forwarded port 80 and 443 to 192.168.0.2. So that the Nextcloud is also accessible in the LAN via the domain, I have set up a hairpin NAT. This all works so far. Except for the described I have not changed the rules by hand.
Now I have set up a Wireguard server (https://www.youtube.com/watch?v=vn9ky7p5ESM). With my Android phone I can establish the connection and can also connect to all devices in my network, except to the NAS (192.168.0.2). Probably there is a conflict with the port forwarding or the hairpin NAT. Can anyone help me?
Router config:
Code: Select all
# jun/08/2023 06:39:23 by RouterOS 7.9.2
# software id = W9AR-VJMJ
#
# model = RB750Gr3
# serial number = HDD08XXYYYXXX
/interface bridge
add admin-mac=18:FD:74:F4:93:DA auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan
set [ find default-name=ether2 ] name=ether2-lan
set [ find default-name=ether3 ] name=ether3-lan
set [ find default-name=ether4 ] name=ether4-lan
set [ find default-name=ether5 ] name=ether5-lan
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.0.50-192.168.0.240
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2-lan
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3-lan
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4-lan
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5-lan
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set authentication=mschap1,mschap2 use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-wan list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=192.168.100.2/32 comment=Android interface=wireguard1 \
public-key="lEE4mpqhu37-hhhhhhhhhhhhhh"
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=\
192.168.0.0
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
/ip dhcp-client
add comment=defconf interface=ether1-wan
/ip dhcp-server lease
add address=192.168.0.21 comment=OpenDTU mac-address=B4:E6:2D:96:2B:75 \
server=defconf
add address=192.168.0.25 comment="Shelly 1PM Luftentfeuchter" mac-address=\
A8:03:2A:B7:7E:B0 server=defconf
add address=192.168.0.22 comment="Shelly 3EM" mac-address=24:4C:AB:41:A8:24 \
server=defconf
add address=192.168.0.23 comment=Gasmeter mac-address=94:B5:55:FC:47:F0 \
server=defconf
add address=192.168.0.24 comment=Watermeter mac-address=94:B5:55:FC:59:0C \
server=defconf
add address=192.168.0.26 comment="Shelly 1 PM Heizstab" mac-address=\
3C:61:05:79:D4:74 server=defconf
add address=192.168.0.20 comment=Roborock mac-address=50:EC:50:0E:1B:F3 \
server=defconf
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf dns-server=192.168.0.2 gateway=\
192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input src-address=192.168.100.0/24
add action=accept chain=input dst-port=13231 protocol=udp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
192.168.0.2 out-interface=bridge protocol=tcp src-address=192.168.0.0/24
add action=dst-nat chain=dstnat comment="Nextcloud http" dst-address=\
xxx.xxx.x51.94 dst-port=80 protocol=tcp to-addresses=192.168.0.2 to-ports=\
80
add action=dst-nat chain=dstnat comment="Nextcloud https" dst-address=\
xxx.xxx.x51.94 dst-port=443 protocol=tcp to-addresses=192.168.0.2 \
to-ports=443
/system clock
set time-zone-name=Europe/Zurich
/system identity
set name=RouterOS
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=pool.ntp.org
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
