 
Andys
just joined
Topic Author
Posts: 11
Joined: Fri Aug 03, 2012 8:02 am

Routing requests from LAN back into LAN

Sat Aug 04, 2012 10:35 am

Hello, I am still learning the basics, everything is set up for a home configuration, now I have one single trouble I cannot solve myself.
I have a RB751G-2HnD, Internet connection is set through PPTP client on router itself. External IP is dynamically assigned to pptp interface.
I have a dyndns script which works just fine and correctly updates my dyndns third-level domain name.
Port 80 is forwarded to internal web server, everything works fine if I access it from Internet (tried web proxy and Tor for that).

Now, I want requests to external IP from LAN to be routed back to my web server, as if they came from Internet.
Like this - http request comes from LAN (bridge-local) and its destination IP is assigned to router's external interface. I want this packet to be passed back to IP located inside LAN.
External IP (destination) is dynamic so I can't use it in any firewall rules.

I understand I can just add a local IP of web server into static dns hosts and access it by domain name but I'd like to use external IP (for uniformity).
 
hassibi
Trainer
Posts: 130
Joined: Wed Jun 13, 2012 5:58 am
Location: Iran,Kerman

Re: Routing requests from LAN back into LAN

Mon Aug 06, 2012 10:54 am

Hello
I think if you use dst-nat for your local clients to access your WAN IP address, your problem will be solved. Check it.
 
Andys
just joined
Topic Author
Posts: 11
Joined: Fri Aug 03, 2012 8:02 am

Re: Routing requests from LAN back into LAN

Mon Aug 06, 2012 11:20 am

Hello
I think if you use dst-nat for your local clients to access your WAN IP address, your problem will be solved. Check it.
This has two problems -
1. add chain=dstnat protocol=tcp dst-port=80 action=dst-nat to-address=192.168.1.2 (the same as port forwarding rule but without in-interface) doesn't work. Browser fails to fetch the page, and apache logs do not show any requests.
2. If this rule would work, I'd need to add a filter so my usual outgoing browsing requests to Internet would be ignored. This filtering rule is what's bothering me (my external IP is dynamic)
 
hassibi
Trainer
Posts: 130
Joined: Wed Jun 13, 2012 5:58 am
Location: Iran,Kerman

Re: Routing requests from LAN back into LAN

Mon Aug 06, 2012 6:59 pm

send your network diagram and say what you want exactly then i can help you better
 
Andys
just joined
Topic Author
Posts: 11
Joined: Fri Aug 03, 2012 8:02 am

Re: Routing requests from LAN back into LAN

Mon Aug 06, 2012 7:32 pm

Image
Pptp connection is my internet source. Ext LAN is only a medium to provide path to ISP's pptp server.
myserv.dyndns.org domain address is assigned to ip on this pptp interface (updated via dyndns script).
On RB751G there is a '/ip firewall nat chain=dstnat action=dst-nat to-addresses=192.168.1.2 protocol=tcp in-interface=pptp-out1 dst-port=80' rule for port forwarding.
This rule works fine, but only if connection request comes from pptp interface (straight from internet).

Now, I want my web server machine (or any client inside internal LAN 192.168.1.0) to be able to access the same website (myserv.dyndns.org).
And perform this feat without static hosts or dns record, by connecting to the exact external IP.

Something like -
1. client requests myserv.dyndns.org
2. connection request comes to router, it notices that the request is for IP assigned to its own local interface
3. connection is transparently forwarded to forward rule destination (internal web server, according to rule).
Client thinks it is accessing some external IP, not 192.168.1.2.

p.s. physically this IS possible, since my old ASUS router was acting this way right after I set port 80 forwarding on it.
 
neticted
Member Candidate
Posts: 137
Joined: Wed Jan 04, 2012 10:36 am

Re: Routing requests from LAN back into LAN

Tue Aug 07, 2012 9:17 am

You cannot forward back to the same interface connection came into router.

But you create separate local network for server, with different IP range and connected to separate interface, and then forward there.
 
Andys
just joined
Topic Author
Posts: 11
Joined: Fri Aug 03, 2012 8:02 am

Re: Routing requests from LAN back into LAN

Tue Aug 07, 2012 10:42 am

You cannot forward back to the same interface connection came into router.

But you create separate local network for server, with different IP range and connected to separate interface, and then forward there.
Why not? Windows' RRAS could do it, my old asus router could do it.
RouterOS is much better than these and cannot perform the same task?

Well, even if I do it this way - which exact rule would filter requests to internal web server from requests to Internet web sites? My external IP is dynamic.

//update.
It is possible. Thinking logically, I made two rules -
1. chain=dstnat action=dst-nat to-addresses=192.168.1.2 protocol=tcp dst-address=<my current external ip> dst-port=80
2. chain=srcnat action=masquerade protocol=tcp src-address=192.168.1.0/24 out-interface=bridge-local dst-port=80
Basically, I NATted all requests which are coming from internal ips and going to internal network.

Now, the only thing left is how to get rid of 'dst-address=<my current external ip>' in the first rule.
I am thinking it would be possible to rewrite the rule using the same dyndns script I am using. It will update it with current external IP.
But maybe there's a better solution, without scripts? Like setting 'dst-address = 'any_local' ? Is this kind of rule possible in ROS?
And it seems I can't directly use global variables inside firewall rules. What a pity :(
 
RomelSan
newbie
Posts: 37
Joined: Fri Jul 06, 2012 1:53 am

Re: Routing requests from LAN back into LAN

Wed Aug 08, 2012 12:36 am

Good question.

Normally you just navigate a server using the local name or local server ip + port.
And if you want to test the connection only (No login) it's ok to use external proxy, TOR or VPN.

But in your case the rule you set will have Mikrotik Os to resolve the dyndns ip...

For Solution Read and use small script from: http://wiki.mikrotik.com/wiki/Use_host_ ... wall_rules

I have a Synology NAS like this. If you find another way without scripts, then let us know via this Post. :)

Cheers!
 
ditonet
Forum Veteran
Posts: 835
Joined: Mon Oct 19, 2009 12:52 am
Location: Europe/Poland/Konstancin-Jeziorna

Re: Routing requests from LAN back into LAN

Wed Aug 08, 2012 8:04 pm

@Andys
Follow this example:
http://wiki.mikrotik.com/wiki/Hairpin_NAT,
and use your DynDNS script to change '1.1.1.1' from above example to resolved 'myserv.dyndns.org'.

HTH,
 
satman1w
Member Candidate
Posts: 287
Joined: Mon Oct 02, 2006 11:47 am

Re: Routing requests from LAN back into LAN

Tue Oct 02, 2012 12:42 pm

@Andys
Follow this example:
http://wiki.mikrotik.com/wiki/Hairpin_NAT,
and use your DynDNS script to change '1.1.1.1' from above example to resolved 'myserv.dyndns.org'.

HTH,
Wiki article was written by user "Fewi", and since I do not know of any other way to acknowledge his contribution I will do it here!

Fewi, excellent and very useful article!!

Thank You
 
sam9s
just joined
Posts: 9
Joined: Mon Jul 03, 2017 12:25 am

Re: Routing requests from LAN back into LAN

Mon Jul 03, 2017 12:40 am

Hi All,

I sincerely apologize to wake up an old thread but I am EXACTLY in the same boat and none of the solution scripts I have tried works for me. This is my current scenario.

1. My modem is on pppoe and set to bridge
2. MT router is configured correctly to dial in pppoe connection. (The Internet is working)
3. I managed to set port fw for my NAS and was able to access it via DDNS from The INTERNET only (at first)
4. googled more and came to this thread and with the help provided here managed to set Routing from LAN back to LAN and now I CAN access my NAS via DDNS from within the LAN as well.
5. Next was to update the public IP since under Firewall-NAT the dst-Address is my public dynamic IP and I want to make sure that if it changes, DDNS keep on working correctly.

6. This is where I am stuck and have spent 3-4 hours to get the script run to achieve the desired result.

As per this thread, I followed the tut written @ https://wiki.mikrotik.com/wiki/Use_host ... wall_rules

a. Step one :: /ip firewall address-list add address=0.0.0.0 comment=sam9s.synology.me list=host_synology
this adds the entry under firewall->address list

b. step two :: /ip firewall filter add chain=output dst-address-list=host_synology action=accept
this added an entry under firewall->filter

Now when I run the script posted there ... NOTHING happens ..... the Address under Firewall->Address Lists still just stays at 0.0.0.0, Correct me if I am wrong when the scripts run this 0.0.0.0 should change to my public IP right. It does not.

I have tried other scripts but nothing works, maybe I am missing something.

Can the gurus PLEASE assist me here, and I am running in circles for the past couple of hours without success

Regards
Sammy
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Routing requests from LAN back into LAN

Mon Jul 03, 2017 3:52 am

You don't need a script, you can simply do:
/ip firewall address-list
add address=sam9s.synology.me list=host_synology
Unless you have some very old RouterOS version, in that case upgrade.

And don't dig up such old threads. You know how many people will open it, start reading it from beginning, think about the problem ... only to realize several minutes later that it's all just history? If you think the old thread is relevant, it's better to just link to it from yours.
 
sam9s
just joined
Posts: 9
Joined: Mon Jul 03, 2017 12:25 am

Re: Routing requests from LAN back into LAN

Mon Jul 03, 2017 11:17 am

You don't need a script, you can simply do:
/ip firewall address-list
add address=sam9s.synology.me list=host_synology
Unless you have some very old RouterOS version, in that case upgrade.
OK Done.

Can you explain how is this step helping, when my public IP changes, under NAT - > Dst Address, where I have done LAN back to LAN config, would that reflect the changed public IP automatically.
If yes what is the script for? (The one I shared?)

ROS is latest I believe Winbox v6.39.2
And don't dig up such old threads. You know how many people will open it, start reading it from the beginning, think about the problem ... only to realize several minutes later that it's all just history? If you think the old thread is relevant, it's better to just link to it from yours.
Understood. Would open a new thread from here on and link it to any relevant old one if needed. Apologies for this time.
 
karlisi
Member
Posts: 469
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: Routing requests from LAN back into LAN

Mon Jul 03, 2017 11:30 am

You should add address list entry exactly as said, using DNS name not IP address
/ip firewall address-list
add address=sam9s.synology.me list=host_synology
If router has correct DNS entries (IP -> DNS), it will resolve IP address and add them to this entry.
Then address_list will work correctly.
 
sam9s
just joined
Posts: 9
Joined: Mon Jul 03, 2017 12:25 am

Re: Routing requests from LAN back into LAN

Mon Jul 03, 2017 12:19 pm

You should add address list entry exactly as said, using DNS name not IP address
/ip firewall address-list
add address=sam9s.synology.me list=host_synology
If router has correct DNS entries (IP -> DNS), it will resolve IP address and add them to this entry.
Then address_list will work correctly.
OK and what constitutes correct DNS. I have not changed anything there so whatever entry is there is there by default ...
below is what I have currently. Not sure why 192.168.1.1 is there, that's not my router IP. Router ip is 192.168.88.1
Image
 
w177f
newbie
Posts: 27
Joined: Fri Jun 30, 2017 2:21 pm
Location: Dublin, Ire

Re: Routing requests from LAN back into LAN

Mon Jul 03, 2017 2:57 pm

Hello,

Is there a specific reason you want to approach this with a hairpin NAT?

Personally, I have entries in my local DNS servers to resolve the respective FQDN to their LAN address.
 
sam9s
just joined
Posts: 9
Joined: Mon Jul 03, 2017 12:25 am

Re: Routing requests from LAN back into LAN

Mon Jul 03, 2017 8:05 pm

Hello,

Is there a specific reason you want to approach this with a hairpin NAT?

Personally, I have entries in my local DNS servers to resolve the respective FQDN to their LAN address.
No there was no specific reason, if there was another way to do it, which someone had suggested before I ran in this thread I would have opted the same, none the less, that issue was resolved. However that was part one of the entire problem. (if you read my posts)

Now part two was to be able to update Firewall-NAT the dst-Address by my public IP if it changes and I thought script was the solution, but as per SOB """"/ip firewall address-list
add address=sam9s.synology.me list=host_synology""""" running this will solve the issue, which I have done.

BUT I just wanted to understand HOW this is helping, and when my public IP changes, under NAT - > Dst Address, where I have done LAN back to LAN config, would that reflect the changed public IP automatically.???? IF YES then what was/is the role of script that I mentioned, what does that do

Then came the reply that if I have correct DNS the command""""""""""""" "ip firewall address-list
add address=sam9s.synology.me list=host_synology"""""""""""' will work correctly ... BUT I am not sure what constitutes correct DNS, as you can even use google DNS to achieve the result. I share my DNS screen shot.

I am waiting for any reply from any one who posted to my query in the previous page , to understand the working better ... But haven't received any response .. :(
 
w177f
newbie
Posts: 27
Joined: Fri Jun 30, 2017 2:21 pm
Location: Dublin, Ire

Re: Routing requests from LAN back into LAN

Mon Jul 03, 2017 9:41 pm

So apologies if I was a little brief.

When I said why don't you just look at using local DNS, I meant this in place of everything on the hairpin NAT side of things.

Right now I'm unsure if you have things operational from the hairpin NAT side of things and would just like a detailed explanation, or are still trying to get things to work for your use case.

Focusing on your scenario and getting things working (apologies if the next bit is redundant);

Your Synology can see your public IP by querying Synology's servers, they then update their name servers for synology.me to record the relevant IP for sam9s.synology.me and boom, WAN access resolving sam9s.synology.me to your WAN ip.
On the LAN side of things, if you add a static entry to your DNServer to resolve sam9s.synology.me to your Synology's LAN address, your devices will talk directly to the Synology when on the LAN.
It is important to note in this scenario that you should have the relevant entry for sam9s.synology.me on all DNservers that serve your network, or that if the Mikrotik is the only DNServer on your network, you're not telling your PC's to also use Google via your DHCP server, or a local static entry.

If you would like me to go into detail on how a Hairpin NAT actually works, and why it's needed, PM me as IMO using DNS is the beginner and most straight forward approach
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Routing requests from LAN back into LAN

Tue Jul 04, 2017 3:03 am

I read it again and I got a little misled by the resolving script before. What I suggested would replace only this part. But in fact, you don't need any DNS resolving at all (well, possibly, see below).

You have two options:

a) Stick with hairpin NAT. The example assumes that your LAN network is 192.168.88.0/24, router has 192.168.88.1, internal server has 192.168.88.100 and you want to forward tcp port 80. Change it to your numbers. First add dstnat rule:
/ip firewall nat
add action=dst-nat chain=dstnat dst-address-type=local dst-address=!192.168.88.1 dst-port=80 protocol=tcp to-addresses=192.168.88.100
It will match connections to port 80 and any address owned by router, except its internal one (so you can still access WebFig on http://192.168.88.1 if you use it). Then add srcnat rule for hairpin NAT:
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.88.0/24 out-interface=<LAN> src-address=192.168.88.0/24
It's universal one and will work with all ports you forward. And finally allow forwarded ports through router's firewall:
/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat
b) Use DNS as w177f suggests:
/ip dns static
add address=192.168.88.100 name=sam9s.synology.me
Your devices in LAN need to use router as their DNS resolver, and thanks to this, when going to http://sam9s.synology.me, they will connect directly to internal address.

Each way has advantages and disadvantages:

Using static DNS seems simpler at first. It's also better for performance, because packets don't need to go to router and back, they go to server directly. But there are some limitations, e.g. connect a device with statically configured DNS resolver to something else than your router and it won't work. If you point more hostnames to you, static record will be required for each. And you have to keep up with changes (if you add or remove hostnames). But it's probably safe to assume that it shouldn't be a problem in your case. It also doesn't allow connections to numeric address, because you can't redirect it with DNS.

Hairpin NAT is "set it & forget it", it will automatically work with any hostname pointed to your current WAN address. But it's less effective, as mentioned previously. But it's a problem only when you have a lot of traffic.
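The packet flow behind option (a), as an added example that is not part of Sob's post: a small Python model of the dstnat and masquerade rules, using the thread's 192.168.88.0/24 addressing. The WAN addresses, the client address and all function names are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN_NET = ipaddress.ip_network("192.168.88.0/24")
ROUTER_LAN = "192.168.88.1"
SERVER = "192.168.88.100"


def in_lan(addr):
    return ipaddress.ip_address(addr) in LAN_NET


@dataclass
class Router:
    wan_ip: str                        # current dynamic WAN address (constructed)
    pinned_dst: Optional[str] = None   # models dst-address=<fixed WAN IP> in the dstnat rule
    hairpin_masquerade: bool = True    # models the srcnat masquerade rule

    def dstnat(self, dst, port):
        """Return the rewritten destination, or None when no dstnat rule matches."""
        if port != 80:
            return None
        if self.pinned_dst is not None:
            matched = dst == self.pinned_dst
        else:
            # dst-address-type=local dst-address=!192.168.88.1
            matched = dst in {ROUTER_LAN, self.wan_ip} and dst != ROUTER_LAN
        return SERVER if matched else None

    def srcnat(self, src, dst):
        """Return the source address the server sees."""
        if self.hairpin_masquerade and in_lan(src) and in_lan(dst):
            return ROUTER_LAN
        return src


def lan_connect(router, client, target, port=80):
    """Outcome of a LAN client opening a TCP connection to target:port."""
    new_dst = router.dstnat(target, port)
    if new_dst is None:
        return "not-forwarded"          # stays with the router itself (e.g. WebFig)
    seen_src = router.srcnat(client, new_dst)
    if seen_src == ROUTER_LAN:
        # The server answers the router, which reverses both translations,
        # so the client sees the reply coming from the address it dialled.
        reply_src = target
    else:
        # Server and client share a subnet: the reply goes straight to the
        # client with the server's own address as source, bypassing the router.
        reply_src = new_dst
    return "ok" if reply_src == target else "reply-from-wrong-address"


if __name__ == "__main__":
    client = "192.168.88.50"
    print(lan_connect(Router("203.0.113.7"), client, "203.0.113.7"))
    print(lan_connect(Router("203.0.113.7", hairpin_masquerade=False), client, "203.0.113.7"))
    print(lan_connect(Router("203.0.113.99", pinned_dst="203.0.113.7"), client, "203.0.113.99"))
```

The second call shows why the srcnat rule is needed, and the third shows why a dstnat rule pinned to an old WAN address stops forwarding once the address changes.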
 
sam9s
just joined
Posts: 9
Joined: Mon Jul 03, 2017 12:25 am

Re: Routing requests from LAN back into LAN

Tue Jul 04, 2017 2:24 pm

Ok Looks like I have made my posts overly complicated. My Apologies SOB and other. Let me make it simple.

1. Hairpin NAT IS working (so I am sticking with it rather taking the static DNS Route) : I CAN access sam9s.synology.me from LAN and WAN both. (Earlier I was only able to do this from WAN, after port fw rules and all.) then after setting Hairpin NAT I was able to access my NAS via FQDN from both LAN and WAN. Issue resolved.
SOB your assumption that you posted are correct. Also as you said Hairpin NAT is set and forget and I am comfortable with it now that I understand how it works.

2. Now coming to the ISSUE : While setting up Hairpin NAT when I applied the rule below entry was created in the Firewall->NAT table. (Which was expected). Refer the below screenshot.

Image

Now as you can see there is my public IP (don't worry that's not the current public IP) under IP->Firewall->NAT->Dst Address. My issue is when public IP changes, the IP under Dst Address also should change. Check out another snap

Image

If you can see under ip->CLOUD I can see my CURRENT public IP Address, (I have masked it). It's NOT the same under IP->Firewall->NAT->Dst Address, where I have configured the HairPIN NAT.

Unless that gets Auto updated HairPIN NAT will not work, and this is what is happening ... I need a solution to update my public IP @ IP->Firewall->NAT->Dst Address Automatically when it changes.

and I thought the script that I initially shared in this thread is supposed to do that. But I must be wrong as it did not work ...

Hope now I was able to make you and other understand what exactly is my problem here.

I apologize again for making this sound more complicated than it may actually be ...

Regards
Sammy
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Routing requests from LAN back into LAN

Tue Jul 04, 2017 4:01 pm

Easy, read again what I wrote and focus on dst-address-type=local option:
local - if dst-address is assigned to one of router's interfaces
So if you don't enter dst-address=<WAN IP> at all, but instead use the above, the rule will always work, no matter how often will WAN address change.
 
w177f
newbie
Posts: 27
Joined: Fri Jun 30, 2017 2:21 pm
Location: Dublin, Ire

Re: Routing requests from LAN back into LAN

Tue Jul 04, 2017 4:22 pm

The below script will update your firewall rules (1,4,6,8) to the Mikrotik Cloud public-address
It will also add it to your host_synology address list, as that was something you were looking to do earlier. You can remove bits as you see fit.

If you move the order of your NAT's, the script would have to be updated.
Also, I see you possibly have multiple rules for multiple ports, if the ports are the only difference, you can separate them by commas; 80,443,5000,5001

{
:local PublicIP [/ip cloud get public-address];
/ip firewall nat set 1,4,6,8 dst-address=$PublicIP
:log info "dst-address set to $PublicIP for NAT rules 1,4,6,8"
/ip firewall address-list add list=host_synology address=$PublicIP
:log info "Public address: $PublicIP added to host_synology list"
}
 
sam9s
just joined
Posts: 9
Joined: Mon Jul 03, 2017 12:25 am

Re: Routing requests from LAN back into LAN

Tue Jul 04, 2017 7:10 pm

The below script will update your firewall rules (1,4,6,8) to the Mikrotik Cloud public-address
It will also add it to your host_synology address list, as that was something you were looking to do earlier. You can remove bits as you see fit.

If you move the order of your NAT's, the script would have to be updated.
Also, I see you possibly have multiple rules for multiple ports, if the ports are the only difference, you can separate them by commas; 80,443,5000,5001

{
:local PublicIP [/ip cloud get public-address];
/ip firewall nat set 1,4,6,8 dst-address=$PublicIP
:log info "dst-address set to $PublicIP for NAT rules 1,4,6,8"
/ip firewall address-list add list=host_synology address=$PublicIP
:log info "Public address: $PublicIP added to host_synology list"
}
ok cool , are you sure it should be 1,4,6,8 and NOT 2,3,5,7, coz that's where the dst-address needs to be updated to public IP, other than that, I get the script and might give it a try.

In the meantime I am also trying to understand SOB solution, his hairpin NATTING I am not able to understand as much as I was able to get from the article (https://wiki.mikrotik.com/wiki/Hairpin_NAT).

Apologies SOB not your fault, that's my poor intellect.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Routing requests from LAN back into LAN

Tue Jul 04, 2017 7:47 pm

What exactly you don't understand?

It's almost the same, the only difference is that article's masquerade rule has:
dst-address=192.168.1.2 protocol=tcp dst-port=80
while mine has:
dst-address=192.168.1.0/24
So if you'd forward another port (e.g. 25 to 192.168.1.10:25), in first case you'd need to add another masquerade rule, because the first one is limited only to target 192.168.1.2:80. Mine covers everything in whole subnet.

Or if you mean dst-address-type=local vs. dst-address=WAN address in dstnat rule, I think it's simple and obvious. I'd gladly explain it better, but I'm not sure how. :)
 
sam9s
just joined
Posts: 9
Joined: Mon Jul 03, 2017 12:25 am

Re: Routing requests from LAN back into LAN

Tue Jul 04, 2017 8:24 pm

What exactly you don't understand?

It's almost the same, the only difference is that article's masquerade rule has:
dst-address=192.168.1.2 protocol=tcp dst-port=80
while mine has:
dst-address=192.168.1.0/24
So if you'd forward another port (e.g. 25 to 192.168.1.10:25), in first case you'd need to add another masquerade rule, because the first one is limited only to target 192.168.1.2:80. Mine covers everything in whole subnet.

Or if you mean dst-address-type=local vs. dst-address=WAN address in dstnat rule, I think it's simple and obvious. I'd gladly explain it better, but I'm not sure how. :)
Ok first of all it works!! :), disabled all my previous rules and applied the ones you suggested and I was able to open web page using sam9s.synology.me from both LAN and WAN.
Second, the only thing that was confusing me was dst-address=!192.168.88.1 , dst address NOT equals to router IP?? , how is this working. So any red that is not from a private IP, meaning will cover all external IPs whatever it is .............. Is this how it is working.??

Third, what was the objective of adding "/ip firewall filter add action=accept chain=forward connection-nat-state=dstnat" rule?

Apologies for taking this so long to get into my head. MikroTik ROS is not exactly, that straightforward .. :)

regards
Sammy
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Routing requests from LAN back into LAN

Tue Jul 04, 2017 8:51 pm

I already described that, but let's try it in different words. Most simple example is router with 192.168.88.1 on LAN port and e.g. 1.2.3.4 (public dynamic) on WAN port. When you use only dst-address-type=local, it will match any dst address owned by router, i.e. both 192.168.88.1 and 1.2.3.4. That's not a problem when the rule is for some unusual port (like 5001 in one of your screenshots), because no service uses this port on router (at least by default). But imagine what would happen with e.g. port 80 (used by WebFig) or 8291 (used by WinBox). If you forwarded those to some internal server, you could no longer use them to connect to router. That's what the other condition (dst-address=!192.168.88.1) solves, the rule will match connections to any address owned by router, except this one ("!" means "not").

Accept rule in firewall filter is to let forwarded ports through router. You may or may not need it, it depends on the rest of firewall rules. MikroTik's default firewall allows anything by default, except not dstnatted connections from WAN, so if you have that, you don't need this extra rule.
 
w177f
newbie
Posts: 27
Joined: Fri Jun 30, 2017 2:21 pm
Location: Dublin, Ire

Re: Routing requests from LAN back into LAN

Tue Jul 04, 2017 9:04 pm

ok cool , are you sure it should be 1,4,6,8 and NOT 2,3,5,7, coz that's where the dst-address needs to be updated to public IP, other than that, I get the script and might give it a try.
Apologies, yes.
 
sam9s
just joined
Posts: 9
Joined: Mon Jul 03, 2017 12:25 am

Re: Routing requests from LAN back into LAN

Tue Jul 04, 2017 11:06 pm

@Sob, something went wrong, it stopped working from within LAN. I swear it did work. But when I added 2 more services with ports it stopped working from within LAN. IT IS STILL working from WAN,(internet) but if I type sam9s.synology.me connected to my Home LAN, I get the site can't be reached. From WAN it opens my NAS page.

Let me share the screen shot for you to have a look. This how the rules looks now

Image
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Routing requests from LAN back into LAN

Tue Jul 04, 2017 11:47 pm

TIP: Don't share screenshots, share exports. Screens might not show everything. To get config export, open Terminal and use /export command, in this case (if you didn't change anything else) it should be enough to post output of "/ip firewall nat export". And btw, once you share your address (hostname in your case), it's kind of pointless to mask ports, there's only 65 thousands of them and anyone can easily scan which ones are open.

To see what happens, try to connect to some port and watch rule counters. Or use Tools->Torch, to see if packets are going where they should. You can also enable logging for each rule, to make sure that you won't miss any packet.
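A way to review such an export offline, as an added example that is not part of Sob's post: a Python check over `/ip firewall nat export` text that flags the three dstnat mistakes discussed in this thread (a rule with no scoping at all, a rule pinned to one WAN address, and a `dst-address-type=local` rule that also captures the router's own WebFig/WinBox ports). The sample export, its addresses and interface names are constructed, and line continuations are assumed to fall between parameters.

```python
import shlex

# WebFig (80) and WinBox (8291): the router's own services named in the thread.
ROUTER_SERVICE_PORTS = {"80", "8291"}

# Constructed sample export (addresses and interface names are made up).
SAMPLE_EXPORT = r"""/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=192.168.88.100
add action=dst-nat chain=dstnat dst-address=203.0.113.7 dst-port=5001 protocol=tcp \
    to-addresses=192.168.88.100
add action=dst-nat chain=dstnat dst-address-type=local dst-port=80,443 protocol=tcp to-addresses=192.168.88.100
add action=dst-nat chain=dstnat dst-address=!192.168.88.1 dst-address-type=local dst-port=80 protocol=tcp to-addresses=192.168.88.100
add action=masquerade chain=srcnat dst-address=192.168.88.0/24 out-interface=bridge src-address=192.168.88.0/24
"""


def parse_nat_export(text):
    """Turn the 'add key=value ...' lines of a NAT export into dicts."""
    # Long lines are wrapped with a trailing backslash; assumed to split between parameters.
    joined = text.replace("\\\n", " ")
    rules = []
    for line in joined.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        rule = {}
        for token in shlex.split(line)[1:]:
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def audit(rules):
    """Return (rule index, finding) pairs for dst-nat rules that need review."""
    findings = []
    for n, r in enumerate(rules):
        if r.get("chain") != "dstnat" or r.get("action") != "dst-nat":
            continue
        dst = r.get("dst-address", "")
        addr_type = r.get("dst-address-type")
        ports = set(r.get("dst-port", "").split(",")) - {""}
        if not dst and not addr_type and "in-interface" not in r:
            # Matches every connection to that port, including ordinary
            # outbound browsing from the LAN.
            findings.append((n, "unscoped"))
        elif dst and not dst.startswith("!"):
            # Hard-coded destination: stops matching when a dynamic WAN address changes.
            findings.append((n, "pinned-address"))
        elif addr_type == "local" and not dst and (not ports or ports & ROUTER_SERVICE_PORTS):
            # Also matches the router's LAN address, so WebFig/WinBox on those
            # ports becomes unreachable from the LAN.
            findings.append((n, "shadows-router-service"))
    return findings


if __name__ == "__main__":
    for index, finding in audit(parse_nat_export(SAMPLE_EXPORT)):
        print(index, finding)
```

Rule indices count the `add` lines of the export from zero; a "pinned-address" finding is only a problem when the WAN address is dynamic.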
 
sam9s
just joined
Posts: 9
Joined: Mon Jul 03, 2017 12:25 am

Re: Routing requests from LAN back into LAN

Tue Jul 04, 2017 11:55 pm

OK understood. Well something is wrong from my end only. Something with DDNS. Weird behavior. I have two DDNS, one from Synology that I shared here and one from no-ip as well. no-ip is the main one I use. with no-ip, all is working but with Synology.me 2 services are not working HA and seafile rest all are. Strange. I checked and both DDNS are correctly updated with my public IP. So apologies again, It's nothing to do with you, the rules or Mikrotik ROS. Rules are fine. The problem is somewhere else. Let me investigate more and see what could be wrong here. I am sorry to have troubled you.....and really BIG thanks for taking out time and assist this noob. :)
