Access to public IP from LAN (behind Mikrotik)

xchose · Tue Dec 25, 2018 2:49 pm

Hello everyone,

I have maybe stupid question anyway I am not able to fix it few days.

I have WebServer on LAN 192.168.0.88 with porp 80. Which is accessible from network via

add action=dst-nat chain=dstnat comment="freya apache 80" dst-port=80 \
    in-interface=ether1-gateway protocol=tcp to-addresses=192.168.0.88 \
    to-ports=80

So I am able to access my webServer via PUBLIC IP which is fine.
Anyway when I am in local network when I put public IP i can see only website of mikrotik device.

Screenshot 2018-12-25 at 13.43.27.png

I have my public IP only at one place in mikrotikc config

 add address=185.221.125.XX/30 comment="Public IP" interface=ether1-gateway network=185.221.125.XX

Could you give me some tips how to fix this issue?
Thank you Chose

Jotne · Tue Dec 25, 2018 3:19 pm

Not a stupid question. This is normal behavior.
When you try to access your server from inside, it looks opp the public IP (your route) from a public DNS server.
To fix this, use your router as DNS server for all device on the inside (default behavior after a reset to default config)
Then add a static DNS entry to your Web server.

Eks:

/ip dns static
add address=192.168.0.88 comment="freya apache" name=myserver.dyndns.org

Change name to your public DNS server name.

For nat you can remove to-ports=80 since its the same as dst-port=80.

xchose · Tue Dec 25, 2018 6:01 pm

Thank you: this solution works but this is not really what I expected.

after adding to DNS:

http://freya.domain.zz

I can access via DNS record to my web server. Anyway there any way how to access like from internet??

Because now: LAN PC (192.168.0.20) > directly based of dns > 192.168.0.88

But I would like to to go: LAN PC (192.168.0.20) > Internet > Public IP Mikrotik (NAT 80 > 192.168.0.88 port 80)

I would like to have more web servers and access will be based on NAT translate like:

PublicIP:80 > webserver1 192.168.0.88 80
PublicIP:8080 > webserver2 192.168.0.88 75
...

Thank you for any idea

anav · Tue Dec 25, 2018 7:16 pm

You are asking for hairpin NAT.
https://wiki.mikrotik.com/wiki/Hairpin_NAT

Lots of thread on the topic do a search as well.

Jotne · Wed Dec 26, 2018 8:38 pm

As anav write hairpin NAT may be a soulution for you.

Another solution is to use a reverse proxy, like HAproxy.

I have one server running HAProxy, and redirect port 80 to it on my Rotuer.
Then it will send me to my camera/windows webserver/linux webserver/tv tuner +++
Also it does not matter what port it runs on internally. HAProxy redirect ports as well.
On inside I do point DNS name to the HAProxy server, so it will work same on innside and outside for all my webserver and other stuff.

xchose · Thu Dec 27, 2018 8:34 pm

Thank you verry much for support, I used HairPin NAT and works perfectly for me.

I will push my config here - maybe will be usefull for someone.

My first web server is now accessible by my publicIP:80

add action=dst-nat chain=dstnat=\ 
    dst-address=PUBLIC_IP dst-port=80 protocol=tcp to-addresses=\
    192.168.0.88

My second web server is now accessible by my publicIP:2080

add action=dst-nat chain=dstnat=\ 
    dst-address=185.221.125.13 dst-port=2080 protocol=tcp to-addresses=\
    192.168.0.80 to-ports=80

dmisavenko · Tue Jun 09, 2020 4:49 pm

I cannot configure Hairpin NAT properly in the situation, when port is forwarded with netmap.

I'm accessing my server via host:8888, which is mapped to local_host:80
Are there any ideas how to properly configure NAT in this case to be able to access the resource from local by host:8888 address?

Access to public IP from LAN (behind Mikrotik)

Access to public IP from LAN (behind Mikrotik)

Re: Access to public IP from LAN (behind Mikrotik)

Re: Access to public IP from LAN (behind Mikrotik)

Re: Access to public IP from LAN (behind Mikrotik)

Re: Access to public IP from LAN (behind Mikrotik)

Re: Access to public IP from LAN (behind Mikrotik)

Re: Access to public IP from LAN (behind Mikrotik)