tonyd
newbie
Topic Author
Posts: 49
Joined: Fri Jul 20, 2012 3:31 pm

Route Public Resolved IP to Internal IP [SOLVED]

Fri Oct 18, 2019 12:35 am

Hello,

I'm looking for a way to route a publicly resolved domain to an internal IP, sourced, of course, from my internal network. I host several servers for personal use that resolve to my public IP address, i.e. nextcloud.mydomain.com, smokeping.mydomain.com, cacti.mydomain.com, homeassistant.mydomain.com, etc. What I currently do is add an entry to my hosts file to resolve the respective subdomain.domain to the local address on my network so I can continue to use the domain name when on network using my desktop. But this is not ideal. 1) I have to remember to copy the hosts file, or I have to recreate it if/when I replace my PC or OS, which I recently did and forgot to copy/backup my hosts file. There are not a lot of entries, but it's a pain. And I have to remember to do this on any laptop/desktop I'm using while on network. And more importantly 2) my phone is confused because when on my local network's wifi, it's resolving the public IP. So, for example, my Nextcloud Android app can't reach the server; it's trying to reach the public IP on my WAN interface. I have to disable the wifi connection on my phone so it will work over the carrier network. I'd like to capture all outbound traffic that's resolved to my public/WAN IP and redirect it to my internal server farm's IP. I've tried to set up a dst-nat rule at the top of the chain, but that does not seem to work. It seems to catch the outbound traffic as I can see the counters increase on the rule, but traffic isn't returned to the source. I also thought I could catch all outbound traffic on the WAN interface with the dest of the public IP on the WAN interface, but that's not possible in input and prerouting chains.

172.20.0.9 is the IP address of my NGINX proxy, which forwards the traffic to the appropriate Docker container hosting the app/service. All domains have an SSL cert, but I want all port 80/443 traffic to forward to 172.20.0.9.

I could set up my own authoritative DNS server for on-network resolution, but it would be so much easier to add a rule or two to my router vs. maintaining a DNS server; been there, done that setting up and managing this kind of service.

I'm sure I'm not the first to encounter this need, but I haven't run across any post in my Google search yet that addresses this, and my effort hasn't worked out. I'm probably overlooking something obvious, but... Any suggestions would be most welcome.

Thank you in advance!

Here's my NAT chain: (I've also attached a snippet of the log; don't know if that will be of any use. The grayed-out portion of the INTERNAL_SERVER_FARM entries points to my public IP address.)
[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; NAT Outbound Traffic to my Public IP to Server Farm NGINX Proxy
      chain=dstnat action=dst-nat to-addresses=172.20.0.9 protocol=tcp 
      src-address=172.20.0.0/24 dst-address=<MY.PUBLIC.IP> 
      log=yes log-prefix="INTERNAL_SERVER_FARM" 

 1    ;;; NAT Inbound Traffic to my Public IP on Ports 80,443,8080,4443 to Server Farm NGINX Proxy 
      chain=dstnat action=dst-nat to-addresses=172.20.0.9 protocol=tcp 
      dst-address=<MY.PUBLIC.IP> in-interface=ether1-gateway 
      dst-port=80,443,8080,4443 log=yes log-prefix="PUBLIC_SERVER_FARM" 

 2    ;;; Forward Port <xxxxxx> on Public Interface to Port <xxxxxx> on workstation
      chain=dstnat action=dst-nat to-addresses=<workstation.ip> to-ports=<xxxx> 
      protocol=tcp in-interface=ether1-gateway dst-port=<xxxxxx> log=yes 
      log-prefix="NOTIFY ME" 

 3  D ;;; upnp 172.20.0.28: A29B
      chain=dstnat action=dst-nat to-addresses=172.20.0.28 to-ports=5101 
      protocol=tcp dst-address=<MY.PUBLIC.IP> in-interface=ether1-gateway 
      dst-port=5101 

 4    ;;; Masqarade
      chain=srcnat action=masquerade out-interface=ether1-gateway log=no 
      log-prefix=""


[admin@MikroTik] > 

Image: https://drive.google.com/open?id=1zFcv ... xS-_2hOPR
Last edited by tonyd on Fri Oct 18, 2019 6:04 pm, edited 1 time in total.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Route Public Resolved IP to Internal IP

Fri Oct 18, 2019 3:40 am

 
tonyd
newbie
Topic Author
Posts: 49
Joined: Fri Jul 20, 2012 3:31 pm

Re: Route Public Resolved IP to Internal IP

Fri Oct 18, 2019 6:01 pm

Spectacular! Thank you! That solved my issue. I knew I had to be missing something. I added that additional srcnat rule below my dstnat and all is well. Thanks again!
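The "additional srcnat rule" that makes the dst-nat in the first post work is hairpin NAT. The following is an added example, not configuration posted in the thread, written from the rules shown above; it assumes 172.20.0.0/24 is the LAN, 172.20.0.9 is the NGINX proxy, ether1-gateway is the WAN interface, and <MY.PUBLIC.IP> is a placeholder for the router's public address.

```routeros
# Added example (not from the thread): hairpin NAT so LAN clients that
# resolve nextcloud.mydomain.com etc. to the public IP reach 172.20.0.9.
# Assumptions: LAN = 172.20.0.0/24, NGINX proxy = 172.20.0.9,
# WAN = ether1-gateway, <MY.PUBLIC.IP> = placeholder for the public address.

/ip firewall nat

# 1) dst-nat for LAN clients hitting the public IP.
#    Rule 0 in the post matches every TCP port; listing dst-port limits the
#    rewrite to the ports the proxy actually serves.
add chain=dstnat action=dst-nat to-addresses=172.20.0.9 protocol=tcp \
    src-address=172.20.0.0/24 dst-address=<MY.PUBLIC.IP> \
    dst-port=80,443,8080,4443 \
    comment="Hairpin dst-nat: LAN -> public IP -> NGINX proxy"

# 2) The missing piece. Without it 172.20.0.9 sees the client's real LAN
#    address and answers it directly on the same subnet; the client then
#    gets a SYN/ACK from 172.20.0.9 instead of <MY.PUBLIC.IP> and drops it,
#    which is the "counters increase but nothing comes back" symptom.
#    Masquerading only this LAN->proxy flow forces the reply back through
#    the router, where the dst-nat is reversed on the way out.
add chain=srcnat action=masquerade protocol=tcp \
    src-address=172.20.0.0/24 dst-address=172.20.0.9 \
    dst-port=80,443,8080,4443 \
    comment="Hairpin src-nat: return replies via the router"

# 3) The existing general masquerade, still scoped to the WAN interface
#    so it never rewrites LAN-to-LAN traffic by accident.
add chain=srcnat action=masquerade out-interface=ether1-gateway \
    comment="Masquerade"
```

Keep the hairpin srcnat rule narrow: it only has to cover LAN-to-proxy flows, and the proxy's access logs will show the router's LAN address instead of the real client for those connections, so record the client IP on the router side if you need it. `/ip firewall connection print` shows both translations on a live hairpinned connection.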
