talormanda
just joined
Topic Author
Posts: 4
Joined: Mon Jan 13, 2020 9:30 pm

Access internal web server with internet IP from the same LAN

Mon Jan 13, 2020 9:37 pm

Before switching to MT, I was able to port forward a web server, and access it via my public IP: http:mywebsite.com:40399

After I switched to MT, I went to IP > Firewall > NAT, and set up the below, which lets me access the web server from outside my network:

add action=dst-nat chain=dstnat comment=web-server dst-port=40399 protocol=tcp to-addresses=192.168.1.9 to-ports=80

I was looking around and saw that this may be called a "hairpin nat"? I messed around with some rules and added this, which works, but I want to know if this is correct and the best way to achieve what I want to do:

add action=src-nat chain=srcnat comment="Hairpin NAT to for motioneye" dst-address=192.168.1.9 src-address=192.168.1.0/24 to-addresses=*my_public_ip_here*
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Access internal web server with internet IP from the same LAN

Mon Jan 13, 2020 9:43 pm

Yes. Have a look at https://wiki.mikrotik.com/wiki/Hairpin_NAT for the packet-by-packet explanation.

In summary, what happens is the internal device receives an answer from the internal, dst-natted IP when it expects it to come from the public IP it requested; hairpin NAT does an additional src-nat so that the device receives an answer with the src-address it expects (the one it requested).

You could also use action=masquerade if your WAN interface has only a public IP that is dynamically fetched from your ISP.
 
talormanda
just joined
Topic Author
Posts: 4
Joined: Mon Jan 13, 2020 9:30 pm

Re: Access internal web server with internet IP from the same LAN

Tue Jan 14, 2020 3:29 pm

Do you mean this?
add action=masquerade chain=srcnat comment="Hairpin NAT to for motioneye" dst-address=192.168.1.9 src-address=192.168.1.0/24 to-addresses=*my_public_ip_here*
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Access internal web server with internet IP from the same LAN

Tue Jan 14, 2020 5:47 pm

action=masquerade is the same as action=src-nat, but will automatically src-nat with the IP of the interface, so no to-addresses required.
add action=masquerade chain=srcnat comment="Hairpin NAT to for motioneye" dst-address=192.168.1.9 src-address=192.168.1.0/24 out-interface=YourLanBridge
 
talormanda
just joined
Topic Author
Posts: 4
Joined: Mon Jan 13, 2020 9:30 pm

Re: Access internal web server with internet IP from the same LAN

Tue Jan 14, 2020 5:53 pm

Okay thanks, I will try this when I get home. Unfortunately I am having packet loss and disconnect issues again (I made another post in this forum), so I cannot implement the change while I am remote.
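
Added example (not part of the original thread): a small Python model of the packet flow pukkita describes, tracing one LAN client request through the dst-nat rule with and without the hairpin masquerade. The public IP 203.0.113.10, router LAN address 192.168.1.1, client 192.168.1.50 and source port 51000 are constructed values; the server address, subnet and ports are the ones from the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PUBLIC_IP = "203.0.113.10"          # placeholder for *my_public_ip_here*
ROUTER_LAN = "192.168.1.1"          # assumed address of the router's LAN bridge
SERVER = "192.168.1.9"              # web server from the thread
CLIENT = "192.168.1.50"             # constructed LAN client
LAN = ip_network("192.168.1.0/24")  # src-address from the thread

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def router_forward(pkt, hairpin, conntrack):
    """dst-nat rule from the thread, then (optionally) the hairpin masquerade."""
    out = pkt
    if pkt.dst == PUBLIC_IP and pkt.dport == 40399:             # chain=dstnat
        out = Packet(pkt.src, pkt.sport, SERVER, 80)
    if hairpin and out.dst == SERVER and ip_address(out.src) in LAN:  # chain=srcnat
        out = Packet(ROUTER_LAN, out.sport, out.dst, out.dport)
    # Connection tracking: index the original packet by the reply it expects.
    conntrack[(out.dst, out.dport, out.src, out.sport)] = pkt
    return out

def router_reverse(reply, conntrack):
    """Undo both translations for a reply that reaches the router."""
    orig = conntrack[(reply.src, reply.sport, reply.dst, reply.dport)]
    return Packet(orig.dst, orig.dport, orig.src, orig.sport)

def simulate(hairpin):
    conntrack = {}
    request = Packet(CLIENT, 51000, PUBLIC_IP, 40399)
    at_server = router_forward(request, hairpin, conntrack)
    reply = Packet(at_server.dst, at_server.dport, at_server.src, at_server.sport)
    # Server and client share a subnet, so a reply addressed to the client
    # is delivered directly and never passes the router's NAT again.
    if reply.dst == ROUTER_LAN:
        reply = router_reverse(reply, conntrack)
    # The client only accepts a reply from the address and port it connected to.
    accepted = (reply.src, reply.sport, reply.dst) == (PUBLIC_IP, 40399, CLIENT)
    return {"server_sees": at_server.src, "reply_src": reply.src, "accepted": accepted}

if __name__ == "__main__":
    for mode in (False, True):
        print("hairpin" if mode else "dst-nat only", simulate(mode))
```

With the hairpin rule in place the server sees the router's address as the source of every LAN client, so its access log and any address-based allow list no longer distinguish individual LAN hosts.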