I am trying to access my external IP address from the local network, but instead of reaching my webserver behind NAT, the WebFig page shows up.

NAT forwarding is working when accessing from the internet.

EDIT: This is my current nat config

[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none

 1    chain=dstnat action=dst-nat to-addresses=<server's ip> to-ports=80 protocol=tcp in-interface=ether1 dst-port=80
Alex S.
  • Look up "Hairpin NAT" in the documentation. It is not trivial to set up but that is what is missing - your traffic is not being NATed because it is bypassing the NAT. – TomTom Apr 13 '20 at 18:10
  • Yup. That worked well. Thanks! – Alex S. Apr 13 '20 at 18:34

1 Answer

To achieve this, you need to use Internal NAT Hairpin. You can configure it in a few commands.

Let's assume that 1.1.1.1 is our external IP address, 192.168.1.0/24 is our local network, and 192.168.1.128 is a webserver.

Then, you need to add these NAT rules:

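/ip firewall nat
# Forwarding: send web traffic addressed to the external IP to the webserver
add chain=dstnat action=dst-nat protocol=tcp dst-address=1.1.1.1 dst-port=80,443 to-addresses=192.168.1.128
add chain=srcnat action=src-nat protocol=tcp src-address=192.168.1.128 src-port=80,443 to-addresses=1.1.1.1

# Masquerading: LAN-to-LAN traffic leaves with the router's address, so replies return through the router
add chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=192.168.1.0/24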

This rule should already exist:

chain=srcnat action=masquerade out-interface-list=WAN
Alex S.
  • But what if my external IP address is DHCP-controlled by the provider and different from time to time? Are there any tricks to avoid explicitly declaring dst-address? – xorza Dec 09 '20 at 06:58
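
An added example, not part of the original question or answer: a toy Python trace of a LAN client connecting to the external address. It shows why the question's `in-interface=ether1` rule ends at WebFig and why the LAN masquerade rule is needed once the dstnat rule matches. The router LAN address 192.168.1.1, the client 192.168.1.10 and the interface name `bridge` are assumptions.

```python
# Toy model of dstnat/srcnat handling for a hairpin connection (not RouterOS code).
WAN_IP, SERVER = "1.1.1.1", "192.168.1.128"          # values from the answer
ROUTER_LAN, CLIENT = "192.168.1.1", "192.168.1.10"   # assumed for illustration

# dstnat rule as posted in the question: matches only packets entering on ether1.
QUESTION_RULE = {"match": {"in_if": "ether1", "dport": 80}, "to": SERVER}
# dstnat rule matching on the destination address instead of the interface.
BY_ADDRESS = {"match": {"dst": WAN_IP, "dport": 80}, "to": SERVER}


def in_lan(ip):
    return ip.startswith("192.168.1.")


def hairpin(dstnat_rule, masquerade_lan):
    """Trace CLIENT -> WAN_IP:80 arriving on the LAN side and return the outcome."""
    pkt = {"src": CLIENT, "dst": WAN_IP, "dport": 80, "in_if": "bridge"}

    # dstnat: every matcher in the rule must equal the packet's field.
    if not all(pkt.get(k) == v for k, v in dstnat_rule["match"].items()):
        # No translation: the packet is still addressed to the router itself.
        return "router answers itself (WebFig)"
    pkt["dst"] = dstnat_rule["to"]

    # srcnat: the hairpin masquerade rewrites the source for LAN-to-LAN flows.
    if masquerade_lan and in_lan(pkt["src"]) and in_lan(pkt["dst"]):
        pkt["src"] = ROUTER_LAN

    # The server replies to whatever source address it saw.
    reply = {"src": pkt["dst"], "dst": pkt["src"]}
    if reply["dst"] == ROUTER_LAN:
        # Reply passes back through the router; connection tracking
        # reverses both translations before delivering it to the client.
        reply = {"src": WAN_IP, "dst": CLIENT}

    # The client opened the connection to WAN_IP and accepts replies only from it.
    if reply["src"] == WAN_IP:
        return "connection works"
    return "client drops reply from " + reply["src"]


if __name__ == "__main__":
    for name, rule, masq in [("question's rule", QUESTION_RULE, False),
                             ("dstnat only", BY_ADDRESS, False),
                             ("dstnat + LAN masquerade", BY_ADDRESS, True)]:
        print(f"{name}: {hairpin(rule, masq)}")
```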