loubou89
just joined
Topic Author
Posts: 10
Joined: Thu Dec 15, 2022 10:33 pm

HEX RB750gr3 - Can connect via WAN-IP, cannot via domainname

Thu Dec 15, 2022 10:48 pm

Hello

I've got public IP and own domain. I read some articles about NAT Hairpin, Port Forwarding etc.

At the moment I can:
* Connect to my webserver from local network with local IP (192.168.0.50).
* Connect to my webserver from local network with WAN-IP (i.e. 109.92.141.121)
* Connect to my webserver from external network with WAN-IP
* Connect to my webserver from external network with domainname (mysite.example.com)

I cannot:
* Connect to my webserver from local network with domainname - it keeps redirecting me to router's main page (login page of router - 192.168.0.1)

How can I fix that problem?

My config in NAT Hairpin:
Src.Address: 192.168.0.0/24
Dst.Address: 192.168.0.50 (webserver's IP)
Protocol: 6 (tcp)
Out.interface: bridge
Action: Masquerade

My port forward config:
Chain: dstnat
Protocol: 6 (tcp)
Dst.port: 80
In.interface: ether1
Action: dst-nat
To addresses: 192.168.0.50
To ports: 80

BartoszP
Forum Guru
Posts: 2730
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: HEX RB750gr3 - Can connect via WAN-IP, cannot via domainname

Fri Dec 16, 2022 5:36 pm

I've got public IP and own domain. I read some articles about NAT Hairpin, Port Forwarding etc.
...
Read them again, reset router to defaults and search this forum for hairpin to find what to do?

loubou89
just joined
Topic Author
Posts: 10
Joined: Thu Dec 15, 2022 10:33 pm

Re: HEX RB750gr3 - Can connect via WAN-IP, cannot via domainname

Fri Dec 16, 2022 8:16 pm

What a perfect answer! Forum Guru? In number of posts for sure.

If I registered an account, write a question with my config, that means I probably miss something and don't know how to resolve my problem, don't you think?

Next reply "search forum" is the worst answer you could send. Seriously I know in Poland we've got so much hate, you are next example of that, but please, imagine that not all people who have Mikrotik are experts.

Peace

Znevna
Forum Guru
Posts: 1352
Joined: Mon Sep 23, 2019 1:04 pm

Re: HEX RB750gr3 - Can connect via WAN-IP, cannot via domainname

Fri Dec 16, 2022 8:29 pm

that means I probably miss something and don't know how to resolve my problem
[...]
My port forward config:
Chain: dstnat
Protocol: 6 (tcp)
Dst.port: 80
In.interface: ether1
Action: dst-nat
To addresses: 192.168.0.50
To ports: 80
Your LAN traffic doesn't reach the router via ether1 I presume.
Remove in.interface and add dst.ip=your.wan.ip
Doesn't hurt to read other examples of how to do it better.
Cheers.

loubou89
just joined
Topic Author
Posts: 10
Joined: Thu Dec 15, 2022 10:33 pm

Re: HEX RB750gr3 - Can connect via WAN-IP, cannot via domainname

Fri Dec 16, 2022 8:45 pm

If I use my Public IP for unknown reason it doesn't work at all. I use in interface ethernet1 and only in this case I can connect with Public IP.

Dst.address doesn't work with WAN IP.

Webserver is on virtual machine, if it changes anything.

cfikes
Member Candidate
Posts: 100
Joined: Mon Dec 08, 2014 9:14 pm
Location: Texas

Re: HEX RB750gr3 - Can connect via WAN-IP, cannot via domainname

Fri Dec 16, 2022 8:59 pm

Normis just made a video for this very thing.

https://www.youtube.com/watch?v=1I5FywY6opQ

loubou89
just joined
Topic Author
Posts: 10
Joined: Thu Dec 15, 2022 10:33 pm

Re: HEX RB750gr3 - Can connect via WAN-IP, cannot via domainname

Fri Dec 16, 2022 9:16 pm

Oh my goodness, thank you guys for replies but I think you miss the clue.

I can connect my webserver both - from internal or external Network. It's not that typical error of Loopback NAT.

I can connect and use it normal with IP address.

I cannot connect with domain name. With mywww.examplesite.com, which redirects me exactly to that Public IP.

If I use external Network (for example mobile Phone with LTE), I can connect to my webserver. But if I use internal Network, it redirects me to router login page instead.

cfikes
Member Candidate
Posts: 100
Joined: Mon Dec 08, 2014 9:14 pm
Location: Texas

Re: HEX RB750gr3 - Can connect via WAN-IP, cannot via domainname

Fri Dec 16, 2022 9:20 pm

Oh my goodness, thank you guys for replies but I think you miss the clue.

I can connect my webserver both - from internal or external Network. It's not that typical error of Loopback NAT.

I can connect and use it normal with IP address.

I cannot connect with domain name. With mywww.examplesite.com, which redirects me exactly to that Public IP.

If I use external Network (for example mobile Phone with LTE), I can connect to my webserver. But if I use internal Network, it redirects me to router login page instead.
Apologies. I'll set up something in EVE to replicate it to mess with it.

cfikes
Member Candidate
Posts: 100
Joined: Mon Dec 08, 2014 9:14 pm
Location: Texas

Re: HEX RB750gr3 - Can connect via WAN-IP, cannot via domainname

Fri Dec 16, 2022 9:52 pm

Just tested with the following setup, and all works even using the DNS names. Webserver was .3 on the 192.168.123.0/24 network.
Code:
/ip firewall filter
add action=accept chain=input comment="HTTPS Input" disabled=yes dst-port=443 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="HairPin WebServer" dst-address=192.168.123.3 out-interface=\
    bridge protocol=tcp src-address=192.168.123.0/24
add action=dst-nat chain=dstnat comment="Webserver NAT" dst-address=66.xxx.xxx.xxx dst-port=443 \
    protocol=tcp to-addresses=192.168.123.3

loubou89
just joined
Topic Author
Posts: 10
Joined: Thu Dec 15, 2022 10:33 pm

Re: HEX RB750gr3 - Can connect via WAN-IP, cannot via domainname

Fri Dec 16, 2022 10:18 pm

cfikes

Thank you for testing, I used exact same command to check if I do something wrong (just with my IPs of course) and... it's not working for me.

I check my public address on www.myip.com, and I copy it -> paste as dst-address, and from local network I can use that IP, but from external network it doesn't work.

If I use in.interface=ethernet1 -> it works fine. Exactly the same IP...

Exported config:
Code:
# dec/16/2022 21:33:57 by RouterOS 6.49.7
# software id = W51K-T1ZZ
#
# model = RB750Gr3
# serial number = ##
/interface bridge
add admin-mac=DC:2C:6E:53:AF:F8 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.0.10-192.168.0.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=\
    192.168.0.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.0.122 mac-address=00:1B:9C:0A:9F:30 server=defconf
add address=192.168.0.50 client-id=1:52:54:0:20:c6:d mac-address=\
    52:54:00:20:C6:0D server=defconf
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input comment="HTTPS Input" disabled=yes dst-port=443 \
    protocol=tcp
add action=accept chain=input comment="HTTP Input" disabled=yes dst-port=80 \
    protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="HairPin WebServer" dst-address=\
    192.168.0.50 out-interface=bridge protocol=tcp src-address=192.168.0.0/24
add action=dst-nat chain=dstnat comment="Webserver NAT" dst-address=\
    109.xx.public.wan.ip dst-port=80 protocol=tcp to-addresses=192.168.0.50 \
    to-ports=8123
/system clock
set time-zone-name=Europe/Warsaw
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Last edited by loubou89 on Sat Dec 17, 2022 9:05 am, edited 1 time in total.

Znevna
Forum Guru
Posts: 1352
Joined: Mon Sep 23, 2019 1:04 pm

Re: HEX RB750gr3 - Can connect via WAN-IP, cannot via domainname

Fri Dec 16, 2022 11:29 pm

I check my public address on www.myip.com, and I copy it -> paste as dst-address, and from local network I can use that IP, but from external network it doesn't work.
If I use in.interface=ethernet1 -> it works fine. Exactly the same IP...
Is the IP shown on www.myip.com the same as the IP shown here?
Code:
/ip address print where interface=ether1

loubou89
just joined
Topic Author
Posts: 10
Joined: Thu Dec 15, 2022 10:33 pm

Re: HEX RB750gr3 - Can connect via WAN-IP, cannot via domainname

Fri Dec 16, 2022 11:55 pm

No it's not the same. On ethernet1 I've got address: 10.50.52.126/24, but as far as I read in the Internet it's local address.

Znevna
Forum Guru
Posts: 1352
Joined: Mon Sep 23, 2019 1:04 pm

Re: HEX RB750gr3 - Can connect via WAN-IP, cannot via domainname

Fri Dec 16, 2022 11:58 pm

Then you don't have a public IP and it will never work.
Cheers.

loubou89
just joined
Topic Author
Posts: 10
Joined: Thu Dec 15, 2022 10:33 pm

Re: HEX RB750gr3 - Can connect via WAN-IP, cannot via domainname

Sat Dec 17, 2022 12:00 am

So how is that possible? If I put ether1 in interface, I can use my public IP on any device out of my network and connect to my webserver... I don't understand it at all.

Znevna
Forum Guru
Posts: 1352
Joined: Mon Sep 23, 2019 1:04 pm

Re: HEX RB750gr3 - Can connect via WAN-IP, cannot via domainname

Sat Dec 17, 2022 12:17 am

Only if whoever gives you that 10.50.52.126 also forwards port 80 from that public IP to your private IP.
You need two dst-nat rules then, one with the public IP to make hairpin work, and another one as you've had in the first place, with ether1 to make it available from outside.
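
The rule matching discussed in the post above, as an added example that is not part of the thread: a small Python model of which dst-nat rule the hEX applies to a new connection on each path. It assumes, as suggested above, that the ISP router forwards outside traffic to 10.50.52.126; 203.0.113.10 is a constructed placeholder for the redacted public IP, and the class and function names are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

PUBLIC_IP = "203.0.113.10"   # constructed placeholder for the redacted public IP
ETHER1_IP = "10.50.52.126"   # address the hEX holds on ether1 (from the thread)
LAN = ip_network("192.168.0.0/24")
ROUTER_ADDRS = {ETHER1_IP, "192.168.0.1"}   # addresses owned by the hEX itself
WEBSERVER = "192.168.0.50"

@dataclass
class DstNat:
    """One dst-nat rule (hypothetical model); a matcher left as None matches anything."""
    in_interface: Optional[str] = None
    dst_address: Optional[str] = None
    dst_port: int = 80
    to_address: str = WEBSERVER

    def matches(self, in_if: str, dst: str, port: int) -> bool:
        return (port == self.dst_port
                and self.in_interface in (None, in_if)
                and self.dst_address in (None, dst))

def deliver(rules, in_if: str, dst: str, port: int = 80) -> str:
    """Where a new TCP connection, as seen by the hEX, ends up."""
    for rule in rules:                       # first matching rule wins
        if rule.matches(in_if, dst, port):
            return rule.to_address
    # No dst-nat match: the router's own address goes to input, the rest is routed on.
    return "router-input" if dst in ROUTER_ADDRS else "forwarded-unchanged"

def needs_hairpin_masquerade(src: str, target: str) -> bool:
    """True when client and dst-nat target share the LAN: without the srcnat
    masquerade rule the server would answer the client directly, bypassing NAT."""
    return ip_address(src) in LAN and ip_address(target) in LAN

# What the hEX sees on each path. Assumption: the ISP router has already rewritten
# the destination of outside traffic to ETHER1_IP before it arrives on ether1.
FROM_OUTSIDE = ("ether1", ETHER1_IP)
FROM_LAN = ("bridge", PUBLIC_IP)
RULESETS = {
    "in-interface only": [DstNat(in_interface="ether1")],
    "public dst-address only": [DstNat(dst_address=PUBLIC_IP)],
    "both rules": [DstNat(dst_address=PUBLIC_IP), DstNat(in_interface="ether1")],
}

def results():
    """Map each rule set to (outcome for outside client, outcome for LAN client)."""
    return {name: (deliver(rules, *FROM_OUTSIDE), deliver(rules, *FROM_LAN))
            for name, rules in RULESETS.items()}

if __name__ == "__main__":
    for name, (outside, lan) in results().items():
        print(f"{name:24} outside -> {outside:20} LAN -> {lan}")
```

With only the in-interface rule, a LAN request for the public IP leaves the hEX with its destination untouched; with only the public dst-address rule, outside traffic lands on the router's own input chain instead of the web server.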

anav
Forum Guru
Posts: 17409
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: HEX RB750gr3 - Can connect via WAN-IP, cannot via domainname

Sat Dec 17, 2022 2:58 am

You sir are rude to people trying to help. Perhaps it's what you respond to more favourably, thus..............
I will ask you to make an effort and actually read......

All covered here, from hairpin, to asking if you really have a public IP and how to arrange dst nat rules for dynamic WANIPs....

viewtopic.php?t=179343

As clearly pointed out, ether1 as incoming for a dynamic WANIP is useless.....
It wouldn't surprise me if your firewall rule for dstnat was equally inept.

/export file=anynameyouwish (minus router serial # and any public WANIP information )

loubou89
just joined
Topic Author
Posts: 10
Joined: Thu Dec 15, 2022 10:33 pm

Re: HEX RB750gr3 - Can connect via WAN-IP, cannot via domainname

Sat Dec 17, 2022 9:04 am

I'm so sorry, I don't want to be rude. I'm just helpless in that situation.

I call my ISP and they told me that everything is setup from their side. Before I had simple TP-Link Archer Router and I was able to port forward everything simple way.

The problem is, when I put it in in.interface=ethernet1, and I "open" any port (f.e. 1234) I can connect using my WAN-IP without problems. If I also check it with any site like portchecker.co - it shows me that port is open on my public IP.

So I'm confused - is it public or not?

My config is in code - in post #10

I checked as you described in linked post if my Public IP is Public,
Cloud IP and IP read in browser is the same - 109.xxx.xxx.xx
DAC and DHCP Client IP is different - 10.50.52.126


@Znevna

I don't know how safe it is, but as a quick solution it works. I made 2 dstnat rules to port 443 - one to Public IP (that allows me to connect via domain name from local network) and second one with that address 10.50.52.126, which allows me to connect from external network.

Buckeye
Forum Veteran
Posts: 882
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: HEX RB750gr3 - Can connect via WAN-IP, cannot via domainname

Sat Dec 17, 2022 2:11 pm

What is your ether1 interface connected to? It seems it is a router (perhaps provided by your ISP) and it is already doing nat.

Do you have access to login to that device? And can you do port forwarding? If the address on your ether1 interface was in the range 100.65.0.0 - 100.127.255.255, then that would indicate your ISP was using CGNAT to conserve public IP addresses, but it is still possible that your ISP is providing you with a private IP and doing NAT before your RB750gr3 gets its ip address via DHCP.

About all we can say is that there is at least one layer of NAT between the global ip address that browsing to www.myip.com provides, and the ether1 interface on the RB750gr3.

Perhaps your ISP had your Archer's WAN mac address and it was giving it a global ip address (perhaps grandfathered?). If you still have it, and it still works, you can probably spoof its mac address with the RB750gr3 and the ISP will think it is your old Archer Router.
Last edited by Buckeye on Sun Dec 18, 2022 12:13 am, edited 1 time in total.

loubou89
just joined
Topic Author
Posts: 10
Joined: Thu Dec 15, 2022 10:33 pm

Re: HEX RB750gr3 - Can connect via WAN-IP, cannot via domainname

Sat Dec 17, 2022 5:24 pm

Yes you're right. It's connected to ISP's router and I don't have password to it (and they won't share it with me).

At the moment everything is working fine with double dstnat rule, just curious how safe it is.

On the other hand I use it only for Home Assistant, it's not a typical webserver.

anav
Forum Guru
Posts: 17409
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: HEX RB750gr3 - Can connect via WAN-IP, cannot via domainname

Sat Dec 17, 2022 7:18 pm

So they will forward ports to your router if you request it ????

loubou89
just joined
Topic Author
Posts: 10
Joined: Thu Dec 15, 2022 10:33 pm

Re: HEX RB750gr3 - Can connect via WAN-IP, cannot via domainname

Sat Dec 17, 2022 10:24 pm

They told me I can forward them by myself in my router because from their side all ports are open.

anav
Forum Guru
Posts: 17409
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: HEX RB750gr3 - Can connect via WAN-IP, cannot via domainname

Sat Dec 17, 2022 10:26 pm

That doesn't mean they can reach the MTrouter........... It just means they are not blocking any incoming ports on their router.
It does not mean they have forwarded any ports to your router...........

Remember if they forward said ports to your router, they are no longer available to those on the main router...........

Znevna
Forum Guru
Posts: 1352
Joined: Mon Sep 23, 2019 1:04 pm

Re: HEX RB750gr3 - Can connect via WAN-IP, cannot via domainname

Sun Dec 18, 2022 12:32 am

@anav, Imagine this, if I, the ISP, give the client a router that's under my management, but I want to keep the public IP on my (the ISP) router, I'm just gonna forward all ports on whatever private IP the client requests, if the client adds another router then he is free to forward on his router. It's a bad setup, and I've seen such cases of double NAT, sadly, but it works.

anav
Forum Guru
Posts: 17409
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: HEX RB750gr3 - Can connect via WAN-IP, cannot via domainname

Sun Dec 18, 2022 1:04 am

Agree znevna, but it's not clear to me all the ports are forwarded to the MT router, just wanted to confirm that is all.....