NAT/PortForward - server to also be accessible from within the LAN (2024)

Hello,

I have configured a dst-nat rule to make the HTTP server available from the internet
/ip firewall nat add chain=dstnat action=dst-nat protocol=tcp dst-port="80" to-addresses="10.10.5.4" comment="PortFowarding: HTTP"

I also have an A-record in domain's DNS configured, for example "testserver.mydomain.com A 23.45.67.89"

The http testserver is accessible from the internet, but not from my other computers in the LAN.
It doesn't work whether i go to my public IP http://23.45.67.89, or to http://23.45.67.89. But both ways work from the internet.
What configuration did I do wrong, or am I missing? Thanks!

Yup,,,,,,,,,,,
Also you dstnat rule is incomplete but we can get to that when you post a config.

/ip firewall nat add chain=dstnat action=dst-nat protocol=tcp dst-port="80" to-addresses="10.10.5.4" comment="PortFowarding: HTTP"

1) For the LAN do not work using public IP out-of-LAN, because the packet, not literally, must go out the route and back-in
For test the rule is working use external IP, for make it work on LAN, your DNS must provide local LAN IP to LAN devices

2) The rule you have writed say: for all tcp connection from everywhere, to everywhere, to port 80, do change destination to 10.10.5.4
The correct rule must be like: if tcp connection coming from <WAN> to <Public IP> <port 80> must be redirect to 10.10.5.4 (to port 80) changing destination address.

/ip firewall natadd action=dst-nat chain=dstnat comment="PortFowarding: HTTP" dst-address=23.45.67.89 dst-port=80 in-interface=ether1 protocol=tcp to-addresses=10.10.5.4 to-ports=80

/ip firewall nat add chain=dstnat action=dst-nat protocol=tcp dst-port="80" to-addresses="10.10.5.4" comment="PortFowarding: HTTP"

Code: Select all

/ip firewall natadd action=dst-nat chain=dstnat comment="PortFowarding: HTTP" dst-address=23.45.67.89 dst-port=80 in-interface=ether1 protocol=tcp to-addresses=10.10.5.4 to-ports=80

WHY USE in-interface here??? and dont need to-ports if same as dest port!
Shouldnt this suffice?

/ip firewall nat
add action=dst-nat chain=dstnat comment="PortFowarding: HTTP" dst-address=23.45.67.89 dst-port=80 protocol=tcp to-addresses=10.10.5.4

/ip firewall nat add chain=dstnat action=dst-nat protocol=tcp dst-port="80" to-addresses="10.10.5.4" comment="PortFowarding: HTTP"

Code: Select all

/ip firewall natadd action=dst-nat chain=dstnat comment="PortFowarding: HTTP" dst-address=23.45.67.89 dst-port=80 in-interface=ether1 protocol=tcp to-addresses=10.10.5.4 to-ports=80

WHY USE in-interface here??? and dont need to-ports if same as dest port!
Shouldnt this suffice?

/ip firewall nat
add action=dst-nat chain=dstnat comment="PortFowarding: HTTP" dst-address=23.45.67.89 dst-port=80 protocol=tcp to-addresses=10.10.5.4

I cannot explain myself well in English, it is simply better to be clear, even with future changes (like dynamic public IP), and for understand better for newbie how firewall works.....

Doesn't it tell you anything "from everywhere, to everywhere"??? too much generic....

Instead of hairpin NAT (which is just fine), why not have this resolved by DNS.
Funny...this is my first English pun!

@erlinden Jajajaja
Regardless the NAT has to be done properly not matter how external or internal users get there.....( by way of public IP )

@rextended. If you had read the link provided above, it explains the difference or different requirements between dynamic and static/fixed IP.
Its important that a new learner starts to appreciate the differences between a consumer/prosumer router and the MT, where the admin should be cognizant of
how packets are handled in more granularity and that there is a difference between dynamic and static WANIP.

Thanks for all the replies.
I have just resolved this using static DNS entries, there's still one service though that has a different external and internal ports. But in any case, I'll try to configure this using the NAT rules you mentioned, so that I'll understand how it should work.

EDIT: All figured out, thanks!
For every port forwarding rule, i have to create two firewall rules. For example:
add action=dst-nat chain=dstnat comment="PortFowarding: HTTP, SVN" dst-address=23.45.67.89 dst-port=80,3690 protocol=tcp to-addresses=10.10.5.4
add action=masquerade chain=srcnat dst-address=10.10.5.4 dst-port=80,3690 protocol=tcp src-address=10.10.5.0/24

And for cases where the internal port is different than the external, the srcnat rule must have dst-port defined as the internal port:
add action=dst-nat chain=dstnat comment="PortForwarding: CouchDB" dst-address=23.45.67.89 dst-port=7984 protocol=tcp to-addresses=10.10.5.4 to-ports=6984
add action=masquerade chain=srcnat dst-address=10.10.5.4 dst-port=6984 protocol=tcp src-address=10.10.5.0/24

WRONG!

You only need the one hairpin NAT rule. ( so max of one xtra source nat rule on top of the normal source nat rule(s) )
Remember, the reason the users cannot access the server via the LANIP is if the server is in the same subnet.
Therefore one add this as the first source nat rule.
add chain=srcnat action=masquerade src-address=192.168.xx.0/24 dst-address=192.168.xx.0/24 where 192.168.xx.0 represents the subnet.

Furthermore there is only ONE firewall forward filter rule needed and that is to allow dstn packets from the WAN to pass through the router to the LAN interface,
One either has the default forward chain firewall filter rule:
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"

OR uses the direct rule
add chain=forward action=accept connection-state=new connection-nat-state=dstnat in-interface-list=WAN comment="allow port forwarding"
add chain=forward action=drop comment="drop all else"

Finally there is only one DST NAT rule, (one NAT rule required per port forwarding desired). One can combine a number or range of ports to the same TO-ADDRESS (same server) if the ports are not translated and thus combining multiple rules into one rule. Personal preference

Thanks for the correction.

I did it with your one-nat-rule:
/ip firewall nat add chain=srcnat action=masquerade src-address=10.10.5.0/24 dst-address=10.10.5.0/24
+ all of the specific port forwards, e.g.
/ip firewall nat add action=dst-nat chain=dstnat comment="PortFowarding: HTTP, SVN" dst-address=23.45.67.89 dst-port=80,3690 protocol=tcp to-addresses=10.10.5.4

Seems to work ok.

Initially I used the rule from the Wiki, but it didn't work. Using two-rules per portforward worked, but I prefer your way - much cleaner (and also it's the correct way).