Iptables – Redirect private LAN traffic to internal server when DNS answers with external IP

firewall, iptables, mikrotik

I have a MikroTik RB2011 router/firewall. Inside the firewall I have a web server that has a private IP (let's say it's 192.168.1.5).

On the WAN side of the firewall I have a static IP (assume it's 192.0.43.10 – www.example.com).

The firewall/router is running NAT.

I have a dstnat rule to pass through HTTPS traffic to the server and that works.

Now the age-old problem is that if an internal PC tries to connect to https://www.example.com it fails to load the page with this error in Chrome:

Google Chrome's connection attempt to www.example.com was rejected.
The website may be down or your network may not be properly
configured.

Here are some suggestions: Reload this web page later. Check your
Internet connection. Reboot any routers, modems or other network
devices that you may be using. Add Google Chrome as a permitted
programme in your firewall or antivirus software's settings. If it is
already a permitted programme, try deleting it from the list of
permitted programmes and adding it again. If you use a proxy server,
check your proxy settings or contact your network administrator to
make sure the proxy server is working. If you don't believe you should
be using a proxy server, adjust your proxy settings: Go to the Chrome
menu > Settings > + Show advanced settings > Change proxy settings…
and make sure your configuration is set to "no proxy" or "direct."
Error 102 (net::ERR_CONNECTION_REFUSED): The server refused the
connection.

Traditionally I have solved this by using a split DNS or dual DNS type of setup where DNS lookups to www.example.com returned the internal IP of the server rather than the external. However, I don't have the luxury of that setup here.

There should be a way to solve this on the MikroTik using a prerouting rule, but I'm unsure how to set that up. How would I do that?

This is what I have in my NAT table. But again, it doesn't work. I am running tcpdump on the server and I can see that the packets are not actually reaching it.

[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=dstnat action=dst-nat to-addresses=192.168.0.10 protocol=tcp 
     dst-address=114.134.xxx.xxx in-interface=wan dst-port=22 

 1   chain=dstnat action=dst-nat to-addresses=192.168.0.10 protocol=tcp 
     dst-address=114.134.xxx.xxx in-interface=wan dst-port=443 

 2   chain=srcnat action=masquerade src-address=192.168.0.0/24 
     dst-address=192.168.0.0/24 

 3   ;;; default configuration
     chain=srcnat action=masquerade to-addresses=114.134.xxx.xxx
     out-interface=wan 

Best Answer

If complicated "Hairpin_NAT" isn't your scene, a solution for the lazy:

Simply add a static DNS entry in the MT device that points to the local server. Sorted. All local requests get correctly resolved, bypassing the router; all external stuff ignores your DNS entry, so it goes the dstnat route.

/ip dns
set allow-remote-requests=yes cache-size=8048KiB servers=\
    8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.1.5 name=www.example.com
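For the case where the static DNS entry is not an option (the questioner says split DNS is unavailable), the following is an added example of the hairpin NAT rules the question asks about. It is not part of the question or the answer above. It uses the addresses from the question's prose (public IP 192.0.43.10, server 192.168.1.5) and assumes the LAN subnet is 192.168.1.0/24; the HTTPS port and the `wan` interface name come from the question. The key observation is that the existing dstnat rules carry `in-interface=wan`, so a packet from a LAN client addressed to the public IP arrives on the LAN interface, never matches them, and is simply delivered to the router itself, which refuses the connection.

```routeros
# Added example (not from the question or the answer): hairpin NAT on
# RouterOS so LAN clients can reach the internal server via its public IP.
# Assumed values: public IP 192.0.43.10, server 192.168.1.5,
# LAN subnet 192.168.1.0/24 (the subnet is an assumption).

/ip firewall nat

# 1. The question's dstnat rule has in-interface=wan, so LAN-originated
#    packets to 192.0.43.10 never match it. This rule deliberately omits
#    in-interface and matches only on the public address and port, so it
#    does not widen what is exposed: only traffic already aimed at the
#    published service is redirected.
add chain=dstnat action=dst-nat to-addresses=192.168.1.5 protocol=tcp \
    dst-address=192.0.43.10 dst-port=443 \
    comment="hairpin: LAN client -> public IP -> internal server"

# 2. After dst-nat the server sees the client's real LAN address and would
#    reply to it directly, bypassing the router. The client then receives a
#    SYN/ACK from 192.168.1.5 for a connection it opened to 192.0.43.10 and
#    resets it. Masquerading the source forces replies back through the
#    router, where the dst-nat is reversed. Keep it narrow: only the LAN
#    subnet talking to the server on the published port.
add chain=srcnat action=masquerade src-address=192.168.1.0/24 \
    dst-address=192.168.1.5 protocol=tcp dst-port=443 \
    comment="hairpin: force replies back via the router"

# 3. Verification: the packet counters of both rules should rise when a LAN
#    client opens https://www.example.com, and the connection table should
#    show a reply-dst of 192.168.1.5 for the client's connection.
/ip firewall nat print stats
/ip firewall connection print
```

Note that the NAT table printed in the question already contains a masquerade rule for 192.168.0.0/24 to 192.168.0.0/24, which covers step 2 for that subnet; what is missing there is the dstnat rule without `in-interface=wan` from step 1. The printed table also uses 192.168.0.10 and a 114.134.x.x address rather than the 192.168.1.5 and 192.0.43.10 given in the prose, so substitute whichever set is real before adding the rules.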