Port forwarding when connecting from LAN to external address
Posted: December 12, 2014
So, you have a web server sitting in your LAN, with the IP address 192.168.101.11.
You set up port forwarding on your MikroTik router, and anyone from the Internet can now connect to your web server quite happily.
Except for yourself.
None of the requests to the external address of your web server ever gets a response as long as your computer has an IP address from the internal address pool of the LAN.
Now, fire up the MikroTik console or log in with SSH and run these two commands:
ip firewall nat add chain=dstnat dst-address-type=local protocol=tcp dst-port=80 action=dst-nat to-address=192.168.101.11 to-port=80
ip firewall nat add chain=srcnat src-address=192.168.101.0/24 dst-address=192.168.101.11 protocol=tcp dst-port=80 out-interface=bridge-local action=masquerade
Why is this happening? You may want to read about hairpin NAT.
The idea in a nutshell: your client computer requests data from the server via the router, but the server sends its response back to the client directly. The client gets confused, because it does not know what to do with data that (as far as it is aware) it never requested, and drops it. So we tell the router to pretend to the server that it was the router itself that requested the data (we tell the server nothing about the client) and, upon receiving the response, to pass it on to the client. In short, we ask the router to remain the middleman for the whole length of the communication, not only for the requests from the client, as is normally done when requests come from external networks with their foreign addresses.
A side effect of this is that all requests to the server will seem to come from the same IP address, that of the router. So, as long as your colleagues are connecting to the external IP address of the router, you will not be able to tell, for example, which of them browsed the web pages of the local server.
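The packet flow described above, traced in a small Python model (an added example, not code from the original post). Only the server address and the LAN subnet come from the post; the client address, the router's LAN and external addresses and the client port are constructed for illustration.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")

# Constructed addresses: only SERVER and the 192.168.101.0/24 subnet are from the post.
CLIENT, SERVER = "192.168.101.50", "192.168.101.11"
ROUTER_LAN, ROUTER_WAN = "192.168.101.1", "203.0.113.10"


def simulate(hairpin):
    """Trace one TCP/80 request from a LAN client to the router's external address.

    Returns (source IP the server sees, whether the client accepts the reply).
    """
    request = Packet(CLIENT, 40000, ROUTER_WAN, 80)
    # The client only accepts a reply that mirrors the connection it opened.
    expected_reply = Packet(request.dst, request.dport, request.src, request.sport)

    # dstnat rule: rewrite the destination to the internal server.
    translated = request._replace(dst=SERVER)
    # srcnat masquerade rule: also rewrite the source to the router's LAN address
    # (simplification: the source port is kept unchanged).
    if hairpin:
        translated = translated._replace(src=ROUTER_LAN)
    # The router remembers how to undo its translation for replies it receives.
    conntrack = {
        Packet(translated.dst, translated.dport, translated.src, translated.sport):
            expected_reply
    }

    # The server answers whatever source address it saw.
    reply = Packet(SERVER, 80, translated.src, translated.sport)
    if reply.dst == ROUTER_LAN:
        # The reply goes back to the router, which reverses both translations.
        reply = conntrack[reply]
    # Otherwise the reply crosses the LAN directly to the client, untranslated.
    return translated.src, reply == expected_reply


if __name__ == "__main__":
    for hairpin in (False, True):
        seen, accepted = simulate(hairpin)
        print(f"masquerade={hairpin}: server sees {seen}, client accepts reply: {accepted}")
```

With the masquerade rule the client accepts the reply, and the source address the server records is the router's, which is the logging side effect described above.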