hairpin

RBrogen

... extra to allow a user to type in a url that has to go out of the fireall and back in to work. I believe it has to do with a NAT Loopback or Hairpin NAT. I have tried and am currently trying different approaches with that but it doesn't seem to want to work. Can someone please point me in ...

Sob

It's not blocked by your firewall, since you don't have any. Srcnat on WAN doesn't have any conditions, so that's not breaking it. Mangle rules won't touch it, so no problem there either. It seems to me that if VPN client 192.168.89.x tries to route internet traffic via this router, it should work. ...

chindo

Good news! If you have server in LAN1 (one subnet) and clients in LAN2 (another subnet), then the problem that's solved by hairpin NAT doesn't occur. So you don't need hairpin NAT. Your problem (aside from non-existent firewall filter section, but that's another story) is the mangle ...

chindo

Good news! If you have server in LAN1 (one subnet) and clients in LAN2 (another subnet), then the problem that's solved by hairpin NAT doesn't occur. So you don't need hairpin NAT. Your problem (aside from non-existent firewall filter section, but that's another story) is the mangle ...

chindo

Well when you have to have a consistent config, and plan. You are stuck between assigning subnets to ports, and having vlans. Suggest if you are considering doing vlans, drop subnets to ports. If not, then drop vlans. Let me know which way you go as I dont want to waste time. Hi there, Sorry I shou...

IgoRR

... dst-address=192.168.11.0/24 out-interface=REMOTE-3_L2TP src-address=192.168.1.0/24 add action=masquerade chain=srcnat comment="HAIRPIN NAT GENERAL LAN" dst-address=192.168.1.0/24 out-interface=LAN-bridge src-address=192.168.1.0/24 /ip route add disabled=no dst-address=172.16.16.0/24 ...

kleshki

... dhcp-options=clientid disabled=no interface=LAN /ip firewall address-list add address=*WHITE_IP* list=RealIP add address=10.100.0.0/16 list="Hairpin NAT" add address=10.10.0.0/16 list="Hairpin NAT" add address=192.168.188.0/24 list="Hairpin NAT" /ip firewall filter ...

mktbm

Thank you for the help, adding the following rule solved the issue I was having.

/ip firewall nat
add action=masquerade chain=srcnat comment="hairpin NAT" dst-address=10.0.0.0/24 src-address=10.0.0.0/24

anav

Post your complete config minus the usual, please, the snippets you show are not useful without context of the rest of the config.
I also have my doubts as to complete success...........

ilgmars

All good points, thank you. Some of the configs got mangled when sanitizing :) So I got this fixed by monkeying around. Not sure about the exact mechanics for it, but the local network masquerade started to work after I added these 2 rules, address list entry and a route: > ip firewall/mangle/ print...

anav

... add action=drop chain=forward comment="Drop all else" /ip firewall nat add action=masquerade chain=srcnat comment=hairpin dst-address=192.168.88.0/24 src-address=192.168.88.0/24 add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN ...

anav

... or particular application. This occurs at layer2 and is oblivious to firewall rules etc......... just works. Server-LANIP : Port# 2. Next is the hairpin nat problem, you want users to access the Server by DYNDNS URL that identifies the public IP of the router. It could be a paid or free one available ...

ilgmars

... the network sorted than host a DNS server. b. if needing to access them by DYDNS URL (representing the WANIP of the local router ) then will need hairpin nat associated rules but would be much easier to create a separate subnet for servers.......... or users........ Yes, that is what I was thinking ...

anav

... a. why not access them by direct LANIP. b. if needing to access them by DYDNS URL (representing the WANIP of the local router ) then will need hairpin nat associated rules but would be much easier to create a separate subnet for servers.......... or users........ There is no circumstance here ...

ilgmars

Hi,
Thank you for your reply. Adding the details.

I think that this is the first schematic I have ever made

Hope that it is not too basic.

chrsetup-basic.jpg

I am selectively getting them to use the CHR Public address by adding routing rules.

anav

... Try these changes first.................... If still not working please detail what doesn't work. Then next add this hairpin nat rule. /ip firewall nat add chain=srcnat action=masquerade src-address=10.0.0.0/24 dst-address=10.0.0.0/24

anav

First will need both the CHR config and your home config /export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.). Second are you getting your external users (that need access to the server on your home LAN) to use the public IP of the CHR. dyndnsURL:port# w...

vingjfg

... 10.0.0.10 to the client, which expected a reply from 10.0.0.1. The client drops that datagram. If you *really* want to work that way, look into hairpin NAT.

ilgmars

... is being used as an internet gateway for some of the machines that sit on 192.168.88.0/24. Everything seems to be working as expected apart from hairpin-nat, when trying to reach locally hosted resources over public IP (Tried only via the CHR). The way the connection is set up for those machines ...

AlexX9

... the server is connected to is part of the default LAN bridge, if that's what you mean. I'm using defconf and have only enabled IPv6, added Hairpin NAT and some port forwards. If what you're asking is why I don't scan from within the same network then that's because I have firewalls upstream, ...

anav

Nice to see you Sob!!

Sob

Good news! If you have server in LAN1 (one subnet) and clients in LAN2 (another subnet), then the problem that's solved by hairpin NAT doesn't occur. So you don't need hairpin NAT. Your problem (aside from non-existent firewall filter section, but that's another story) is the mangle ...

ringrring

Thanks very much, yes I can see them using the IP addresses. I think I will continue to use that as hairpin is beyond my understanding and will be on the increasing pile of things to pick up later.

anav

... will not work without modifications. Easiest is to move users or server to different vlan. If you elect not to do that then you need to address a hairpin nat scenario. HAIRPIN NAT 1. Regardless of type of WAN connection, a single Source NAT rule is required. /ip firewall nat add chain=srcnat action=masquerade ...

anav

Well when you have to have a consistent config, and plan.
You are stuck between assigning subnets to ports, and having vlans.
Suggest if you are considering doing vlans, drop subnets to ports.
If not, then drop vlans.

Let me know which way you go as I dont want to waste time.

chindo

I know there are lots of posts about hairpin NAT but none of them seem to apply to my setup, so here goes. WAN1 - Ether1 Static Public IP 1.1.1.1 WAN2 - Ether2 Static Public IP 2.2.2.2 LAN1 - Ether6 10.0.15.0/24 LAN2 - Ether7 10.0.25.0/24 LAN3 ...

llamajaja

... is that the port does not appear on scans, and instead of port visible and closed, it is simply not visible. An additional problem occurs for the hairpin nat case. Here you want to direct users ON THE SAME SUBNET as the Server, to the server via the WANIP, aka typically an easier to remember dyndns ...

anovojr

Well, yeah the issue might be with the ISP, have you check it? For the SSH and RDP issues within your network, it seems like a case of hairpin NAT not being configured or working as intended. This is where traffic from your internal network to your public IP isn't being routed back correctly. ...

mkx

No, hairpin NAT is not the problem here, communication between client on site B and server on Site A has to pass router (actually both of them) in both directions (if it doesn't, then one needs hairpin NAT). The problem here ...

anav

Hi Chechito not sure hairpin or what applies here, I get muddled trying to work my way through it.

Josephny

... traffic for A.dyndns.org to be routed via the Wireguard interface? Then one has to deal with that traffic at arrival at Device A................ Hairpin NAT??? /ip dns static add regexp=["a.dyndns.org]" address=wireguardIP/32 No idea.

llamajaja

... words any traffic queries for that URL should go through wireguard. Then one has to deal with that traffic at arrival at Device A................ Hairpin NAT??? /ip dns static add regexp=["a.dyndns.org]" address=wireguardIP/32 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ...

CGGXANNX

... of the other host. If that's the case it will be worsened by the fact that the router will even perform NAT on the packets due to the " hairpin NAT for bridge-10 " rule that you have in the firewall configuration. Side note: all the dst-nat rules for port forwarding to 10.10.10.251 ...

burnduck

... log-prefix=rule20 /ip firewall nat add action=masquerade chain=srcnat out-interface=sfp28-1 add action=masquerade chain=srcnat comment="hairpin NAT for bridge-10" \ disabled=yes dst-address=10.10.10.0/23 src-address=10.10.10.0/23 add action=masquerade chain=srcnat comment="hairpin ...

slaz

What is listening on IP address 192.168.200.1 and what on 192.168.200.11?: Line 458: add action=dst-nat chain=dstnat comment="Wireguard hairpin nat" !connection-bytes !connection-limit !connection-mark !connection-rate !connection-type !content disabled=no !dscp !dst-address dst-address-list=WANs ...

erlinden

What is listening on IP address 192.168.200.1 and what on 192.168.200.11?: Line 458: add action=dst-nat chain=dstnat comment="Wireguard hairpin nat" !connection-bytes !connection-limit !connection-mark !connection-rate !connection-type !content disabled=no !dscp !dst-address dst-address-list=WANs ...

slaz

... action=drop chain=input in-interface-list=!LAN /ip firewall mangle add action=mark-connection chain=prerouting comment="Mark connections for hairpin NAT" dst-address-list=WANs new-connection-mark="Hairpin NAT" passthrough=yes src-address-list=LANs add action=mark-routing chain=prerouting ...

tesme33

Hi
thanks for the idea. Will try it. But for now i needed to switch back to my old router.

CGGXANNX

... subnet but then add a srcnat rule to the firewall, to masquerade connection from 172.17.20.0/24 into 10.0.0.0/16 (similar to what is done for Hairpin NAT). That way, when client from 172.17.20.0/24 access 10.0.0.0/16, the source address of the packet sent will be changed to the 10.0.0.1 address ...

anav

... add action=drop chain=forward comment="drop all else" (2) Not sure if order is critical but best to do this.... ( fixed your hairpin rule as well) /ip firewall address-list add name=MYNETNAME list=M yWAN comment="dyndns from my IP Cloud settings" /ip firewall nat ...

tesme33

... 7.14.2 onto my mikrotik router and i want to use it for internet access. As i have my mailserver at home i have some NAT what i also want to hairpin. i used the quickset on the WEB IF to make the initial config including the NAT i needed. And then i wanted to add HAIRPIN. I watched this video ...

xstrid3rx

... comment="defconf: masquerade" \ ipsec-policy=out,none out-interface-list=WAN add action=masquerade chain=srcnat comment="HAIRPIN NAT" dst-address=\ 192.168.50.0/24 log-prefix=NAT src-address=192.168.50.0/24 add action=dst-nat chain=dstnat dst-port=6668 protocol=tcp ...

anav

... (4) Now onto the port forwarding firewall rule is fine Format for hairpin is not quite correct. Typically its ( and no out interface nor protocol ) add action=masquerade chain=srcnat comment="Hairpin NAT" ...

svenvg93

... add action=drop chain=input comment="Drop all else" /ip firewall nat add action=masquerade chain=srcnat comment="Hairpin NAT" disabled=yes dst-address=172.16.10.3 out-interface-list=WAN protocol=tcp src-address=172.16.10.0/24 add action=masquerade chain=srcnat ...

anav

Sorry your missing the complete config so unable to comment with certainty/
/export file=anynameyouwish ( minus router serial number, any public WANIP info, )

svenvg93

Hi All, Im trying to setup Hairpin NAT. So my lan clients can reach the server via the public domain name. I created a DNAT rules that works from the outside. But the hairpin nat rule that i made based on: https://help.mikrotik.com/docs/display/ROS/NAT#NAT-HairpinNAT ...

Josephny

... add action=drop chain=forward log=yes /ip firewall mangle add action=mark-connection chain=prerouting comment=\ "Mark connection for hairpin" disabled=yes dst-address-list=dynamic-WANIP \ log=yes new-connection-mark="Hairpin NAT" passthrough=yes src-address=\ 192.168.2.0/24 ...

BinaryTB

... dynamic 0 ;;; defconf: masquerade chain=srcnat action=masquerade out-interface-list=WAN log=no log-prefix="" ipsec-policy=out,none 1 ;;; Hairpin NAT chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=192.168.1.0/24 out-interface-list=LAN log=no log-prefix="" ...

cosinguyen93

... nat add action=masquerade chain=srcnat comment="Internet" out-interface=all-ppp add action=masquerade chain=srcnat comment="Hairpin" dst-address-list=lanAddresses src-address-list=lanAddresses add action=masquerade chain=srcnat out-interface=bridgeLAN <<< here It worked. ...

MakroTok

For dynamic WANIPs the dst nat rule usually has something like in-interface-list=WAN, which we replace with dst-address-list=external_wan where externel_wan is a firewall address list entry with an address=DDNSname If you have public address directly on router, you can skip DDNS and use this as DHC...

mkx

The "red" traffic will likely only pass bi-directionally if you'll implement hairpin NAT for that "public to public" NAT. Without it, webserver 2 will try to reply to client (accessing abcabc.com:9999) directly, but client will reject this as it ...

anav

Hairpin via dns.................. Not a clue what it does though, assuming 192.168.88.68 is the IP of the server..... 3. DNS METHOD - AVOID NAT – REDIRECT LAN REQUEST VIA DNS Create the following rule! /ip dns static add address=192.168.88.68 ...

mkx

Well, in such a convoluted setup you'll have to think it out yourself. I'm not willing to guess the size of your problem and all the interactions.

But the fact is that NAT isn't exactly piece'a'cake in certain conditions.

wcsnet

the config files for applications get pushed globally both internal and external systems use them so one set of ports just makes for easier management

mkx

If servers need to communicate with each other, then ... I don't see why you couldn't configure them to communicate directly (over real ports)?

wcsnet

Okay that works, however what do I do with servers on the same subnet

mkx

... the best solution is to move server(s) into dedicated IP subnet. The dst-nat would then work the same way for both internet and LAN clients (no hairpin NAT necessary). BTW, DNS records have nothing to do with the way NAT is executed, NAT simply works on individual connections (and those are ...

wcsnet

Currently I have my local dns a records pointing to the router?

wcsnet

thanks @mkx

Sounds simple enough I how ever see one concern.
Some of my internal services run on different source ports and I would still require a dot-net to do the port translation

Example service runs on port 1050 and the clients use 5050

HalfWolf

... - FT/CTF turned on implies that QoS/Bandwidth Limiting are ignored and I want to have the full bandwidth available for QoS/BW Limit working Hairpin/NAT Loopback - currently the only way I can connect from my PC to the server is to have a LAN IP entry for the domain the server is using in ...

mkx

If you want to see actual source IP addresses, then you must not use hairpin NAT ... i.e. use split DNS where A record for public internet points at your router's WAN IP address (and plain dst-nat is enough to have connection working). And A record for "same ...

wcsnet

... some web services I run the source ip address is extremely important. These web services run both internal and external to the network. When using hairpin nat (src-nat -> masquerade ) I obviously lose the ability to see the source ip address. Is there I way I can use the static dns entries on the ...

lanslot

I raised the issue in both places. Thank you both!

lanslot

Currently UPnP and Hairpin NAT does not work together. It is because the dynamic dst-nat rules created by UPnP has the in-interface=<external> filter. It would be nice to remove this filter from dynamic rules created UPnP, either by ...

Right here.

TheCat12

I would try here:

viewtopic.php?t=45934&hilit=Feature&start=1500

lanslot

Thanks for confirming! Do you by any chance know how to submit feature requests to MikroTik? It would be nice for them to add a config option to remove the in-interface=ether1 filter from dynamic dst-nat rules. Unfortunately, yes. And the only workaround I see is to make the addresses of the UPnP en...

TheCat12

Is my understanding above correct? Unfortunately, yes. And the only workaround I see is to make the addresses of the UPnP enabled devices static and add your dst-nat rules before the dynamic ones because, as you're probably familiar with, rules are processed in ascending order relative to their pla...

lanslot

... this didn't work. I think the problem is in the dst-nat rule #3, not in the src-nat rules. Here is my understanding of the packet flow for Hairpin NAT (Scenario A): Say a LAN client at 192.168.1.100 sends a TCP SYN packet to my web server at <WAN_IP>:80 The packet enters the router at the ...

anav

... in the Forward Chain vice DSTNAT ?? 7. Not sure why you are mangling or using UPNP for that matter. I would remove it and use the normal sourcenat hairpin rule. add chain=srcnat action=masquerade src-adddress=192.168.1.0/24 dst-address=192.168.1.0/24 Edit; Ahh I see you already have it in place, ...

RhoAius

... Yes you can with port forwarding Do a dstnat and the "to Address" field should be the ip of the module 10.10.1.1 You will need "Hairpin NAT" if you want to access the status page via the dstnat from within the network

mbovenka

... looking up the domain name from the inside gives you the internal address, and doing so from the outside gives you the external address. 2) Proper hairpin NAT, so that packets from the inside to your external address get bounced to the internal address. Either way the CRS305 has nothing to do with ...

TheCat12

Maybe change action=masquerade and set dst-address to be the one of the server on the hairpin nat rule as well as on the defconf rule unless there is a reason to be src-nat:

/ip firewall nat
set 0 action=masquerade src-address=""
set 1 action=masquerade dst-address=192.168.1.2

TheCat12

@adispy My bad, it's not possible to list out separate ports in the to-ports section. You can leave it blank and the rule will work as intended.

adispy

Thank you very much for your help guys. In the end I followed DeadStik advice and by removing the In. Interface from the DST-NAT rule, the HairPin NAT started working. @ TheCat12 just curious how you manage to put those ports in the to-ports section of the rule, because it does not let me. ...

TheCat12

... in-interface=RDS_PPOE_01 dst-port=443,80,8080,8443 log=no log-prefix="" Secondly, I think the problem is that the Hairpin NAT rule is before the dst-nat rule whereas it should be the opposite because rules in Mikrotik are processed in ascending order (from top to ...

adispy

Sorry about that. Here it is. PUBLIC IP 1 - main IP for internet connection PUBLIC IP 2 - second public IP for my email and web services 0 ;;; HairPin NAT chain=srcnat action=masquerade protocol=tcp src-address=192.168.10.0/24 dst-address=192.168.10.10 log=no log-prefix="" 1 ;;; defconf: ...

anav

Yes its your config, which we know nothing about and thus cannot comment on

DeadStik

More likely your DST-NAT rule is not working as you intended. Using in-interface or in-interface-list limits the rules to those interfaces which local users do not reach.

lanslot

Hi there, I am having some trouble getting UPnP and Hairpin NAT to work together. Can you help? NAT is working for my web server with src-nat rule #0 in the config and dst-nat rule #2 Hairpin NAT is also working for devices on the LAN to access the ...

adispy

Thanks for the reply, but it's still not working. 0 ;;; HairPin NAT chain=srcnat action=masquerade protocol=tcp src-address=192.168.10.0/24 dst-address=192.168.10.254 log=no log-prefix="" I have also tried putting 192.168.10.10 as the dst-address ...

jjmuriel

... LAN de NTP (UDP-123) a enrutador." dst-port=123 \ protocol=udp src-address=192.168.111.0/24 add action=masquerade chain=srcnat comment="Hairpin NAT para HA" dst-address=\ 192.168.30.10 src-address-list=HA_CON add action=dst-nat chain=dstnat comment="HA Yellow-Acceso desde Internet" ...

anav

out-interface=LAN is not required.

TheCat12

The second rule is almost correct, provided that dst-address is the one to which you want to hairpin nat and you've made the rest of your configurarion properly as @anav already said: /ip firewall nat add chain=srcnat action=masquerade src-address=192.168.10.0/24 dst-address=192.168.10.254 ...

anav

Yes, with proper config........
https://help.mikrotik.com/docs/display/ROS/NAT
https://help.mikrotik.com/docs/display/ ... HairpinNAT

adispy

Hello everyone, I am trying to set up my hairpin NAT but no matter what I do can't seem to make it work. I have two PPPOE WAN IPs and I have tried using: 0 chain=srcnat action=masquerade src-address=192.168.10.0/24 dst-address=192.168.10.0/24 ...

jaclaz

... are trying from another connection through internet it should be enough. If you are trying from the same network, then you will need additionally hairpin NAT: https://help.mikrotik.com/docs/display/ROS/NAT#NAT-HairpinNAT

baragoon

Hairpin NAT

DeadStik

If the DNS server is in the same IP scope, it would be broken without the masquerade rule. This is the same issue as Hairpin NAT.

If you use an IP outside of your LAN IP scope, there is no need for the rule as the packets would return to the router already.

Amm0

... not steps. e.g. even after much reading, still not find the perhaps 5-10+ lines of config to adapt the default firewall for SOHO things like hairpin NATs or blocking inter-VLAN routing. And that's if you figured out VLAN bridging first. A SOHO user may lack networking knowledge, but may be ...

MTNick

You're right, the Hairpin NAT has 0 traffic in the counters. So, it's not needed. Tested, proved lol If access using LAN is working, I'd say the OP is wrapped up. OP stated external access is good. Now internal access is as well. The ...

Mesquite

... similar in concept to what you have offered, but since I dont understand it at all,,,,,,, just putting it out there. I don't even think you need hairpin nat rule with this one. For the example 192.168.88.68 is the local LAN server IP and myserver is the domain name. Create the following rule! ...

MTNick

... port 443. In the test router, the following NAT rules are applied: /ip firewall nat add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=192.168.88.0/24 protocol=tcp src-address=192.168.88.0/24 add action=dst-nat chain=dstnat comment="Server - HTTPS" ...

MTNick

... users using the DOMAIN name Do NOT reach the servers Exactly. It seems counter-intuitive to me, but that's, what it is. The above points to the hairpin NAT rule. The domain name shouldn't be needed in the address list. But I see what's trying to be accomplished. Has a static DNS been attempted ...

MTNick

... nat add action=masquerade chain=srcnat comment="ISP Masquerade" out-interface-list=WAN add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address-list=expected-address-from-LAN out-interface-list=LAN protocol=tcp src-address-list=expected-address-from-LAN add action=dst-nat ...

MTNick

Hi Mesquite. Stop yelling at me lmao (1) The hairpin nat rule is port/protocol agnostic. Not required. He has the correct rule. ----- Didn't know this. But still, this rule works haha. (2) The dstnat (port forwarding rules) can very much so have ...

Mesquite

Hey MTNICK. (1) The hairpin nat rule is port/protocol agnostic. Not required. He has the correct rule. (2) The dstnat (port forwarding rules) can very much so have a different dst port, the one hitting the router, and a to-port the ...

MTNick

Hello atais & Mesquite. Hoping I can help out on this one. Looking at the Hairpin NAT rule. It's missing the protocol & you might as well add the out-interface-list=LAN. I've got the same scenario that's been working well for a long time. I can access my ...

Mesquite

... firewall rule allowing port forwarding add chain=forward action=accept connection-nat-state=dstnat comment="port fowarding" You need a hairpin nat source nat rule in case you want internal users to be able to access the server by the WANIP or DNS name. +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Mesquite

... and get port forwarded to the router. dst-address=actual WANIP for static, in-interface=WAN for dynamic. ( dst-address-list=some dyndns URL for hairpin) OR you connect directly to the LANIP of the server from internally. THere is no such thing or even a good idea to connect using the interface ...

Mesquite

... IP address as if you were coming in from externally. Boggles my mind, why not just use the LANIP address LOL. In any case you are running into hairpin NAT. 1. Solved partially by adding this sourcenat rule put at the top of the order add action=srcnat chain=masquerade src-address=192.168.88.0/24 ...

optio

This doesn't make sense since have hairpin dst-nat NAT rule for all outgoing DNS traffic from LAN to Pi-hole unless Chrome is performing DoH request to Google DNS when is set manually and that bypasses router NAT rules. Did you try with other ...

Kataius

... protocol=tcp src-address-list=!excluded \ to-addresses=192.168.55.55 to-ports=53 add action=masquerade chain=srcnat comment="PiHole hairpin NAT" dst-address=\ 192.168.55.55 dst-port=53 protocol=udp src-address-list=filtered add action=masquerade chain=srcnat comment="PiHole ...

bpwl

... subnet range Some reading : https://forum.mikrotik.com/viewtopic.php?t=201448 If you still want to have it on one L2 network, start reading about Hairpin NAT in this Forum

PhilipPeake

... add action=masquerade chain=srcnat comment="WG-UK VPN" out-interface=\ wireguard2 add action=masquerade chain=srcnat comment=\ "Hairpin - Loopback for external address" dst-address=10.0.0.0/24 \ src-address=10.0.0.0/24 add action=dst-nat chain=dstnat comment="Camera ...

PhilipPeake

... add action=masquerade chain=srcnat comment="WG-UK VPN" out-interface=\ wireguard2 add action=masquerade chain=srcnat comment=\ "Hairpin - Loopback for external address" dst-address=10.0.0.0/24 \ src-address=10.0.0.0/24 add action=dst-nat chain=dstnat comment="Camera ...

You may want to look into Hairpin NAT.

https://help.mikrotik.com/docs/display/ ... HairpinNAT
or
viewtopic.php?t=172380

TheIBM

... now I can't get past the router DMZ address from the LAN. I've tried umpteen configurations to no avail. Gone round in circles actually. I tried hairpin and simple routing. If I get one side working it breaks the other. Rather than share a clearly incorrect set of configs can anyone share a working ...

patrikg

When i read this, something says me that your app even tries to connect to your wan ip.
If so you should look and enable the function hairpin nat.

https://help.mikrotik.com/docs/display/ ... HairpinNAT

Mesquite

... not static. Please confirm if your IP indeed does not change. If it indeed static, vingjfg dst-nat rules are correct. I personally prefer a wider hairpin nat rule, to account for potentially more servers and users involved. To- ports are not required if same as dst-ports. Finally if static, then ...

vingjfg

... all I asked. Regarding your test, I suspect you are trying from the same network as your server is on. This cannot work as is, as this needs hairpin NAT. For all to work correctly, your NAT rule should look like this. Replace <PUBLIC IP> with your actual public IP. /ip firewall nat add action=masquerade ...

vingjfg

... internal server (note: using the real IP, not the external)? Lastly, if you try from the inside using the external IP, you will need to set up a hairpin NAT, which I do not see in your configuration. Regarding the source NAT: the in-interface describes the interface which receives the packet ...

schoudhry

... to the correct local ip addresses in Adguard (or whatever DNS server in use) Port forward 80 and 443 to NGINX proxy on the WAN interface Have hairpin NAT rule. I added x.x.x.x/24 to x.x.x.x/24 for all ports Generated Let's Encrypts certificates through NGINX. Then exported and imported into ...

gabrielrocha

You need a HairPin NAT. https://help.mikrotik.com/docs/display/ROS/NAT (about a quarter of the way down the page) Edit: I misread the question (that's what I get for doing it FAST), so this answer is not likely what you need... ...

k6ccc

You need a HairPin NAT.
https://help.mikrotik.com/docs/display/ROS/NAT (about a quarter of the way down the page)

Edit: I misread the question (that's what I get for doing it FAST), so this answer is not likely what you need... sorry.

mkx

... NAT device. As client originally started connection towards WAN IP, reply from server's LAN IP is not valid. One of solutions is implementation of hairpin-NAT and your second src-nat rule is a variation of it. One of side effects of hair-pin nat is that all connections appear to come from router ...

adispy

... 6. Set you masquerading rule to send traffic only on the first public IP/PPPOE connection. This will cause another problem with the hairpin NAT rule if you have one, in that it is not going to work anymore. 4.png It should work now, your internal server should get the public IPs ...

adispy

One other thing that I have noticed is that if I masquerade just one public IP (primary one) the hairpin NAT rules is not working anymore.

adispy

... protocol=tcp dst-address=<PUBLIC_IP_02> connection-mark="" in-interface=RDS_PPOE_02 dst-port=80,443 log=no log-prefix="" 5 ;;; Hairpin NAT Sophos Proxy chain=dstnat action=dst-nat to-addresses=192.168.10.10 protocol=tcp src-address=192.168.10.0/24 dst-address=<PUBLIC_IP_01> ...

adispy

... connection-nat-state=!dstnat \ connection-state=new in-interface-list=WAN /ip firewall nat add action=dst-nat chain=dstnat comment="Hairpin NAT Sophos Proxy" \ dst-address-list=!192.168.10.254 dst-address-type=local dst-port=80,443 \ protocol=tcp src-address=192.168.10.0/24 ...

system7

... W/ this rule, I should see my web server from outside the network, sadly I cannot! BUT if I add another rule what is for - as I know - for hairpin (to see my website inside the network) add action=masquerade chain=srcnat dst-port=443 protocol=tcp So, if I add these rules, after that I can ...

vingjfg

... host routes (my preferred version but that's personal). For the NAT configuration, there are some issues, see the corrections below. There is no hairpin NAT, so you won't be able to reach the servers using the public IP. This explains why you connect to the device when you use the public IP addresses. ...

anav

Glad its working for you!!

OctarineGlow

Ah, thanks so much y'all! Turns out it my issue was the in-interface-list=WAN in the original dst-nat rule. I got a real kick out of Sob's bit there, it's foolproof, you can't mess it up (ok, I know I underestimate creativity of some people) But here we are. The final working rules are chain=dstnat ...

jaclaz

The whole post by Sob:
viewtopic.php?t=179343#p892135

anav

... nats the traffic from 192.168.88.1 to the original 192.168.88.5 and the packet arrives at the client and is accepted. Finally this explanation on hairpin nat from MKX is invaluable! Standard SRC-NAT is masquerading source address and standard DST-NAT is masquerading destination address . And hairpin ...

sergeyseleznev

... but I want to use the public DNS name always to avoid TLS issues. As far as I understand, in IPv4 this problem can be solved by hairpin NAT. However, I couldn't manage to implement it with IPv6 and I'm not sure it's even applicable here. Thanks in advance for your help!

OctarineGlow

Anav, it's quite possible this is a foolish way to solve things. Currently, local users can access the site just fine through the LANIP, and I can access it on the desktop through localhost. I'd mostly prefer the consistency of having only one address. Hosting it on a different device on a different...

anav

Yes, nothing like a short video showing how the electrons are moving about, with some appropriate IPs, and text, would make it crystal clear, but I dont have those skill sets. I relied on explanations from others like MKX, to help understand. Its not something that sticks and have to relearn every t...

The difficult bit isn't regurgitating canned examples into the CLI, it's understanding what it does. Case in point, this thread's OP.

anav

There we disagree,
add chain=srcnat action=src-nat dst-address=SubnetofServer src-address=SubnetofServer

Is tres simple!! In zyxel speak, there was a checkbox called loopback to enable. Never knew what it was for until I started using MT devices.

... away is rare, so it costs me nearly nothing to switch the URLs when needed. My broader point is, for some applications, the automatic magic of hairpin NAT isn't pulling its own weight in terms of the complexity it adds to the router's configuration, so why add it?

anav

So you are using an application to do this???? Me is confused. My impression then was incorrect. I thought you were using a. mynetname or some other dyndns URL when external to the router to access your server AND b. you were able to construct an internal URL of sorts ( a way of pointing to the inte...

... site, I'd keep two different bookmarks in my browser, selected depending on where I am at the moment. Yes, these methods require a bit of thought. Hairpin NAT saves you from having to think about it, but I don't think it's worth the bother, in the main.

anav

... there are a variety of reasons. What you are suggesting is KEEP the NAME method but NOT to use the external WANIP and this quite neatly avoids the hairpin nat problem. I also recommend simply moving the server or users to different subnet also avoiding the issue ( vlans are what .0001c - cheap) ...

mkx

... or out-interface instead of lists, then it's the out-interface-list=WAN which should be removed). As to the problem: you need to implement hairpin NAT . Without it, in your case, packets from client towards server go via router (who does port forwarding), but return packets go directly ...

... covers the example's 10.0.0.3 host and anything else inside the example's private LAN. If you have only one host inside the private LAN that needs hairpinning, you could write this example's rule as "10.0.0.3/32" instead. I'm afraid I just don't have that firm a grasp on it, though. Hairpinning ...

OctarineGlow

... DNAT worked like a charm, and the website's address resolves just fine outside of my LAN, but I'm having trouble interpreting the documentation on hairpin NATs. The example in the documentation is: /ip firewall nat add chain=dstnat action=dst-nat dst-address=172.16.16.1 dst-port=443 to-addresses=10.0.0.3 ...

fionaellie

... DDNS (Cloudflare). I have checked to be sure the a record is indeed the same as the public IP. I have a feeling my issue is related to the way hairpin NAT is configured. [admin@MikroTik] > ip firewall nat print Flags: X - disabled, I - invalid; D - dynamic 0 D ;;; back-to-home-vpn chain=srcnat ...

Spaider

... firewall nat add action=masquerade chain=srcnat disabled=yes out-interface=wg2 /ip firewall nat add action=masquerade chain=srcnat comment="Hairpin NAT for Home Assistant" dst-address=192.168.88.60 dst-port=443,8123 log-prefix=hair-pin protocol=tcp src-address=192.168.88.0/24 /ip firewall ...

Pillendreher

Thanks! Just fyi: I got it to work by creating the hairpin NAT rule like this:

https://superuser.com/questions/663820/ ... airpin-nat

Hope that works for you as well

henkieb

Hairpin is only in case of the internal server cannot be reached from the LAN side right? My problem is only from the WAN side. From LAN 192.168.88.50/console works fine, from WAN external ip:8091/console the server (which ...

gigabyte091

Public IP (that was the previous way) and they would like to keep it that way

Well in that case you need something called hairpin nat: https://forum.mikrotik.com/viewtopic.php?t=172380

abbio90

https://foisfabio.it/index.php/2022/12/ ... -routeros/

anav

A couple of pointers on the last post. 1. The dst-nat rule does not require dst-address-type=local . 2 The general hairpin nat rule that will cover all servers in a subnet, or if just one............ one rule. add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address= ...

MTNick

... protocol=tcp to-addresses=Local.Server.IP If your trying to access the server from your LAN/wifi, using the external website address, add the Hairpin NAT as well (don't forget to edit & add your network/server/ISP info): /ip firewall nat add action=masquerade chain=srcnat comment="Hairpin ...

dalben

... Container running on my Unraid server. Everything works when accessing from WAN, but unfortunately not when connecting from LAN. I even added an Hairpin NAT rule , yet that didn't work either. Did you set the rules up in Adguard Home? Yep, setup the rules in AGH / Filters / DNS rewrites. Pointed ...

Pillendreher

... Container running on my Unraid server. Everything works when accessing from WAN, but unfortunately not when connecting from LAN. I even added an Hairpin NAT rule , yet that didn't work either. Did you set the rules up in Adguard Home?

Rihards9229

... is critical, but its also very smart to organize chain rules together for easy reading to spot errors etc................ (3) I see you have a hairpin SourceNat Rule which tells me you have users on the same subnet as your server and you want them to use the dyndns name vice the direct LANIP ...

anav

... is critical, but its also very smart to organize chain rules together for easy reading to spot errors etc................ (3) I see you have a hairpin SourceNat Rule which tells me you have users on the same subnet as your server and you want them to use the dyndns name vice the direct LANIP ...

k6ccc

The Hairpin is used so that you can access the server from your local LAN using the public IP address or URL. To get port 80 to forward to the server you need a Destination NAT add action=dst-nat chain=dstnat comment="Web ...

vingjfg

I think you meant SERVER!

Correct, server not router.

robmaltsystems

Thanks everyone for their input here. Fascinating subject. I will return to this soon as I'm like a dog with a bone on things like this. Probably spend hours learning (which is good) for a real edge case. But then again, I spent hours bringing a 10 year old laptop back to life!

letmeout

You need to add hairpin NAT if you want DNS lookups on dstnat IPs to work from the inside.

I tried but it didn't work

im not shure how to setet corect

anav

... has a typo...... Lastly, You may opt to isolate the router on its own subnet. In that case, only the dstnat is needed as you are no longer doing a hairpin NAT. This would be my recommended solution as currently, you have a server directly reachable from the internet sitting in the middle of your ...

kd2om

I am hosting a webpage on my network, I have added the Hairpin rule, which seems to work as I can connect to the webpage from a pc on my lan. This only works if I set the webserver to a port other than 80. When set to 80 I get the router home page. ...

vingjfg

/ip firewall nat add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark="Hairpin NAT" log-prefix="Hairpin NAT Masquerade" add action=masquerade chain=srcnat comment="Default NAT Masquerade" out-interface=ether1.12 ...

robmaltsystems

Here is what it worked for me: And it worked for me on the DoH laptop.... I can see exactly what it's doing. Using mangle to mark packets from the LAN to the WAN which is then processed by the srcnat rule. Learning a lot here. Just need to zap my internal DNS zone record to make sure it works for c...

You need to add hairpin NAT if you want DNS lookups on dstnat IPs to work from the inside.

robmaltsystems

I was about to ask if somebody minded posting their firewall config that's using hairpin

anthonws

Here is what it worked for me: /ip firewall nat add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark="Hairpin NAT" log-prefix="Hairpin NAT Masquerade" add action=masquerade chain=srcnat comment="Default NAT Masquerade" ...

robmaltsystems

Another suggestion is to use another subnet. This might work for me as I have the main private Wi-Fi interface but also a second 10.0.0.0/24 VLAN used for guests. Will try connecting client DoH laptop to that. That didn't work either although I suspect when the article talks about putting the serve...

themrdrprof

... dst-address=FiberIP dst-port=32400 protocol=tcp to-addresses=10.0.0.61 to-ports=32400 add action=masquerade chain=srcnat comment="Hairpin NAT" disabled=yes dst-address=10.0.0.0/24 out-interface=sfp-sfpplus2 src-address=10.0.0.0/24 /ip firewall service-port set sip disabled=yes ...

robmaltsystems

Thanks for that - will have a look at that later too.

anav

Rule in forward chain needs to be add chain=forward action=accept connection-nat-state=dstnat The old default rule can be deleted but you need to add two more rules. THis one above it....... add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="internet traffic&q...

robmaltsystems

... where the LAN users and the Server are on the same subnet, all that is required is the following generic source NAT rule, often called the HAIRPIN NAT Rule placed as the first source NAT rule (although I have been told order here is not important). This required source NAT rule is independent ...

vingjfg

Hi, Your dstnat rules need to be changed (Hairpin isn't coming in from a WAN port) add action=dst-nat chain=dstnat comment=https dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=192.168.0.14 to-ports=443 instead of using in-interface-list=WAN, ...

robmaltsystems

... one can do with adguard/piehole/doh etc..... if the user is savvy enough. I'm not trying to block them using DoH as such but solve the classic hairpin issue. Not problem with them using DoH but this is what happens when you use DNS to workaround the hairpin issue: Clients on LAN using LAN DNS ...

robmaltsystems

Your dstnat rules need to be changed (Hairpin isn't coming in from a WAN port) That's what I suspected which is why removing it (WAN interface) fixed for these specific cases but broke everything else. This dstnat rule format was created by ...

anav

Its impossible to block or control DNS from an encrypted methodology to my knowledge.
In other words there are limits to what one can do with adguard/piehole/doh etc..... if the user is savvy enough.

rplant

Hi,

Your dstnat rules need to be changed (Hairpin isn't coming in from a WAN port)

add action=dst-nat chain=dstnat comment=https dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=192.168.0.14 to-ports=443

instead of using in-interface-list=WAN, perhaps use dst-address-type=local

robmaltsystems

... connection-nat-state=!dstnat connection-state=new \ in-interface-list=WAN /ip firewall nat add action=masquerade chain=srcnat comment=hairpin dst-address=192.168.0.0/24 src-address=192.168.0.0/24 add action=masquerade chain=srcnat comment="outgoing nat" ipsec-policy=out,none ...

robmaltsystems

I've read this thread: https://forum.mikrotik.com/viewtopic.php?t=179343 which is most useful in explaining the hairpin issue. Whilst I won't say my knowledge of NAT is deep, I understand the basic principals. I originally solved via the DNS approach as that, well, worked. My home ...

vingjfg

... NAT is problematic, you are changing the source IP to the same as the destination IP add action=masquerade chain=srcnat comment="for PiHole - Hairpin NAT" \ dst-address=192.168.0.17 dst-port=80 out-interface=vlan100 protocol=tcp \ src-address=192.168.0.0/24 to-addresses=192.168.0.17 You ...

anav

... server by the server LAN IP address directly, but by the roundabout method of using the Domain Name/url/dyndns type name. then yes you need the hairpin nat rule. If you move the users or server to a separate subnet, then that is no longer the case.

rseke

Ohhh this is so confusing for me,i cant add simple port forward to my server without this NAT HAIRPIN?

MTNick

... out-interface-list=WAN \ src-address-list=expected-address-from-LAN to-addresses=MY-WAN-IP add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address-list=\ expected-address-from-LAN out-interface-list=LAN protocol=tcp \ src-address-list=expected-address-from-LAN add ...

ductiena12

... comment="for WAN2 Connection" \ out-interface=pppoe-out-viettel add action=masquerade chain=srcnat comment=\ "for DVR Camera Apps - HairPin NAT" dst-address=192.168.0.60 dst-port=\ 8888 out-interface=vlan100 protocol=tcp src-address=192.168.0.0/24 add action=masquerade chain=srcnat ...

falcka

... in the hotel and went to our site – WireGuard will in that case send all traffic as usual, even internally. I’ve been experimenting with NAT hairpin/loopback in the affected VLAN, but the rules never shows any traffic being masqueraded to the gateway (UDP traffic in 10.203.86/23 with destination ...

keirstitt

... What I might try and do is use a spare rasberry pi and write something as a kernel module driving sk_buff directly to be an L2 NAT as a kind of hairpin - it will create a shadow device for everything on a particular VLAN that will allow it to hairpin.

martinszeltins

... connection-nat-state=!dstnat \ connection-state=new in-interface-list=WAN /ip firewall nat add action=masquerade chain=srcnat comment="[Hairpin / Loopback NAT] - Allow t\ o access the home server on public IP address from within LAN" \ dst-address=192.168.8.230 dst-port=80 out-interface=bridge ...

vingjfg

... need to masquerade behind the public IP, just behind the local IP of the router. /ip firewall nat add action=masquerade chain=srcnat comment=TEST-HAIRPIN dst-address=\ 172.16.0.0/24 src-address=172.16.0.0/24 to-addresses=103.xx.xx.xx Second, depending on what the IP-PLUIT address-list contains, ...

firsaavln

... \ new-routing-mark=ROUTE-SOSMED passthrough=no src-address-list=IP-PLUIT /ip firewall nat add action=masquerade chain=srcnat comment=TEST-HAIRPIN dst-address=\ 172.16.0.0/24 src-address=172.16.0.0/24 to-addresses=103.xx.xx.xx add action=masquerade chain=srcnat comment=TEST-HAIRPIN dst-address-list=\ ...

vingjfg

Config export, please.

firsaavln

... with a static wan public ip, sometimes it can't be accessed by the local network, but if from the outside network it works, I have applied hairpin but it doesn't work, my own local server ip is 172.16.0.249, when we access to ip 172.16.0.249 from the local network, we can't access the server ...

robmaltsystems

... chain=dstnat dst-port=21 in-interface-list=WAN protocol=tcp to-addresses=192.168.88.197 to-ports=21 I still need to do some reading of this hairpin issue as I'm about to replace my Virgin Media Superhub with a hAP ax2 router so I'm using RouterOS all the time at home. I do have a bit of ...

OliZi

... W1" dst-address=\ 81.223.59.XXX dst-port=80 protocol=tcp to-addresses=10.0.0.60 to-ports=0 add action=masquerade chain=srcnat comment=Hairpin dst-address=10.0.0.0/24 \ src-address=10.0.0.0/24 add action=src-nat chain=srcnat comment="test src nat" src-address=10.0.0.64 \ to-addresses=176.66.79.XXX ...

anav

... are required to reach server by the domain name/url ) 1. forward firewall rule add chain=forward action=accept connection-nat-state=dstnat 2. Hairpin sourcenat rule add chain=forward action=accept src-address=ServerSubnet dst-address=ServerSubnet 3. Properly formatted dstnat rules. add chain=dstnat ...

hook

... . I would add comments to each rule, too, explaining why you need two rules to get port forwarding to work when one suffices in many normal cases. Hairpin NAT isn't always required. Now that I (re-)read about hairpin NAT that does sound like what I was trying to do those years ago. I just didn’t ...

... . I would add comments to each rule, too, explaining why you need two rules to get port forwarding to work when one suffices in many normal cases. Hairpin NAT isn't always required.

OliZi

... W1" dst-address=\ 81.223.59.XXX94 dst-port=80 protocol=tcp to-addresses=10.0.0.60 to-ports=0 add action=masquerade chain=srcnat comment=Hairpin dst-address=10.0.0.0/24 \ src-address=10.0.0.0/24 add action=masquerade chain=srcnat comment=Hairpin dst-address-list=RFC1918 \ src-address-list=RFC1918 ...

vingjfg

You are doing hairpin NAT, that's often an issue but a casual review shows this is fine. I see that the HTTPS rule for Monolith is disabled. DId you enable it when you had disabled the other rules? The test you mention, does it run ...

optio

My sole objective is to have specific url pointing to the same IP address but with different ports.

You need some reverse proxy for this, like Nginx. Create hairpin nat for reverse proxy http service and configure it redirect traffic by host name to specific webapp ip:port.

laurenettaieb91

... -> Internal IP, Port Y I have tried to have a specific virtual IP address for Application A and for Application B and then use DNS Hairpin to redirect to Internal IP, Port X and do the same for Application B. Unsure, what would be the best method. If someone has encountered the ...

mkx

# socat -T 600 UDP4-LISTEN:51515,reuseaddr,fork UDP4:xx.xx.xx.xx:51515 Isn't this what NAT does? With "hairpin" part added? Something like this: /ip/firewall/nat add chain=dstnat action=dst-nat protocol=udp dst-port=51515 to-addresses=xx.xx.xx.xx add chain=srcnat action=masquerade ...

mkx

If your browsing PC is in same IP subnet as actual server (IP address on router, used as NAT intermediate, doesn't matter), then you have to implement hairpin NAT. Either use official docs or search this forum to get an idea of what and how.

GrennKren

... routing tables behaviour for local destinations. Thanks! I joined this forum just to express my gratitude. Spent quite some time dealing with the Hairpin NAT issue. Finally figured out that disabling all Mangle was the solution, so I went around looking for ways to keep Mangle while fixing the ...

tnakir

... dst-port=8080 protocol=tcp to-addresses=192.168.1.10 to-ports=80 If i try to access from any IP from the Bridge-PUBLIC, it doesn't work. I guess Hairpin NAT will not solve the issue since I am not doing NAT from private range? What am I doing wrong?

thegorneman

... from WAN, but in LAN they are unreachable. In my router I've set up these rules: /ip firewall nat add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=LAN subnet src-address=LAN subnet add action=src-nat chain=srcnat comment="Server interni" dst-address-type="" ...

rplant

If the router is actually routing the packet, it can dst-nat the packet it doesn't need to have the IP address on itself.

Because it will presumably be hairpinning the packet, you will need to src-nat the packet as well.
(Possibly the src-nat IP you use does need to be on the router)

Search found 4328 matches: hairpin