Problems Hairpinning and general port forwarding

Good evening, all!

I have a small home network, maybe 10 nodes, on a RouterBOARD 750G r3. I have a couple of Ark: Survival Evolved server instances running on a desktop in my network. These are running on a number of ports which I have forwarded. The forwarding appears to be correct as players outside my network can connect to the server, but services like canyouseeme.org continue to say that the service is not responding.

What I really need now is to institute a hairpin NAT rule since one can transfer from one server to another, and those inside my LAN will not be able to do so without it.

add action=masquerade chain=srcnat dst-address=192.168.88.243 dst-port=\
    7773-7779 out-interface=ether1 protocol=udp src-address=\
    192.168.88.0/24 src-port=7773-7779

add action=dst-nat chain=dstnat dst-port=27015-27017 protocol=udp \
    to-addresses=192.168.88.243 to-ports=27015-27017

add action=dst-nat chain=dstnat dst-port=27036 protocol=udp \
    to-addresses=192.168.88.243 to-ports=27036

add action=dst-nat chain=dstnat dst-port=7773-7779 protocol=udp \
    to-addresses=192.168.88.243 to-ports=7773-7779

add action=dst-nat chain=dstnat dst-port=27015 protocol=tcp \
    to-addresses=192.168.88.243 to-ports=27015

add action=dst-nat chain=dstnat dst-port=7777 protocol=tcp to-addresses=\
    192.168.88.243 to-ports=7777

add action=dst-nat chain=dstnat dst-port=27016 protocol=tcp \
    to-addresses=192.168.88.243 to-ports=27016

add action=dst-nat chain=dstnat dst-port=7778 protocol=tcp to-addresses=\
    192.168.88.243 to-ports=7778

add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=ether1

add action=accept chain=dstnat dst-port=25565 protocol=tcp to-addresses=\
    192.168.88.237 to-ports=25565

add action=dst-nat chain=dstnat dst-port=12974 protocol=tcp \
    to-addresses=192.168.88.249 to-ports=12974

add action=dst-nat chain=dstnat dst-port=25565 protocol=tcp \
    to-addresses=192.168.88.243 to-ports=25565

I am currently using three of the five ports on the router. They are as follows:

 0  R  ether1                              ether            1500  1596
 1  R  ether2-master                       ether            1500  1596
 2  RS ether3                              ether            1500  1596
 3   S ether4                              ether            1500  1596
 4   S ether5                              ether            1500  1596

ether2-master and ether3 are LAN ports serving my local network. ether1 connects to my cable modem and is what I would normally call my WAN port. I am relatively new to MikroTik and this level of networking.

Is there any way of testing the hairpin rule? I only need it hairpinning several ports for UDP only. I have used the packet sniffer and I see my computer attempting to connect to the server (requesting EXTERNALIP:27015) but I do not see those packets returning.

add action=masquerade chain=srcnat dst-address=192.168.88.243 dst-port=7773-7779 \
    out-interface=ether1 protocol=udp src-address=192.168.88.0/24 src-port=7773-7779

Your server isn’t connected to ether1, right? So you want out-interface=ether2-master. And are you sure that source ports are 7773-7779? Try it without src-port=7773-7779.

Server is connected (via switch) to ether3. 7773-7779 are the ports being requested. Should those not be specified in the rule? I will give it a go.

If ether3 has master-port=ether2-master, then ether2-master is what you want to use in firewall rules.

About ports: now you have both dst-port=7773-7779 and src-port=7773-7779. The dst-port is what you forward using the dstnat rule; that's correct and can't break anything. But I wouldn't count on source ports being the same, so try to remove that option. In fact, you don't have to specify dst-port either, because there are not going to be connections from LAN to LAN unless you add dstnat rules for them, so you don't have to add any extra limits to this masquerade rule.

And one thing about dstnat rules I forgot to mention before: it's a good idea to limit their original destination. Currently you have only dst-port=X, and it means that the rule will match connections from anywhere to anywhere, both incoming and outgoing. With unusual port numbers like you have, there's a chance you won't ever notice. But it's good to know about it, because when one day you forward some standard port (e.g. 80 for a web server) like this, you'll wonder why you can't connect anywhere yourself. The solution is to include dst-address= or dst-address-type=local in your dstnat rules.

You're matching anything with a destination of the ports already mentioned, which isn't the end of the world; it just means those ports won't do anything else locally. The previous poster is correct in saying it's better to try and narrow it down. If you make the dst-address (not the forward address) your WAN IP, then that will free up your LAN.

You also need to add another rule above your main internet NAT rule, stating src-address 192.168.88.0/24 dst-address 192.168.88.0/24 as a masquerade rule. Your LAN traffic will be heading for the WAN IP and being redirected to the local address, but your servers will respond directly, which will cause problems. Once you add the NAT rule, the servers respond to the router and then back to your machine.
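Putting the advice from the two replies above (restricting the dstnat rules to the router's own addresses, dropping the src-port match, and adding a LAN-to-LAN masquerade rule ahead of the default one) into one rule set, together with the checks that answer the original "is there any way of testing the hairpin rule?" question. This is an added example, not configuration posted by anyone in the thread; it assumes the server at 192.168.88.243 and the port numbers from the original export, ether2-master as the LAN interface per the reply above, and RouterOS v6 syntax (the `ether2-master` naming implies the pre-bridge master-port era). The other forwards (12974, 25565) follow the same pattern and are left out.

```routeros
/ip firewall nat

# Forwarding rules for the game server (host and ports taken from the thread).
# dst-address-type=local restricts each rule to traffic whose destination is
# one of the router's own addresses, so LAN clients talking to real Internet
# hosts on these ports are no longer rewritten. to-ports is omitted: dst-nat
# then keeps the original destination port, which is what the thread wanted.
add chain=dstnat action=dst-nat dst-address-type=local protocol=udp \
    dst-port=7773-7779 to-addresses=192.168.88.243 comment="ark udp game ports"
add chain=dstnat action=dst-nat dst-address-type=local protocol=udp \
    dst-port=27015-27017,27036 to-addresses=192.168.88.243 comment="ark udp query ports"
add chain=dstnat action=dst-nat dst-address-type=local protocol=tcp \
    dst-port=7777,7778,27015,27016 to-addresses=192.168.88.243 comment="ark tcp ports"

# Hairpin rule. A LAN client connecting to the public address has already been
# dst-natted to the server by the rules above; without this rule the server
# would answer the client directly from 192.168.88.243, and the client would
# discard a reply from an address it never sent anything to. Masquerading the
# source makes the server reply to the router, which undoes both translations.
# No src-port/dst-port limits are needed: LAN-to-LAN traffic only reaches the
# srcnat chain when a dstnat rule has rewritten it, so nothing else matches.
# place-before puts the rule ahead of the default masquerade so it is hit first.
add chain=srcnat action=masquerade src-address=192.168.88.0/24 \
    dst-address=192.168.88.0/24 comment="hairpin nat" \
    place-before=[find comment="defconf: masquerade"]

# Verifying from a LAN client that connects to the public address:
# 1. the hit counters on both the dstnat rule and the hairpin rule should grow
/ip firewall nat print stats where comment~"ark|hairpin"
# 2. the tracked connection should show the client as source, the server as the
#    translated destination, and the router's LAN address as the reply target
/ip firewall connection print where dst-address~"192.168.88.243"
# 3. the sniffer on the LAN interface should now show packets in both directions
/tool sniffer quick interface=ether2-master port=7777
```

`dst-address-type=local` also matches the router's LAN address, so a client connecting to 192.168.88.1:7777 is forwarded as well; if that is unwanted, use `dst-address=<public IP>` as the third reply suggests, at the cost of editing the rules whenever the WAN address changes. Without the hairpin rule, step 3 shows exactly the symptom described earlier in the thread: requests leaving the client and nothing coming back, because the replies go straight from the server to the client and never traverse the router's NAT.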

Sweet! Thanks all. Those suggestions fixed me up!