iDave
just joined
Topic Author
Posts: 3
Joined: Tue Sep 01, 2009 8:33 pm

NAT Problem! Local hosts can't access through NATed address.

Thu Oct 08, 2009 12:25 am

I am trying to do a NAT route. The NAT works except for one thing. The hosts on the xx.169.0 net at the bottom can't see the new NATed Host 200 on itself at the bot. router, if pinged (or http access) from its NATed address through the top router. You can't call up a website on host 200 if the DNS points to the NATed address 157.200 from host 200 or any host on the Rtr 1 LAN (169.0). The internet has no problem seeing any of these hosts, real or NATed. The bot. hosts can ping any real host on Rtr 3 (xx.157.0). I've read about hairpin NAT, and my Linksys (dd-wrt) does NAT reflection; it just works, but not on the MikroTiks! One problem I see is that the xx.157.0 net doesn't appear on Rtr 1 except in the NAT rules and routes to the tunnel. I tried a local DST-NAT/SRC-NAT pair but it didn't help. The new local DST-NAT rule gets traffic in its counter, but no packets come out on the LAN xx.200.0 net? The hosts on the 169.0 net can ping any real host on the 157.0 net but not the NATed ones. The tunnel works and pings in both directions. It would have to, to make the NAT from the internet work.

0 chain=dstnat action=netmap to-addresses=xx.xx.169.200 to-ports=0-65535 src-address=!xx.xx.169.0/24 dst-address=xx.xx.157.200 in-interface=HE<>COX
1 chain=srcnat action=src-nat to-addresses=xx.xx.157.200 to-ports=0-65535 src-address=xx.xx.169.200
2 chain=dstnat action=netmap to-addresses=xx.xx.169.200 to-ports=0-65535 src-address=xx.xx.169.0/24 dst-address=xx.xx.157.200
3 chain=srcnat action=src-nat to-addresses=xx.xx.157.200 to-ports=0-65535 src-address=xx.xx.169.200



Subnet routed in: xx.xx.157.0/24      router IP: xx.xx.176.46/30
    ----------------
    |              |
    |   Router 3   |
    |   MT 3.28    |<<<>>>>
    |              |      |
    ----------------      |  IPIP Tunnel
    LAN xx.xx.157.0/24    |  (400 miles of internet)
                          |  xx.xx.157.200
                          |
Subnet routed in: xx.xx.169.0/24      router IP: xx.xx.153.46/30
    ----------------      |
    |              |      |
    |   Router 1   |<<<>>>>
    |   MT 3.13    |
    |              |  NAT DST xx.xx.157.200 >>> xx.xx.169.200
    |              |  NAT SRC xx.xx.169.200 >>> xx.xx.157.200
    ----------------
           |
    LAN xx.xx.169.0/24
           |
           |--------------------------------------
           |                   |                 |
    -------------       ---------------    ---------------
    |           |       |             |    |             |
    |  Host 1   |       |  Host 200   |    |  Host XX    |
    |xx.xx.169.5|       |xx.xx.169.200|    |xx.xx.169.xx |
    |           |       |             |    |             |
    -------------       ---------------    ---------------


Thanks,
Dave :?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: NAT Problem! Local hosts can't access through NATed address.

Thu Oct 08, 2009 12:40 am

Search the forums for 'hairpin'; there are several threads with examples.

Alternatively use split horizon DNS and serve inside hosts the inside IP, and outside hosts the outside IP.
This is done by either having two nameservers (one inside, one outside), a nameserver that can natively do split horizon or on the cheap by putting the nameserver outside the network (and serving the outside IP) and using the MT in the middle as a transparent DNS proxy, and configuring a static entry for the inside address on it.
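The "on the cheap" variant fewi describes, as an added RouterOS example for Router 1 in the first post (it is not configuration from any poster). The public nameserver keeps answering with the outside address xx.xx.157.200; the router itself answers LAN clients with the inside address. Assumptions: the interface name `LAN`, the hostname `www.example.net`, and the upstream resolver address are placeholders; the xx.xx octets are the original post's redaction and must be filled in.

```routeros
# Router answers DNS for the LAN. Anything without a static entry is
# forwarded to the upstream resolver (placeholder address, assumed).
/ip dns
set allow-remote-requests=yes servers=8.8.8.8

# Inside view: the published name resolves to host 200's real address,
# so LAN clients never try to reach it through xx.xx.157.200.
/ip dns static
add name=www.example.net address=xx.xx.169.200

# Transparent DNS proxy: LAN clients configured with some other resolver
# are redirected to the router's own resolver. "LAN" is an assumed
# interface name.
/ip firewall nat
add chain=dstnat in-interface=LAN protocol=udp dst-port=53 action=redirect to-ports=53 comment="DNS proxy (udp)"
add chain=dstnat in-interface=LAN protocol=tcp dst-port=53 action=redirect to-ports=53 comment="DNS proxy (tcp)"
```

This avoids hairpin NAT entirely, but only for clients that use the name; anything hard-coded to xx.xx.157.200 still needs the NAT fix.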
 
rpress
Member Candidate
Posts: 113
Joined: Thu May 07, 2009 5:13 am

Re: NAT Problem! Local hosts can't access through NATed address.

Thu Oct 08, 2009 11:20 pm

I think I know what you are trying to do... You have a dstnat on the router for a web server, and you are trying to get to it from machines that use the same router as their gateway?

I'm guessing you have a default srcnat masquerade rule like:
/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=wan
You need to change that rule so it does NAT inside and not just out the wan interface, like so:
/ip firewall nat
add action=masquerade chain=srcnat disabled=no dst-address-list=!exclude_nat
Where the "exclude_nat" address list includes all subnets behind your gateway.
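A complete hairpin NAT rule set for Router 1 in the first post, written here as an added example (not configuration from any poster), to show why the original dst-nat alone is not enough. After dst-nat rewrites xx.xx.157.200 to xx.xx.169.200, client and server are both on xx.xx.169.0/24; host 200 would answer the client directly, and the client, expecting a reply from xx.xx.157.200, drops it. Masquerading the hairpinned connection to the router's LAN address forces the reply back through the router, where connection tracking reverses both translations. Assumptions: `LAN` is a placeholder interface name; `HE<>COX` is the tunnel interface from the posted rule dump; the xx.xx octets are the original post's redaction.

```routeros
/ip firewall nat
# Inbound 1:1 for host 200. No in-interface restriction, so packets
# from the LAN aimed at the public address match as well.
add chain=dstnat dst-address=xx.xx.157.200 action=dst-nat to-addresses=xx.xx.169.200 comment="host200 inbound 1:1"

# Hairpin: only LAN -> host 200 connections that were dst-natted above.
# Masquerade to the router's LAN address so host 200 replies via the router.
add chain=srcnat src-address=xx.xx.169.0/24 dst-address=xx.xx.169.200 out-interface=LAN action=masquerade comment="host200 hairpin"

# Outbound 1:1 for host 200, restricted to the tunnel so that traffic
# host 200 sends to its own LAN keeps its real address.
add chain=srcnat src-address=xx.xx.169.200 out-interface="HE<>COX" action=src-nat to-addresses=xx.xx.157.200 comment="host200 outbound 1:1"
```

To check it, open a connection from xx.xx.169.5 to xx.xx.157.200 and look at `/ip firewall connection print`: the entry should show the original destination xx.xx.157.200, the reply source xx.xx.169.200, and the router's LAN address as the translated source, and the counters of both the dst-nat and the hairpin rule should increase. If only the dst-nat counter moves, the masquerade rule's interface or address match is wrong.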
 
tombrdfrd66
Member Candidate
Posts: 243
Joined: Sat Jan 10, 2009 12:09 am
Location: New Zealand

Re: NAT Problem! Local hosts can't access through NATed address.

Fri Mar 12, 2010 7:51 am

I think this is the answer I'm seeking, but I still can't make it work. Can someone enlarge on it?

I'm trying to run one end of an IPIP tunnel out of a NATed interface but it won't work. The two interfaces carrying the tunnel can ping each other but the two IPIP addresses can't. I think the NAT is the problem but can't understand why and don't comprehend the above solution.

Thanks.
