1-to-1 NAT problems at Internet Gateway

I am having problems with my NAT rules at our internet gateway. Everything works properly for our 1-to-1 NAT except if you try to get to one of the 1-to-1 NAT’d addresses from inside the network. I assume that there’s something wrong with my DST-NAT or SRC-NAT Rules.

Here’s an example:

add action=dst-nat chain=dstnat comment="xxxxx" disabled=no dst-address=69.x.x.161 to-addresses=10.x.x.12
add action=src-nat chain=srcnat comment="xxxxx" disabled=no out-interface=bridge2Internet src-address=10.x.x.12 to-addresses=69.x.x.161

These will only work if you access them from somewhere outside the network.

How do I get them to work from inside the network? They’ve worked in previous setups.

I would guess you need a hairpin NAT setup.

http://wiki.mikrotik.com/wiki/Hairpin_NAT

Thanks cbrown, that makes sense… I’ll try it out.

Oddly enough that doesn’t seem to be working properly. I’m running a fairly large firewall with over 200 rules, mainly 1-to-1 IP address assignments to customers inside the network.

So post the rule sets you have. It’s much easier to have an opinion on actual configuration than to wildly guess. Far less frustrating for both the people helping and the person asking for help, too.

Here’s a summary of my rules. I have a lot more, but this provides a sample of the significant rules.

/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade Internal to Internal Traffic" disabled=yes dst-address-list=Internal src-address-list=Internal
add action=dst-nat chain=dstnat comment="########" disabled=no dst-address=69.##.##.### to-addresses=10.##.##.##
add action=src-nat chain=srcnat comment="########" disabled=no out-interface=bridge2Internet src-address=10.##.##.## to-addresses=69.##.##.###
add action=masquerade chain=srcnat comment="BOTTOM RULE" disabled=no out-interface=bridge2Internet src-address-list=Internal

/ip firewall address-list
add address=10.0.0.0/8 disabled=no list=Internal
add address=192.168.0.0/16 disabled=no list=Internal

That first NAT rule is disabled. It would perform the hairpin NAT function.

Whether it’s enabled or not hasn’t made a difference.

From what you posted it should be working with the rule enabled. Traffic from internal to the public would first hit destination NAT and be directed back to internal, and would then hit source NAT to be masqueraded to the router IP as required for hairpin NAT.

Have you looked at other configuration besides NAT? Firewall filters, etc.?
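The packet walk fewi describes, as an added Python model that is not part of this thread: it runs a client's SYN through the dstnat and srcnat chains with the Internal-to-Internal masquerade rule enabled and disabled, and shows why the reply only matches the client's connection in the first case. All addresses are constructed stand-ins, and the router's LAN address and the connection-tracking reversal are assumptions.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed sample addresses standing in for the masked ones in the thread.
ROUTER_LAN_IP = "10.0.0.1"   # assumed address of the router on the internal side
PUBLIC_IP = "69.0.0.161"     # stand-in for 69.x.x.161
SERVER_IP = "10.0.0.12"      # stand-in for 10.x.x.12
CLIENT_IP = "10.0.0.50"      # an internal host connecting to the public address

# The "Internal" address-list from the posted configuration.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

def is_internal(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL)

def router_forward(pkt: Packet, hairpin_enabled: bool) -> Packet:
    """Apply the dstnat chain, then the srcnat chain, as RouterOS does."""
    # dstnat: the 1-to-1 rule maps the public address onto the internal server.
    if pkt.dst == PUBLIC_IP:
        pkt = replace(pkt, dst=SERVER_IP)
    # srcnat: the Internal->Internal masquerade rule (disabled in the thread)
    # rewrites the source to the router so the server answers via the router.
    if hairpin_enabled and is_internal(pkt.src) and is_internal(pkt.dst):
        pkt = replace(pkt, src=ROUTER_LAN_IP)
    return pkt

def connection_succeeds(hairpin_enabled: bool) -> bool:
    """True if the reply the client receives matches the connection it opened."""
    syn = Packet(CLIENT_IP, PUBLIC_IP)
    at_server = router_forward(syn, hairpin_enabled)
    # The server answers whatever source address it saw on the SYN.
    reply = Packet(src=at_server.dst, dst=at_server.src)
    if reply.dst == ROUTER_LAN_IP:
        # Reply returns through the router, whose connection-tracking entry
        # reverses both translations (assumed, modelled as a direct rewrite).
        reply = Packet(src=PUBLIC_IP, dst=CLIENT_IP)
    # Without hairpin NAT the server is on the same LAN and replies directly,
    # so the client sees a packet from 10.0.0.12 for a connection it opened
    # to 69.0.0.161 and discards it.
    return reply.src == PUBLIC_IP and reply.dst == CLIENT_IP
```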

Thanks Fewi,

Hairpin NAT did end up working in the end.