Another Hairpin NAT Problem HELP PLEASE!!!!

Hello Gang,

It should be simple - outside public IP, internal webserver, setup Hairpin NAT so that I can access domain from within the network - easy yes???

Obviously not for me - everything works OK from outside, but I can't use a web browser to access the domain from within the network - but - I can access the webpages by using the internal IP of the webserver (10.10.64.3), and can also ping the domain name internally, just not access HTTP. Have added static DNS as someone suggested that, but no good :(

Here are the pings I tried:
ping <MY_DOMAIN.com>
Reply from <PUBLIC_IP>: bytes=32 time=2ms TTL=64
ping 10.10.64.3
Reply from 10.10.64.3: bytes=32 time=2ms TTL=64

Webserver lives at 10.10.64.3 in the same subnet as all the clients on vlan5.

Any ideas? Here's my export of the relevant info:

# jul/27/2013 17:56:18 by RouterOS 6.1

/ip neighbor discovery
set ether1-gateway discover=no
set sfp1-gateway discover=no
/ip pool
add name=subnet19 ranges=10.10.65.1-10.10.95.254
/ip dhcp-server
add address-pool=subnet19 disabled=no interface=vlan5 lease-time=15m name=default
/ip address
add address=<PUBLIC_IP>/30 interface=ether1-gateway network=<PUBLIC_NETWORK>
add address=10.10.1.1/24 interface=bridge-local network=10.10.1.0
add address=10.10.64.1/19 interface=vlan5 network=10.10.64.0
add address=10.10.2.1/24 interface=vlan2 network=10.10.2.0
add address=10.10.3.1/24 interface=vlan3 network=10.10.3.0
add address=10.10.4.1/24 interface=vlan4 network=10.10.4.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=ether1-gateway
/ip dhcp-server network
add address=10.10.1.0/24 gateway=10.10.1.1
add address=10.10.64.0/19 dns-server=10.10.1.1 gateway=10.10.64.1
/ip dns
set allow-remote-requests=yes servers=<PUBLIC_DNS1>,<PUBLIC_DNS2>,8.8.8.8
/ip dns static
add address=10.10.64.3 name=<MY_DOMAIN_NAME.com> ttl=1s
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input dst-port=80 protocol=tcp
add chain=input dst-port=22 protocol=tcp src-address-list=ssh_access
add chain=input dst-port=443 protocol=tcp
add chain=input dst-port=1443 protocol=tcp
add chain=input dst-port=5800 protocol=tcp src-address-list=""
add chain=input connection-state=related dst-port=5900 protocol=tcp
add chain=input dst-port=5905 protocol=tcp
add chain=input dst-port=88 protocol=tcp src-address-list=ssh_access
add chain=input dst-port=21 protocol=tcp src-address-list=ssh_access
add chain=input dst-port=20 protocol=tcp src-address-list=ssh_access
add chain=input dst-port=3350 protocol=tcp src-address-list=ssh_access
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment=Hairpin disabled=no dst-address=10.10.64.3 dst-port=80 out-interface=bridge-local protocol=tcp src-address=10.10.64.0/19
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
add action=dst-nat chain=dstnat dst-address=<PUBLIC_IP> dst-port=80 protocol=tcp to-addresses=10.10.1.3 to-ports=80
add action=dst-nat chain=dstnat comment="PF 443" dst-address=<PUBLIC_IP> dst-port=443 protocol=tcp to-addresses=10.10.1.3 to-ports=443
add action=dst-nat chain=dstnat comment="PF 1443" dst-address=<PUBLIC_IP> dst-port=1443 protocol=tcp to-addresses=10.10.1.3 to-ports=1443
add action=dst-nat chain=dstnat comment="PF SSH" dst-port=5800 in-interface=ether1-gateway protocol=tcp to-addresses=10.10.1.3 to-ports=22
add action=dst-nat chain=dstnat comment="PF VNC" dst-port=5900 in-interface=ether1-gateway protocol=tcp to-addresses=10.10.1.3 to-ports=5900
add action=dst-nat chain=dstnat dst-address=<PUBLIC_IP> dst-port=21 protocol=tcp to-addresses=10.10.1.3 to-ports=21
add action=dst-nat chain=dstnat dst-address=<PUBLIC_IP> dst-port=20 protocol=tcp to-addresses=10.10.1.3 to-ports=20
add action=dst-nat chain=dstnat comment="PF RDP" dst-address=<PUBLIC_IP> dst-port=5905 protocol=tcp to-addresses=10.10.1.3 to-ports=3389
add action=dst-nat chain=dstnat dst-address=<PUBLIC_IP> dst-port=3350 protocol=tcp to-addresses=10.10.1.3 to-ports=3350
/ip route
add distance=1 gateway=<PUBLIC_GATEWAY>

add action=masquerade chain=srcnat comment=Hairpin disabled=no dst-address=10.10.64.3 dst-port=80 out-interface=bridge-local protocol=tcp src-address=10.10.64.0/19

Where exactly are your clients? (e.g. which of the networks CANNOT reach the webserver that you are trying to make work?) Your SRCNAT is messed up.

Clients are all wireless via a Motorola RFS controller connected to bridge-local, getting addresses from dhcp-server in Routerboard on 10.10.64.0/19 subnet

Have tried every permutation that I can think of / find in the forums, and nothing will make the clients reach the webserver for HTML; only the ping works. I can ping the clients from the server too, so there's definitely connectivity, just not the right kind!!



add action=masquerade chain=srcnat comment=Hairpin disabled=no dst-address=\
10.10.64.3 dst-port=80 out-interface=bridge-local protocol=tcp \
src-address=10.10.64.0/19

Shouldn't the out-interface be vlan5? Based on your config, bridge-local is in a different IP range.

Tried that too - and all VLANs are already associated with bridge-local. As I said, the server interface on vlan5 can ping the clients, and vice versa; it's only when I want to use port 80 (or any other port such as 443) that it doesn't work. Just concentrating on port 80 for HTTP at the moment, will worry about the others when that's fixed!!

By the way, Thanks for your swift replies efaden!!

No worries... what is in bridge-local?

If you try to ping the public IP from those clients what happens?

-Eric

Also, is there anything in the forward table in the firewall? I'm working a 24 tomorrow, so my replies will be delayed. Also... maybe I am confused, but why do your dnat and snat rules not match? Your dnat goes to 10.10.1.3 and your snat is in the 10.10.64.3 range?

add action=dst-nat chain=dstnat dst-address=<PUBLIC_IP> dst-port=80 \
protocol=tcp to-addresses=10.10.1.3 to-ports=80

add action=masquerade chain=srcnat comment=Hairpin disabled=no dst-address=\
10.10.64.3 dst-port=80 out-interface=bridge-local protocol=tcp \
src-address=10.10.64.0/19

This is a very basic setup on an RB2011, so all the ports apart from ether1 are in bridge-local. Incoming from the ISP is on ether1, wireless controller on ether7, webserver on ether8.
And I can ping the public IP just fine, as well as pinging the actual domain name - just no HTTP!! :(

Below is my interface export - thanks again!!
-Nick

/interface bridge
add admin-mac=D4:xx:xx:xx:xx:xx auto-mac=no l2mtu=1598 name=bridge-local protocol-mode=rstp
/interface ethernet
set 0 auto-negotiation=no name=ether1-gateway
set 6 master-port=ether6
set 7 master-port=ether6
set 8 master-port=ether6
set 9 master-port=ether6
set 10 name=sfp1-gateway
/interface vlan
add interface=bridge-local l2mtu=1594 name=vlan1 vlan-id=1
add interface=bridge-local l2mtu=1594 name=vlan2 vlan-id=2
add interface=bridge-local l2mtu=1594 name=vlan3 vlan-id=3
add interface=bridge-local l2mtu=1594 name=vlan4 vlan-id=4
add interface=bridge-local l2mtu=1594 name=vlan5 vlan-id=5
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6
/interface ethernet switch vlan
add ports=ether6,ether7,ether8,ether9,ether10 switch=switch2
add ports=ether6,ether7,ether8,ether9,ether10 switch=switch2 vlan-id=1
add ports=ether6,ether7,ether8,ether9,ether10 switch=switch2 vlan-id=2
add ports=ether6,ether7,ether8,ether9,ether10 switch=switch2 vlan-id=3
add ports=ether6,ether7,ether8,ether9,ether10 switch=switch2 vlan-id=4
add ports=ether6,ether7,ether8,ether9,ether10 switch=switch2 vlan-id=5

add action=dst-nat chain=dstnat dst-address=<PUBLIC_IP> dst-port=80 protocol=tcp to-addresses=10.10.1.3 to-ports=80

add action=masquerade chain=srcnat comment=Hairpin disabled=no dst-address=10.10.64.3 dst-port=80 out-interface=bridge-local protocol=tcp src-address=10.10.64.0/19

I think this is where the problem lies... your dst-nat goes to 10.10.1.3 and your src-nat is for the 10.10.64.0/19 range. Is your server 10.10.64.3 or is it 10.10.1.3?

-Eric

It's both - we have em2 on the server set as 10.10.64.3 for local monitoring (the server's primary function is running Packetfence NAC), and 10.10.1.3 is on em1 of the server for outside access.
The functional issue we have is that Packetfence controls the clients - they associate on vlan2 to pass through authentication (public guest signup, with an emailed authentication link) - they then get moved to vlan5 for 10 minutes, which gives them outside internet access to be able to open their email and click on the link - which is hosted on the local webserver, and therefore fails :( IF the link works, then they remain on vlan5 for the duration of their authorized access time, and are able to access locally hosted content as well as the outside interwebs.

I think I’ve tried every possible combination of dst-nat, src-nat, in, out, shake it all about, server addresses and not one thing has worked - it’s got to be something simple, but damned if I can find it!!
If I change the dst-nat to 10.10.64.3, it breaks my outside access into the webserver…

But discussing this with you, have just had a thought that it might be a NAT issue inside the wireless controller - gonna look at that now…

Wow… It’s odd that it works with a dst-nat with one IP, but not the other if they are both assigned to the same computer.

Have you tried:

add action=masquerade chain=srcnat comment=Hairpin disabled=no dst-address=\
10.10.1.3 dst-port=80 out-interface=bridge-local protocol=tcp \
src-address=10.10.64.0/19
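Worked example, added by the editor and not part of the original thread: the two NAT rules a hairpin needs for the topology described above, plus the check that tells you whether the hairpin rule is actually firing. Assumptions, all taken from the thread: <PUBLIC_IP> is the address on ether1-gateway, the web server is reached at 10.10.1.3 on bridge-local (the address the existing port forward targets), and the clients are 10.10.64.0/19 on vlan5; the rule comments are mine. Three caveats a practitioner should keep in mind with the posted config: the dst-nat rule only covers tcp/80, so ICMP to the public IP is answered by the router itself, which is why ping "works" and proves nothing about the hairpin; the static DNS entry maps the domain to 10.10.64.3, so any client that resolves through the router (DHCP hands out 10.10.1.1 as dns-server) goes straight to that address and never touches NAT, whereas the ping output in the first post shows the test client resolving to <PUBLIC_IP>, i.e. not using that entry; and the filter has no forward-chain rules at all, so nothing restricts what reaches 10.10.1.3 beyond which ports are forwarded.

```routeros
# Added example (editor's, not the poster's config). Assumed topology:
#   <PUBLIC_IP>    public address on ether1-gateway
#   10.10.1.3      web server (em1), on bridge-local 10.10.1.0/24
#   10.10.64.0/19  wireless clients on vlan5, router address 10.10.64.1
# Rule order within a chain matters; the hairpin masquerade must sit before
# the general WAN masquerade.

/ip firewall nat
# 1. Port forward. Deliberately no in-interface=ether1-gateway: the rule has
#    to match packets arriving from vlan5 as well, otherwise there is nothing
#    to hairpin. (The posted "PF SSH"/"PF VNC" rules use in-interface and so
#    will never hairpin.)
add chain=dstnat comment="PF 80" dst-address=<PUBLIC_IP> protocol=tcp \
    dst-port=80 action=dst-nat to-addresses=10.10.1.3 to-ports=80

# 2. Hairpin. dstnat runs before srcnat, so when this chain sees the packet
#    its destination is already 10.10.1.3; matching on <PUBLIC_IP> or on the
#    server's other address 10.10.64.3 means the rule silently never fires
#    (its counters stay at zero). Masquerading the LAN source forces the
#    server to reply via the router, which un-NATs both directions. Without
#    it the server answers the client directly from 10.10.1.3, the client
#    expected <PUBLIC_IP>, and the TCP handshake never completes.
add chain=srcnat comment="Hairpin 80" src-address=10.10.64.0/19 \
    dst-address=10.10.1.3 protocol=tcp dst-port=80 \
    out-interface=bridge-local action=masquerade

# 3. Ordinary Internet masquerade, after the hairpin rule.
add chain=srcnat comment="WAN masquerade" out-interface=ether1-gateway \
    action=masquerade

# Verification. From a vlan5 client, open http://<PUBLIC_IP>/ (by IP, so a
# split-DNS entry cannot mask the result), then on the router:
/ip firewall nat print stats where comment="Hairpin 80"
#   the packets/bytes counters must increase; if they stay at 0 the rule is
#   not matching and the problem is the rule, not the client.
/ip firewall connection print where dst-address~"10.10.1.3:80"
#   a tracked connection to the server must exist with the client's source
#   rewritten to the router's address on bridge-local (10.10.1.1).
```

Testing by IP rather than by name is the important habit here: a name that resolves to the server's internal address through the router's static DNS entry will work even when the hairpin rule is wrong, and a name that resolves elsewhere (as happened on the poster's laptop) will fail even when the rule is right.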

Yep, that was where I started :frowning: Working on the Wireless controller at the moment, will let you know!!


All working - turned out it was the $%#%$* laptop that I was testing with!!! Nothing wrong with my Hairpin settings at all :) That's the trouble with working remotely to set these things up - I'm 150km away from where the router and server are, using a remote laptop hardwired via TeamViewer to test changes to the wireless network.

All good now, thanks again for your help Eric!

-Nick