can not enable hairpin NAT on my network

Hello to all MikroTik people there!
I am trying to set up hairpin NAT on my RB951Ui, but to no avail.
I followed Normis's steps in his video on the official MikroTik channel, but to no avail, yet I don't have a complicated network!
Just one WAN interface and a bridge that contains all the LAN interfaces.
Here is my config:
1942023.rsc (7.28 KB)

https://forum.mikrotik.com/viewtopic.php?t=179343

Hello anav!
Thanks for your article!
In my configuration I applied the same rules as you mentioned, and here is my problem: I couldn't identify why it's not working.
Really disappointed.

Your config seems to be indicating issues??? What are those???

/interface list member
add interface=ether1 list=WAN
add interface=Bridge list=LAN
add interface=*9 list=LAN
add interface=*F list=LAN
add interface=*D list=LAN

and
/ip dhcp-server alert
add disabled=no interface=Bridge on-alert=":log error message=\"Rogue DHCP Server Discovered\""

You're using this crappy rule for port forwarding, which one should not use with a more complex setup. Not in my setup!!
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

The masquerade rule I show is also NOT THIS. In fact this looks like butchery…
/ip firewall nat
add action=src-nat chain=srcnat comment="defconf: masquerade" out-interface-list=WAN to-addresses=192.168.2.2

So it's the wrong format altogether for a normal NAT rule,
you are missing the hairpin NAT rule, AND
all your dst-nat rules are in the wrong format.

Summary, you actually need to read it this time and take notes!!! ( and refrain from making false claims )

So sorry, Mr. anav!
It seems that I sent you the wrong configuration file!
Here is the router configuration:
2042023.rsc (4.45 KB)

Indeed LOL.

(1) If your ISP addresses are fixed…
From:
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2
TO:
add action=src-nat chain=srcnat out-interface=ether1 to-addresses=192.168.2.1
add action=src-nat chain=srcnat out-interface=ether2 to-addresses=192.168.3.1

Since you have two static WAN IPs… Your dstnat rules format is not helpful to indicate which WAN??
add action=dst-nat chain=dstnat comment=PBX-1 dst-address=??? dst-port=9021 protocol=tcp to-addresses=192.168.1.100 to-ports=9021

(2) The role of WAN1 and WAN2 seems clear:
Primary and Failover…
How do external users know which WAN they should come in on to reach server ???

(3) See nothing that should be stopping hairpin to work yet… Mainly because you have no firewall rules so all traffic should pass. ( if your dstnat rules are not the cause )
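
For reference, the NAT table this thread is working towards, written out as an added example. It is not taken from either poster's configuration or from the linked article. It assumes the LAN subnet is 192.168.1.0/24 (inferred from the PBX address 192.168.1.100) and that 192.168.2.1 and 192.168.3.1 are the fixed addresses on ether1 and ether2, as in the reply above.

```routeros
/ip firewall nat
# Hairpin rule: a LAN client that reaches the PBX through the router's WAN
# address is source-NATed to the router, so the PBX replies via the router
# instead of answering the client directly (which the client would discard).
# 192.168.1.0/24 is an assumed LAN subnet.
add action=masquerade chain=srcnat comment="hairpin nat" \
    src-address=192.168.1.0/24 dst-address=192.168.1.0/24

# Ordinary outbound NAT, one rule per WAN with its fixed address.
add action=src-nat chain=srcnat comment="WAN1 out" out-interface=ether1 \
    to-addresses=192.168.2.1
add action=src-nat chain=srcnat comment="WAN2 out" out-interface=ether2 \
    to-addresses=192.168.3.1

# Port forwards matched on the WAN address (dst-address), not on the
# incoming interface. A rule written with in-interface=ether1 never matches
# traffic arriving from the LAN bridge, so hairpin cannot work with it.
add action=dst-nat chain=dstnat comment="PBX-1 via WAN1" \
    dst-address=192.168.2.1 dst-port=9021 protocol=tcp \
    to-addresses=192.168.1.100 to-ports=9021
add action=dst-nat chain=dstnat comment="PBX-1 via WAN2" \
    dst-address=192.168.3.1 dst-port=9021 protocol=tcp \
    to-addresses=192.168.1.100 to-ports=9021
```

Once a forward-chain firewall is added, the forwarded port still needs an accept for connection-nat-state=dstnat, and only the ports listed in dst-nat rules are exposed.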