I have a device which is 1:1 NATed to a public IP address. I can access it just fine outside my network, and I can access it just fine inside my network on its LAN IP address. I can’t access that device on its public IP address from the LAN though. I assumed it would be set up like a hairpin NAT, but I couldn’t get that to work. I’ve tried several other configurations, and they don’t work either. I’m not saying I’m doing them correctly, just that I can’t get them to work.
I’ve been trying to find the answer to this for days, and I haven’t found any other forum posts exactly like this, although I have found some that were close, but I couldn’t get the advice on those to work for me.
Does anyone have any advice on how I can fix this?
Let’s call the public IP address 172.16.0.5, and the LAN addresses are in the 10.0.1.0/24 range. The machine that the public IP is 1:1 NATed to is 10.0.1.55.
Certainly it can be done with Hairpin NAT.
The example here can help you https://wiki.mikrotik.com/wiki/Hairpin_NAT
Or you can export your Firewall Nat configuration so we can see what is wrong with the way you tried to configure the Hairpin NAT…
It doesn’t seem to work with either a single port and protocol or everything. I would also like to just forward everything, and not have to do it port by port.
For the Hairpin NAT you need the rules in bold… I corrected the last rule; you need the LAN IP there, because it has been NATed earlier by the previous rule…
I don’t understand your rule No. 0…
Also hide your Public IP…
Finally, I can’t tell if the IP addresses you use are correct. You know that…
Main problem is the dstnat rule: you can’t have in-interface="ether1 Gateway-2-Metro" (which I assume is the WAN interface), because all connections from LAN will be coming from - no surprise - LAN. Using in-interface for a dstnat rule is just a quick hack when you don’t have a static address; otherwise it’s not needed.
The only thing changed by NAT 1:1 is that you need a dstnat rule that will take both addresses:
– The private one on the WAN interface, to which the ISP forwards traffic from the internet; that will be used by connections from outside.
– The real public address (which is otherwise on the ISP’s router); that will be used by connections from LAN.
Just put them both in an address list and then use dst-address-list=.
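For the setup the original poster described (the router itself doing the 1:1 translation for 172.16.0.5 to 10.0.1.55 on 10.0.1.0/24), here is an added example of a complete hairpin-capable rule set. It is not configuration posted in this thread or taken from the MikroTik wiki; the placeholder addresses are the thread’s, while the interface names ether1 (WAN) and bridge (LAN) are assumptions.

```routeros
# Added example, not from the thread or the MikroTik wiki. Assumes the
# thread's placeholder addresses: public 172.16.0.5 is 1:1 NATed by this
# router to 10.0.1.55 on LAN 10.0.1.0/24. Interface names ether1 (WAN) and
# bridge (LAN) are assumptions.

/ip firewall nat
# 1:1 inbound: match only on the public destination address. No in-interface
# restriction, so a LAN client connecting to 172.16.0.5 is translated too.
add chain=dstnat dst-address=172.16.0.5 action=dst-nat to-addresses=10.0.1.55 \
    comment="1:1 in: public -> 10.0.1.55"

# 1:1 outbound: connections from the host leave with the public address.
# out-interface keeps this rule from touching LAN-to-LAN traffic.
add chain=srcnat src-address=10.0.1.55 out-interface=ether1 action=src-nat \
    to-addresses=172.16.0.5 comment="1:1 out: 10.0.1.55 -> public"

# Hairpin: when a LAN client reached the host through the public address, the
# destination was already rewritten to 10.0.1.55 by the dstnat rule, so match
# the LAN address here. Masquerading the source forces the host's reply back
# through the router, where connection tracking reverses both translations.
# Without it the host answers the client directly, and the client drops the
# reply because it comes from 10.0.1.55 instead of 172.16.0.5.
add chain=srcnat src-address=10.0.1.0/24 dst-address=10.0.1.55 \
    action=masquerade comment="hairpin NAT for 10.0.1.55"

# Ordinary masquerade for the rest of the LAN, placed after the rules above.
add chain=srcnat src-address=10.0.1.0/24 out-interface=ether1 \
    action=masquerade comment="default LAN masquerade"
```

Rule order matters within a chain, since the first matching rule wins: the hairpin rule must come before any broader srcnat rule that could also match LAN sources. The two 1:1 rules can use action=netmap instead of dst-nat/src-nat with the same effect for a single address. To confirm the hairpin is taking effect, open a connection from a LAN client to 172.16.0.5 and look at it in `/ip firewall connection print detail`; the entry should show both the destination and the source translated, rather than only the destination.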
Okay, I mistyped that 172.x.x.x address. I just tried to sub a private IP address for a public one, and I wrote 172.15.0.5 instead of 172.16.0.5. Anyway, the 172 address is just a placeholder for my actual public IP address.
As for rule 0, that’s the outgoing 1:1 NAT rule. Rule 1 is the incoming 1:1 rule.
Anyway, as for your edit, I made that change, and a couple other changes. Instead of using the src-nat and dst-nat action, I changed them to netmap. Here are the current rules.
Okay, I removed the WAN from the in-interface, and things still work the same at that point, so that is good. I don’t quite understand what you are saying to put on the address list. Also, should I be putting the address list in both the incoming and outgoing rule?
If you have NAT 1:1, the difference is that is not on your router, but elsewhere. Instead the router has some other private address on WAN interface (e.g. 10.20.30.40). So if you want to avoid in-interface hack, correct dstnat rule is:
But this breaks it for connections from LAN to , because it no longer matches. So you can either add second rule (same as the one for public address on router):
Well Sob, you have me officially confused now. I’m not sure how to get from where I am to what you are thinking. I sincerely appreciate the help, but at this point I’m not sure if you are talking over my head, or trying too hard to hold my hand. LOL
I’ve been trying to understand and implement what you are talking about, but at this point, I don’t know the right question to ask to get myself to understand what you are saying my problem is. I understand all the words you are saying, and I think I understand what each individual rule you wrote does on its own, but for the life of me, I can’t figure out how to get what you said to work together.
I just sent a request to my ISP to route me a /29 instead of this crap. I don’t know if they will do it, but I do know it would make my life easier. Every time I turn around, I’m finding something that won’t work how I need it to, or I’m breaking something trying to get something else to work how I need it to.
If they tell me they won’t do the /29, I’ll be back here.
I was going for really simple and easy to understand description.
You can describe what you do understand, and I’m willing to try again. Or maybe there’s some misunderstanding. You can draw a diagram of how everything is connected, where each address is, etc. Perhaps it could be something different than I think, and it could explain why my advice sounds confusing.
I thought you were going for really simple, but I am unsure which of those rules you are suggesting need to be used. On top of that, with the address list, I’m not sure why you suggest to use them. You add one that says , and another that says 10.20.30.40, which I believe you were using to denote a public address. What other address are you suggesting I need in a list?
When we get down to port forwarding, once I put the 1:1 rules in, all ports already go to the device. So, when this is in the rules:
. When I use that rule, I still get no response from the machine on port 80, so I added the other rule you said would fix the connections from lan to public address, and still no response.
There’s definitely some misunderstanding. When you wrote that you have 1:1 NAT, I thought that the ISP is doing that, but now it looks like you’re the one who’s doing it?
What I was describing is:
– ISP’s router (which you don’t have any access to) has a public IP address, e.g. 2.2.2.2
– Your router’s WAN interface has some private address (10.20.30.40 in my example)
– LAN behind your router is 192.168.88.0/24 in my example
ISP is doing 1:1 NAT, which means that:
– any packet to 2.2.2.2 gets new destination address 10.20.30.40
– any packet from 10.20.30.40 gets new source address 2.2.2.2
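As an added illustration of the scenario just described (the ISP doing the 1:1 translation, so this router never sees 2.2.2.2 as its own address), here is the dst-address-list approach from the earlier reply written out as a rule set. It is not configuration from this thread; the addresses 2.2.2.2, 10.20.30.40 and 192.168.88.0/24 are the example values above, while the forwarded host 192.168.88.10 and the interface name ether1 (WAN) are assumptions. The original poster’s later reply explains that their real setup is different.

```routeros
# Added example, not from the thread. Scenario: the ISP's router holds 2.2.2.2
# and 1:1 NATs it to this router's WAN address 10.20.30.40; LAN is
# 192.168.88.0/24. The forwarded host 192.168.88.10 and the WAN interface
# name ether1 are assumptions.

/ip firewall address-list
# Traffic from the internet arrives with destination 10.20.30.40 (the ISP
# already translated it); traffic from the LAN arrives with destination 2.2.2.2.
add list=forward-to-host address=10.20.30.40 comment="router WAN address"
add list=forward-to-host address=2.2.2.2 comment="ISP-side public address"

/ip firewall nat
# One dstnat rule covers both origins, so no in-interface match is needed.
add chain=dstnat dst-address-list=forward-to-host action=dst-nat \
    to-addresses=192.168.88.10 comment="forward everything to host"

# Hairpin for LAN clients that used 2.2.2.2: the destination is already
# 192.168.88.10 at this point, so match that, and masquerade the source so the
# host's reply returns through the router.
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.10 \
    action=masquerade comment="hairpin NAT"

# Regular masquerade for everything else leaving toward the ISP.
add chain=srcnat out-interface=ether1 action=masquerade comment="WAN masquerade"
```

Because the dstnat rule matches every destination port, it also captures traffic aimed at the router’s own WAN address, including management services such as Winbox or SSH on that address. If the router must stay reachable on 10.20.30.40, either add `dst-port=` (and `protocol=`) restrictions to the forwarding rule or place an `action=accept` dstnat rule for the management ports in front of it.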
No, the ISP routed 5 IP addresses to my ONT. I am using one for the LAN, one for another router, and one for a PBX. Needing to have people have access to phones outside the LAN, since the shelter in place stuff is going on, I realized how limiting it was to not be able to access the PBX from inside the LAN using the public IP, at least to provision phones. I tried just using a domain name and changing things on the DNS server to the local IP, but there were unforeseen difficulties there too.
Anyway, I thought that just fixing the way things are on the router would save me the time of finding all the places an IP address was used instead of a domain on the PBX. I didn’t realize that would probably have been faster.
So you do have 5 public addresses on your router? Or does the ONT also work as a router, the public addresses are there, and it does 1:1 NAT to your router and other devices? And you’re in fact not connecting back to the same LAN, but to another device connected behind the ONT? I’m afraid I got lost in it. Maybe a diagram would help, i.e. how exactly everything is connected, where each address is, etc.
The 5 addresses are pointed to my router individually, but my router is not assigned its own subnet. It only gets 5 addresses on a /27 subnet. Because of that, I have to use 1:1 NAT to route them to my devices. I believe they use private IP addresses on the ONTs themselves, and send the 5 IP addresses with a VPN. I’m not 100% sure though.
As for a diagram, I’m replying to this on my phone right now. That will have to wait until I get to a regular PC.