Hi -
Activated my new Mikrotik Router yesterday and my basic configuration runs smoothly: Internet traffic gets routed over my provider's ADSL modem (PPPoE), my webserver is reachable from outside and all DNS requests (except my own ones) get forced to OpenDNS: Children
Additionally, I run an updater script for a dyndns service and have a domain pointing at my external IP: I'd like to reach my webserver from outside (works) and from inside via hairpin NAT.
But I can't seem to get hairpin NAT to run: I tried the rule (masquerade) from the documentation (wiki) and several solutions from the forum, but nothing seems to work on my setup. My suspicion: it has something to do with my PPPoE and dynamic IP setup AND/OR ... my lack of knowledge.
Could anyone have a look at my configuration and give a hint towards the right solution?
Interfaces:
- ether1-gateway (Connects to bridged adsl modem: 192.168.1.2)
- ether2-master-local (Connects to LAN: 192.168.10.1)
- ether3-slave-local
- ether4-slave-local
- ether5-salve-local
- pppoe-tele2 (created by pppoe client setup)
My webserver runs at the IP 192.168.10.5 and I'd like to reach it over the external IP.
/IP firewall nat print:
0 ;;; Masquerading
chain=srcnat action=masquerade
1 ;;; Webserver
chain=dstnat action=dst-nat to-addresses=192.168.10.5 to-ports=80 protocol=tcp in-interface=pppoe-tele2 dst-port=80
2 chain=dstnat action=dst-nat to-addresses=192.168.10.5 to-ports=443 protocol=tcp in-interface=pppoe-tele2 dst-port=443
3 ;;; Webserver Hairpin NAT
chain=srcnat action=masquerade protocol=tcp src-address=192.168.10.0/24 dst-address=192.168.10.5 out-interface=ether2-master-local dst-port=80
4 ;;; RDP Access
chain=dstnat action=dst-nat to-addresses=192.168.10.5 to-ports=3389 protocol=tcp in-interface=pppoe-tele2 dst-port=1234
5 ;;; Force OpenDNS
chain=dstnat action=dst-nat to-addresses=130.244.127.161 to-ports=53 protocol=tcp src-address=192.168.10.0/24 dst-address=1.2.3.4 dst-port=53
6 chain=dstnat action=dst-nat to-addresses=130.244.127.169 to-ports=53 protocol=udp src-address=192.168.10.0/24 dst-address=1.2.3.4 dst-port=53
7 chain=dstnat action=dst-nat to-addresses=208.67.222.222 to-ports=53 protocol=tcp src-address=192.168.10.0/24 dst-port=53
8 chain=dstnat action=dst-nat to-addresses=208.67.220.220 to-ports=53 protocol=udp src-address=192.168.10.0/24 dst-port=53
My routing know-how is not as deep as I'd wish; it's enough for simple routing, but I'm not able to see what's wrong with my setup.
Thanks in advance for your help!
br from Salzburg,
Rudios
April 1, 2014, 12:43pm
2
Add out-interface=pppoe-tele2 to your first masquerade rule
Hi Rudios -
Thanks for your help!
I have edited the first masquerade rule, but unfortunately it doesn't work.
I will try it from my workstation when I come home.
Maybe it's because I'm trying it from the webserver itself via RDP ...
br from Salzburg,
Hi -
It's still not working; these are the rules right now:
0 ;;; Masquerading
chain=srcnat action=masquerade out-interface=pppoe-tele2
1 ;;; Webserver
chain=dstnat action=dst-nat to-addresses=192.168.10.5 to-ports=80 protocol=tcp in-interface=pppoe-tele2 dst-port=80
2 chain=dstnat action=dst-nat to-addresses=192.168.10.5 to-ports=443 protocol=tcp in-interface=pppoe-tele2 dst-port=443
3 ;;; Webserver Hairpin NAT
chain=srcnat action=masquerade protocol=tcp src-address=192.168.10.0/24 dst-address=192.168.10.5 out-interface=ether2-master-local dst-port=80
4 ;;; RDP Access
chain=dstnat action=dst-nat to-addresses=192.168.10.5 to-ports=3389 protocol=tcp in-interface=pppoe-tele2 dst-port=1234
5 ;;; Force OpenDNS
chain=dstnat action=dst-nat to-addresses=130.244.127.161 to-ports=53 protocol=tcp src-address=192.168.10.0/24 dst-address=1.2.3.4 dst-port=53
6 chain=dstnat action=dst-nat to-addresses=130.244.127.169 to-ports=53 protocol=udp src-address=192.168.10.0/24 dst-address=1.2.3.4 dst-port=53
7 chain=dstnat action=dst-nat to-addresses=208.67.222.222 to-ports=53 protocol=tcp src-address=192.168.10.0/24 dst-port=53
8 chain=dstnat action=dst-nat to-addresses=208.67.220.220 to-ports=53 protocol=udp src-address=192.168.10.0/24 dst-port=53
A ping of the domain returns the correct IP:
C:\Users\jjarolim>ping agentur-ds.jarolim.eu
Ping wird ausgeführt für jjarolim-serverchen.dynamic-dns.net [83.187.171.60] mit 32 Bytes Daten:
Antwort von 83.187.171.60: Bytes=32 Zeit=1ms TTL=64
Antwort von 83.187.171.60: Bytes=32 Zeit=1ms TTL=64
Antwort von 83.187.171.60: Bytes=32 Zeit=1ms TTL=64
Antwort von 83.187.171.60: Bytes=32 Zeit=1ms TTL=64
Ping-Statistik für 83.187.171.60:
Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0
(0% Verlust),
Ca. Zeitangaben in Millisek.:
Minimum = 1ms, Maximum = 1ms, Mittelwert = 1ms
That IP address can be found on the tele2 interface:
[admin@MikroTik] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 ;;; default configuration
192.168.10.1/24 192.168.10.0 ether2-master-local
1 192.168.1.2/24 192.168.1.0 ether1-gateway
2 D 83.187.171.60/32 62.218.4.27 pppoe-tele2
I've no idea what could be wrong ...
br from Salzburg,
Rudios
April 2, 2014, 11:55am
5
Try removing the protocol and dst-port options, maybe it helps?
I've found a solution that works for me in the first comment here:
http://networkingforintegrators.com/2013/02/hairpin-nat-or-how-to-use-your-dyndns-address-internally-or-externally/
The working configuration as a reference; it works fine if you have a 192.168.10.0/24 subnet with a webserver at 192.168.10.5 (or if you change the rules accordingly):
[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Masquerading
chain=srcnat action=masquerade src-address-list=RLCNet out-interface=pppoe-tele2
1 ;;; Hairpin NAT
chain=srcnat action=masquerade src-address-list=RLCNet dst-address-list=RLCNet out-interface=ether2-master-local
2 ;;; Webserver
chain=dstnat action=dst-nat to-addresses=192.168.10.5 to-ports=80 protocol=tcp dst-port=80
3 chain=dstnat action=dst-nat to-addresses=192.168.10.5 to-ports=443 protocol=tcp dst-port=443
4 ;;; RDP Access
chain=dstnat action=dst-nat to-addresses=192.168.10.5 to-ports=3389 protocol=tcp dst-port=1234
And the Address list:
[admin@MikroTik] /ip firewall address-list> print
Flags: X - disabled, D - dynamic
# LIST ADDRESS TIMEOUT
0 RLCNet 192.168.10.0/24
Thanks for the help and
br from Salzburg!
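As an added illustration (not code from the thread or from RouterOS), here is a small Python model of how the dstnat and srcnat chains are walked for one packet, built from the hairpin-relevant rules of the first post and of the working configuration above. The client 192.168.10.20, the remote host 203.0.113.10 and the routing decision are constructed, and the dst-address-type=local matcher in the HARDENED set is a RouterOS matcher that does not appear on the page and is included as an assumed tightening.

```python
import ipaddress
from collections import namedtuple

LAN_IF, WAN_IF = "ether2-master-local", "pppoe-tele2"
ROUTER_LAN, PUBLIC, WEB = "192.168.10.1", "83.187.171.60", "192.168.10.5"
LISTS = {"RLCNet": ipaddress.ip_network("192.168.10.0/24")}   # the thread's address list
Pkt = namedtuple("Pkt", "src dst dport in_if proto", defaults=(LAN_IF, "tcp"))
ip, net = ipaddress.ip_address, ipaddress.ip_network

def matches(rule, p, out_if):  # every matcher present in the rule must hold; absent ones match all
    checks = {
        "in-interface": lambda v: p.in_if == v,
        "out-interface": lambda v: out_if == v,
        "protocol": lambda v: p.proto == v,
        "dst-port": lambda v: p.dport == v,
        "src-address": lambda v: ip(p.src) in net(v),
        "dst-address": lambda v: ip(p.dst) in net(v),
        "src-address-list": lambda v: ip(p.src) in LISTS[v],
        "dst-address-list": lambda v: ip(p.dst) in LISTS[v],
        "dst-address-type": lambda v: v == "local" and p.dst in (ROUTER_LAN, PUBLIC),  # assumed matcher
    }
    return all(checks[k](v) for k, v in rule.items() if k in checks)

def nat(p, rules):  # dstnat runs before routing, srcnat after it; first match wins in each chain
    if r := next((x for x in rules if x["chain"] == "dstnat" and matches(x, p, None)), None):
        p = p._replace(dst=r["to-addresses"], dport=r["to-ports"])
    if p.dst in (ROUTER_LAN, PUBLIC):
        return p  # addressed to the router itself: handled locally, srcnat never runs
    out_if = LAN_IF if ip(p.dst) in LISTS["RLCNet"] else WAN_IF   # constructed routing decision
    if r := next((x for x in rules if x["chain"] == "srcnat" and matches(x, p, out_if)), None):
        p = p._replace(src=ROUTER_LAN if out_if == LAN_IF else PUBLIC)  # masquerade to egress address
    return p

FIRST = [  # original post: dst-nat only matches packets arriving on pppoe, so LAN clients are never redirected
    {"chain": "dstnat", "to-addresses": WEB, "to-ports": 80, "protocol": "tcp", "in-interface": WAN_IF, "dst-port": 80},
    {"chain": "srcnat", "protocol": "tcp", "src-address": "192.168.10.0/24", "dst-address": WEB, "out-interface": LAN_IF, "dst-port": 80},
]
WORKING = [  # final post: hairpin works, but the dst-nat rule matches any destination on port 80
    {"chain": "srcnat", "src-address-list": "RLCNet", "out-interface": WAN_IF},
    {"chain": "srcnat", "src-address-list": "RLCNet", "dst-address-list": "RLCNet", "out-interface": LAN_IF},
    {"chain": "dstnat", "to-addresses": WEB, "to-ports": 80, "protocol": "tcp", "dst-port": 80},
]
# Assumed hardening (not on the page): only redirect packets addressed to one of the router's own IPs.
HARDENED = WORKING[:2] + [dict(WORKING[2], **{"dst-address-type": "local"})]

def hairpin_ok(rules):  # LAN client -> public IP must reach the web server with the router's LAN IP as source
    return (p := nat(Pkt("192.168.10.20", PUBLIC, 80), rules)).dst == WEB and p.src == ROUTER_LAN

def hijacks_outbound_http(rules):  # LAN client -> an internet host (TEST-NET-3) on port 80 must not be redirected
    return nat(Pkt("192.168.10.20", "203.0.113.10", 80), rules).dst == WEB
```

The model also shows that the working dst-nat rule, having no destination matcher, redirects every port-80 connection from the LAN to the internal web server; the hardened variant limits the redirect to the router's own addresses while keeping hairpin working.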
jarda
April 15, 2014, 7:31am
7
Is it possible that hairpin NAT does not work in case the WAN interface does not have the public IP? I have several routers; some have the public IP directly on the WAN, some do not (1:1 NAT), and for these hairpin NAT does not work. What can I do?