Cisco to MikroTik

So,

I’ve always used Cisco products, and my ISP convinced me to use MikroTik because I’ve seen his systems stay online and seen updates he’s made go live without needing a power cycle. Very cool, until he installed it and I started having issues due to Hairpin NAT.

I’ve done what the wiki says… I’ve done what the forums say… the only thing I haven’t done is delete every rule, reset the device, and set up the Hairpin NAT BEFORE adding the other rules. I feel like the only reason someone would do this is to solve a configuration issue… can anyone point a small-time local web host, with offsite backups being done to my office, to a solution that doesn’t involve any downtime?

If not, I’m thinking about going back to my Cisco products and no longer using MikroTik… this is a fairly egregious oversight, to not have a solution to a simple issue like this.

My setup:

outside IP: *.*.69.5
inside gateway: 192.168.12.1
inside network: 192.168.12.0/24

My ISP put a server in my basement to host a website on, in trade for the router. He did the initial setup and configuration of the device and made it so I could use 192.168.12.2 as the gateway on a secondary NIC in my web server via something called masquerading. I’m not understanding what masquerade is doing when selected as an action, but I have set up several rules with it and they’ve worked.

I’m running a web server on 192.168.12.201 with gateway .12.1 and a 2nd NIC on 192.168.12.205 with gateway .12.2
I’m running an ADDC/DNS/DHCP server on 192.168.12.202
I’m running a rented server for voice/games for an online entity at 192.168.12.209
I’m running a security system that I remotely monitor at 192.168.12.241
I’m running an IP-Power switch, which lets me remotely control power to my rack and pings IPs to power cycle them if they go non-responsive, at 192.168.12.250

Here’s a copy/paste from the terminal “export” command. I grabbed just above and just below where I saw the firewall rules… I hope this is enough information.

/interface bridge port
add bridge=LAN_Bridge interface=ether2
add bridge=LAN_Bridge interface=ether6
/ip address
add address=*.*.69.5/29 interface=ether1_WAN network=*.*.69.0
add address=192.168.12.2/24 interface=LAN_Bridge network=192.168.12.0
add address=192.168.12.1/24 interface=LAN_Bridge network=192.168.12.0
/ip dns
set servers=*.*.68.10,*.*.69.10
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1_WAN src-address=\
    192.168.12.0/24
add action=dst-nat chain=dstnat comment="WebServ (:80)" dst-port=80 \
    in-interface=ether1_WAN protocol=tcp to-addresses=192.168.12.205 \
    to-ports=80
add action=dst-nat chain=dstnat comment="WebServ SSL (:443)" dst-port=443 \
    in-interface=ether1_WAN protocol=tcp to-addresses=192.168.12.205 \
    to-ports=443
add action=dst-nat chain=dstnat comment="TS3 UDP voice" dst-port=9987-9997 \
    in-interface=ether1_WAN protocol=udp to-addresses=192.168.12.209 \
    to-ports=9987-9997
add action=dst-nat chain=dstnat comment="TS3 TCP File Transfer" dst-port=\
    30033 in-interface=ether1_WAN protocol=tcp to-addresses=192.168.12.209 \
    to-ports=30033
add action=dst-nat chain=dstnat comment="TS3 TCP serverquery" dst-port=10011 \
    in-interface=ether1_WAN protocol=tcp to-addresses=192.168.12.209 \
    to-ports=10011
add action=dst-nat chain=dstnat comment="MC Server (Authentication)" \
    dst-port=25560-25570 in-interface=ether1_WAN protocol=tcp to-addresses=\
    192.168.12.209 to-ports=25560-25570
add action=dst-nat chain=dstnat comment="FTP Server (Passive)" dst-port=\
    60000-62000 in-interface=ether1_WAN protocol=tcp to-addresses=\
    192.168.12.201 to-ports=60000-62000
add action=dst-nat chain=dstnat comment="FTP Server (Handshake)" dst-port=20 \
    in-interface=ether1_WAN protocol=tcp to-addresses=192.168.12.201 \
    to-ports=20
add action=dst-nat chain=dstnat comment="FTP Server (Active)" dst-port=21 \
    in-interface=ether1_WAN protocol=tcp to-addresses=192.168.12.201 \
    to-ports=21
add action=dst-nat chain=dstnat comment="MC Server (Votifier)" dst-port=8192 \
    in-interface=ether1_WAN protocol=tcp to-addresses=192.168.12.209 \
    to-ports=8192
add action=dst-nat chain=dstnat comment="NetBooter (Remote Power Management)" \
    dst-port=1337 in-interface=ether1_WAN protocol=tcp to-addresses=\
    192.168.12.250 to-ports=1337
add action=dst-nat chain=dstnat comment="DNS (TCP)" dst-port=53 in-interface=\
    ether1_WAN protocol=tcp to-addresses=192.168.12.202 to-ports=53
add action=dst-nat chain=dstnat comment="DNS (UDP)" dst-port=53 in-interface=\
    ether1_WAN protocol=udp to-addresses=192.168.12.202 to-ports=53
add action=dst-nat chain=dstnat comment="WebServ RDP (1107->3389)" dst-port=\
    1107 in-interface=ether1_WAN protocol=tcp to-addresses=192.168.12.201 \
    to-ports=3389
add action=dst-nat chain=dstnat comment="ADS/DNS RDP (1108->3389)" dst-port=\
    1108 in-interface=ether1_WAN protocol=tcp to-addresses=192.168.12.202 \
    to-ports=3389
add action=dst-nat chain=dstnat comment="MC Server RDP (1109->3389)" \
    dst-port=1109 in-interface=ether1_WAN protocol=tcp to-addresses=\
    192.168.12.209 to-ports=3389
add action=dst-nat chain=dstnat comment="Security Camera App" dst-port=5550 \
    in-interface=ether1_WAN protocol=tcp to-addresses=192.168.12.241 \
    to-ports=5550
add action=dst-nat chain=dstnat comment="Security RDP (1101->3389)" dst-port=\
    1101 in-interface=ether1_WAN protocol=tcp to-addresses=192.168.12.241 \
    to-ports=3389
/ip route
add distance=1 gateway=*.*.69.1

I could use some very basic “MikroTik for Dummies” assistance here in getting hairpin NAT functional. Thanks in advance!
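One way to get hairpin NAT working against the export above, added here as an example; it is not from the original post or any reply to it. It assumes RouterOS terminal syntax as used in the export, that `WAN_IP` is a placeholder for the public address on ether1_WAN (redacted as *.*.69.5 in the post), and that LAN hosts should be able to reach the published services through that public address. Nothing is reset or deleted: the existing dst-nat rules are edited in place and one srcnat rule is added, so the router keeps forwarding throughout.

```routeros
# Hairpin NAT for the export above (added example, not the original poster's config).
# WAN_IP is a placeholder: substitute the address configured on ether1_WAN.
#
# Why the current rules fail from inside the LAN:
#  1. Every dst-nat rule matches in-interface=ether1_WAN, so a LAN client connecting
#     to WAN_IP:80 arrives on LAN_Bridge and never gets translated to 192.168.12.205.
#  2. Even once it is translated, the server would answer the client directly on the
#     LAN (source 192.168.12.205), the client expects a reply from WAN_IP, and the TCP
#     handshake never completes. The return path has to be forced back through the
#     router by masquerading the hairpinned flow.

/ip firewall nat

# Step 1: re-key the existing dst-nat rules on the public address instead of the
# WAN interface. "!in-interface" clears the interface match; the rules keep their
# ports, targets and comments, so rule order and behaviour for Internet clients are
# unchanged.
:foreach r in=[/ip firewall nat find chain=dstnat action=dst-nat in-interface=ether1_WAN] do={
    /ip firewall nat set $r !in-interface dst-address=WAN_IP
}

# Step 2: masquerade routed LAN-to-LAN traffic. On this flat /24 the only LAN-to-LAN
# traffic the router routes is what it just dst-natted, so this catches exactly the
# hairpinned flows; host-to-host traffic on LAN_Bridge never reaches srcnat. The
# existing out-interface=ether1_WAN masquerade rule stays as it is.
add chain=srcnat src-address=192.168.12.0/24 dst-address=192.168.12.0/24 \
    action=masquerade comment="hairpin NAT"

# Check: open http://WAN_IP/ from a LAN host, then confirm the counters move.
/ip firewall nat print stats where comment="hairpin NAT"
```

Two consequences worth knowing before applying it. Hairpinned connections reach the servers with the router's LAN address as their source, so the web server logs will show 192.168.12.1 rather than the real LAN client for those hits; Internet clients are unaffected. Separately, re-keying on `dst-address` changes nothing about exposure, and the export already publishes RDP (behind ports 1101 and 1107-1109), the domain controller's DNS, FTP and the NetBooter on 1337 to the whole Internet; adding a `src-address-list` match to those rules is worth doing in the same pass, since each `set` takes effect immediately with no restart.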