Hairpin when out-interface has a different address

I have this scenario:
an ISP-provided router facing the internet doing NAT; its LAN address is 192.168.1.1
a MikroTik connected to it, fixed IP is 192.168.1.252, doing NAT too; its LAN address is 10.0.1.1
There is a long-range WiFi link between the routers, but that works without adding route hops, so it can be ignored.

Now I have a web server at 10.0.1.206.
I was looking at hairpin NAT, but the router facing the internet seems unable to do it.

Also, the public internet IP is not a fixed IP.

I guess hairpin would only work as the manual says if my out-interface address were the public IP address, which in this case it is not. Also, I wouldn't like this traffic to bounce off the 192.168.1.1 router as it has the WiFi link.

I guess the router could do some kind of NAT so I can reach my web server from within the 10.0.1.0/24 LAN using the public IP, but I am clueless.
Port forwarding works already; I can reach my web server from the internet with no problems.

Thanks

On your 10.0.1.1, enable the built-in DDNS. Now add your DDNS URL to an address-list with a name like My_IP. You then use dst-address-list in place of dst-address in the hairpin NAT tutorials.

You can also use the DDNS URL to access your server without having to know your current IP.

I already have a DNS name: xxx.duckdns.org. Can I omit enabling the built-in DDNS, add this name to an address-list and follow the steps from there?
The DNS updates are working already.

Yes, you can use the DDNS you already have set up.

It's not working for some reason: external access works, but when I put the name in a browser it takes me to my in-between router's admin web page.

 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none 
 1    chain=dstnat action=dst-nat to-addresses=10.0.1.206 protocol=tcp in-interface=ether1-cpe dst-port=443 log=no log-prefix="" 
 2    chain=srcnat action=masquerade protocol=tcp src-address=10.0.1.0/24 dst-address-list=my_duckdns out-interface=bridge dst-port=443 log=no log-prefix=""

The my_duckdns list seems to work OK; I see a dynamic entry created by MikroTik with my public IP address.

 #   LIST          ADDRESS                        CREATION-TIME        TIMEOUT
 0   my_duckdns    ****.duckdns.org               jul/18/2019 19:44:27
 1 D ;;; ****.duckdns.org
     my_duckdns    <my public ip shows up here>   jul/18/2019 19:51:12

I am sorry, I either misread your original setup or confused it with another. You don't even need the DDNS hack. Use dst-address=192.168.1.252.

/ip firewall nat 
add chain=srcnat action=src-nat protocol=tcp src-address=10.0.1.0/24 dst-address=192.168.1.252 to-address=10.0.1.1 out-interface=bridge dst-port=443

I've got it working in the end.

Thank you very much for your help

I ended up with two dst-nat rules: if I disable the first I cannot access from outside, and if I disable either of the last two I cannot access from inside.
I don't know if I can simplify the rules as both have the same action.

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address-type=local dst-port=443 in-interface=ether1-cpe protocol=tcp to-addresses=10.0.1.206
add action=dst-nat chain=dstnat dst-address-list=my_duckdns dst-port=443 protocol=tcp to-addresses=10.0.1.206
add action=masquerade chain=srcnat dst-address=10.0.1.206 dst-port=443 out-interface=bridge protocol=tcp src-address=10.0.1.0/24

You can:

/ip firewall address-list
add address=192.168.1.252 list=wan_ips
add address=****.duckdns.org list=wan_ips
/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=10.0.1.206 protocol=tcp dst-address-list=wan_ips dst-port=443
add chain=srcnat action=masquerade src-address=10.0.1.0/24 dst-address=10.0.1.0/24
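As an added illustration that is not part of this thread or of RouterOS itself, here is a small Python model of how the two rules above are evaluated for a new forwarded connection (dstnat first, then srcnat), comparing a hairpinned LAN client with a client on the internet; the public address 203.0.113.7 and the client addresses are constructed placeholders for the dynamic duckdns entry the page does not show.

```python
import ipaddress

# Address-list from the final answer. 203.0.113.7 is a constructed placeholder for
# the address RouterOS resolves dynamically from the ****.duckdns.org entry.
ADDRESS_LISTS = {"wan_ips": {"192.168.1.252", "203.0.113.7"}}
LAN = ipaddress.ip_network("10.0.1.0/24")
ROUTER_LAN_IP = "10.0.1.1"   # masquerade towards the bridge uses the router's LAN address
SERVER = "10.0.1.206"        # to-addresses of the dst-nat rule


def in_lan(ip):
    return ipaddress.ip_address(ip) in LAN


def dstnat(pkt):
    """chain=dstnat: tcp/443 to any wan_ips address is forwarded to the web server."""
    if pkt["proto"] == "tcp" and pkt["dport"] == 443 and pkt["dst"] in ADDRESS_LISTS["wan_ips"]:
        return {**pkt, "dst": SERVER}
    return pkt


def srcnat(pkt):
    """chain=srcnat: LAN-to-LAN traffic (only hairpinned flows look like this after
    dstnat) is masqueraded behind the router so replies come back through it."""
    if in_lan(pkt["src"]) and in_lan(pkt["dst"]):
        return {**pkt, "src": ROUTER_LAN_IP}
    return pkt


def translate(pkt):
    """Order RouterOS applies to a new connection: dstnat first, then srcnat."""
    return srcnat(dstnat(pkt))


def reply_bypasses_router(translated):
    """True when the server would answer a LAN client directly: the router never
    sees the reply, cannot undo the dst-nat, and the client drops the SYN-ACK
    (this is the failure mode the srcnat rule prevents)."""
    return in_lan(translated["dst"]) and in_lan(translated["src"]) and translated["src"] != ROUTER_LAN_IP


LAN_CLIENT = {"src": "10.0.1.50", "dst": "192.168.1.252", "proto": "tcp", "dport": 443}
INTERNET_CLIENT = {"src": "198.51.100.9", "dst": "203.0.113.7", "proto": "tcp", "dport": 443}
```

Running `translate(LAN_CLIENT)` yields src 10.0.1.1 and dst 10.0.1.206, while applying only `dstnat` leaves the client's own address as source, which is exactly the asymmetric case that failed earlier in the thread.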

Ahh yes, looks better and works OK. Thanks!