Hairpin Issues

I am trying to configure my internal hairpin so I can access my minecraft server through my web address (main two used ridiculoussmp.deppagaming.net (goes into minecraft game server) and repair.deppagaming.net (ssh portal into server itself for maintance)) I would like to be able to do these two without having to change from the web address to my internal ip for the server. The server is on it’s own dhcp server and ip pool (dhcp2 and pool1) used only for the server where as my machine is on my general dhcp server and ip pool (dhcp1 and dhcp_pool0). I have my hairpin nat as a srcnat from src 192.168.88.0/24 (general dhcp server) to dst 172.16.12.0/24 (server’s dhcp server) and set to masquerade. The server is static at 172.16.12.50 and when I set my port foward to have a dst. address they no longer work externally.
Below is my >export hide-sensitive file

/ip dhcp-client
add disabled=no interface="1-702 Com"
/ip dhcp-server lease
add address=172.16.12.50 client-id=\
    ff:b6:22:f:eb:0:2:0:0:ab:11:a5:a9:73:db:7f:8b:bf:5d mac-address=\
    F8:DB:88:FC:7B:A1 server=dhcp2
/ip dhcp-server network
add address=172.16.12.0/24 gateway=172.16.12.1 netmask=24
add address=192.168.88.0/24 gateway=192.168.88.1
/ip firewall address-list
add address=379704868df8.sn.mynetname.net list=hairpin
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="accept established,related" \
    connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
/ip firewall nat
add action=masquerade chain=srcnat comment=Hairpin dst-address=\
    192.168.88.0/24 src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment="Masquerade for IP conversion" \
    out-interface="1-702 Com"
add action=dst-nat chain=dstnat comment=Maintnence dst-port=22 in-interface=\
    "1-702 Com" protocol=tcp to-addresses=172.16.12.50 to-ports=22
add action=dst-nat chain=dstnat comment=Vanilla disabled=yes dst-port=25569 \
    in-interface="1-702 Com" in-interface-list=listBridge protocol=tcp \
    to-addresses=172.16.12.50 to-ports=25569
add action=dst-nat chain=dstnat comment=RidJava dst-port=25565 in-interface=\
    "1-702 Com" protocol=tcp to-addresses=172.16.12.50 to-ports=25565
add action=dst-nat chain=dstnat comment=RidBed-needswork dst-port=19132 \
    in-interface="1-702 Com" protocol=tcp to-addresses=172.16.12.50 to-ports=\
    19132
add action=dst-nat chain=dstnat comment=Origins disabled=yes dst-port=25567 \
    in-interface="1-702 Com" in-interface-list=listBridge protocol=tcp \
    to-addresses=172.16.12.50 to-ports=25567
/ip service
set telnet disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes

New day, new topic about port forward.
Try to read this https://forum.mikrotik.com/viewtopic.php?t=179343

@Znevna,
I didn’t know what to answer him…
if you look at the firewall there is no “drop” and has winbox open to the world, plus the cloud active and published here on the forum…
It’s too much, I even lost the want to suggest him to censor those things…

Concur the biggest problem is not the hairpin its the lack of firewall rules.
The op should at least put in the defaults…

/ip firewall filter
{Input Chain}
add action=accept chain=input comment=“defconf: accept established,related,untracked” connection-state=established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment=“drop all else”
{forward chain}
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack” connection-state=established,related
add action=accept chain=forward comment=“defconf: accept established,related, untracked” connection-state=established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=invalid
add action=accept chain=forward comment=“allow internet traffic” in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=“allow port forwarding” connection-nat-state=dstnat
add action=drop chain=forward

I’d say that having in-interface defined in the dst-nat rules prevents hairpin from working, as per the subject of this topic, that is the issue.
Regarding the rest of the security holes in the config, those are offtopic.

Id say your outta your cotton picking mind to make such a bold and WRONG claim.
Show me the firewall rule that allows dstnat ??

I cannot believe such ignorance from a usually good contributor. Many things are interrelated on the MT Config and therefore its never a good idea to ignore one part of the config when having issues overall. Best to go have my first cup of coffee today as I feel like tearing additional strips

He has all the rules required.

Ehm… pratically no rule on firewall = NAT&Hack allowed …

My opinion of your basic acumen is dropping drastically…
However you do have a point in that we dont know what he needs.
If this is not a public facing router then perhaps he doesnt need any rules which is basically the current state of affairs.
If this is a public facing router, you should go directly to IT jail.

Like I’ve said above, the lack of security in his firewall is beyond the subject of this topic.
If you have something to say regarding the dst-nat rules, please do so.

Nope, will not let it go, and I have all day and night today, and tomorrow and the next day and the next day and the next day and then next day…

You may not like it, but even though firewall filter may be “unfinished”, it does not break dstnat. The problem there is using in-interface(-list). If replacing those with dst-address= breaks outside access, then it’s probably NAT 1:1 or something and public address is not directly on this router.

I dont work on what ifs and suppositions… Otherwise I would be a priest.

There are no “what ifs and suppositions” here. Get over it.

Thats the difference between you/others and I. I have no psychopathic compulsion to help someone hang themselves (metaphorically), no instead I have the moral fortitude to lead them on a different path. Maybe tomorrow will be different and I wont give a phuck.

Sorry for the delayed response, I never received the email saying my post was posted.
Thank you for this, I have added these rules. I am still very much new to setting up my own router, and had a hard time finding instructions on setting up my own firewall, I have implemented all the rules above.
This unit is my main router, that is public to the internet. I accept I need to go to temporary IT Jail for this.
I will gladly admit I do not know everything and am willing to learn and grow.

HI MJ, no need, you are in NEW LEARNERS SAFE HAVEN. Lots of time for newbies, been there, still there sometimes.
The only person going to jail is Znevna for happily letting you go down in flames without any warning… He deserves a good bout of gastroenteritis!

Glad you fixed things up, and will have another look, once you post your config.

Do you get a fixed IP or is it a dynamic IP?
If you are hosting anything you will be doomed to hacking attempts which is never fun, so my advice is to at least use source address list entries for your destination nat rules.
If you dont know all the external users coming in, well thats asking for trouble. There is no reason why folks cannot provide you with
a. their static public IP
b. their dyndns name which the MT router will resolve for you to IP address (many free providers out there to get one so no excuses).

If this is strictly for you to access the server and it could be from any site, then suggest wireguard into the router and then access the server).