Hairpin NAT and DDNS (noob)

limbo · January 27, 2017, 8:44pm

Hello Mikrotik experts
I’m completely noob with Mikrotik and routerOS and I need your precious help. (so be gentle on me)

Major question Hairpin NAT
My setup is as follows: LAN > Mikrotik (with PPPoE Dialing) > MODEM > ISP (with Dynamic IP)

I have several server devices on LAN (1 NVR, 1 web based light switch, 2 IP cameras) and I have managed to forward the ports using dstnat rules. Now I can access the devices from internet using DDNS address which is updated regulary using a specific script. Everything is fine.

However I really don’t get how to setup the router to redirect my DDNS request to internal IP’s when I’m on connected to LAN.
I know that I have to setup Hairpin NAT but I can’t understand really the rule structure.
To be more specific:
My public DDNS is: mymikrotik.two-dns.de
My internal switch (web server) is running on 192.168.128.199 on port 8880
My router is on 192.168.128.1

Can anybody provide an example how to setup my firewall rules to achieve Hairin NAT?

Thank you in advance

JB172 · January 27, 2017, 9:56pm

http://wiki.mikrotik.com/wiki/Hairpin_NAT

/ip firewall nat
add chain=srcnat src-address=192.168.128.0/24 dst-address=192.168.128.199 protocol=tcp dst-port=8880 out-interface=LAN action=masquerade

limbo · January 27, 2017, 11:04pm

Well I’m definitely missing something major here.
I tried few times to use the rule but “no juice”.

I tried to create two different rules for two different devices, but no success.
Any ideas?

My master interface is bridge1 (where the rule is targeting). Is this correct?

The indicated rule is targeting correctly an active device and an active port:

What am I doing wrong?

2frogs · January 28, 2017, 3:00am

The problem is your dst-nat rule. You have in-interface=pppoe-out1, which works fine for traffic coming from outside your network. However, your local traffic never hits that interface. You will need something like this:

/ip firewall nat add chain=dstnat dst-address-type=local dst-address=!192.168.0.0/16 dst-port=8008 protocol=tcp action=dst-nat to-address=192.168.128.248 to-port=8008

Now your hairpin should work.

docmarius · January 28, 2017, 10:01am

I really don’t get the idea behind the previously provided responses…
What you need is to D-NAT the requests originating from your internal LAN towards your public IP to the internal server’s IP.
Now here we have 2 solutions:

Assuming your external IP is static (not your case, just for the concept):

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=<your_ext_ip> in-interface=bridge-lan to-addresses=192.168.128.199

If your IP is dynamic add it to a address list in your update script and use that address list for DST-NAT:

/ip firewall nat
add action=dst-nat chain=dstnat dst-address-list=Hairpin in-interface=bridge-lan to-addresses=192.168.128.199

Of course, in both cases, you can adapt the NAT rules to be restricted to certain ports, or use multiple different internal servers.

Here is an example script that you can adapt to get your interface IP periodically and add it to the ‘Hairpin’ address list, and should work regardless of static or dynamic IP. Just run it every minute or so:

# this is the global variable holding the last known public IP
:global HairpinPreviousIP ;

# get the current WAN IP
:local currentIP ;

:do {
    :set currentIP [/ip address get [find interface="YOUR_WAN_INTERFACE"] address] ;
} on-error={
    # you could add a failover static IP here, just have something so the script won't fail
    :set currentIP 192.168.128.199 ;
}

# Strip the net mask off the IP address
:for i from=( [:len $currentIP] - 1) to=0 do={
   :if ( [:pick $currentIP $i] = "/") do={
       :set currentIP [:pick $currentIP 0 $i] ;
   }
}

# Public IP has changed
:if ($currentIP != $HairpinPreviousIP) do={

    # clear the address list
    :foreach entry in=[/ip firewall address-list find list="Hairpin"] do={
         /ip firewall address-list remove $entry
     }
     
   # add new address to the address list
   /ip firewall address-list add list="Hairpin" address=$currentIP
   
   # here you could also add other static router IPs to the Hairpin list
   # /ip firewall address-list add list="Hairpin" address=192.168.1.2
   
   # store the new IP
   :set HairpinPreviousIP $currentIP ;
}

If you run a dynamic dns update script, you probably have most elements there, just migrate the delete/add IP to the ‘Hairpin’ address list to that script.

Steveocee · January 29, 2017, 7:29pm

Rather than using a dst-address or a convoluted script to update the WAN IP and update the rule try using the MikroTik’s build in DDNS, enable it and copy your host name.

Go into the Firewall and create an address list and call is WAN-IP (or similar), amend your dst-nat rules so that they apply to an address-list and choose the WAN IP list you just made.

In recent RoS the address list can resolve host names so it will resolve your WAN IP and change when you swap IP (if your ISP supports dynamic)

msatter · January 29, 2017, 8:02pm

To be independable from your dynamic IP address you can use !local:

http://forum.mikrotik.com/t/setup-2-public-ip-addresses-nat-mail-server-web-server/104547/5

docmarius · January 29, 2017, 8:03pm

I forgot this one. So ignore the script and just add your wan dns name to the list:

/ip firewall address-list
add address=mymikrotik.two-dns.de list=Hairpin

/ip firewall nat
add action=dst-nat chain=dstnat dst-address-list=Hairpin in-interface=bridge-lan to-addresses=192.168.128.199

The only issue is that there will be a hiatus after ddns update for the remainder of the DNS entry TTL (usually 5-15 minutes worst case since ddns providers use some 300-900 seconds TTL). This does not happen with the script, which limits this behavior to the script cycle.

neven · March 26, 2018, 11:30am

I’m trying to configure Hairpin using dst-address-list but looks like I’m missing something.

[admin@MikroTik] /ip firewall filter> /ip firewall address-list print

Flags: X - disabled, D - dynamic 
 #   LIST              ADDRESS                        
 0   Hairpin           xxxx.sn.mynetname.net  
 1 D ;;; xxx.sn.mynetname.net
     Hairpin           xxx.xx.xx.182                  

[admin@MikroTik] /ip firewall filter> /ip firewall filter print      
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 

 2    ;;; allow IPsec NAT
      chain=input action=accept protocol=udp dst-port=4500 

 3    ;;; allow IKE
      chain=input action=accept protocol=udp dst-port=500 

 4    ;;; allow l2tp
      chain=input action=accept protocol=udp dst-port=1701 

 5    ;;; allow pptp
      chain=input action=accept protocol=tcp dst-port=1723 

 6    ;;; allow sstp
      chain=input action=accept protocol=tcp dst-port=443 

 7    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid 

 8    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

 9    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN 

10    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 

11    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 

12    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related 

13    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 

14    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 

15    ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat 
      in-interface-list=WAN 

[admin@MikroTik] /ip firewall filter> /ip firewall nat print                      
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN 
      ipsec-policy=out,none 

 1    ;;; masq. vpn traffic
      chain=srcnat action=masquerade src-address=192.168.89.0/24 

 2    chain=dstnat action=dst-nat to-addresses=192.168.7.21 to-ports=41234 
      protocol=tcp in-interface=ether1 dst-port=41235 log=no log-prefix="" 

 3 X  chain=dstnat action=dst-nat to-addresses=192.168.7.21 to-ports=3389 
      protocol=tcp in-interface=ether1 dst-port=3389 log=no log-prefix="" 

 4    chain=dstnat action=dst-nat to-addresses=192.168.7.21 to-ports=41234 
      protocol=tcp dst-address-list=Hairpin in-interface=bridge dst-port=41235 
      log=no log-prefix="" 

 5    chain=dstnat action=dst-nat to-addresses=192.168.7.11 to-ports=22 
      protocol=tcp dst-address-list=Hairpin in-interface=bridge dst-port=22 
      log=no log-prefix=""

Connection request is triggering firewall/NAT dst-nat rule 4 and 5 but it is not reaching to-address

Do I need src-nat masquerade for local network?

Steveocee · March 26, 2018, 8:03pm

Have a watch of this;
https://www.steveocee.co.uk/mikrotik/hairpin-nat/hairpin-nat-video/

If you try https://www.steveocee.co.uk/mikrotik/hairpin-nat/ you will find fully scripted setup.

jspool · March 27, 2018, 4:19am

If you can access it fine externally and not internally that’s generally a masquerade issue
Typically the default settings will masquerade the LAN traffic leaving ether1. However if you temporarily remove the ether1 from the rule and apply it my guess is that it will work fine.
If so you should be able to customize rules needed to access devices locally.

neven · March 29, 2018, 9:43am

Yup, masquarade for bridge to local subnet in src-chain did the trick. Thank you all.

ilovepancakes · December 16, 2018, 4:17pm

Do you mind sharing your final full config for NAT rules? I am trying to get this working and am having similar issues as you originally described.