Hairpin NAT and misc questions

Hey guys, I’ve had my 450G running for a few days now and things are going great, but I have a couple small issues and questions:

1) I can’t seem to get hairpin NAT working the way I want. Currently if I access my WAN IP from within the network I see the RouterOS landing page. From outside the network it properly routes to an internal web server. What NAT rule would I need to add to allow me to hit the internal web server from inside via the WAN IP? I tried following the instructions here but the NAT rule never seems to get any hits and does nothing: http://wiki.mikrotik.com/wiki/Hairpin_NAT

Here is my IP configuration (public IP replaced with ):

/ip address print detail
Flags: X - disabled, I - invalid, D - dynamic
0 address=192.168.1.1/24 network=192.168.1.0 interface=ether2
actual-interface=ether2

1 D address=/21 network=<wan_network> interface=wan
actual-interface=wan

The only NAT configuration I have (aside from port forwarding rules) is chain=srcnat action=masquerade out-interface=wan

2) I am using ether2 as a master port and ether3-5 use it as a master, which I believe is a common configuration. I have devices using all ports, but when I am monitoring the ports in the interface list, I only see traffic on ether2 and my WAN ports even if there is definitely traffic going through ports 3-5. Is there something that should be changed to see the actual traffic hitting those ports, or is this a limitation of using a master port?

3) I am using an Ubiquiti UniFi wireless AP. It works just fine by itself with no specific configuration in RouterOS, but I noticed there’s a wireless section in RouterOS. Is this for Mikrotik devices that have wireless cards, or can I somehow use some of these features with the UniFi? If not, is there a way for the wireless clients to be given a different DHCP range or subnet so I can do QoS differently for them?

4) Is there a way to get the admin to use a specific skin that I saved at all times? It seems to go back to default most of the time when I visit WebFig and I have to manually switch it back to my skin.

Thanks!

#1
Your should change your port-forwarding NAT rule so it catches internal traffic as well. You probably have something like in-interface=public within the rule. Take that part out so it catches from ANY interface, not just the public.

#2
I believe that “switch” bypasses the CPU completely, so none of the slave ports are really seen by Mikrotik, just the master port traffic. You could use “bridge” instead if you need that.

#3
Wireless in Mikrotik is only for wireless cards, not external access points. External access points have their own config, seperate from the Mikrotik.

#4
Yes, SYSTEM → USERS → GROUPS → SKIN (in winbox)

Thanks for the info. I still can’t get #1 to work. Could you possibly give me an exact rule addition command that might do the trick? The cheap way out would be to create a static DNS entry for the hosts I use to point to the internal IP, but I’d rather not do that.

Post your current NAT port-forward rule here.

This is the rule I made based on the hairpin NAT wiki article:

0 chain=srcnat action=masquerade protocol=tcp src-address=192.168.1.0/24
dst-address=192.168.1.10 dst-port=80

It doesn’t really make sense to me because I would think the dst-address would need to be my WAN IP, but I am probably missing something. With this rule, I never see any packets or bytes recorded for it. It’s at the very top of the list, above my general wan masquerade.

I just tried this, it worked fine. I was able to access my internal PC from my internal network using my Public IP address.

The SRC-NAT rule is the magic to making it work from within the local network. Notice that first rule is dst-nat and not masquerade.

action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=192.168.1.100
action=src-nat chain=srcnat dst-address=192.168.1.100 to-addresses=192.168.1.1

192.168.1.100 is the internal PC
192.168.1.1 is the router
(adjust the addresses to match your current addresses)

When adding both of those it seemed to work, however I was then unable to access the WebFig page from my web server, which is something I’d like to be able to do. Would that now be impossible?

Yes. But you can change the service port for webfig.

Alright I’ll give that a try, thanks. I feel like it should still be possible to be able to do since my old D-Link consumer router was able to do all this automatically. I would imagine it’s just some special combination of rules.

Sure you can, just play around with the src-address, dst-address (or whatever you want to look at) on the rules so they only apply when you need them to.

Not to hijack, but I have a very similar question.

I am using dyndns.org and would like to be able to hit my internal services from computers by typing “myaddress.dyndns.org”. Does this mean I need to add a rule for every port I have forwarded?

Basically, I have a NAS sitting at 192.168.15.10. It has services running at the ports you’ll see below. Here is my export from NAT:

0 chain=srcnat action=masquerade out-interface=WAN

1 chain=dstnat action=dst-nat to-addresses=192.168.15.10 to-ports=43203
protocol=udp dst-port=43203

2 chain=dstnat action=dst-nat to-addresses=192.168.15.10 to-ports=43203
protocol=tcp dst-port=43203

3 chain=dstnat action=dst-nat to-addresses=192.168.15.10 to-ports=8080
protocol=tcp dst-port=8080

4 chain=dstnat action=dst-nat to-addresses=192.168.15.10 to-ports=21
protocol=tcp dst-port=21

5 chain=dstnat action=dst-nat to-addresses=192.168.15.10 to-ports=20
protocol=tcp dst-port=20

6 chain=dstnat action=dst-nat to-addresses=192.168.15.10 to-ports=90
protocol=tcp dst-port=90

7 chain=dstnat action=dst-nat to-addresses=192.168.15.10 to-ports=8081
protocol=tcp dst-port=8081

Thanks in advance.

No, you can make blanket rules.

/ip firewall nat
add chain=srcnat src-address=192.168.15.0/24 dst-address=192.168.15.10 action=masquerade
add chain=srcnat src-address=192.168.15.0/24 dst-address=192.168.15.2 action=masquerade

So easy…thanks fewi.