Hello I tried to do hairpin nat using this video
https://www.youtube.com/watch?v=_kw_bQyX-3U&t=89s
but now i cant reach my websites from my wan side!!!
Tip #1: People are much more likely to tell you what’s wrong when you post your non-working config, than watch some video they are not interested in and then guess what you might have done wrong.
Tip #2: When posting your config, use text export (run command “/export hide-sensitive file=yourconfig” in terminal and then paste content of created yourconfig.rsc in code tags).
Hi, thanks for the tips. Here is my config file:
# oct/18/2019 22:09:51 by RouterOS 6.45.6
# software id = UDCQ-LZ2S
#
# model = RouterBOARD D52G-5HacD2HnD-TC
# serial number = <-*HIDDEN*->
/interface bridge
add admin-mac=<-*HIDDEN*-> auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
use-peer-dns=yes user=<-*HIDDEN*->
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid=<-*HIDDEN*-> wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
installation=indoor mode=ap-bridge ssid=<-*HIDDEN*-> wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add add-arp=yes address-pool=dhcp disabled=no interface=bridge lease-script=":\
local DHCPtag\r\
\n:set DHCPtag \"#DHCP\"\r\
\n\r\
\n:if ( [ :len \$leaseActIP ] <= 0 ) do={ :error \"empty lease address\" }\
\r\
\n\r\
\n:if ( \$leaseBound = 1 ) do=\\\r\
\n{\r\
\n :local ttl\r\
\n :local domain\r\
\n :local hostname\r\
\n :local fqdn\r\
\n :local leaseId\r\
\n :local comment\r\
\n\r\
\n /ip dhcp-server\r\
\n :set ttl [ get [ find name=\$leaseServerName ] lease-time ]\r\
\n network \r\
\n :set domain [ get [ find \$leaseActIP in address ] domain ]\r\
\n \r\
\n .. lease\r\
\n :set leaseId [ find address=\$leaseActIP ]\r\
\n\r\
\n# Check for multiple active leases for the same IP address. It's weird a\
nd it shouldn't be, but just in case.\r\
\n\r\
\n :if ( [ :len \$leaseId ] != 1) do=\\\r\
\n {\r\
\n :log info \"DHCP2DNS: not registering domain name for address \$lease\
ActIP because of multiple active leases for \$leaseActIP\"\r\
\n :error \"multiple active leases for \$leaseActIP\"\r\
\n } \r\
\n\r\
\n :set hostname [ get \$leaseId host-name ]\r\
\n :set comment [ get \$leaseId comment ]\r\
\n /\r\
\n\r\
\n :if ( [ :len \$hostname ] <= 0 ) do={ :set hostname \$comment }\r\
\n\r\
\n :if ( [ :len \$hostname ] <= 0 ) do=\\\r\
\n {\r\
\n :log error \"DHCP2DNS: not registering domain name for address \$lea\
seActIP because of empty lease host-name or comment\"\r\
\n :error \"empty lease host-name or comment\"\r\
\n }\r\
\n :if ( [ :len \$domain ] <= 0 ) do=\\\r\
\n {\r\
\n :log error \"DHCP2DNS: not registering domain name for address \$lea\
seActIP because of empty network domain name\"\r\
\n :error \"empty network domain name\"\r\
\n }\r\
\n\r\
\n :set fqdn \"\$hostname.\$domain\"\r\
\n \r\
\n /ip dns static\r\
\n :if ( [ :len [ find name=\$fqdn and address=\$leaseActIP and disabled=\
no ] ] = 0 ) do=\\\r\
\n {\r\
\n :log info \"DHCP2DNS: registering static domain name \$fqdn for addr\
ess \$leaseActIP with ttl \$ttl\"\r\
\n add address=\$leaseActIP name=\$fqdn ttl=\$ttl comment=\$DHCPtag dis\
abled=no\r\
\n } else=\\\r\
\n {\r\
\n :log error \"DHCP2DNS: not registering domain name \$fqdn for addres\
s \$leaseActIP because of existing active static DNS entry with this name \
or address\" \r\
\n }\r\
\n /\r\
\n} \\\r\
\nelse=\\\r\
\n{\r\
\n /ip dns static\r\
\n :local dnsDhcpId \r\
\n :set dnsDhcpId [ find address=\$leaseActIP and comment=\$DHCPtag ]\r\
\n\r\
\n :if ( [ :len \$dnsDhcpId ] > 0 ) do=\\\r\
\n {\r\
\n :log info \"DHCP2DNS: removing static domain name(s) for address \$l\
easeActIP\"\r\
\n remove \$dnsDhcpId\r\
\n }\r\
\n /\r\
\n}" lease-time=1h name=defconf
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server lease
add address=192.168.88.20 mac-address=<-*HIDDEN*-> server=defconf
add address=192.168.88.150 client-id=<-*HIDDEN*-> mac-address=\
B8:86:87:7D:16:37 server=defconf
add address=192.168.88.5 mac-address=<-*HIDDEN*-> server=defconf
add address=192.168.88.100 client-id=<-*HIDDEN*-> mac-address=\
00:D8:61:9B:71:FC server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf domain=lan gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
add address=192.168.88.253 comment=#DHCP name=DESKTOP-QSB6RJ4.lan ttl=1h
add address=192.168.88.11 comment=#DHCP name=amazon-17b000f13.lan ttl=1h
add address=192.168.88.5 comment=#DHCP name=amazonfiretv.lan ttl=1h
add address=192.168.88.27 comment=#DHCP name=myHivehub.lan ttl=1h
add address=192.168.88.30 comment=#DHCP name=Samsung-Galaxy-S7-edge.lan ttl=\
1h
add address=192.168.88.100 comment=#DHCP name=DEN-DESKTOP.lan ttl=1h
add address=192.168.88.251 comment=#DHCP name=Google-Home-Mini.lan ttl=1h
add address=192.168.88.254 comment=#DHCP name=Google-Home-Mini.lan ttl=1h
add address=192.168.88.20 comment=#DHCP name=ubuntu1804-webmin.lan ttl=1h
add address=192.168.88.150 comment=#DHCP name=WIN10.lan ttl=1h
/ip firewall address-list
add address=<-*HIDDEN*->.sn.mynetname.net comment=WAN-IP list=WAN-IP
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="HAIRPIN NAT" dst-address=\
192.168.88.0/24 src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
add action=dst-nat chain=dstnat comment=Webmin-Ports dst-address-list=WAN-IP \
dst-port=22,80,443,10000,20000,53 protocol=tcp to-addresses=192.168.88.20
add action=dst-nat chain=dstnat comment="Webmin-(UDP) 53" dst-address-list=\
WAN-IP dst-port=53 protocol=udp to-addresses=192.168.88.20
add action=dst-nat chain=dstnat comment="RDP PORT for 192.168.88.100" \
dst-address-list=WAN-IP dst-port=3389 protocol=tcp to-addresses=\
192.168.88.100
/ppp secret
add name=<-*HIDDEN*->
add name=<-*HIDDEN*->
add name=<-*HIDDEN*->
/system clock
set time-zone-name=Europe/London
/system scheduler
add comment="DuckDNS updater for <-*HIDDEN*->.duckdns.org" interval=5m name=\
DuckDNS-Updater on-event=":local domain \"<-*HIDDEN*->\"\
\n:local token \"<-*HIDDEN*->\"\
\n:local userbs \"<-*HIDDEN*->\"\
\n:local passbs \"<-*HIDDEN*->\"\
\n:local hostbs \"<-*HIDDEN*->\"\
\n\
\n/tool fetch url=\"https://dyndns.topdns.com/update\?hostname=\$hostbs&us\
ername=\$userbs&password=\$passbs\" keep-result=no\
\n\
\n/tool fetch url=\"https://www.duckdns.org/update\?domains=\$domain&token\
=\$token&ip=\" keep-result=no" policy=read,test start-date=sep/16/2019 \
start-time=12:14:15
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Can you see anything that is wrong with my config?
Not clearly wrong, no.
One weak spot is dst-address-list=WAN-IP in dstnat rules and the address resolved from xxx.sn.mynetname.net. It’s basically correct, but when the WAN address changes, there will always be a small interval until the TTL for the address list item expires and it gets the new address. So the rule will be for the old one and connections to the new one will be ignored. It can be even worse if for some reason MikroTik’s DDNS fails to update the hostname immediately.
Two possible solutions for that are:
a) Don’t get the address from xxx.sn.mynetname.net, but instead use the lease script for the DHCP client and update the address list item from there. That way you’ll have the correct address right after DHCP gets it. It looks like you’re not scared of scripts, so it shouldn’t be a problem for you.
b) Instead of dst-address-list=WAN-IP, use dst-address-type=local. The problem with this is that it will match any local address, so if you use for example WebFig on default port 80, it won’t work. But since you most likely don’t need it accessible on all addresses, probably just on 192.168.88.1, you can add an additional dst-address=!192.168.88.1 and exclude it.
Again, I don’t currently see anything else, so check if it might be this problem. If not, I’ll try to look again.
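Worked example added by the editor (not part of either post), showing what the two suggestions above look like against this export. Part (b) rewrites the dst-nat rule on dst-address-type=local with the router's own service addresses excluded through an address list rather than a single dst-address, so the VPN-side address 192.168.89.1 is excluded as well as 192.168.88.1. Part (a) keeps the WAN-IP list in sync from a script, but because this WAN is a pppoe-client rather than a DHCP client, the hook is the on-up script of the PPP profile (where RouterOS supplies $interface and $"local-address"), not the dhcp-client lease script; the same body would go into the dhcp-client script, using $bound and $"lease-address", if the WAN were plain DHCP on ether1. Three deliberate departures from the posted rules: TCP 443 is not forwarded, because the router's own SSTP server listens on 443 and the dstnat chain is evaluated before input, so the existing forward shadows the "allow sstp" rule; the TCP/UDP 53 forward is dropped, since it publishes the 192.168.88.20 resolver to the whole internet; and 3389 is left to the VPN that is already configured. Note also that the export binds 192.168.88.1/24 to ether2, which is a bridge port, whereas the default configuration places it on the bridge; the example moves it there. The profile name "default" and the assumption that the pppoe-client uses it are the editor's; check with /interface pppoe-client print.

```routeros
# Editor's example, not from the thread. Assumes: LAN 192.168.88.0/24 on the
# bridge, WAN is pppoe-out1 using /ppp profile "default", web host 192.168.88.20.

# The export has the LAN address on ether2, a bridge port; an address on a
# bridge slave is not valid, so bind it to the bridge itself.
/ip address
set [find address="192.168.88.1/24"] interface=bridge

/ip firewall address-list
# drop the DNS-name entry; the on-up script below maintains a plain IP instead
remove [find list=WAN-IP]
# addresses the router keeps for itself: never dst-nat traffic aimed at them
add list=no-forward address=192.168.88.1 comment="LAN gateway: WebFig/Winbox/DNS"
add list=no-forward address=192.168.89.1 comment="VPN local address"

/ip firewall nat
# hairpin: LAN clients reaching the public address get their replies back
# through the router instead of directly from 192.168.88.20
add chain=srcnat action=masquerade src-address=192.168.88.0/24 \
    dst-address=192.168.88.0/24 comment="HAIRPIN NAT"
# option (b): match whatever address the router currently holds (so it follows
# a PPPoE address change with no DNS TTL lag), minus the no-forward list.
# 443 stays with the SSTP server; 53 and 3389 are deliberately not forwarded.
add chain=dstnat action=dst-nat protocol=tcp dst-port=22,80,10000,20000 \
    dst-address-type=local dst-address-list=!no-forward \
    to-addresses=192.168.88.20 comment="Webmin-Ports"

# --- option (a): paste the body below into the On Up script of
# /ppp profile default (Winbox: PPP > Profiles > default > Scripts) ---
# RouterOS supplies $interface and $"local-address" to on-up. Guarding on the
# interface name keeps VPN logins on the same profile from touching the list.
:if ($interface = "pppoe-out1") do={
    :local wan $"local-address"
    /ip firewall address-list
    :local id [find list=WAN-IP]
    :if ([:len $id] = 0) do={
        add list=WAN-IP address=$wan comment=WAN-IP
    } else={
        set $id address=$wan
    }
    :log info "WAN-IP address list updated to $wan"
}
```

With (b) in place the WAN-IP list is no longer needed by the forward rule at all; (a) is there for any other rule you still want keyed on the public address, and it is updated at the moment IPCP hands the address over, not when a DNS record catches up.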
Hi, thanks for that.
I have an update script updating other dynamic dns providers like Duckdns.
I have tried using those in the WAN-IP list to no avail.
It still is not working from outside the LAN.
Two things:
Yes, the WAN IP resolves directly to the MikroTik via a fibre modem. The MikroTik receives its IP from the ISP.
The only changes are hairpin NAT enabled, and the WAN-IP address list as destination.
Not working from WAN to LAN.
Try this:
/ip firewall mangle
add action=log chain=prerouting connection-state=new dst-port=20000 log-prefix=newconn protocol=tcp
Then connect from outside to .sn.mynetname.net:20000 and if anything comes to your router, it will log a line like:
17:12:10 firewall,info newconn prerouting: in:<incoming interface> out:(unknown 0), src-mac <something>, proto TCP (SYN), <source address>:<some port>-><destination address>:20000, len 44
If it does, then check if it is the same address you see in IP->Addresses on the WAN interface, and that you also see the same address in the address list (resolved from .sn.mynetname.net).
If nothing gets logged, then try to ping .sn.mynetname.net and see if the address is the same as in IP->Addresses.
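Editor's example of the check described above as one script you can paste into the terminal (not from either poster): it adds the temporary log rule, then compares the three addresses that must agree for dst-address-list=WAN-IP to match, namely the address bound to pppoe-out1, what the DDNS name resolves to through the router's own DNS settings, and what the WAN-IP list currently holds. The DDNS hostname is a placeholder to replace with your own .sn.mynetname.net name; the interface name is taken from the export. If the addresses agree but no newconn line ever appears after connecting from outside, the packet is not reaching the router, which is the last case in the post. Remove the mangle rule when done.

```routeros
# Editor's example; substitute your own .sn.mynetname.net name below.
/ip firewall mangle
add chain=prerouting action=log connection-state=new protocol=tcp dst-port=20000 \
    log-prefix=newconn comment="TEMP: trace inbound 20000, remove when done"

:local wanIf "pppoe-out1"
:local ddnsName "xxxxxxxxxxxx.sn.mynetname.net"

# address currently bound to the WAN interface, with the /prefix stripped
:local onIf [/ip address get [find interface=$wanIf dynamic=yes] address]
:set onIf [:toip [:pick $onIf 0 [:find $onIf "/"]]]

# what the DDNS name resolves to right now; abort clearly if it does not resolve
:local viaDns
:do {
    :set viaDns [:resolve $ddnsName]
} on-error={
    :error "cannot resolve $ddnsName; check /ip cloud and /ip dns"
}

:put "address on $wanIf: $onIf"
:put "$ddnsName resolves to: $viaDns"
:put "WAN-IP list entries (D = dynamic entry resolved from the name):"
/ip firewall address-list print where list=WAN-IP

:if ($onIf != $viaDns) do={
    :log warning "WAN-IP mismatch: $wanIf has $onIf but DDNS gives $viaDns"
    :put "MISMATCH: dst-nat rules are keyed on $viaDns but traffic arrives at $onIf"
} else={
    :put "addresses agree; connect from outside to port 20000, then run:"
    :put "/log print where message~\"newconn\""
}
```

A mismatch here means the dst-nat rule is matching on an address the router no longer has, which is exactly the TTL window described earlier in the thread; matching addresses with no logged connection points at the path between the internet and the router rather than at the NAT rules.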