Hairpin NAT [can't figure it out]

Lukasz85 · May 14, 2024, 12:55pm

Hi
I have mikrotik RBD52G-5HacD2HnD. My Lan network is 10.0.0.0/24. I have apache server on one of my ubuntu pc 10.0.0.13 port 80. I can enter website from lan with http://10.0.0.13. Also I can enter my website from WAN http://my_wan_ip.

I’m not able to get to this site from LAN with http://my_wan_ip (I don’t need domain name). Tried hairpin NAT

/ip firewall nat add chain=srcnat src-address=10.0.0.0/24 dst-address=10.0.0.13 protocol=tcp out-interface=bridge action masquerade

I have no idea why it is not working.

anav · May 14, 2024, 1:14pm

Post config for review
/export file=anynameyouwish ( minus router serial number, and any public WANIP info )

Lukasz85 · May 14, 2024, 1:27pm

# 2024-05-14 15:22:59 by RouterOS 7.10
# software id = 2Y2I-QL4A
#
# model = RBD52G-5HacD2HnD
# serial number = ******
/interface bridge
add admin-mac=18:FD:74:6F:2D:BA auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=poland disabled=no distance=indoors frequency=auto installation=\
    indoor mode=ap-bridge ssid=mywireless wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-eeCe country=poland disabled=no distance=indoors frequency=\
    auto installation=indoor mode=ap-bridge ssid=mywireless wireless-protocol=802.11
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk group-ciphers=\
    tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
    unicast-ciphers=tkip,aes-ccm
/ip pool
add name=dhcp ranges=10.0.0.2-10.0.0.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/queue simple
add disabled=yes max-limit=100M/100M name=queue1 target=10.0.0.0/24
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
/ip address
add address=10.0.0.1/16 comment=defconf interface=bridge network=10.0.0.0
add address=10.10.0.1/24 interface=wireguard1 network=10.10.0.0
add address=86.111.202.62/29 interface=ether1 network=86.111.202.56
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
# DHCP client can not run on slave or passthrough interface!
add add-default-route=no interface=wlan1
/ip dhcp-server lease
add address=10.0.0.5 mac-address=C0:06:C3:E0:48:D6
add address=10.0.0.3 mac-address=D4:25:CC:CA:EC:C8
add address=10.0.0.10 mac-address=30:9C:23:8C:94:4B
add address=10.0.0.222 mac-address=10:27:F5:26:FA:69
add address=10.0.0.252 client-id=1:c2:8e:57:46:f5:4f mac-address=\
    C2:8E:57:46:F5:4F server=defconf
add address=10.0.0.4 client-id=1:24:5e:be:3:50:74 mac-address=\
    24:5E:BE:03:50:74 server=defconf
add address=10.0.0.13 client-id=\
    ff:56:50:4d:98:0:2:0:0:ab:11:15:e6:67:5a:62:1e:a5:21 mac-address=\
    E8:D8:D1:4E:23:AA server=defconf
/ip dhcp-server network
add address=10.0.0.0/16 comment=defconf dns-server=10.0.0.1 gateway=10.0.0.1 \
    netmask=16
/ip dns
set allow-remote-requests=yes servers=******
/ip dns static
add address=10.0.0.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input dst-port=13231 protocol=udp
add action=accept chain=input dst-port=80 in-interface=wireguard1 protocol=\
    tcp
add action=accept chain=input dst-port=8291 in-interface=wireguard1 protocol=\
    tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=86.111.202.62 dst-port=2495 \
    protocol=tcp to-addresses=10.0.0.4
add action=dst-nat chain=dstnat dst-address=86.111.202.62 dst-port=489 \
    protocol=tcp to-addresses=10.0.0.4
add action=dst-nat chain=dstnat comment=synology3 dst-port=5001 \
    in-interface-list=WAN protocol=udp to-addresses=10.0.0.16 to-ports=5001
add action=dst-nat chain=dstnat comment=synology dst-port=5000 \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.0.16 to-ports=5000
add action=dst-nat chain=dstnat comment=synology1 dst-port=5000 \
    in-interface-list=WAN protocol=udp to-addresses=10.0.0.16 to-ports=5000
add action=dst-nat chain=dstnat comment=synology4 dst-port=5001 \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.0.16 to-ports=5001
add action=dst-nat chain=dstnat comment=synology5 dst-port=6690 \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.0.16 to-ports=6690
add action=dst-nat chain=dstnat comment=synology6 dst-port=6690 \
    in-interface-list=WAN protocol=udp to-addresses=10.0.0.16 to-ports=6690
add action=dst-nat chain=dstnat comment=21 dst-port=21 in-interface-list=WAN \
    protocol=tcp to-addresses=10.0.0.13 to-ports=21
add action=dst-nat chain=dstnat comment=22 dst-port=0 in-interface-list=WAN \
    protocol=tcp to-addresses=10.0.0.13 to-ports=20
add action=dst-nat chain=dstnat comment=SSH dst-port=3344 in-interface-list=\
    WAN protocol=tcp to-addresses=10.0.0.13 to-ports=22
add action=dst-nat chain=dstnat dst-address-type=local dst-port=80 protocol=\
    tcp to-addresses=10.0.0.13 to-ports=80
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=my_public_ip
/ip service
set www port=8080
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/routing bfd configuration
add disabled=no
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=RouterOS
/system note
set show-at-login=no
/system routerboard settings
set cpu-frequency=716MHz
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

DarkNate · May 14, 2024, 2:34pm

Use this, delete any other NAT rule you had for hairpinning, put this at the bottom of the table (last rule number).

/ip firewall nat add chain=srcnat src-address=10.0.0.0/24 dst-address=10.0.0.0/24 action masquerade

anav · May 14, 2024, 2:44pm

(1) The config report by the Router points you to a problem. That problem is you either assign an address to the WAN or your use IP DHCP CLIENT but not both…
Also your configuration for the network setting for IP address is wrong if IP address is the method you choose to stick with!

/ip address
…
…
add address=86.x.y.z/29 interface=ether1 network=86.x.y**.0**

/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
# DHCP client can not run on slave or passthrough interface

(2) Remove old default static address…
/ip dns static
add address=10.0.0.1 comment=defconf name=router.lan

(3) This rule in the input chain makes ZERO SENSE TO ME.
In your text you stated you are running an apache server ON THE LAN, at port 80. Why do you have wireguard coming in on the input chain TO ROUTER SERVICES for port 80??
Remove this rule.
add action=accept chain=input dst-port=80 in-interface=wireguard1 protocol=
tcp

I suspect what you want is to be able to reach the server from wireguard and that would be a forward chain rule!

(4) By the way if the router is server for handshake, then you dont need any wireguard rules in input chain (except for handshake port of course), because you allow all LAN traffic access to the router.
add action=drop chain=input comment=“defconf: drop all not coming from LAN”
in-interface-list=!LAN

(5) Modify forward chain to be clearer and better for port forwarding. What you have by default rules is now inadequate.
Replace Rule:
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN

WITH:
add action=accept chain=forward comment=“internet traffic” in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=“port forwarding” connection-nat-state=dstnat
add action=accept chain=forward comment=“wg to subnets” in-interface=wireguard dst-address=10.0.0.0/16
add action=drop chain=forward comment=“Drop all else”

(6) SOURCENAT RULES
/ip firewall nat
add action=masquerade chain=srcnat dst-address=10.0.0.0/16 src-address=10.0.0.0/16 comment=“hairpin nat rule”
add action=masquerade chain=srcnat comment=“defconf: masquerade”
ipsec-policy=out,none out-interface-list=WAN

(7) DSTNAT RULES

The format as per your first rule is CORRECT!!!
add action=dst-nat chain=dstnat dst-address=86.x.y.z dst-port=2495
protocol=tcp to-addresses=10.0.0.4

All of them should be the same, in some cases you revert back to in-interface-list=WAN, they may or may not work,
but should be in the format for fixed static IP, and certainly any being accessed both internally by domain name must be in correct format.
For example, if you wanIP was dynamic, then you would create a firewall list to mimic a dst-address BY USING a dst-address-list entry!!

(8) Dont recomment unsecure access to the router
/ip service
set www port=8080

Lukasz85 · May 14, 2024, 3:37pm

WoW ! I’m studying all your suggestions and I will be back as soon as I apply them.

=EDIT=
Thanks to you I was able to successfully enable hairpin Nat.