Hairpin NAT configuration

Please help me find the reason why my router does not reach external domains locally.

chain=srcnat action=masquerade out-interface=pppoe-out log=no log-prefix="" 
chain=dstnat action=dst-nat to-addresses=192.168.100.210 protocol=tcp dst-address=192.168.111.111 dst-port=80 log=no log-prefix="" 
chain=dstnat action=dst-nat to-addresses=192.168.100.2   protocol=tcp dst-address=192.168.111.111 dst-port=487 log=no log-prefix="" 
chain=srcnat action=masquerade src-address=192.168.100.0/24 dst-address=192.168.20.100.0/24 out-interface=pppoe-out1 log=no log-prefix=""

My domain www.domain1.com is working fine, but only from outside my network.

The problem is why domain www.domain1.com is not working from my local network.

The last rule is obviously wrong:

  • dst-address=192.168.20.100.0/24 doesn’t really need an explanation :slight_smile:
  • it can’t have out-interface=pppoe-out1 if it’s supposed to do hairpin NAT, the correct interface would be bridge-local

But if your WAN address is really 192.168.111.111, i.e. a non-public one, your problem is elsewhere. Either the hairpin NAT must be done by the router that holds the public address used by your domain, or you must create another set of dstnat rules on your router with dst-address=, to catch the packets early and not let them go out.

Sorry for the wrong example address 192.168.111.111; it should be an external IP, e.g. 192.162.150.20.
Should the last rule be like this?

chain=srcnat action=masquerade out-interface=pppoe-out log=no log-prefix="" 
chain=dstnat action=dst-nat to-addresses=192.168.100.210 protocol=tcp dst-address=192.162.150.20 dst-port=80 log=no log-prefix="" 
chain=dstnat action=dst-nat to-addresses=192.168.100.2   protocol=tcp dst-address=192.162.150.20 dst-port=487 log=no log-prefix="" 
chain=srcnat action=masquerade src-address=192.168.100.0/24 out-interface=bridge-local log=no log-prefix=""

Can you please post the correct rule?

What you have should work. If it doesn't, make sure you allow packets from bridge-local to bridge-local in the forward chain.
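The rule set the reply above says should work, written out in full as an added example; this is not configuration posted in the thread. It assumes the names and addresses from the posts: WAN interface pppoe-out1 with public address 192.162.150.20, LAN bridge bridge-local on 192.168.100.0/24, the web server at 192.168.100.210 on port 80 and the second host at 192.168.100.2 on port 487. Substitute your own.

```routeros
# Added example (not from the thread). Assumed: WAN = pppoe-out1 (192.162.150.20),
# LAN = bridge-local (192.168.100.0/24), web server 192.168.100.210:80,
# second host 192.168.100.2:487.
/ip firewall nat
# 1. Port forwards. Deliberately no in-interface= here: the same rule has to
#    match packets arriving from the internet AND packets from LAN clients that
#    resolved www.domain1.com to the public address.
add chain=dstnat dst-address=192.162.150.20 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.100.210 comment="fwd 80 -> web"
add chain=dstnat dst-address=192.162.150.20 protocol=tcp dst-port=487 \
    action=dst-nat to-addresses=192.168.100.2 comment="fwd 487"
# 2. Hairpin. After dstnat a LAN client's packet is LAN -> LAN via the router.
#    Without this rule the server would answer the client directly, and the
#    client drops that reply because it expects it from 192.162.150.20, not from
#    192.168.100.210. Masquerading the source to the router's LAN address forces
#    the reply back through the router, which un-NATs it correctly.
add chain=srcnat src-address=192.168.100.0/24 dst-address=192.168.100.0/24 \
    out-interface=bridge-local action=masquerade comment="hairpin NAT"
# 3. Normal internet masquerade. Order of 2 and 3 does not matter: the
#    out-interface= matchers are mutually exclusive.
add chain=srcnat out-interface=pppoe-out1 action=masquerade comment="internet"

/ip firewall filter
# A hairpinned connection enters and leaves on the same bridge interface. If the
# forward chain ends in a drop rule, this accept must be placed above it.
add chain=forward in-interface=bridge-local out-interface=bridge-local \
    action=accept comment="LAN -> LAN through the router (hairpin)"
```

Watch the counters with `/ip firewall nat print stats` while opening the site from a LAN client: the dstnat rule, the hairpin srcnat rule and the forward accept should all increment. If the forward chain already has a final drop, move the accept above it with `/ip firewall filter move`.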

The problem is that this config doesn't work and I can't open this web page from the internal network.

I'm not sure what you mean by allowing packets from bridge-local to bridge-local in the forward chain.

chain=forward action=accept in-interface=bridge-local out-interface=bridge-local log=no log-prefix=""

Is this that rule?

This is a DNS problem. You must add a static DNS record with the server name and IP in the router. Network clients must use the local DNS server in the router as primary.

Can I configure not only local DNS records in ip dns static, but also a different DNS server for different URLs?

A different DNS server for different URLs? Why? The local DNS server will forward DNS requests to the external one if it has no corresponding record.

Different because I use DNS services to reach different region-restricted services for some web pages :wink:

Too complicated, IMHO. How will you react if a user uses an external DNS, for example Google? Simplicity is power; why not block by IP address?
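The DNS approach suggested a few posts up, as an added example that is not configuration from the thread, together with the piece that answers the question in the last reply: instead of blocking clients that hard-code an external resolver, redirect their port 53 traffic to the router so the split view applies to them too. Assumed: router LAN address 192.168.100.1, LAN bridge bridge-local, web server 192.168.100.210, WAN pppoe-out1.

```routeros
# Added example (not from the thread). Assumed: router LAN 192.168.100.1,
# LAN bridge "bridge-local", web server 192.168.100.210, WAN "pppoe-out1".
/ip dns
# Let the router answer queries from the LAN (upstream servers= stay as configured).
set allow-remote-requests=yes
/ip dns static
# Split horizon: LAN clients get the private address, so the connection never
# leaves the LAN and no hairpin NAT is involved at all.
add name=www.domain1.com address=192.168.100.210 ttl=5m
/ip dhcp-server network
# Hand out the router as the only resolver.
set [find address=192.168.100.0/24] dns-server=192.168.100.1
/ip firewall nat
# Clients with a hard-coded public resolver (8.8.8.8 etc.) would bypass the
# static record. Transparently redirect their plain-DNS queries to the router
# instead of dropping them: resolution keeps working, and the split view wins.
add chain=dstnat in-interface=bridge-local protocol=udp dst-port=53 \
    action=redirect to-ports=53 comment="LAN DNS via router"
add chain=dstnat in-interface=bridge-local protocol=tcp dst-port=53 \
    action=redirect to-ports=53 comment="LAN DNS via router (tcp)"
/ip firewall filter
# allow-remote-requests=yes also listens on the WAN side. Do not become an open
# resolver (DNS amplification abuse); these must sit above any generic input accept.
add chain=input in-interface=pppoe-out1 protocol=udp dst-port=53 \
    action=drop comment="no DNS from WAN"
add chain=input in-interface=pppoe-out1 protocol=tcp dst-port=53 \
    action=drop comment="no DNS from WAN (tcp)"
```

The redirect only catches classic DNS on port 53; clients using DNS over HTTPS or DNS over TLS still get the public address, and for those the hairpin NAT rules remain the fallback. Keeping both mechanisms in place is the usual choice.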

I'm just wondering if, in my case, the only solution is to use local DNS services?
This situation should be quite common for anyone providing web services.

How will you react if a user uses an external DNS, for example Google

Yes, I'm blocking Google DNS and most other DNS services.

Hairpin NAT works too. If it still doesn't (btw, that forward rule was ok), it must be something small, rules in the wrong order or something like that.

Can you please add info on what the right order is?

Not really, it depends on your firewall setup; I have no idea what you have there. Firewall rules are processed in order, so if you want to allow something, it must happen before another rule explicitly blocks it.

Check the wiki and understand what exactly happens with addresses when packets go through the router. Then just watch what happens on your router. RouterOS is great in this regard: every rule has live counters, and you can add extra logging rules to prerouting, forward or postrouting to more easily and reliably see what happens, what goes where, etc.


I've followed that instruction, and I can make it work from the WAN.
I have a setup where my router is behind my ISP router. Would I be able to hairpin on my router, or should the ISP do it on their router?

Thanks.

It can be done on your router; you just need to catch the packets going to the public address and not let them go to the ISP. So if you currently forward ports using a dstnat rule with dst-address=<private address on your router's WAN>, make another one with the same settings and only change dst-address=.

This is my setup:

A = ISP IP
B = My router external IP
C = My router internal IP
D = My webserver IP

This is my firewall NAT setup:
/ip firewall nat
add chain=dstnat dst-address=B protocol=tcp dst-port=80 action=dst-nat to-address=D

What i tried just now is this:
/ip firewall nat
add chain=dstnat dst-address=A protocol=tcp dst-port=80 action=dst-nat to-address=D

What am I doing wrong?

Thanks

Nothing wrong, it should work. The first rule is for connections from the internet and the second one for connections from your LAN. The actual hairpin NAT will be the same for both, using the srcnat rule from the wiki. You do have that too, right? If it still doesn't work, make sure it's not blocked in the forward chain. Specifically, a connection from the LAN to your server (going back to the LAN) will have the same incoming and outgoing interface (LAN).

Yes I have the source nat setup like this:

/ip firewall nat
add chain=srcnat src-address=192.168.0.0/24 dst-address=D protocol=tcp dst-port=80 out-interface=bride-local action=masquerade

Still, it's not working...
It's the first NAT rule in the NAT table, so I don't think other rules can be blocking it?

Then try to connect and watch what happens. Every rule has counters, so you'll know how far the packet got. You can also enable logging for each rule, or add extra logging rules for debugging:

  • in prerouting with src-address=E and dst-address=A, to confirm that the request reached the router
  • in forward with src-address=E and dst-address=D, to confirm that the dstnat rule worked
  • in postrouting with src-address=C and dst-address=D, to see the final packet leaving the router

Verify each step and you'll see which one did not happen, even though it should have.
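The double-NAT setup from the A/B/C/D post and the tracing procedure just described, as an added example that is not configuration from the thread. E stands for the LAN client used for testing; all five addresses below are placeholders (documentation and private ranges) chosen here, not values from the thread. One caveat a practitioner should know: in the RouterOS packet flow the mangle postrouting chain runs before srcnat, so a mangle postrouting log rule still sees the pre-NAT source E, never C. The block therefore verifies the third step with a log rule inside the srcnat chain placed directly before the masquerade rule, and the translated address is confirmed from the connection table instead. The internet masquerade and the forward accept are assumed to exist already as in the posts above.

```routeros
# Added example (not from the thread). Placeholder addresses, assumed here:
#   A = ISP router public IP, B = this router's WAN (private) IP,
#   C = this router's LAN IP, D = web server, E = LAN test client.
# Globals persist across pasted terminal lines; locals would not.
:global A 203.0.113.10
:global B 192.168.1.2
:global C 192.168.0.1
:global D 192.168.0.10
:global E 192.168.0.50
:global lan "bridge-local"

/ip firewall nat
# Port forward for traffic the ISP router forwards to us (destination is B) ...
add chain=dstnat dst-address=$B protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=$D comment="fwd 80 from internet"
# ... and the same for LAN clients that resolve the domain to A. Without it the
# packet is routed to the ISP router, which will not hairpin it back.
add chain=dstnat dst-address=$A protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=$D comment="fwd 80 from LAN (hairpin)"
# Debug step 3: placed BEFORE the masquerade rule with identical matchers, so it
# logs exactly the packets the hairpin rule is about to translate. If "2-dstnat-ok"
# fires but this stays silent, a matcher is wrong (a mistyped out-interface= name
# is the classic cause: the rule is valid but matches nothing).
add chain=srcnat src-address=$E dst-address=$D protocol=tcp dst-port=80 \
    out-interface=$lan action=log log-prefix="3-srcnat-hit"
add chain=srcnat src-address=192.168.0.0/24 dst-address=$D protocol=tcp dst-port=80 \
    out-interface=$lan action=masquerade comment="hairpin NAT"

/ip firewall mangle
# Debug step 1: mangle prerouting runs before dstnat, so dst is still A here.
add chain=prerouting src-address=$E dst-address=$A protocol=tcp dst-port=80 \
    action=log log-prefix="1-arrived"
# Debug step 2: mangle forward runs after dstnat, so dst=D proves the dstnat rule hit.
add chain=forward src-address=$E dst-address=$D protocol=tcp dst-port=80 \
    action=log log-prefix="2-dstnat-ok"
```

Open http://A/ from E and follow the log with `/log print follow-only where message~"arrived|dstnat-ok|srcnat-hit"`; the first prefix missing tells you where the packet stopped. `/ip firewall nat print stats` shows the same information as counters. To confirm the translation itself, look at the tracked connection in `/ip firewall connection print detail`: for the hairpinned flow its `reply-dst-address` must show C, i.e. the server answers the router, not the client. Remove the three log rules once the path is verified, since they log every matching packet.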