Hairpin NAT Confusion

Hi Guys,

A little lost with this.

I have a dynamic DNS name with my Synology NAS (I have a static IP but it could change they say) hence using DDNS.

I have a webcam on port 80 with a NAT through to it which I can access fine externally via http://xxxx.synology.me dns name.

However, on the internal network at home (and I assume this means my hairpin works), I see the following on different devices/browsers whilst on the internal wifi.

Chrome on PC = go to http://xxx.synology.me = get the RouterOS login page.
Chrome on Android = go to above address = get the login for the camera.
Internet Browser on Android = go to above address = get the RouterOS login page.

My rules are below; it's almost like Chrome is smart enough to handle a broken hairpin??

0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""

1 chain=srcnat action=masquerade src-address-list=LocalLan
dst-address-list=LocalLan out-interface=bridge log=no log-prefix=""

2 chain=dstnat action=dst-nat to-addresses=192.168.0.23 to-ports=554
protocol=tcp in-interface=ether1 dst-port=554 log=no log-prefix=""

3 chain=dstnat action=dst-nat to-addresses=192.168.0.23 to-ports=80
protocol=tcp in-interface=ether1 dst-port=80 log=no log-prefix=""

(LocalLan is an address list for 192.168.0.0/24, i.e. my internal LAN.)

My interface list is here - basically ether1 goes to a Fibre ONT, the rest are internal LAN switched ports.


NAME TYPE ACTUAL-MTU L2MTU MAX-L2MTU

0 R ether1 ether 1500 1598 4074
1 RS ether2-master ether 1500 1598 4074
2 S ether3 ether 1500 1598 4074
3 S ether4 ether 1500 1598 4074
4 S ether5 ether 1500 1598 4074
5 S wlan1 wlan 1500 1600
6 R ;;; defconf
bridge bridge 1500 1598


Any ideas? Is my hairpin working, or are my browsers hair-brained (and me too!)?

Cheers

/ip service
set www port=81

The DNS name does not work properly on the internal network if it is not correctly configured.
I do not understand rule 1,
and it is hard to understand your configuration if you only use the print command;
use this to export the config:

/export

Hi,

The first rule is the masquerade entry I created in order to do the hairpin, which I read about on the forums for users in the same situation.

The LocalLAN reference is an address list pointing at 192.168.0.0/24 (i.e. my internal subnet).

I’ve changed the IP service port to 81 - thank you.

When I do an /export it has passwords etc. in there; is there any way to get a more generic/less sensitive export automatically (it would be good to know in future)?

Cheers

The only way is to remove all uninvolved sections and unwanted passwords manually.

You can try /export hide-sensitive but go through it just to make sure.

Or to export just NAT rules.

> /ip firewall nat
/ip firewall nat> export

Why do you use an address list for rule 1 (Hairpin NAT)?

An alternative to Hairpin NAT is to use Split DNS which is what I do.

The problem is the in-interface=ether1 criteria.

When attempting hairpin access, the packet arrives from interface bridge, not from interface ether1, so the hairpin rules are failing to match.
I’m not quite sure why some devices are getting there and some aren’t - it seems odd.

You could change these rules:

2 chain=dstnat action=dst-nat to-addresses=192.168.0.23 to-ports=554 
protocol=tcp in-interface=ether1 dst-port=554 log=no log-prefix="" 

3 chain=dstnat action=dst-nat to-addresses=192.168.0.23 to-ports=80 
protocol=tcp in-interface=ether1 dst-port=80 log=no log-prefix=""

to this:

2 chain=dstnat action=dst-nat to-addresses=192.168.0.23 to-ports=554 
protocol=tcp dst-address-type=local dst-port=554 log=no log-prefix="" 

3 chain=dstnat action=dst-nat to-addresses=192.168.0.23 to-ports=80 
protocol=tcp dst-address-type=local dst-port=80 log=no log-prefix=""

That should fix the hairpin issue, and still work with a dynamic WAN address.
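To make the matching difference above concrete, here is a small constructed model (added here, not RouterOS code or anything from the thread) of how the original `in-interface=ether1` rules and the suggested `dst-address-type=local` rules treat an external client, a LAN client using the DDNS name, and plain LAN-to-LAN web traffic. The camera address and LAN range come from the thread; the WAN address 203.0.113.10, the LAN gateway 192.168.0.1 and the client addresses are assumed values.

```python
# Constructed model of the thread's dstnat matching; not RouterOS code.
# Camera 192.168.0.23 is from the thread; 203.0.113.10 (WAN) and
# 192.168.0.1 (LAN gateway) are assumed addresses owned by the router.
from dataclasses import dataclass
from typing import Optional

ROUTER_ADDRS = {"203.0.113.10", "192.168.0.1"}  # what dst-address-type=local matches
CAMERA = "192.168.0.23"

@dataclass
class Packet:
    in_interface: str
    src: str
    dst: str
    dst_port: int

@dataclass
class DstNatRule:
    dst_port: int
    to_port: int
    in_interface: Optional[str] = None     # matcher used by the original rules
    dst_address_type_local: bool = False   # matcher from the suggested fix

    def matches(self, pkt: Packet) -> bool:
        if pkt.dst_port != self.dst_port:
            return False
        if self.in_interface and pkt.in_interface != self.in_interface:
            return False  # hairpin traffic arrives on bridge, never ether1
        if self.dst_address_type_local and pkt.dst not in ROUTER_ADDRS:
            return False
        return True

def resolve(pkt: Packet, rules: list) -> str:
    """Who answers: the first matching dstnat rule forwards to the camera; a
    packet to a router-owned address that no rule rewrites reaches the
    router's own service on that port (the RouterOS www login page on 80)."""
    for rule in rules:
        if rule.matches(pkt):
            return f"camera {CAMERA}:{rule.to_port}"
    return "router itself" if pkt.dst in ROUTER_ADDRS else "routed normally"

ORIGINAL = [DstNatRule(554, 554, in_interface="ether1"), DstNatRule(80, 80, in_interface="ether1")]
FIXED = [DstNatRule(554, 554, dst_address_type_local=True), DstNatRule(80, 80, dst_address_type_local=True)]
EXTERNAL = Packet("ether1", "198.51.100.7", "203.0.113.10", 80)  # constructed internet client
HAIRPIN = Packet("bridge", "192.168.0.50", "203.0.113.10", 80)   # LAN client using the DDNS name
LAN_WEB = Packet("bridge", "192.168.0.50", "192.168.0.60", 80)   # LAN client to another LAN host

if __name__ == "__main__":
    for name, pkt in [("external", EXTERNAL), ("hairpin", HAIRPIN), ("lan-web", LAN_WEB)]:
        print(f"{name:8} original -> {resolve(pkt, ORIGINAL):24} fixed -> {resolve(pkt, FIXED)}")
```

The hairpin row is the symptom in the first post: with the original rules the LAN client lands on the router's own port 80, while the fixed rules forward it to the camera without touching ordinary LAN-to-LAN traffic.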