Hairpin NAT for dynamic WAN IP

Hi, I’ve read many posts about setting up hairpin NAT with a dynamic IP, but for the life of me I can’t get it working.

Simple home setup:
WAN port is “ether5-wan”, gets IP over DHCP.
LAN port is “ether1-lan”, runs DHCP server, 192.168.0/24 scope.
Port forwarding TCP 8082 on WAN to 192.168.1.48 on LAN, for an IP camera NVR server.
Dynamic DNS resolves to WAN IP, updated using DNSoMatic script, let’s call it foo.bar.com.
L2TP IPSec server.

I can access the NVR over the internet by https://foo.bar.com:8082/, no problem.
But when I try to access it using the same URI from the LAN, no go.

Here are my firewall and NAT rules:

# Firewall
/ip firewall filter
add chain=input comment="Allow ICMP" protocol=icmp
add chain=input comment="L2TP" dst-port=500,1701,4500 in-interface=ether5-wan protocol=udp
add chain=input comment="XProtect HTTPS" dst-port=8082 in-interface=ether5-wan protocol=tcp
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add chain=input comment="Allow established connections" connection-state=established
add chain=input comment="Allow related connections" connection-state=related
add action=drop chain=input comment="Drop WAN inbound" in-interface=ether5-wan

# NAT
/ip firewall nat
add action=masquerade chain=srcnat comment="WAN NAT" out-interface=ether5-wan
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=192.168.1.0/24 src-address=192.168.1.0/24 out-interface=ether1-lan
add action=dst-nat chain=dstnat comment="XProtect HTTPS" dst-address-type=local dst-port=8082 in-interface=ether5-wan protocol=tcp to-addresses=192.168.1.44 to-ports=8082

Any ideas?

Hairpin NAT

You need to set up a masquerade rule in the NAT chain to src-nat local network back to local network on the LAN interface.

Then in NAT you need to change all those firewall forwards from an interface… to your WAN address.

The WAN IP is dynamic, I cannot create a rule pinned to a specific WAN IP.

In your last dstnat rule, remove in-interface=ether5-wan and add dst-address=!192.168.0.0/16

Thank you very much, that works.

For reference, the new NAT rules:

# NAT
/ip firewall nat
add action=masquerade chain=srcnat comment="WAN NAT" out-interface=ether5-wan
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=192.168.1.0/24 src-address=192.168.1.0/24 out-interface=ether1-lan
add action=dst-nat chain=dstnat comment="XProtect HTTPS" dst-address-type=local dst-address=!192.168.1.0/24 dst-port=8082 protocol=tcp to-addresses=192.168.1.44 to-ports=8082
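To make the two fixes in this thread concrete, here is an added Python model (not from the thread and not RouterOS code) of how the dstnat and srcnat rules above treat a WAN client and a LAN client; the router's LAN address, the client addresses and the WAN lease are constructed values. It shows why in-interface=ether5-wan breaks the hairpin case, why the LAN-to-LAN masquerade is still needed once dstnat matches, and why dst-address-type=local plus dst-address=!LAN never has to know the current WAN IP.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed addresses. Note the rules never mention the WAN IP itself, which is
# why they keep working after DHCP hands the router a different lease.
LAN = ip_network("192.168.1.0/24")
ROUTER_LAN_IP = ip_address("192.168.1.1")   # assumed router address on ether1-lan
NVR = ip_address("192.168.1.44")

@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: IPv4Address
    dst: IPv4Address
    dport: int

def mk(in_iface, src, dst, dport=8082):
    return Packet(in_iface, ip_address(src), ip_address(dst), dport)

def dstnat(pkt, wan_ip, require_wan_iface):
    # Model of the "XProtect HTTPS" rule. require_wan_iface=True is the original
    # (in-interface=ether5-wan); False is the fix (dst-address=!192.168.1.0/24).
    is_local = pkt.dst in (wan_ip, ROUTER_LAN_IP)          # dst-address-type=local
    if pkt.dport != 8082 or not is_local:
        return pkt
    if require_wan_iface and pkt.in_iface != "ether5-wan":
        return pkt
    if not require_wan_iface and pkt.dst in LAN:             # dst-address=!LAN
        return pkt
    return replace(pkt, dst=NVR)

def srcnat(pkt, wan_ip, out_iface, hairpin_rule):
    # "WAN NAT" masquerade is always present; "Hairpin NAT" masquerade is optional.
    if out_iface == "ether5-wan":
        return replace(pkt, src=wan_ip)
    if hairpin_rule and out_iface == "ether1-lan" and pkt.src in LAN and pkt.dst in LAN:
        return replace(pkt, src=ROUTER_LAN_IP)
    return pkt

def forward(pkt, wan_ip, require_wan_iface=True, hairpin_rule=True):
    # Returns what the client experiences: "ok", "refused" or "reset".
    wan_ip = ip_address(wan_ip)
    original_dst = pkt.dst
    pkt = dstnat(pkt, wan_ip, require_wan_iface)
    if pkt.dst in (wan_ip, ROUTER_LAN_IP):
        return "refused"      # lands in the router's input chain; nothing listens on 8082
    out_iface = "ether1-lan" if pkt.dst in LAN else "ether5-wan"
    pkt = srcnat(pkt, wan_ip, out_iface, hairpin_rule)
    # The NVR answers whatever source it sees. If that is off-subnet or the router
    # itself, the reply crosses the router and conntrack reverses both translations.
    if pkt.src not in LAN or pkt.src == ROUTER_LAN_IP:
        return "ok"
    # Otherwise the NVR answers the LAN client directly from 192.168.1.44 while the
    # client expects the reply from original_dst, so the TCP handshake fails.
    return "ok" if original_dst == NVR else "reset"
```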