'Hairpin NAT' in 6.38.3 - How should it be done?

squishio · February 26, 2017, 5:33pm

Hi Guys,

I have a couple of 951’s with dynamic WAN IPs that I’m trying to get hairpin nat working on without having to mess around with Split-DNS etc.
I’ve tried following various posts detailing how to configure the NAT rules for hairpin to work and its simply not working.
Almost all recent posts seem to follow this method - https://freek.ws/2016/11/21/mikrotik-hairpin-nat-with-dynamic-wan-ip-for-dummies/
Which for me does not work.

But I have also come across this thread (see last post) which suggests hairpin is not nessasary from ROS v6 onwards, instead you use filter rules, though I cant get this to work either…
http://forum.mikrotik.com/t/v6-x-hairpin-nat-not-working/68805/1

Can anyone advise what is the current method of making this work?

Following the first/most common method, my rules are like this…

0 ;;; WAN NAT
chain=srcnat action=masquerade src-address=10.10.5.0/24 out-interface=Ether1 - WAN log=no log-prefix=“”

1 ;;; Hairpin NAT
chain=srcnat action=masquerade protocol=tcp src-address=10.10.5.0/24 dst-address=10.10.5.0/24
out-interface=Ether5 - LAN log=no log-prefix=“”

2 ;;; CCTV Hairpin
chain=dstnat action=dst-nat to-addresses=10.10.5.230 to-ports=8000 protocol=tcp
in-interface=Ether1 - WAN dst-port=8000 log=no log-prefix=“”

3 ;;; CCTV WAN NAT
chain=dstnat action=dst-nat to-addresses=10.10.5.230 to-ports=8000 protocol=tcp
in-interface=Ether1 - WAN dst-port=8000 log=no log-prefix=“”

I’m currently trying to get this to work on 2 different connections, both have dynamic WAN IP addresses, one of them dials the pppoe to ISP directly, the other is a double NAT setup behind an ISP router, I cant get either to work.

baragoon · February 26, 2017, 6:03pm

Try to remove out interface from rules 1-3

Отправлено с моего iPhone используя Tapatalk

squishio · February 26, 2017, 8:18pm

No change.
The counters on these rules are staying at 0 too, so no traffic is even hitting them…

squishio · February 26, 2017, 10:37pm

I’ve got it working!
Thanks to something I read about address lists, I have now got rules for CCTV and RDP setup as below…

 0    ;;; WAN NAT
      chain=srcnat action=masquerade src-address=10.10.5.0/24 
      out-interface=Ether1 - WAN log=no log-prefix="" 

 1    ;;; hairpin NAT
      chain=srcnat action=masquerade src-address=10.10.5.0/24 
      dst-address=10.10.5.0/24 out-interface=Ether5 - LAN log=no log-prefix="" 

 2    ;;; RDP
      chain=dstnat action=dst-nat to-addresses=10.10.5.1 protocol=tcp 
      dst-address-list=Dynamic IP dst-port=3389 log=no log-prefix="" 

 3    chain=dstnat action=dst-nat to-addresses=10.10.5.1 protocol=tcp 
      in-interface=Ether1 - WAN dst-port=3389 log=no log-prefix="" 

 4    ;;; CCTV
      chain=dstnat action=dst-nat to-addresses=10.10.5.230 protocol=tcp 
      dst-address-list=Dynamic IP dst-port=8000 log=no log-prefix="" 

 5    chain=dstnat action=dst-nat to-addresses=10.10.5.230 protocol=tcp 
      in-interface=Ether1 - WAN dst-port=8000 log=no log-prefix=""

The first entry of CCTV and RDP (#2 + #4) is for the hairpin, the second rules (#3 + #5) are for access from WAN

and my address list config…

 #   LIST         ADDRESS                          CREATION-TIME        TIMEOUT             
 0   Dynamic IP   MYROUTER.sn.mynetname.net        feb/26/2017 21:22:06
 1 D ;;; MYROUTER.sn.mynetname.net
     Dynamic IP   X.X.X.X                   feb/26/2017 21:50:20

If I reboot my modem, the ISP gives me a new WAN IP, and so far, after /ip cloud runs a DDNS update (every 60s), then the address list at some point updates itself with the new IP, but I dont know how often this is running. If I find it to be a problem, then I will just add a scheduled script with something like…

/ip firewall address-list disable 0
/ip firewall address-list enable 0

"

Sob · February 26, 2017, 11:14pm

You probably don’t need two dstnat rules. Just one with dst-address-type=local (instead of in-interface=Ether1 - WAN) should be enough. The trick with address list should not be required either. You would need that only if this router did not have public address, but was behind another router with one, in that case, your config would be correct.

Hostnames in address list resolve based on TTL, which in case of *.sn.mynetname.net seems to be 1 minute.