Hairpin NAT Internal Webserver Problems

The webserver is accessible via external connections (just re-checked). Tried to get Hairpin NAT working (RouterOS - MikroTik Documentation), and that didn't work from internal. Swapped for a rule found here: "Port forwarding with dynamic WAN IP", and that doesn't work either.

What do I want to look at or do next?

EDIT: Updated config dump
Edit2: Updated config dump
[admin@MikroTik] > export hide-sensitive compact

# jan/11/2014 13:44:55 by RouterOS 5.26
# software id = HFLJ-B1QM

/interface ethernet
set 0 name=sfp1-gateway
set 6 name=ether6-master-local
set 7 master-port=ether6-master-local name=ether7-slave-local
set 8 master-port=ether6-master-local name=ether8-slave-local
set 9 master-port=ether6-master-local name=ether9-slave-local
set 10 name=ether10-WAN
/interface bridge
add admin-mac=D4:CA:6D:6F:6D:F3 auto-mac=no name=bridge-local protocol-mode=rstp
add l2mtu=1598 name=FiberOp-bridge protocol-mode=rstp
/interface vlan
add interface=ether10-WAN l2mtu=1594 name=FiberOp-VLAN vlan-id=35
/interface wireless security-profiles
add authentication-types=wpa2-psk eap-methods=passthrough management-protection=allowed mode=dynamic-keys name=THX1138-WPA2 supplicant-identity=""
/interface wireless
set 0 band=2ghz-b/g/n channel-width=20/40mhz-ht-above country=canada disabled=no distance=indoors ht-rxchains=0,1 ht-txchains=0,1 l2mtu=2290 mode=ap-bridge security-profile=THX1138-WPA2 ssid=THX1138 wireless-protocol=802.11
/ip pool
add name=InternalPool ranges=192.168.0.105-192.168.0.200
/ip dhcp-server
add add-arp=yes address-pool=InternalPool disabled=no interface=FiberOp-bridge name=FiberOp-DHCP
/interface bridge port
add bridge=FiberOp-bridge interface=ether2
add bridge=FiberOp-bridge interface=ether3
add bridge=FiberOp-bridge interface=ether4
add bridge=FiberOp-bridge interface=ether5
add bridge=FiberOp-bridge interface=ether6-master-local
add bridge=FiberOp-bridge interface=wlan1
/ip address
add address=192.168.0.1/24 interface=FiberOp-bridge
/ip dhcp-client
add disabled=no interface=FiberOp-VLAN use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
add chain=input comment="Accept Ping" protocol=icmp
add chain=input comment="Accept Established" connection-state=established
add chain=input comment="Accept Related" connection-state=related
add action=drop chain=input in-interface=sfp1-gateway
add action=drop chain=input in-interface=FiberOp-VLAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT HTTP" dst-address=192.168.0.100 dst-port=80 out-interface=FiberOp-bridge protocol=tcp src-address=192.168.0.0/24
add action=masquerade chain=srcnat out-interface=FiberOp-VLAN src-address=192.168.0.0/24
add action=dst-nat chain=dstnat comment="NAT HTTP" dst-port=80 in-interface=FiberOp-VLAN protocol=tcp to-addresses=192.168.0.100 to-ports=80
/ip neighbor discovery
set sfp1-gateway disabled=yes
set ether10-WAN disabled=yes
set wlan1 disabled=yes
set FiberOp-VLAN disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.0.0/24 port=8080
set ssh address=192.168.0.0/24
set winbox address=192.168.0.0/24
/system clock
set time-zone-name=America/Moncton
/system ntp client
set enabled=yes primary-ntp=142.4.200.228 secondary-ntp=198.245.49.187
/system ntp server
set enabled=yes
/tool mac-server
add disabled=no interface=ether2
add disabled=no interface=ether3
add disabled=no interface=ether4
add disabled=no interface=ether5
add disabled=no interface=ether6-master-local
add disabled=no interface=ether7-slave-local
add disabled=no interface=ether8-slave-local
add disabled=no interface=ether9-slave-local
add disabled=no interface=wlan1
add disabled=no interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=wlan1
add interface=bridge-local
/tool sniffer
set filter-direction=any

Rule order is important when making your masquerade rule. Try moving it to the top.

Next time when posting your config, just post /export so we can see everything exactly the way the router is seeing it.

Which rule are we talking about moving up?

The hairpin nat rule.

I also do have my hairpin nat rule below my generic masquerade rule.
Only difference there is that I set src-address= at the generic masquerade rule.

No matter how I stack them it still doesn’t work. I tried using other out-interfaces as well, but nothing in my chain when applied on that rule seems to resolve the issue.
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=yes out-interface=sfp1-gateway
add action=masquerade chain=srcnat disabled=no dst-address=192.168.0.100 dst-port=80 out-interface=FiberOp-VLAN protocol=tcp src-address=192.168.0.0/24
add action=masquerade chain=srcnat disabled=no out-interface=FiberOp-VLAN src-address=192.168.0.0/24
add action=dst-nat chain=dstnat disabled=no dst-port=80 in-interface=FiberOp-VLAN protocol=tcp to-addresses=192.168.0.100 to-ports=80

I anyhow advise you to remove all the unneeded ‘default configuration’ entries from your config.
And your out-interface for the Hairpin NAT rule should be your bridge, like you had before.

After moving the hairpin rule, try to clear all previous connections in the connections tab.

/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT HTTP" disabled=no dst-address=192.168.0.100 dst-port=80 out-interface=FiberOp-bridge protocol=tcp src-address=192.168.0.0/24
add action=masquerade chain=srcnat disabled=no out-interface=FiberOp-VLAN src-address=192.168.0.0/24
add action=dst-nat chain=dstnat comment="NAT HTTP" disabled=no dst-port=80 in-interface=FiberOp-VLAN protocol=tcp to-addresses=192.168.0.100 to-ports=80

Rebooted the router. Still encountering the same problem.

What interface is your computer connected to?

Can you connect to the server using the localnet ip? 192.168.0.100

Tried from both the server itself and another computer over WiFi. Both work via IP, but not via host name.

I have posted my updated config, trimmed out as much as I could get away with. Does anyone have any suggestions about how I could troubleshoot this issue? Perhaps a walk-through about what traffic to look at while I attempt connections would be helpful?

Do you have a static public IP? If so, try to set it as the dst-address for your dst-nat rule and leave out the in-interface selector.

I don’t have a static address, but that seems to work. Is there any way to automate updating that when my address is rotated?
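Added example, not part of the original thread: a small Python model of the dstnat, routing and srcnat steps using the rules posted above, showing why a LAN client's request to the public address never matched the `in-interface=FiberOp-VLAN` dst-nat rule but does match one keyed on `dst-address`. The public address `203.0.113.10`, the client addresses and the `Rule`/`forward` names are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WAN_IP = "203.0.113.10"           # constructed placeholder for the dynamic public address
LAN = ip_network("192.168.0.0/24")
IF_ADDR = {"FiberOp-VLAN": WAN_IP, "FiberOp-bridge": "192.168.0.1"}

@dataclass
class Rule:                       # simplified model of one /ip firewall nat entry
    action: str                   # "dst-nat" or "masquerade"
    in_interface: str = None
    out_interface: str = None
    src_address: str = None       # CIDR
    dst_address: str = None       # single address
    dst_port: int = None
    to_addresses: str = None

    def matches(self, pkt):       # an unset matcher (None) matches anything
        return all((
            self.in_interface in (None, pkt["in_if"]),
            self.out_interface in (None, pkt.get("out_if")),
            self.src_address is None or ip_address(pkt["src"]) in ip_network(self.src_address),
            self.dst_address in (None, pkt["dst"]),
            self.dst_port in (None, pkt["dport"]),
        ))

def forward(pkt, dstnat, srcnat):
    """Walk one new connection through dstnat -> routing -> srcnat."""
    pkt = dict(pkt)
    hit = next((r for r in dstnat if r.matches(pkt)), None)
    if hit:
        pkt["dst"] = hit.to_addresses
    if pkt["dst"] in IF_ADDR.values():
        return "input"            # addressed to the router itself, never reaches the server
    pkt["out_if"] = "FiberOp-bridge" if ip_address(pkt["dst"]) in LAN else "FiberOp-VLAN"
    hit = next((r for r in srcnat if r.matches(pkt)), None)
    if hit:
        pkt["src"] = IF_ADDR[pkt["out_if"]]   # masquerade: use the out-interface address
    return pkt["src"], pkt["dst"], pkt["out_if"]

SRCNAT = [
    Rule("masquerade", src_address="192.168.0.0/24", dst_address="192.168.0.100",
         dst_port=80, out_interface="FiberOp-bridge"),            # hairpin rule
    Rule("masquerade", src_address="192.168.0.0/24", out_interface="FiberOp-VLAN"),
]
BY_INTERFACE = [Rule("dst-nat", in_interface="FiberOp-VLAN", dst_port=80, to_addresses="192.168.0.100")]
BY_ADDRESS = [Rule("dst-nat", dst_address=WAN_IP, dst_port=80, to_addresses="192.168.0.100")]
# Constructed sample connections: one from the LAN (arrives on the bridge), one from outside.
lan_client = {"src": "192.168.0.150", "dst": WAN_IP, "dport": 80, "in_if": "FiberOp-bridge"}
wan_client = {"src": "198.51.100.7", "dst": WAN_IP, "dport": 80, "in_if": "FiberOp-VLAN"}
```

Calling `forward(lan_client, BY_ADDRESS, SRCNAT[1:])` drops the hairpin rule and leaves the source as the client's own LAN address, so the server would answer the client directly instead of back through the router.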

That is doable with scripting.
Create a script that regularly checks the WAN IP and compares it with the last known one.
If changed, change the NAT rule.
Nevertheless, I think there must be a possibility with using the in-interface parameter.
I will test it within a couple of days.

Have you had the time to spare to take a peek at this problem?