Hairpin NAT issue

semperfi89 · February 23, 2011, 3:03am

I’ve got a problem setting a Hairpin nat rule. I need to allow access to my webserver (http and ssl) from the internal network using my public dns name. Below is my setup, My webserver is 192.168.5.23, and the LAN network is 192.168.5.0/24

/ip address print detail

Flags: X - disabled, I - invalid, D - dynamic 
 0   address=172.16.1.1/24 network=172.16.1.0 broadcast=172.16.1.255 interface=Phone_Bridge 
     actual-interface=Phone_Bridge 

 1   address=172.16.5.1/24 network=172.16.5.0 broadcast=172.16.5.255 interface=Kids_Bridge 
     actual-interface=Kids_Bridge 

 2   address=172.16.0.1/24 network=172.16.0.0 broadcast=172.16.0.255 interface=Guest_Bridge 
     actual-interface=Guest_Bridge 

 3   address=192.168.5.1/24 network=192.168.5.0 broadcast=192.168.5.255 
     interface=LAN_Bridge actual-interface=LAN_Bridge 

 4 D address=71.71.245.106/20 network=71.71.240.0 broadcast=71.71.255.255 
     interface=WAN_Bridge actual-interface=WAN_Bridge

/ip route print detail

Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 ADS  dst-address=0.0.0.0/0 gateway=71.71.240.1 
        gateway-status=71.71.240.1 reachable WAN_Bridge distance=0 scope=30 
        target-scope=10 

 1 ADC  dst-address=71.71.240.0/20 pref-src=71.71.245.106 gateway=WAN_Bridge 
        gateway-status=WAN_Bridge reachable distance=0 scope=10 

 2 ADC  dst-address=172.16.0.0/24 pref-src=172.16.0.1 gateway=Guest_Bridge 
        gateway-status=Guest_Bridge reachable distance=0 scope=10 

 3 ADC  dst-address=172.16.1.0/24 pref-src=172.16.1.1 gateway=Phone_Bridge 
        gateway-status=Phone_Bridge reachable distance=0 scope=10 

 4 ADC  dst-address=172.16.5.0/24 pref-src=172.16.5.1 gateway=Kids_Bridge 
        gateway-status=Kids_Bridge reachable distance=0 scope=10 

 5 ADC  dst-address=192.168.5.0/24 pref-src=192.168.5.1 gateway=LAN_Bridge 
        gateway-status=LAN_Bridge reachable distance=0 scope=10

/ip firewall export

/ip firewall address-list
add address=64.18.0.1-64.18.15.254 comment="" disabled=no list=Postini
add address=192.168.5.23 comment="" disabled=no list=Allow_SMTP_Out
add address=192.168.5.24 comment="" disabled=no list=Allow_SMTP_Out
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
    tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s \
    tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=log chain=input comment="" disabled=yes dst-port=80 log-prefix="" protocol=tcp \
    src-address=192.168.5.4
add action=accept chain=input comment="Accept established connections" connection-state=\
    established disabled=no in-interface=WAN_Bridge
add action=accept chain=input comment="Accept related connections" connection-state=\
    related disabled=no in-interface=WAN_Bridge
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid \
    disabled=no in-interface=WAN_Bridge
add action=accept chain=input comment=UDP disabled=no in-interface=WAN_Bridge protocol=\
    udp
add action=accept chain=einput comment="SSH for secure shell" disabled=no dst-port=22 \
    in-interface=WAN_Bridge protocol=tcp
add action=drop chain=input comment="Drop Winbox from Guest_Bridge" disabled=no dst-port=\
    8291 in-interface=Guest_Bridge protocol=tcp
add action=drop chain=input comment="Drop Winbox from Kids_Bridge" disabled=no dst-port=\
    8291 in-interface=Kids_Bridge protocol=tcp
add action=drop chain=input comment="Drop Winbox from Phone_Bridge" disabled=no dst-port=\
    8291 in-interface=Phone_Bridge protocol=tcp
add action=accept chain=input comment="Allow Winbox from WAN" disabled=no dst-port=8291 \
    in-interface=WAN_Bridge protocol=tcp
add action=accept chain=input comment="Allow limited pings" disabled=no in-interface=\
    WAN_Bridge limit=50/5s,2 protocol=icmp
add action=drop chain=input comment="Drop excess pings" disabled=no in-interface=\
    WAN_Bridge protocol=icmp
add action=accept chain=input comment="PPTP Server: WAN" disabled=no in-interface=\
    WAN_Bridge protocol=gre
add action=accept chain=input comment="PPTP Server: WAN" disabled=no dst-port=1723 \
    in-interface=WAN_Bridge protocol=tcp
add action=accept chain=forward comment="Allow Mail Server's to Send SMTP" disabled=no \
    dst-port=25 in-interface=WAN_Bridge protocol=tcp src-address-list=Allow_SMTP_Out
add action=log chain=forward comment=\
    "Log all traffic that is attempting to send port 25 except 'Allow_SMTP_Out'" \
    disabled=no dst-port=25 in-interface=!WAN_Bridge log-prefix="SMTP Outbound" protocol=\
    tcp src-address-list=!Allow_SMTP_Out
add action=drop chain=forward comment="Drop All outbound SMTP traffic" disabled=no \
    dst-port=25 out-interface=WAN_Bridge protocol=tcp src-address-list=!Allow_SMTP_Out
add action=accept chain=forward comment=\
    "Allow Kids_Bridge internet from 8am - 10pm, Mon-Sat" disabled=no in-interface=\
    Kids_Bridge time=8h-22h,mon,tue,wed,thu,fri,sat
add action=accept chain=forward comment=\
    "Allow Kids_Bridge internet from 8am to 11:30am on Sun" disabled=no in-interface=\
    Kids_Bridge time=8h-11h30m,sun
add action=accept chain=forward comment=\
    "Allow Kids_Bridge internet from 4:30pm-8pm on Sun" disabled=no in-interface=\
    Kids_Bridge time=16h30m-22h,sun
add action=drop chain=forward comment="Block Kids_Bridge internet." disabled=no \
    in-interface=Kids_Bridge src-address-list="" src-mac-address=!00:00:00:00:00:00 time=\
    0s-1d,sun,mon,tue,wed,thu,fri,sat
add action=log chain=input comment="Log everything else" disabled=no in-interface=\
    WAN_Bridge log-prefix="DROP INPUT"
add action=drop chain=input comment="Drop everything else" disabled=no in-interface=\
    WAN_Bridge
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin nat for HTTP" disabled=no \
    dst-address=192.168.5.23 dst-port=80 out-interface=LAN_Bridge protocol=tcp \
    src-address=192.168.5.0/24
add action=masquerade chain=srcnat comment="Hairpin nat for SSL" disabled=no \
    dst-address=192.168.5.23 dst-port=443 out-interface=LAN_Bridge protocol=tcp \
    src-address=192.168.5.0/24
add action=masquerade chain=srcnat comment="" disabled=no dst-address=192.168.5.23 \
    out-interface=LAN_Bridge src-address=192.168.5.0/24
add action=masquerade chain=srcnat comment="Added by webbox" disabled=no out-interface=\
    WAN_Bridge
add action=dst-nat chain=dstnat comment="Remote Desktop to VirtualHost" disabled=no \
    dst-port=3389 protocol=tcp to-addresses=192.168.5.20 to-ports=3389
add action=dst-nat chain=dstnat comment="Only allow inbound SMTP traffic from POSTINI" \
    disabled=no dst-port=25 in-interface=WAN_Bridge protocol=tcp src-address-list=Postini \
    to-addresses=192.168.5.23 to-ports=25
add action=dst-nat chain=dstnat comment="Mail Server" disabled=no dst-port=80,443,993 \
    in-interface=WAN_Bridge protocol=tcp to-addresses=192.168.5.23 to-ports=0-65535
add action=dst-nat chain=dstnat comment=Vipre disabled=no dst-port=18082,18086,18087,1433 \
    in-interface=WAN_Bridge protocol=tcp to-addresses=192.168.5.2 to-ports=0-65535
add action=dst-nat chain=dstnat comment=Utorrent disabled=no dst-port=6000 in-interface=\
    WAN_Bridge protocol=tcp to-addresses=192.168.5.25 to-ports=6000
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=yes ports=69
set irc disabled=yes ports=6667
set h323 disabled=yes
set sip disabled=yes ports=5060,5061
set pptp disabled=no

fewi · February 23, 2011, 3:52am

add action=dst-nat chain=dstnat comment="Mail Server" disabled=no dst-port=80,443,993 \
    in-interface=WAN_Bridge protocol=tcp to-addresses=192.168.5.23 to-ports=0-65535

Your destination NAT rule doesn’t match traffic entering the router from the LAN interface due to the in-interface=WAN_Bridge property. For that reason traffic to the public server IP sourced from the LAN never gets destination NAT’d to 192.168.5.23. Either refer to the actual public IP address instead of an in-interface, or duplicate the rule and change the in-interface to LAN_Bridge and add dst-address-type=local to only match traffic to any router IP, and not traffic through the router. That dst-address-type=local is also a good idea for the already existing rule, as it makes the NAT matching tighter.

The actual hairpin NAT piece looks fine - your problem is before that even happens.

semperfi89 · February 23, 2011, 1:15pm

fewi:

add action=dst-nat chain=dstnat comment="Mail Server" disabled=no dst-port=80,443,993 \
    in-interface=WAN_Bridge protocol=tcp to-addresses=192.168.5.23 to-ports=0-65535
Your destination NAT rule doesn’t match traffic entering the router from the LAN interface due to the in-interface=WAN_Bridge property. For that reason traffic to the public server IP sourced from the LAN never gets destination NAT’d to 192.168.5.23. Either refer to the actual public IP address instead of an in-interface, or duplicate the rule and change the in-interface to LAN_Bridge and add dst-address-type=local to only match traffic to any router IP, and not traffic through the router. That dst-address-type=local is also a good idea for the already existing rule, as it makes the NAT matching tighter.

The actual hairpin NAT piece looks fine - your problem is before that even happens.

I copied the rule like you suggested and it worked fine. FYI I’ve Removed the hairpin rules (Listed below) that I added and it still works, so they were doing nothing…

add action=masquerade chain=srcnat comment="Hairpin nat for HTTP" disabled=no \
    dst-address=192.168.5.23 dst-port=80 out-interface=LAN_Bridge protocol=tcp \
    src-address=192.168.5.0/24
add action=masquerade chain=srcnat comment="Hairpin nat for SSL" disabled=no \
    dst-address=192.168.5.23 dst-port=443 out-interface=LAN_Bridge protocol=tcp \
    src-address=192.168.5.0/24

:Edit
Not sure how it worked without the rules listed above but it stopped working and I had to add them back in…