Hairpin NAT issue

dknuckles · September 16, 2013, 2:24pm

I’m having an issue with what I suspect is a hairpin NAT issue. A client requested moving an e-mail server onto a subnet with an existing e-mail server and the two aren’t able to communicate with each other.

Server 1 : 10.0.0.15/24
Server 2 : 10.0.0.77/24

Noteable interfaces are as follows :

Eth1 : 192.168.0.0/24
Eth3 : 10.0.1.0/24
Eth6 : 10.0.0.0/24
Eth13 : WAN

Note : Eth1,3 and 6 are bridged together

My masquerade rules are as follows :

/ip firewall nat
add action=masquerade chain=srcnat dst-address=10.0.0.0/24 src-address=\
    10.0.0.0/24
add action=masquerade chain=srcnat out-interface=ether13

This does not appear to work. Can anyone see the flaw in my logic?

CelticComms · September 16, 2013, 2:49pm

On which addresses are the servers trying to communicate with each other? If they were communicating via the 10.0.0.X/24 addresses the router would not be in path as the devices could communicate directly.

dknuckles · September 16, 2013, 3:01pm

Both servers are on the Eth6 interface. The issue (I believe) is that the mail servers are looking to an external DNS to resolve the mx records. When one server e-mails the other it’s like the first mx record (which is on the same subnet as it) doesn’t even exist and it goes straight to the second mx record.

CelticComms · September 16, 2013, 7:22pm

Looks like you need to pin down which addresses the servers are attempting to connect on.