Dear people that are more clever then me,
I have read:
I am on the following network: 192.168.178.0/24
The goal is that the server with IP 192.168.178.85 should be reachable from the external network (is working) and from the internal network (not working).
This translates in my network to the following rules:
/ip firewall filter
add action=accept chain=input comment="default configuration" \
connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established, Related" \
connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
log=yes log-prefix=invalid
add action=drop chain=forward comment=\
"Drop tries to reach not public addresses from LAN" dst-address-list=\
not_in_internet in-interface=bridge1 log=yes log-prefix=!public_from_LAN \
out-interface=!bridge1
add action=drop chain=forward comment=\
"Drop incoming packets that are not NAT'ted" connection-nat-state=!dstnat \
connection-state=new in-interface=pppoe-out1 log=yes log-prefix=!NAT
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
protocol=icmp
add action=drop chain=forward comment=\
"Drop incoming from internet which is not public ip" in-interface=\
pppoe-out1 log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=\
"Drop packets from LAN that do not have LAN IP" in-interface=bridge1 log=\
yes log-prefix=LAN_!LAN src-address=!192.168.178.0/24
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
protocol=icmp
add action=accept chain=icmp comment=\
"host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
protocol=icmp
add action=drop chain=icmp comment="deny all other types"
/ip firewall nat
add action=masquerade chain=srcnat comment=HairpinNAT disabled=yes \
dst-address=192.168.178.85 out-interface=pppoe-out1 src-address=\
192.168.178.0/24
add action=masquerade chain=srcnat comment=NAT out-interface=pppoe-out1
add action=dst-nat chain=dstnat dst-port=80 in-interface=pppoe-out1 protocol=\
tcp to-addresses=192.168.178.85 to-ports=80
add action=dst-nat chain=dstnat dst-port=443 in-interface=pppoe-out1 \
protocol=tcp to-addresses=192.168.178.85 to-ports=443
add action=dst-nat chain=dstnat dst-port=51820 in-interface=pppoe-out1 \
protocol=udp to-addresses=192.168.178.85 to-ports=51820
Obviously, I have an error here somewhere and after a full day of staring at them I am at the end of my knowledge.
Your ruleas are little bit wrong, with “in-interface” it will not work as you expected.
/ip firewall nat
add action=masquerade chain=srcnat comment=hairpin dst-port=80,443 protocol=tcp src-address=172.16.11.0/24
add action=dst-nat chain=dstnat comment=web dst-address=91.xxx.yyy.zzz dst-port=80,443 protocol=tcp to-addresses=172.16.11.11
anav
March 20, 2023, 11:50pm
3
FIXED:/ip firewall filter
where
Mynetname you get from IP cloud!!about allowed traffic and with drop rules at end 99.999 percent of traffic is handled just fine.
Thanks a lot! I have already dyndns set up, so no Cloud Domain from Mikrotik is needed. This worked instantly after trying it out. Didn’t even need to reset the open connections.
After I messed up my configuration during an experiment I wanted to restore my old working config. It seems the backup I had was not recent enough…
Now the hairpin NAT is not working with the rules that were corrected by @anav .
What part of my config should I post here again other than the firewall that could help narrow down the problem? Or should I just post the full config?
anav
April 8, 2023, 7:41pm
6
always full LOL. Unless you have an effing 5 mile long black list and thus remove blacklist and dhcp server leases…
Capsman and scripts were removed for readability. Otherwise, this should be it…
# apr/08/2023 20:46:11 by RouterOS 7.5
# software id = RHQM-G990
#
# model = CCR2004-16G-2S+
# serial number = HD408E3HNNC
/interface bridge
add name=bridge1
/interface vlan
add interface=ether1 name=vlan1 vlan-id=7
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan1 name=pppoe-out1 \
use-peer-dns=yes
/interface list
add name=listBridge
/ip pool
add name=dhcp_family_pool ranges=192.168.178.20-192.168.178.200
/ip dhcp-server
add add-arp=yes address-pool=dhcp_family_pool interface=bridge1 lease-script=\
dhcp-lease-script-family name=family_server
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge1 interface=cap3
add bridge=bridge1 interface=cap2
add bridge=bridge1 interface=sfp-sfpplus2
add bridge=bridge1 interface=ether13
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=bridge1 list=listBridge
/ip address
add address=192.168.178.1/24 interface=bridge1 network=192.168.178.0
/ip dhcp-server network
add address=192.168.178.0/24 caps-manager=192.168.178.1 dns-server=\
192.168.178.1 domain=home.lan gateway=192.168.178.1 netmask=24 \
ntp-server=192.168.178.1
/ip dns
set allow-remote-requests=yes servers=192.168.178.1,8.8.8.8
/ip dns static
add address=192.168.178.1 comment="Manual: homerack-05-router" name=\
homerack-05-router.home.lan
/ip firewall address-list
add address=192.168.178.2-192.168.178.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/24 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet
add address=vpn.4seul.de list=public_ip
/ip firewall filter
add action=accept chain=input comment="default configuration" \
connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established, Related" \
connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
log=yes log-prefix=invalid
add action=drop chain=forward comment=\
"Drop tries to reach not public addresses from LAN" dst-address-list=\
not_in_internet in-interface=bridge1 log=yes log-prefix=!public_from_LAN \
out-interface=!bridge1
add action=drop chain=forward comment=\
"Drop incoming packets that are not NAT'ted" connection-nat-state=!dstnat \
connection-state=new in-interface=pppoe-out1 log=yes log-prefix=!NAT
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
protocol=icmp
add action=drop chain=forward comment=\
"Drop incoming from internet which is not public ip" in-interface=\
pppoe-out1 log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=\
"Drop packets from LAN that do not have LAN IP" in-interface=bridge1 log=\
yes log-prefix=LAN_!LAN src-address=!192.168.178.0/24
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
protocol=icmp
add action=accept chain=icmp comment=\
"host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
protocol=icmp
add action=drop chain=icmp comment="deny all other types"
/ip firewall nat
add action=masquerade chain=srcnat comment=HairpinNAT dst-address=\
192.168.178.0 src-address=192.168.178.0
add action=masquerade chain=srcnat comment=NAT out-interface=pppoe-out1
add action=dst-nat chain=dstnat comment="HTTP main server" \
dst-address-list=public_ip dst-port=80,443 protocol=tcp to-addresses=\
192.168.178.85 to-ports=80
add action=dst-nat chain=dstnat comment="HTTPS main server" \
dst-address-list=public_ip dst-port=443 protocol=tcp to-addresses=\
192.168.178.85 to-ports=443
add action=dst-nat chain=dstnat comment="Wireguard main server" \
dst-address-list=public_ip dst-port=51820 protocol=udp to-addresses=\
192.168.178.85 to-ports=51820
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.178.1 routing-table=\
main suppress-hw-offload=no
add disabled=no dst-address=172.30.0.0/24 gateway=192.168.178.85 \
routing-table=main suppress-hw-offload=no
add disabled=no dst-address=192.168.179.0/24 gateway=192.168.178.85 \
routing-table=main suppress-hw-offload=no
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=homerack-05-router
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes use-local-clock=yes
/system ntp client servers
add address=2.europe.pool.ntp.org
add address=0.europe.pool.ntp.org
add address=1.europe.pool.ntp.org
add address=3.europe.pool.ntp.org
/system script
add dont-require-permissions=no name=dhcp-lease-script-family owner=admin \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
source="<<REMOVED>>"
/tool mac-server
set allowed-interface-list=listBridge
/tool mac-server mac-winbox
set allowed-interface-list=listBridge
anav
April 8, 2023, 8:42pm
8
Change this firewall ruleadd action=drop chain=forward comment=
To:add action=accept chain=forward comment=“port forwarding” connection-nat-state=dstnat add action=accept chain=forward in-interface=listBridge out-interface=pppoe-out1
It is late here in Europe but I believe I applied this as you requested but I am still not being able to call services hosted on the target server from the internal network. Attached config is after applying your suggestion.
I am deeply sorry that I lack the understanding to debug this. My - arguably little - experience tells me to test in the following order:
ping IP
ping DNS
traceroute
ip r get
After that, I am letting a ping run forever and look at the counters of my firewall. If possible I would love to get a bit more knowledgeable about debugging problems like this myself. Any more tips on how to do that?
# apr/08/2023 22:54:09 by RouterOS 7.5
# software id = RHQM-G990
#
# model = CCR2004-16G-2S+
# serial number = HD408E3HNNC
/interface bridge
add name=bridge1
/interface vlan
add interface=ether1 name=vlan1 vlan-id=7
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan1 name=pppoe-out1 \
use-peer-dns=yes user=0028346329705511387679220001@t-online.de
/interface list
add name=listBridge
/ip pool
add name=dhcp_family_pool ranges=192.168.178.20-192.168.178.200
/ip dhcp-server
add add-arp=yes address-pool=dhcp_family_pool interface=bridge1 lease-script=\
dhcp-lease-script-family name=family_server
/port
set 0 name=serial0
set 1 name=serial1
/caps-man manager
set enabled=yes
/interface bridge port
add bridge=bridge1 interface=cap3
add bridge=bridge1 interface=cap2
add bridge=bridge1 interface=sfp-sfpplus2
add bridge=bridge1 interface=ether13
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=bridge1 list=listBridge
/ip address
add address=192.168.178.1/24 interface=bridge1 network=192.168.178.0
/ip dhcp-server network
add address=192.168.178.0/24 caps-manager=192.168.178.1 dns-server=\
192.168.178.1 domain=home.lan gateway=192.168.178.1 netmask=24 \
ntp-server=192.168.178.1
/ip dns
set allow-remote-requests=yes servers=192.168.178.1,8.8.8.8
/ip dns static
add address=192.168.178.1 comment="Manual: homerack-05-router" name=\
homerack-05-router.home.lan
/ip firewall address-list
add address=192.168.178.2-192.168.178.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/24 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet
add address=vpn.4seul.de list=public_ip
/ip firewall filter
add action=accept chain=input comment="default configuration" \
connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established, Related" \
connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
log=yes log-prefix=invalid
add action=drop chain=forward comment=\
"Drop tries to reach not public addresses from LAN" dst-address-list=\
not_in_internet in-interface=bridge1 log=yes log-prefix=!public_from_LAN \
out-interface=!bridge1
add action=drop chain=forward comment=\
"Drop incoming packets that are not NAT'ted" connection-nat-state=!dstnat \
connection-state=new disabled=yes in-interface=pppoe-out1 log=yes \
log-prefix=!NAT
add action=accept chain=forward comment="Port Forwarding" \
connection-nat-state=dstnat
add action=accept chain=forward in-interface-list=listBridge out-interface=\
pppoe-out1
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
protocol=icmp
add action=drop chain=forward comment=\
"Drop incoming from internet which is not public ip" in-interface=\
pppoe-out1 log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=\
"Drop packets from LAN that do not have LAN IP" in-interface=bridge1 log=\
yes log-prefix=LAN_!LAN src-address=!192.168.178.0/24
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
protocol=icmp
add action=accept chain=icmp comment=\
"host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
protocol=icmp
add action=drop chain=icmp comment="deny all other types"
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment=HairpinNAT dst-address=\
192.168.178.0 src-address=192.168.178.0
add action=masquerade chain=srcnat comment=NAT out-interface=pppoe-out1
add action=dst-nat chain=dstnat comment="HTTP main server" dst-address-list=\
public_ip dst-port=80 protocol=tcp to-addresses=192.168.178.85 to-ports=\
80
add action=dst-nat chain=dstnat comment="HTTPS main server" dst-address-list=\
public_ip dst-port=443 protocol=tcp to-addresses=192.168.178.85 to-ports=\
443
add action=dst-nat chain=dstnat comment="Wireguard main server" \
dst-address-list=public_ip dst-port=51820 protocol=udp to-addresses=\
192.168.178.85 to-ports=51820
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.178.1 routing-table=\
main suppress-hw-offload=no
add disabled=no dst-address=172.30.0.0/24 gateway=192.168.178.85 \
routing-table=main suppress-hw-offload=no
add disabled=no dst-address=192.168.179.0/24 gateway=192.168.178.85 \
routing-table=main suppress-hw-offload=no
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=homerack-05-router
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes use-local-clock=yes
/system ntp client servers
add address=2.europe.pool.ntp.org
add address=0.europe.pool.ntp.org
add address=1.europe.pool.ntp.org
add address=3.europe.pool.ntp.org
/system script
add dont-require-permissions=no name=dhcp-lease-script-family owner=admin \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
source="<<REMOVED>>"
/tool mac-server
set allowed-interface-list=listBridge
/tool mac-server mac-winbox
set allowed-interface-list=listBridge
anav
April 9, 2023, 1:34am
10
Here is the issue,/ip firewall nat0 src-address=192.168.178.0 add action=masquerade chain=srcnat comment=HairpinNAT dst-address= ???
Okay good I see the last rule → drop all else, but where are the first two rules??add action=drop chain=forward comment=
anav
April 9, 2023, 2:10am
11
As for the rest of the firewal rules…
/ip firewall address-listadd list=expected-address-from-LAN address=192.168.178.0/24expected-address-from-LAN address =255.255.255.255 comment=“Local” add address=vpn.4seul.de list=public_ip
/ip firewall rawadd action=drop chain=prerouting in-interface-list=WAN src-address-list=not_in_internet ! ! coming from LAN ”
/ip firewall filteradd action=accept chain=input comment=“default configuration”
/ip firewall natadd action=masquerade chain=srcnat comment=HairpinNAT dst-address=
Also You didnt change your config to what I suggested at all in post#8 ???
Okay good I see the last rule → drop all else, but where are the first two rules??add action=drop chain=forward comment=
You should be able to see the rule directly under the disabled rule. I double-checked with my posted config and I am sure that I added them. I was able to spot them immediately.
Edit: After switching the Hairpin NAT Rule the sites showed up in the local network as desired.
Thanks for the help on this side. If I may repeat my question: How would I have been able to debug and find these issues myself? You (and other well-known forum members) provide excellent help with fixing rules but I would rather enable myself to not be dependent on wizards like you.
For example, at the moment my network has no IPv6 enablement and this is something I would like to change in the mid-term. However, the resources there seem a lot more sparse than with IPv4. Unless I am not able to use Google properly again…
anav
April 9, 2023, 10:40am
14
Well in this case, it was easy to spot an incorrectly formatted rule. The subnet was not identified and it was on the key rule for hairpin nat to work!
Thanks for the tips. Router is working as expected and further work will be prepared a lot more thoroughly. I learnt a lot yesterday… Topic can again be seen as solved.