Hairpin NAT not working

RouterOS Beginner Basics
1

Hello everyone, I´m new to Mikrotik and loving it so far,

My ISP is giving me the /29 subnet of public IPs, these are

#   ADDRESS            NETWORK         INTERFACE                                
 0   192.168.5.254/24   192.168.5.0     LAN                                      
 1   1.2.3.4/29   	1.2.3.3  	 WAN                                      
 2   192.168.55.254/24  192.168.55.0    Management                               
 3   192.168.127.254/24 192.168.127.0   Guest                                    
 4   1.2.3.5/29   1.2.3.3   WAN                                      
 5   1.2.3.6/29   1.2.3.3   WAN                                      
 6   1.2.3.7/29   1.2.3.3   WAN                                      
 7   1.2.3.8/29   1.2.3.3   WAN

As you can see I have three networks (LAN, Management and Guest)

I have setup NAT rules

Flags: X - disabled, I - invalid, D - dynamic 
 0    
      chain=srcnat action=accept src-address=192.168.5.0/24 
      dst-address=192.168.0.0/16 log=no log-prefix="" 

 1    
      chain=dstnat action=dst-nat to-addresses=192.168.5.244 protocol=tcp 
      dst-address=1.2.3.4 dst-address-type=local dst-port=80,443,1723 
      log=no log-prefix="" 

 2    
      chain=dstnat action=dst-nat to-addresses=192.168.5.250 protocol=tcp 
      dst-address=1.2.3.4 dst-address-type=local dst-port=8888 log=no 
      log-prefix="" 

 3    
      chain=dstnat action=dst-nat to-addresses=192.168.5.245 to-ports=443 
      protocol=tcp dst-address=1.2.3.4 dst-address-type=local 
      dst-port=10443 log=no log-prefix="" 

 4    
      chain=dstnat action=dst-nat to-addresses=192.168.5.249 protocol=tcp 
      dst-address=1.2.3.5 
      dst-port=80,443,49443,3260,8080,8443,8880,8843,6789,2301,2381 log=no 
      log-prefix="" 

 5    
      chain=dstnat action=dst-nat to-addresses=192.168.5.249 protocol=udp 
      dst-address=1.2.3.5 dst-address-type=local dst-port=3478 log=no 
      log-prefix="" 

 6    
      chain=srcnat action=masquerade out-interface=all-ethernet log=no 
      log-prefix=""

My primary outgoing interface is WAN 1.2.3.4

Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          1.2.3.3             1
 1 ADC  1.2.3.1/29   	1.2.3.4   	WAN                       0
 2 ADC  192.168.5.0/24     192.168.5.254   LAN                       0
 3 ADC  192.168.55.0/24    192.168.55.254  Management                0
 4 ADC  192.168.127.0/24   192.168.127.254 Guest                     0

DST NAT is working from outside fine, that means when someone is trying to access port 8080 on WAN address 1.2.3.5 it gets translated correctly, problem is, when someone from 192.168.5.0/24 (WAN: 1.2.3.4) is trying to access something on WAN 1.2.3.5 address via specific port. I tried all combinations listed here with masquerade action but it does´nt work :frowning:

I tried article from hairpin NAT on Wiki but whatever I define it doesn´t work

2

Do you really have received 1.2.3.4/29 adresses?
Examples from wiki: https://wiki.mikrotik.com/wiki/Hairpin_NAT DO REALLY WORK if applied carefully.
Try them for one address and then extend to WAN’s your range.

3

The very first NAT rules says that when source is 192.168.5.0/24 and destination 192.168.0.0/24 (which is true for what you’re trying to do), the packet should be accepted, i.e. processing in srcnat chain should be stopped. So unless you add srcnat rule for haipin before this one, it’s the explanation why it doesn’t work.

4

Thank you! :slight_smile:

I added

ip firewall nat chain=srcnat action=masquerade src-address=192.168.5.0/24 dst-address=192.168.5.0/24 log=no log-prefix=""

And it works now :slight_smile: