Hairpin NAT Not Working

jyln · March 16, 2021, 12:28am

I have been attempting to get this hairpin NAT to work for a while now. I have looked at countless forum posts and I cannot seem to find the solution to my problem. I have followed the Hairpin NAT Wiki manual and still no luck.

For reference, my network has 2 MikroTiks, an RB2011 and a hEx S. My devices are plugged into the hEx S which is acting as a switch as the main RB2011 is handling the routing/internet traffic. I have a NAS with the local IP of 192.168.1.36. My computer’s local IP is 192.168.1.32. I had my DST-NAT rule log so that I could see where it is getting stuck. This is the output of the log when attempting to access the NAS over WAN IP:

dstnat: in:local(ether5 JayTik) out:(unknown 0), src-mac 70:85:c2:f0:8a:b4, proto TCP (SYN), 192.168.1.32:61399->[WAN IP and PORT omitted], len 52

My hairpin NAT is setup in a mangle configuration where packets meant for hairpinning are marked with “HAIRPIN” and then SRC-NAT’d with the HAIRPIN mark. Does this work? I have attempted solely using the SRC-NAT rule without the marked packets and letting the LAN subnet in src-address and dst-address and the log still presents the same result. I feel the main cause is due to my firewall filter rules being out of order or configured improperly. Below is my firewall filter, NAT, and mangle rules, please let me know if there is any more information that is needed.

Firewall Filter Rules:

/ip firewall filter
add action=accept chain=input comment=\
    "Accept to established, related connections" connection-state=\
    established,related
add action=drop chain=input comment="Block all access to the winbox - except t\
    o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\
    PORT ADDRESS LIST" dst-port=8291 protocol=tcp src-address-list=!support
add action=accept chain=input comment="Full access to SUPPORT address list" \
    src-address-list=support
add action=add-src-to-address-list address-list=Syn_Flooder \
    address-list-timeout=30m chain=input comment=\
    "Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
    tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" \
    src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port Scanner Detect" \
    protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
    src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=\
    ICMP protocol=icmp
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
    RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED"
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related
add action=accept chain=forward comment="Established, Related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=drop chain=forward comment=\
    "Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=jump chain=forward comment="Jump for icmp forward flow" \
    jump-target=ICMP protocol=icmp
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface-list=\
    WAN log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=\
    "Drop packets from LAN that do not have LAN IP" in-interface-list=LAN \
    log-prefix=LAN_!LAN src-address-list=!allowed_users src-address-type=""
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    bogons
add action=add-src-to-address-list address-list=spammers \
    address-list-timeout=3h chain=forward comment=\
    "Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=\
    25,587 limit=30/1m,0:packet protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
    protocol=tcp src-address-list=spammers
add action=accept chain=ICMP comment=\
    "Echo request - Avoiding Ping Flood, adjust the limit as needed" \
    icmp-options=8:0 limit=2,5 protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
    3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
    protocol=icmp

Firewall NAT Rules:

/ip firewall nat
add action=masquerade chain=srcnat comment="Autogenerated Hairpin NAT" \
    connection-mark=HAIRPIN ipsec-policy=out,none
add action=masquerade chain=srcnat out-interface=MTW src-address-list=\
    allowed_users
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=VCN \
    src-address-list=allowed_users
add action=dst-nat chain=dstnat comment="MTW VNC For Gaming Computer" \
    dst-address=MTW dst-port=5900 protocol=tcp to-addresses=\
    192.168.1.2 to-ports=5900
add action=dst-nat chain=dstnat comment="MTW VNC for Blue Iris Server" \
    dst-address=MTW dst-port=5901 protocol=tcp to-addresses=\
    192.168.1.5 to-ports=5901
add action=dst-nat chain=dstnat dst-address=MTW dst-port=554 \
    protocol=tcp to-addresses=192.168.1.50 to-ports=554
add action=dst-nat chain=dstnat comment="VCN VNC For Gaming Computer" \
    dst-address=VCN dst-port=5900 protocol=tcp to-addresses=\
    192.168.1.2 to-ports=5900
add action=dst-nat chain=dstnat comment="VCN VNC For Blue Iris Server" \
    dst-address=VCN dst-port=5901 protocol=tcp to-addresses=\
    192.168.1.5 to-ports=5901
add action=accept chain=srcnat disabled=yes dst-address=192.168.1.0/24 \
    src-address=192.168.3.0/24
add action=accept chain=srcnat disabled=yes dst-address=192.168.3.0/24 \
    src-address=192.168.1.0/24
add action=dst-nat chain=dstnat comment="Operator SECURE HW Provisioning" \
    dst-address=VCN dst-port=465 protocol=tcp to-addresses=\
    192.168.1.3 to-ports=80
add action=dst-nat chain=dstnat comment="Operator UDP SIP" dst-address=\
    VCN dst-port=5060 protocol=udp to-addresses=192.168.1.3 \
    to-ports=5060
add action=dst-nat chain=dstnat comment="Operator TCP SIP" dst-address=\
    VCN dst-port=5060 protocol=tcp to-addresses=192.168.1.3 \
    to-ports=5060
add action=dst-nat chain=dstnat comment="Operator UDP SIP" dst-address=\
    VCN dst-port=5061 protocol=udp to-addresses=192.168.1.3 \
    to-ports=5061
add action=dst-nat chain=dstnat comment="Blue Iris 5 HTTP Server" dst-port=\
    65526 protocol=tcp to-addresses=192.168.1.2 to-ports=65526
add action=dst-nat chain=dstnat comment="Blue Iris 4 HTTP Server" dst-port=\
    65527 protocol=tcp to-addresses=192.168.1.5 to-ports=65527
add action=dst-nat chain=dstnat comment="Operator TCP SIP" dst-address=\
    VCN dst-port=5061 protocol=tcp to-addresses=192.168.1.3 \
    to-ports=5061
add action=dst-nat chain=dstnat comment="Operator TCP HW Provisioning" \
    dst-address=VCN dst-port=80 protocol=tcp to-addresses=\
    192.168.1.3 to-ports=80
add action=dst-nat chain=dstnat comment="Operator Media UDP" dst-address=\
    VCN dst-port=18000-19001 protocol=udp to-addresses=192.168.1.3 \
    to-ports=18000-19001
add action=dst-nat chain=dstnat dst-address=VCN dst-address-type=\
    "" dst-port=6069 log=yes protocol=tcp to-addresses=192.168.1.36 to-ports=\
    6069
add action=dst-nat chain=dstnat dst-address=VCN dst-port=25 \
    protocol=tcp to-addresses=192.168.1.36 to-ports=25
add action=dst-nat chain=dstnat dst-address=VCN dst-port=587 \
    protocol=tcp to-addresses=192.168.1.36 to-ports=587
add action=dst-nat chain=dstnat dst-address=VCN dst-port=465 \
    protocol=tcp to-addresses=192.168.1.36 to-ports=465
add action=dst-nat chain=dstnat dst-address=VCN dst-port=143 \
    protocol=tcp to-addresses=192.168.1.36 to-ports=143
add action=dst-nat chain=dstnat dst-address=VCN dst-port=993 \
    protocol=tcp to-addresses=192.168.1.36 to-ports=993
add action=dst-nat chain=dstnat dst-address=VCN dst-port=80 \
    protocol=tcp to-addresses=192.168.1.36 to-ports=80

Firewall Mangle Rules:

/ip firewall mangle
add action=mark-connection chain=prerouting comment="VCN Conn Mark" \
    connection-mark=no-mark in-interface=VCN new-connection-mark=VCN_conn \
    passthrough=yes
add action=mark-routing chain=prerouting comment="Synology -> VCN Route Mark" \
    new-routing-mark=to_VCN passthrough=yes src-address=192.168.1.36
add action=mark-routing chain=prerouting comment="JayPC -> VCN Route Mark" \
    new-routing-mark=to_VCN passthrough=yes src-address=192.168.1.32
add action=mark-routing chain=prerouting comment="TrevPC -> VCN Route Mark" \
    new-routing-mark=to_WAN1 passthrough=yes src-address=192.168.1.2
add action=mark-routing chain=prerouting comment="ServPC -> VCN Route Mark" \
    new-routing-mark=to_VCN passthrough=yes src-address=192.168.1.5
add action=mark-routing chain=prerouting comment="Wireless -> VCN Route Mark" \
    in-interface=local_wireless new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output comment="VCN Route Mark" \
    connection-mark=VCN_conn new-routing-mark=to_VCN passthrough=yes
add action=mark-connection chain=forward comment="Autogenerated Hairpin NAT" \
    connection-nat-state=dstnat connection-state=new dst-address=\
    192.168.1.0/24 new-connection-mark=HAIRPIN passthrough=yes src-address=\
    192.168.1.0/24
add action=mark-connection chain=forward comment="Autogenerated Hairpin NAT" \
    connection-nat-state=dstnat connection-state=new dst-address=\
    192.168.2.0/24 new-connection-mark=HAIRPIN src-address=192.168.2.0/24

Any help that can be provided would be greatly appreciated and thank you in advance for taking a look and helping me.

anav · March 16, 2021, 3:17pm

Get rid of mangle rules for hairpin nat for starters.
The easy solution is to put the Server on its own subnet or vlan.
Then hairpin nat is not required and normal masquerade and dst-nat rules suffice.

If creating a new subnet is of no interest, then there are multiple ways to solve your dilemma.
In all cases the first thing you need to do is construct a separate srcnat rule (keep the default one) and it looks like this
add chain=srcnat action=masquerade source-address=192.168.1.0/24 destination-address=192.168.1.0/24
Then you need to configure the destination-NAT rule depending upon whether or not you have a static WANIP or a DYNAMIC WANIP.
If you have a static/fixed WANIP then no change to your current destination-nat rule is required.
add chain=dstnat action=dst-nat dst-address=fixedwanip protocol=xx dst-port=yyyy to-addresses=LANIP to-ports (only required if translating to a different port).

If you have a dynamic WANIP then you can do it several ways,
(1) one work around is to use the IP Cloud and free ddns service on the router as per steveOC
We are replacing the static wanip (dst-address) by getting the current wanip. Enable the IP cloud, copy the ddns long winded host name on the router and put it in the firewall address list and name the list
“myWANIP”. The firewall list will resolve the name to your current wanip.
then your rule becomes
add chain=dstnat action=dst-nat dst-address-list=myWANIP protocol=xx dst-port=yyyy to-addresses=LANIP

(2) Another gucci method, from Sob (didnt know he was italian is similar in that one in effect pulls the active current wanip and sticks into a firewall address list, from the current dhcp client settings via a script.
So put this in for the dhcp client advanced script area.
:if ($bound=1) do={
/ip firewall address-list set [/ip firewall address-list find where comment=“wan1ip”] address=$“lease-address” disabled=no
} else={
/ip firewall address-list set [/ip firewall address-list find where comment=“wan1ip”] disabled=yes
}
Where,
/ip firewall address-list
add comment=wan1ip disabled=yes list=external_wan
and rule becomes
add chain=dstnat action=dst-nat dst-address-list=external_wan protocol=xx dst-port=yyyy to-addresses=LANIP

The advantage over the DDNS method is that updates are instant.
The advantage of the DDNS method is useful when there’s NAT 1:1 and router itself doesn’t have public address, plus tis simple and easy to do!!

(3) Finally there is a third method which does not involved extracting any WANIP or mimicking the static WANIP scenario. This involves frick trucking the router by saying look for the interface that is not local as the source of the incoming traffic.
add chain=srcnat action=src-nat dst-address-type=local dst-address=!192.168.1.1
protocol=xx dst-port=yyyy to-addresses=LANIP

sjoram · March 16, 2021, 3:38pm

My hairpin NAT is done entirely within /ip firewall nat…

First is an action=accept for traffic over IPsec tunnel, but in my case I don’t think that’s being used since I changed my setup to run routing as OSPF via GRE over IPsec (counter shows 0).
Then the dstnat rules for dst-address=public ip dst-port=public port action=dstnat to-address=private ip to-ports=private port
Then the hairpin NAT src-address=10.0.0.0/8 dst-address=public ip dst-port=public port action=masquerade
Then the srcnat for Internet access src-address=10.x.x.x/16 out-interface=“Uno FTTC” action=srcnat to-address=public IP

erkexzcx · March 16, 2021, 9:21pm

http://forum.mikrotik.com/t/hairpin-nat-the-easy-way/146718/1

anav · March 17, 2021, 4:55pm

Sorry your method didn’t make it to my list of MTUNA approved loopback methods.
Having to mangle traffic is redonkulous! ;-).

gotsprings · March 18, 2021, 1:22am

Firewall address lists can make this easier than the good old days.

But as others stated in
/Ip firewall nat
Src-address=localnet dst-address=localnet out-interface=(bridge?) Action=masqurade

jyln · April 29, 2021, 12:26am

Thank you all for your suggestions. It seems that the primary fix is not one I would’ve thought of probably ever. The solution I found was when I was searching for a way to ping between subnets when policy routing takes place (I have separate devices mangled to route to specifically use one of my dual ISPs rather than attempt to load balance between the two of them due to the functionality of the devices). I had setup a loopback interface in the MikroTik and I was unable to ping to the IP of the loopback interface due to my machine being mangled to the other ISP. To fix this issue, I needed to add a routing rule for my subnet(s):

/ip route rule add action=lookup-only-in-table dst-address=192.168.0.0/22 table=main

Once this was added and I re-inserted my Hairpin NAT, the Hairpin NAT now works successfully. Thank you all again for your insight!

charifch · December 15, 2021, 4:42pm

Good afternoon all.
I have tried the cloud method on my config and the tricking router method on my config 1 and 3 (kindly provided by anav) but could not have the hairpin to work.
I can access my nas from outside no problem, but nothing from inside my LAN or from the BASE_VLAN.
Could you please assist? PLease find my firewall rules below…

Many thanks

/ip firewall address-list
add address=e1f10fac4c39.sn.mynetname.net list=MyWANIP
/ip firewall filter
add action=accept chain=input comment=“Allow Estab & Related”
connection-state=established,related
add action=accept chain=input comment=“Allow VLAN” in-interface-list=VLAN
add action=accept chain=input comment=“Allow Base_Vlan Full Access”
in-interface=BASE_VLAN
add action=drop chain=input comment=Drop
add action=accept chain=forward comment=“Allow Estab & Related”
connection-state=established,related
add action=accept chain=forward comment=“VLAN Internet Access”
connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward in-interface=BASE_VLAN out-interface=
GUEST_VLAN
add action=accept chain=forward comment=“Allow forwarded ports”
connection-nat-state=dstnat
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment=“Default masquerade”
out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=5006 in-interface-list=WAN protocol=
tcp to-addresses=192.168.0.10 to-ports=5006
add action=dst-nat chain=dstnat disabled=yes dst-port=5000 in-interface-list=
WAN protocol=tcp to-addresses=192.168.0.10 to-ports=5000
add action=dst-nat chain=dstnat dst-port=6690 in-interface-list=WAN protocol=
tcp to-addresses=192.168.0.10 to-ports=6690
add action=dst-nat chain=dstnat dst-port=5001 in-interface-list=WAN protocol=
tcp to-addresses=192.168.0.10 to-ports=5001
add action=dst-nat chain=dstnat dst-port=9025-9040 in-interface-list=WAN
protocol=tcp to-addresses=192.168.0.10 to-ports=9025-9040
add action=dst-nat chain=dstnat dst-port=443 in-interface-list=WAN protocol=
tcp to-addresses=192.168.0.10 to-ports=443
add action=dst-nat chain=dstnat dst-port=16881 in-interface-list=WAN
protocol=tcp to-addresses=192.168.0.10 to-ports=16881
add action=dst-nat chain=dstnat dst-port=32400 in-interface-list=WAN
protocol=tcp to-addresses=192.168.0.10 to-ports=32400
add action=dst-nat chain=dstnat dst-port=1194 in-interface-list=WAN protocol=
udp to-addresses=192.168.0.10 to-ports=1194
add action=dst-nat chain=dstnat dst-port=80 in-interface-list=WAN protocol=
tcp to-addresses=192.168.0.10 to-ports=5000
add action=dst-nat chain=dstnat disabled=yes dst-address=!192.168.0.1
dst-address-type=local dst-port=80 protocol=tcp to-addresses=192.168.0.10
to-ports=80
add action=masquerade chain=srnat comment=“hairpin NAT” disabled=yes
dst-address=192.168.0.0/24 src-address=192.168.0.0/24
add action=dst-nat chain=dstnat disabled=yes dst-address=!192.168.0.1
dst-address-type=local dst-port=80 protocol=tcp to-addresses=192.168.0.10
to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-address-type=local dst-port=
5000 in-interface=BASE_VLAN protocol=tcp src-address-type=“”
to-addresses=192.168.0.10 to-ports=5000
add action=dst-nat chain=dstnat disabled=yes dst-address-type=local dst-port=
5006 in-interface=BASE_VLAN protocol=tcp to-addresses=192.168.0.10
to-ports=5006
add action=dst-nat chain=dstnat disabled=yes dst-address-type=local dst-port=
5006 in-interface=BASE_VLAN in-interface-list=WAN port=“” protocol=tcp
to-addresses=192.168.0.10 to-ports=5006
add action=src-nat chain=srcnat disabled=yes dst-address=!192.168.0.1
dst-address-type=local dst-port=“” protocol=tcp to-addresses=192.168.0.10
to-ports=80
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.0.10
out-interface=BASE_VLAN protocol=tcp src-address=192.168.0.0/24
add action=dst-nat chain=dstnat disabled=yes dst-address-list=myWANIP
dst-port=80 protocol=tcp to-addresses=192.168.0.10
add action=masquerade chain=srcnat dst-address=192.168.0.0/24 src-address=
192.168.0.0/24
add action=dst-nat chain=dstnat disabled=yes dst-address-list=myWANIP
dst-port=5000 protocol=tcp to-addresses=192.168.0.10
add action=src-nat chain=srcnat dst-address=!192.168.0.1 dst-address-type=
local dst-port=5000 protocol=tcp to-addresses=192.168.0.10

gotsprings · December 24, 2021, 11:56am

/IP firewall nat
add action=dst-nat chain=dstnat dst-port=5006 dst-address-list=MyWANIP protocol=tcp to-addresses=192.168.0.10

anav · December 24, 2021, 3:51pm

Okay lets fix up that ruleset for NAT

COMMENT ONE, put the source nat rules together at the top for easy reading in the following order!
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.0.0/24 src-address=\ {note put this one at the top and ENABLE IT for gods sake}
192.168.0.0/24
add action=masquerade chain=srcnat comment=“Default masquerade”
out-interface-list=WAN

COMMENT2: FOR THE SERVERS WHERE YOU WANT TO HAVE hairpin nat effective DO NOT USE in-interface-list=WAN
but instead use dst-address-list=MYWANIP (as shown by gotsprings)

COMMENT3: If the to-port is the same as the destination port it need not be identified.

COMMENT3: AS AN EXAMPLE of FORMAT: If one of the dstnat rule requiring hairpin functionality is this one incorrectly setup according to the IP cloud method
add action=dst-nat chain=dstnat disabled=yes dst-address=!192.168.0.1
dst-address-type=local dst-port=80 protocol=tcp to-addresses=192.168.0.10
to-ports=80

IT should be
add action=dst-nat chain=dstnat dst-port=80 protocol=tcp
dst-address=MYWANIP to-addresses=192.168.0.10

COMMENT 4. Its messy with duplicates I also see… Clean it up!! need far less rules easier to read too. Only need three rules from what I understand!

add action=dst-nat chain=dstnat dst-port=443,1194,5001,5006,6690,16881,32400
protocol=tcp in-interface-list=WAN to-addresses=192.168.0.10

add action=dst-nat chain=dstnat dst-port=9025-9040 protocol=tcp
in-interface-list=WAN to-addresses=192.168.0.10

add action=dst-nat chain=dstnat dst-port=80,5000 protocol=tcp
dst-address-list=myWANIP to-addresses=192.168.0.10
NOTE: You seemed to have some conflicts with port 80 and 5000 hopefully they are resolved by the above. Assuming these are the two ports requiring hairpin nat (access by LAN users via WANIP)

These need to be removed _ but what were you trying to accomplish with them???

add action=dst-nat chain=dstnat disabled=yes dst-address-type=local dst-port=
5000 in-interface=BASE_VLAN protocol=tcp src-address-type=“”
to-addresses=192.168.0.10 to-ports=5000
add action=dst-nat chain=dstnat disabled=yes dst-address-type=local dst-port=
5006 in-interface=BASE_VLAN protocol=tcp to-addresses=192.168.0.10
to-ports=5006
add action=dst-nat chain=dstnat disabled=yes dst-address-type=local dst-port=
5006 in-interface=BASE_VLAN in-interface-list=WAN port=“” protocol=tcp
to-addresses=192.168.0.10 to-ports=5006

Not sure what you meant to do with this rule either should be removed for now.
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.0.10
out-interface=BASE_VLAN protocol=tcp src-address=192.168.0.0/24

charifch · March 16, 2022, 5:48pm

Hello and thank you for your reply. I have trimmed and it seems to work like this. Can anyone please confirm that this is the correct implementation?

/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow LAN" in-interface-list=LAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
    in-interface=BASE_VLAN
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="LAN Internet Access" \
    connection-state=new in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Base VLAN Access to Guest VLAN" \
    in-interface=BASE_VLAN out-interface=GUEST_VLAN
add action=accept chain=forward comment="Allow forwarded ports" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
add action=masquerade chain=srcnat comment="hairpin nat" dst-address=\
    !192.168.0.1 src-address=192.168.0.0/24
add action=dst-nat chain=dstnat dst-address=!192.168.0.1 dst-address-type=\
    local dst-port=80,5000,443,5001,5006,6690,16881,32400 protocol=tcp \
    to-addresses=192.168.0.10
add action=dst-nat chain=dstnat dst-address=!192.168.0.1 dst-address-type=\
    local dst-port=9025-9040 protocol=tcp to-addresses=192.168.0.10
add action=dst-nat chain=dstnat dst-address=!192.168.0.1 dst-address-type=\
    local dst-port=1194 protocol=udp to-addresses=192.168.0.10

Many thanks

anav · March 16, 2022, 10:58pm

From this
add action=masquerade chain=srcnat comment=“hairpin nat” dst-address=
!192.168.0.1 src-address=192.168.0.0/24

To this
add action=masquerade chain=srcnat comment=“hairpin nat” dst-address=
192.168.0.0/24 src-address=192.168.0.0/24

anav · March 16, 2022, 11:06pm

Why do you have duplicates in your firewall rules???
Clean them up and then repost your config here.

charifch · March 18, 2022, 10:16am

I am not aware of these dupliates, I have added some, can you please tell me which ones seem duplcates for you and which ones I should remove?
I am scared to touch something and brake it.

anav · March 18, 2022, 11:29am

I will show you ONE, you have to do the work for the rest.
It would be easier to spot if you organized your firewall chains…
ALL rules of chain together typically all input first and then forward!!!

For example see where you have the rule DROP for input chain in BLUE
Every input rule you see after this is useless…
example of duplicate rule in purple,there are others

Get organized and these things become obvious…

/ip firewall filter
add action=accept chain=input comment=“Allow Estab & Related”
connection-state=established,related
add action=accept chain=input comment=“Allow VLAN” in-interface-list=VLAN
add action=accept chain=input comment=“Allow LAN” in-interface-list=LAN
add action=accept chain=input comment=“Allow Base_Vlan Full Access”
in-interface=BASE_VLAN
add action=drop chain=input comment=Drop
add action=accept chain=forward comment=“Allow Estab & Related”
connection-state=established,related
add action=accept chain=forward comment=“VLAN Internet Access”
connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment=“LAN Internet Access”
connection-state=new in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=“Base VLAN Access to Guest VLAN”
in-interface=BASE_VLAN out-interface=GUEST_VLAN
add action=accept chain=forward comment=“Allow forwarded ports”
connection-nat-state=dstnat
add action=drop chain=forward comment=“drop all from WAN not DSTNATed”
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=
“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
add action=drop chain=input comment=“defconf: drop all not coming from LAN”
in-interface-list=!LAN
add action=accept chain=forward comment=“defconf: accept in ipsec policy”
ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy”
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related
add action=accept chain=forward comment=
“defconf: accept established,related, untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid
add action=drop chain=forward comment=Drop