HairPin NAT not working

Hello everyone,
I am trying to set up my hairpin NAT but no matter what I do I can’t seem to make it work. I have two PPPOE WAN IPs and I have tried using:

0    chain=srcnat action=masquerade src-address=192.168.10.0/24 dst-address=192.168.10.0/24 log=no log-prefix=""

0    chain=srcnat action=masquerade src-address=192.168.10.0/24 dst-address=!192.168.10.254 log=no log-prefix=""

I also tried variants by putting the out interface or the in interface on the above rules, but nothing is working.

Any idea how can I configure this?

Thanks,

Yes, with proper config…
https://help.mikrotik.com/docs/display/ROS/NAT
https://help.mikrotik.com/docs/display/ROS/NAT#NAT-HairpinNAT

The second rule is almost correct, provided that dst-address is the one to which you want to hairpin NAT and you’ve made the rest of your configuration properly, as @anav already said:

/ip firewall nat
add chain=srcnat action=masquerade src-address=192.168.10.0/24 dst-address=192.168.10.254 out-interface=LAN

out-interface=LAN is not required.

Thanks for the reply, but it’s still not working.

 0    ;;; HairPin NAT
      chain=srcnat action=masquerade protocol=tcp src-address=192.168.10.0/24 dst-address=192.168.10.254 log=no log-prefix=""

I have also tried putting 192.168.10.10 as the dst-address which is my internal proxy and where the traffic needs to go, but still no luck.
Like I have said, I tried all the ins and outs over the internet and can’t seem to make it work. I think it has something to do with my policy-based routing, just saying, I don’t know.

More likely your DST-NAT rule is not working as you intended. Using in-interface or in-interface-list limits the rules to those interfaces which local users do not reach.

Yes, it’s your config, which we know nothing about and thus cannot comment on.

Sorry about that. Here it is.
PUBLIC IP 1 - main IP for internet connection
PUBLIC IP 2 - second public IP for my email and web services

 0    ;;; HairPin NAT
      chain=srcnat action=masquerade protocol=tcp src-address=192.168.10.0/24 dst-address=192.168.10.10 log=no log-prefix="" 

 1    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface=RDS_PPOE_01 log=no log-prefix="" ipsec-policy=out,none 

 2    ;;; Sophos UTM9 Proxy
      chain=dstnat action=dst-nat to-addresses=192.168.10.10 protocol=tcp dst-address=<PUBLIC IP 1> connection-mark="" in-interface=RDS_PPOE_01 
      dst-port=443,80,8080,8443 log=no log-prefix="" 

 3    
      chain=dstnat action=dst-nat to-addresses=192.168.10.4 to-ports=50100 protocol=tcp dst-address=<PUBLIC IP 1> connection-mark="" in-interface=RDS_PPOE_01 
      dst-port=50100 log=no log-prefix="" 

 4    ;;; OPNSense
      chain=dstnat action=dst-nat to-addresses=192.168.10.61 protocol=tcp dst-address=<PUBLIC IP 1> connection-mark="" in-interface=RDS_PPOE_01 
      dst-port=8400,8600,8511 log=no log-prefix="" 

 5    ;;; SMTP on ROCLJVKRSMTP
      chain=dstnat action=dst-nat to-addresses=192.168.10.55 protocol=tcp dst-address=<PUBLIC IP 2> in-interface=RDS_PPOE_02 dst-port=25,465,587 log=no 
      log-prefix="" 

 6    chain=srcnat action=src-nat to-addresses=<PUBLIC IP 2> src-address=192.168.10.55 routing-mark=PPPOE_02 out-interface=RDS_PPOE_02 log=no log-prefix="" 

 7    ;;; VPS Blog
      chain=dstnat action=dst-nat to-addresses=192.168.10.7 protocol=tcp dst-address=<PUBLIC IP 2> connection-mark="" in-interface=RDS_PPOE_02 dst-port=80,443 
      log=no log-prefix="" 

 8    chain=srcnat action=src-nat to-addresses=<PUBLIC IP 2> src-address=192.168.10.7 routing-mark=PPPOE_02 out-interface=RDS_PPOE_02 log=no log-prefix=""

Here are the mangle rules:

 0    ;;; Policy based routing for VPS Blog on RDS_PPPOE_02
      chain=prerouting action=mark-routing new-routing-mark=PPPOE_02 passthrough=no src-address=192.168.10.7 in-interface=bridge_LAN log=no log-prefix="" 

 1    ;;; Policy based routing for ICMP on RDS_PPPOE_02
      chain=input action=mark-connection new-connection-mark=PPPOE_02_WAN-Connection passthrough=no connection-state=new protocol=icmp in-interface=RDS_PPOE_02 
      log=no log-prefix="" 

 2    chain=output action=mark-routing new-routing-mark=PPPOE_02 passthrough=no protocol=icmp connection-mark=PPPOE_02_WAN-Connection log=no log-prefix="" 

 3    ;;; Policy based routing for SMTP Server on RDS_PPPOE_02
      chain=prerouting action=mark-routing new-routing-mark=PPPOE_02 passthrough=no src-address=192.168.10.55 in-interface=bridge_LAN log=no log-prefix=""

Firstly, when you have specified dst-ports in the dst-nat rule for the server it is good practice to add them to the to-ports section:

chain=dstnat action=dst-nat to-addresses=192.168.10.10 to-ports=443,80,8080,8443 protocol=tcp dst-address=<PUBLIC IP 1> connection-mark="" in-interface=RDS_PPOE_01 
      dst-port=443,80,8080,8443 log=no log-prefix=""

Secondly, I think the problem is that the Hairpin NAT rule is before the dst-nat rule, whereas it should be the opposite, because rules in Mikrotik are processed in ascending order (from top to bottom).

Thank you very much for your help guys.
In the end I followed DeadStik’s advice, and by removing the In. Interface from the DST-NAT rule, the HairPin NAT started working.

@TheCat12 just curious how you managed to put those ports in the to-ports section of the rule, because it does not let me. I can go with one port or a range, but not ports separated by a comma.

@adispy My bad, it’s not possible to list out separate ports in the to-ports section. You can leave it blank and the rule will work as intended.
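Pulling the thread’s fixes together as an added example (this is not any poster’s own config): the port-forward rule matches on the public address only, with no in-interface, so LAN clients that connect to the public IP are redirected as well; the hairpin masquerade rule then rewrites their source address so the server’s replies return through the router. `<PUBLIC IP 1>`, `RDS_PPOE_01` and the addresses are the placeholders and values from the thread.

```routeros
/ip firewall nat
# 1. Port-forward for the proxy. Match on the public address rather than
#    in-interface, otherwise packets arriving from bridge_LAN never hit this
#    rule and are sent to the public IP unchanged (which the router then
#    answers itself). to-ports is left out: it accepts a single port or a
#    range, not a comma-separated list, and omitted means "keep the port".
add chain=dstnat action=dst-nat comment="Sophos UTM9 Proxy" protocol=tcp \
    dst-address=<PUBLIC IP 1> dst-port=80,443,8080,8443 \
    to-addresses=192.168.10.10

# 2. Hairpin: for LAN clients whose connection was dst-nat'ed to the proxy,
#    masquerade the source so the proxy replies to the router instead of
#    straight to the client. Without this the client sees a reply from
#    192.168.10.10 for a connection it opened to <PUBLIC IP 1> and drops it.
add chain=srcnat action=masquerade comment="Hairpin NAT" protocol=tcp \
    src-address=192.168.10.0/24 dst-address=192.168.10.10

# 3. Normal internet masquerade; it only matches traffic leaving the PPPoE
#    interface, so it does not interfere with the LAN-to-LAN hairpin above.
add chain=srcnat action=masquerade comment="defconf: masquerade" \
    out-interface=RDS_PPOE_01
```

To check that the hairpin is taking effect, open a connection from a LAN host to the public IP and run `/ip firewall connection print detail`; the entry should show the client as the original source, 192.168.10.10 as the translated destination and the router’s LAN address as the reply destination.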