hairpin nat not working

Pulling my hair out slightly; hairpin NAT rules are not working. Any idea?

All my services are on 10.0.1.21.

[root@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=srcnat action=masquerade src-address=10.0.1.0/24 
     dst-address=10.0.1.21 

 1   ;;; default configuration
     chain=srcnat action=masquerade out-interface=WAN 

 2   ;;; FTP
     chain=dstnat action=dst-nat to-addresses=10.0.1.21 to-ports=21 
     protocol=tcp dst-address-list="" in-interface=WAN dst-port=21 

 3   ;;; FTP Passive
     chain=dstnat action=dst-nat to-addresses=10.0.1.21 to-ports=1500-1510 
     protocol=tcp dst-address-list="" in-interface=WAN dst-port=1500-1510 

 4   ;;; Website
     chain=dstnat action=dst-nat to-addresses=10.0.1.21 to-ports=80 
     protocol=tcp in-interface=WAN dst-port=80 

 5   ;;; Ventrilo
     chain=dstnat action=dst-nat to-addresses=10.0.1.21 to-ports=3784 
     protocol=tcp in-interface=WAN dst-port=3784 
[root@MikroTik] /ip firewall nat>

Those rules look correct.

Investigate other root causes. Like the router firewall, or a host firewall on 10.0.1.21, or 10.0.1.21 being misconfigured otherwise.

Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; default configuration
     chain=input action=accept protocol=icmp 

 1   ;;; default configuration
     chain=input action=accept connection-state=established in-interface=WAN 

 2   ;;; default configuration
     chain=input action=accept connection-state=related in-interface=WAN 

 3   ;;; default configuration
     chain=input action=drop in-interface=WAN

Pretty default.

There is no issue with the firewall on the server.

Going by what you posted it isn’t the router, either.

Time to get packet sniffers going on both machines to check whether traffic is leaving the source machine and arriving at the destination machine as expected. From what you posted all is well - it obviously isn’t, but nothing you have posted gives any indication whatsoever of what the issue could be. Time for you to dive into some deeper troubleshooting.

Also check the router connection tables, and make use of the built-in packet sniffer as well as the torch tool to look at the connections as you investigate them on the hosts. Are the packet counters on the NAT rules increasing as you build connections from internal hosts? And so on.

Yeah, it was the router; apparently I needed more rules.

[root@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; default configuration
     chain=srcnat action=masquerade out-interface=WAN 

 1   ;;; FTP
     chain=dstnat action=dst-nat to-addresses=10.0.1.21 to-ports=21 protocol=tcp 
     dst-address-list="" in-interface=WAN dst-port=21 

 2   ;;; FTP Passive
     chain=dstnat action=dst-nat to-addresses=10.0.1.21 to-ports=1500-1510 protocol=tcp 
     dst-address-list="" in-interface=WAN dst-port=1500-1510 

 3   ;;; Website
     chain=dstnat action=dst-nat to-addresses=10.0.1.21 to-ports=80 protocol=tcp 
     in-interface=WAN dst-port=80 

 4   ;;; Ventrilo
     chain=dstnat action=dst-nat to-addresses=10.0.1.21 to-ports=3784 protocol=tcp 
     in-interface=WAN dst-port=3784 

 5   ;;; harpin
     chain=srcnat action=masquerade protocol=tcp src-address=10.0.1.0/24 

 6   ;;; harpin
     chain=dstnat action=dst-nat to-addresses=10.0.1.21 protocol=tcp 
     dst-address=!10.0.1.0/24 dst-address-type=local dst-port=80,3784,21,1500-1510

This actually fixed my problem.

Not sure why, but I guess I'm happy.

Duh!

I’m terribly sorry to have misled you. I somehow managed to completely read past the fact that you weren’t destination NATing to 10.0.1.21 based on IP address, but based on in-interface.

FWIW, you can now remove all the other destination NAT rules as well and just keep the last one…it’ll cover both WAN and LAN clients.

Sorry again. Should have caught that.

No problem, fewi.

fewi, can you explain my last rule please, and why the “local” is needed? And why it works for both local and WAN users?

I do have one additional question.

In those rules I have a port opening for the Ventrilo server; it's a voice communication server.

That rule does not work with the client; it never connects, only if I browse locally to the IP. But all remote users can connect fine???

chain=dstnat action=dst-nat to-addresses=10.0.1.21 protocol=tcp 
     dst-address=!10.0.1.0/24 dst-address-type=local dst-port=80,3784,21,1500-1510

That means, in English: look at all traffic destined to an IP address that resides on the router itself as long as that IP isn’t within 10.0.1.0/24, and if it’s TCP traffic to ports 80,3784,21,1500-1510 change the destination IP address to 10.0.1.21.

This works, then, for traffic sourced from the LAN and WAN to the WAN IP of the router. The ‘dst-address-type=local’ is needed so that this is only done for traffic to a router IP address - otherwise, for example, you’d be sending ALL tcp/80 traffic to 10.0.1.21, including a LAN host trying to get to www.google.com.

I don’t know anything about Ventrilo, I’m afraid.
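An added example, not from the thread, that models the two hairpin rules (rule 5 masquerade for 10.0.1.0/24 and rule 6 dst-nat with dst-address-type=local) in Python so the explanation above can be checked case by case; it also shows what happens if the local check is dropped. The router LAN/WAN addresses 10.0.1.1 and 203.0.113.5, the WAN client 198.51.100.7 and the public web server 192.0.2.80 are constructed assumptions; only 10.0.1.0/24, 10.0.1.21 and the port list come from the thread.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed topology: only 10.0.1.0/24, 10.0.1.21 and the ports come from the thread.
LAN = ipaddress.ip_network("10.0.1.0/24")
ROUTER_LAN_IP = "10.0.1.1"      # assumed router LAN address
ROUTER_WAN_IP = "203.0.113.5"   # assumed router WAN address
SERVER = "10.0.1.21"
HAIRPIN_PORTS = {80, 3784, 21} | set(range(1500, 1511))  # dst-port=80,3784,21,1500-1510


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def dstnat(pkt: Packet, require_local: bool = True) -> Packet:
    """Rule 6: dst-address=!10.0.1.0/24 dst-address-type=local dst-port=... -> 10.0.1.21.
    require_local=False models the same rule without dst-address-type=local."""
    dst = ipaddress.ip_address(pkt.dst)
    is_local = pkt.dst in (ROUTER_LAN_IP, ROUTER_WAN_IP)  # address owned by the router
    if (pkt.proto == "tcp" and dst not in LAN and pkt.dport in HAIRPIN_PORTS
            and (is_local or not require_local)):
        return replace(pkt, dst=SERVER)
    return pkt


def out_interface(pkt: Packet) -> str:
    """Routing decision taken after dst-nat: LAN destinations leave on the LAN side."""
    return "LAN" if ipaddress.ip_address(pkt.dst) in LAN else "WAN"


def srcnat(pkt: Packet, out_iface: str) -> Packet:
    """Rule 0: masquerade out-interface=WAN.  Rule 5: masquerade src-address=10.0.1.0/24."""
    if out_iface == "WAN":
        return replace(pkt, src=ROUTER_WAN_IP)
    if ipaddress.ip_address(pkt.src) in LAN:
        # Hairpin: the server now sees the router as the client, so its reply
        # goes back through the router, which undoes both translations.
        return replace(pkt, src=ROUTER_LAN_IP)
    return pkt


def translate(pkt: Packet, require_local: bool = True) -> Packet:
    """Forward-path translation in the order RouterOS applies it: dst-nat, route, src-nat."""
    after_dst = dstnat(pkt, require_local)
    return srcnat(after_dst, out_interface(after_dst))
```

Without dst-address-type=local the last case shows a LAN client's request to an outside web server being redirected to 10.0.1.21, which is exactly the failure the explanation warns about.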