Hairpin NAT problem

Hi all,
I’m trying to configure access from the internet to a RadioRepeater using a MikroTik RB750 with hairpin NAT.
I tried everything I could but it just doesn’t want to work.
Modem local Lan IP = 10.10.10.1
RB750 Local Lan IP = 192.168.88.1
RB750 Internet Port IP = 10.10.10.2
RadioRepeater IP =192.168.88.20
Port = 50000 UDP
I can’t copy my configuration just because I don’t know how to do it 'cause I used Winbox.
Can someone help me suggesting NAT rules that could actually work?
Thanks for reading
-Pier

can someone help me please?

Please provide a paste of

/ip firewall nat print detail

from the terminal.


EDIT: here’s a working SIP forward rule for you;

/ip firewall nat
add action=dst-nat chain=dstnat comment="SIP 5060" dst-address=1.1.1.1 dst-port=5060 in-interface=ether1 \
    protocol=udp to-addresses=192.168.1.253 to-ports=5060

Change where needed to match your setup.

Hi Milotop,
my configuration is this. I followed your tip but still… it doesn’t work, maybe I’m doing something wrong, tell me if you can.
[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=dstnat action=dst-nat to-addresses=192.168.88.20 to-ports=50000
protocol=udp dst-address="Public IP" in-interface=all-ethernet
dst-port=50000 log=no log-prefix=""

1 chain=srcnat action=masquerade out-interface=ether1

Thanks for your reply.
-Pier

All is correct except in-interface. You shouldn’t point at all interfaces. Point only at the ISP’s one.

P.S.: And it isn’t hairpin nat, it is just port dstnat’ing. Hairpin nat is access from the inside to a global IP of your local device.

thanks for your reply,
I need a DST NAT rule in order to connect an outside PC to the radio repeater.
The hairpin NAT is also needed because all the “slave” repeaters that connect to the master have to show up when the monitoring program connects to the Master.
I used your tip, correcting the “in-interface parameter” but it is still not working.
-Pier

your one rule is only for port forwarding.
for hairpin you need 2 more:
ip fire nat
add chain=dstnat in-interface="your local interface to 192.168.88.20" dst-address="your global IP" dst-port=50000 protocol=udp action=dst-nat to-addresses=192.168.88.20 to-ports=50000
add chain=srcnat out-interface="your local interface from 192.168.88.20" src-address="LAN hosts network that want to access your 192.168.88.20" dst-address=192.168.88.20 dst-port=50000 protocol=udp action=masquerade

Please, read this: http://forum.mikrotik.com/t/port-forwarding-problem/93224/14

It’s the same I wrote.

Ok guys,
I tried to hairpin but I had some problems with the interfaces (errors referring to the “not master” interface), so I installed a switch between the repeaters and the MikroTik.
The port forwarding rule works but I can’t see the peers (slaves) while checking on the radio network from another WAN. I would like to point out that I can see the peer while I’m connected LOCALLY to the radio network.
master = 192.168.88.20
peer = 192.168.88.25
The peer has been configured, in its local firmware, to connect to the master via IP (Master IP: 192.168.88.20) but the problem remains… I’m using the RB750 can you please tell me how to hairpin without having errors?
Thanks guys!

in-interface and out-interface must be the master-port interface, not a slave. If you need input on a slave interface or output from it, you should unmerge it from the master-port or bridge.

ok but can you write to me a functioning hairpin rule? sorry if I’m being super dummy but I really can’t figure it out…

I have already done this. Try it, then write whether it succeeded or not.

“Couldn’t add new NAT Rule - incoming interface matching not possible in output and postrouting chains (6)” this is what I get when I do the masquerade…

Do masq on out-interface. Why do you do it on in-interface? I didn’t write that.

Sorry, my bad on reading… I tried this configuration but it doesn’t work… probably I did something wrong. What do you mean by “your local interface TO 192.168.88.20” and “your local interface FROM 192.168.88.20”?
Also the LAN client who wants to access my 192.168.88.20 is 192.168.88.25

EDIT: I was using a switch on ether2 (master) but I felt like it could have created problems with the interface parameters, so I removed the switch and connected the 88.25 directly on ether3 while leaving 88.20 on ether2… Now I’m getting a red error message on the masquerade rule telling me that ether3 is a slave and the in/out interface matcher is impossible because of that.

Right. You need to figure out how to assign masquerade on main interface. Masq works only on bridge interface, master-port or on interface with option master-port:none, and only on out direction.

P.S.: “your local interface TO 192.168.88.20” means the interface which leads traffic from the router to host 192.168.88.20. “your local interface FROM 192.168.88.20” means the interface which leads traffic from host 192.168.88.20 to the router. I just don’t know how you named it =)
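The following is an added example, not a rule set posted in this thread. It puts together the three NAT rules discussed above (the WAN port forward, the hairpin dstnat and the hairpin srcnat) for the addresses given in the first post, and it answers the slave-port error by joining ether2 and ether3 in a bridge so the NAT rules can match on a single interface name (the master-port approach described in the thread would work the same way). The interface names ether1 (WAN), ether2/ether3 (LAN), the bridge name bridge-lan and the public IP 203.0.113.10 are assumptions; the public IP in particular is a placeholder for the modem's real address, which the thread does not give.

```routeros
# Added example (not from the thread): port forward plus hairpin NAT for
# master repeater 192.168.88.20, UDP 50000. Assumed layout:
#   ether1        = WAN, 10.10.10.2, behind the modem at 10.10.10.1
#   ether2/ether3 = LAN ports (master and peer repeater)
#   bridge-lan    = assumed bridge name joining the LAN ports
#   203.0.113.10  = PLACEHOLDER for the modem's public IP (not in the thread)

# 1. One bridge for the LAN ports, so in-interface / out-interface matchers
#    use the bridge instead of a switched slave port (the source of the
#    "slave interface" error quoted in the thread).
/interface bridge
add name=bridge-lan
/interface bridge port
add bridge=bridge-lan interface=ether2
add bridge=bridge-lan interface=ether3
/ip address
add address=192.168.88.1/24 interface=bridge-lan

/ip firewall nat
# 2. Ordinary outbound masquerade for the LAN.
add chain=srcnat out-interface=ether1 action=masquerade comment="LAN -> internet"

# 3. Port forward from the internet. The modem (10.10.10.1) holds the public
#    IP and must forward UDP 50000 to 10.10.10.2, so the packet that reaches
#    ether1 is addressed to 10.10.10.2, not to the public IP. If the modem
#    were bridged and ether1 held the public IP, that address would go here.
add chain=dstnat in-interface=ether1 protocol=udp dst-address=10.10.10.2 dst-port=50000 \
    action=dst-nat to-addresses=192.168.88.20 to-ports=50000 comment="WAN -> master UDP 50000"

# 4. Hairpin, part 1: a LAN host that addresses the public IP is redirected
#    to the master exactly like an internet client.
add chain=dstnat in-interface=bridge-lan protocol=udp dst-address=203.0.113.10 dst-port=50000 \
    action=dst-nat to-addresses=192.168.88.20 to-ports=50000 comment="hairpin dstnat"

# 5. Hairpin, part 2: rewrite the source of that redirected traffic to the
#    router's LAN address. Without this the master answers the LAN host
#    directly, the reply never passes the router to get un-NATed, and the
#    host drops it because it came from 192.168.88.20 instead of the public
#    IP it talked to. Matched on out-interface only: srcnat/postrouting
#    cannot match in-interface (the "(6)" error quoted in the thread).
add chain=srcnat out-interface=bridge-lan src-address=192.168.88.0/24 dst-address=192.168.88.20 \
    protocol=udp dst-port=50000 action=masquerade comment="hairpin srcnat"
```

After pasting, `/ip firewall nat print detail` should list the four rules; the hairpin srcnat rule only fires on traffic that rule 4 has already redirected, so it does not affect ordinary LAN-to-master traffic sent straight to 192.168.88.20.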

Ok, I’ll be clearer, I’m using a monitoring program called RDAC which connects to the master via port 50099, I made a DST-NAT rule that changes that 50099 to 50000 and it works, this means that my master repeater ( 88.20) shows up on RDAC.
My peer repeater (88.25) shows up only when I connect RDAC locally to the network but not when I connect remotely… The peer is configured to look for the master on 88.20; while using RDAC locally I can see both, but when I check RDAC remotely only the master shows up…

I think the problem is in your NAT rules, in the case of the out-interface for masquerading. Just look one more time at my hairpin NAT rules and try to adjust them to your case.