Hairpin Nat Question

I set up a hairpin NAT that works with a CCTV camera system to allow me to use the public IP address both inside and outside the network.

Here it is:
/ip firewall nat
add action=dst-nat chain=dstnat comment="CCTV Port Forward" disabled=yes \
    dst-port=7000 in-interface=ether1-gateway protocol=tcp src-port="" \
    to-addresses=192.168.1.100 to-ports=7000
add action=masquerade chain=srcnat comment="Hairpin Nat" disabled=yes \
    dst-address=192.168.1.100 dst-port=7000 out-interface=ether2-master-local \
    protocol=tcp src-address=192.168.1.0/24
add action=dst-nat chain=dstnat comment="Hairpin Nat" disabled=yes \
    dst-address-type=local dst-port=7000 protocol=tcp to-addresses=192.168.1.100

However, on another system, 2 more ports need to be forwarded: 67 & 68. And both ports need both tcp & udp.

Is there a way to combine tcp & udp, or do you need to have a command for both?

Also, do I need to set up some type of hairpin for ports 67 & 68 like I did above for port 7000?

It is not working right now, and so far I have ports 7000, 67 & 68 forwarded to 192.168.1.100, with 67 & 68 using both tcp & udp, along with the hairpin nat for port 7000.

Thanks for any help.

Hello,

Hairpin NAT is not needed for this setup, as I see it.

Set up your router, create a DMZ zone and then you will be able to reach the cam over the internet and from
your local network (LAN), but the entire LAN is not affected by internet access to the cam.

By creating a dmz, is that in any way opening up to attack any more than a port forward?

If not, can you point me in the right direction on how to dmz with mikrotik?

Thanks.

Ok, it may not be the hairpin after all.

I just tried to log in to the dvr remotely, and it doesn’t work.

The instructions are to forward ports 7000, 67 and 68 tcp, and 67 and 68 udp also.

Can someone let me know how to forward these ports. I have done it as I described in my first post, but it is not working.

Thanks.

Hello!
It is very simple to forward a port using MikroTik.

Say your router's public IP is 202.202.123.25

and your DVR IP in the local network is 192.168.100.20

Log in to your router using winbox.

Open a new Terminal.

Copy and paste the following commands and you are DONE!!!

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=202.202.123.25 dst-port=7000 protocol=tcp to-addresses=192.168.100.20 to-ports=7000
add action=dst-nat chain=dstnat dst-address=202.202.123.25 dst-port=67 protocol=tcp to-addresses=192.168.100.20 to-ports=67
add action=dst-nat chain=dstnat dst-address=202.202.123.25 dst-port=68 protocol=tcp to-addresses=192.168.100.20 to-ports=68

Don’t forget to give karma if it helps you

Just to alert you: before copying and pasting into your router, update the Public IP of your router and the Local IP of your DVR.

If you have forwarded the other ports as shown for port 7000, then it is OK, unless the Public IP is not assigned on the ether1 interface.

I don’t have a static wan ip. It’s dynamic from the cable co. I don’t think what you posted will work because of that.

Also, when forwarding udp ports, is it exactly the same as tcp ports?

Thanks.

The wan IP is dynamic how, by dhcp, by pppoe? What I mean is: is ether1 the wan interface, or is there a pppoe interface?

It’s a cable modem. The wan is assigned by dhcp and it changes every so often. It’s dynamic, and not static. It can change.

Then your configuration as posted in the first post should work. You should see counters running on your forwarding rules when you try to connect remotely. This is about port forwarding.
About hairpin NAT, your config is not going to work, because you have specified ether1 as the incoming interface, while your request is coming in from another interface. To make it work you should leave the incoming interface empty, so that the router can capture and then forward requests from all interfaces.

/ip firewall nat
add action=dst-nat chain=dstnat comment="CCTV Port Forward" \
    dst-port=7000 protocol=tcp to-addresses=192.168.1.100 to-ports=7000

and so on for the other ports and protocols

Here the core problem is that he doesn't have a static IP, but gets a public IP dynamically every time. So my friend, as long as you know your public IP you can access your DVR from the public network, otherwise you can't.

Guys, you're making this really confusing. I have everything working fine. The only problem I'm having is with ports 67 and 68 udp. Something is not working. On other DVRs with only one tcp port forwarded it works great.

Of course you can access your DVR remotely using DynDNS. It keeps track of your wan IP.

Read other posts of mine on hairpin nat and you’ll see what type of setup I have.

Sorry about that. Ok then, here is what I would have done:

/ip firewall nat
add action=dst-nat chain=dstnat comment="CCTV Port Forward" dst-port=7000 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.100 to-ports=7000

Now ports 67 and 68 are very strange to be needed, because these ports are used by the DHCP server and DHCP client, so you need to verify that imho.

For hairpin NAT to work, you need to add another rule where you specify in-interface=LAN interface, or just leave in-interface empty in the above rule. This is because the requests are coming from the LAN interface. And, as you already mentioned (which I forgot to note in the previous post), you can reach your router by dynamic DNS since your IP is public and dynamic.

Yes, ports 67 and 68 have to be forwarded with BOTH tcp and udp.

Is forwarding udp any different than forwarding tcp?

No, it is not different, it is the same:

/ip firewall nat
add action=dst-nat chain=dstnat comment="CCTV Port Forward" dst-port=67 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.100 to-ports=67
add action=dst-nat chain=dstnat comment="CCTV Port Forward" dst-port=68 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.100 to-ports=68
add action=dst-nat chain=dstnat comment="CCTV Port Forward" dst-port=67 in-interface=ether1-gateway protocol=udp to-addresses=192.168.1.100 to-ports=67
add action=dst-nat chain=dstnat comment="CCTV Port Forward" dst-port=68 in-interface=ether1-gateway protocol=udp to-addresses=192.168.1.100 to-ports=68
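Pulling the thread together (the hairpin advice about leaving in-interface empty, the tcp/udp question, and the note that 67/68 are DHCP ports), here is one complete rule set as an added example; it is not code from any post above. It assumes the first post's names and addresses (DVR 192.168.1.100, LAN 192.168.1.0/24, WAN ether1-gateway with a DHCP-assigned public IP, LAN ether2-master-local) and that the router is also the LAN's DHCP server.

```routeros
# Added example, not from the thread. Assumed names: ether1-gateway (WAN),
# ether2-master-local (LAN), DVR at 192.168.1.100, LAN 192.168.1.0/24.
/ip firewall nat
# A rule matches a single protocol, so tcp and udp need separate rules,
# but dst-port takes a list, so 7000, 67 and 68 share one tcp rule.
# dst-address-type=local matches whatever public IP DHCP gave the router,
# so nothing needs re-editing when the WAN address changes.
# No in-interface: the same rule serves Internet clients and LAN clients
# that connect to the public address (the hairpin case).
add chain=dstnat action=dst-nat protocol=tcp dst-address-type=local \
    dst-port=7000,67,68 to-addresses=192.168.1.100 comment="DVR tcp"
# Caveat: udp 67/68 are DHCP. Without in-interface this rule would also
# redirect LAN clients' unicast DHCP renewals addressed to the router
# itself, so udp is forwarded from the WAN side only (no udp hairpin).
# Verify the router's own WAN DHCP lease still renews after adding it.
add chain=dstnat action=dst-nat protocol=udp in-interface=ether1-gateway \
    dst-port=67,68 to-addresses=192.168.1.100 comment="DVR udp (WAN only)"
# Hairpin half: LAN clients reaching the DVR via the public address are
# source-NATed to the router's LAN address, so the DVR's replies come back
# through the router instead of going straight to the client.
add chain=srcnat action=masquerade src-address=192.168.1.0/24 \
    dst-address=192.168.1.100 protocol=tcp dst-port=7000,67,68 \
    out-interface=ether2-master-local comment="DVR hairpin tcp"

/ip firewall filter
# Keep the port forward from becoming a wider hole than intended: from the
# WAN, only allow new connections that a dst-nat rule actually translated.
# Order matters: these must sit above any existing drop rule in forward.
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept in-interface=ether1-gateway \
    connection-nat-state=dstnat dst-address=192.168.1.100 \
    comment="only the DVR forwards"
add chain=forward action=drop in-interface=ether1-gateway \
    connection-state=new comment="drop all other new WAN connections"
```

While testing, watch the packet counters on the dstnat rules (/ip firewall nat print stats): a rule whose counter never moves is not matching, which is the quickest way to tell a wrong in-interface from a DVR-side problem.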