hairpin nat/routing

Hi all,

I have successfully forwarded ports on an RB2011 from the WAN port to a web server at 192.168.88.179. It is reachable from outside the LAN using the domain name.

If I try to reach the web site from within the LAN, I can do so with the IP address. However, using the domain name, I can only reach the WebFig login screen.
I’ve studied the Wiki re hairpin, as well as several other offered solutions…no joy. Here’s the config:

myconfig3.rsc (4.74 KB)
The firewall is essentially defconf, though I deleted the fasttrack rules.
Thanks,

Chandoz

Have a watch through this. Will explain everything you need.
https://www.youtube.com/watch?v=_kw_bQyX-3U&t=1s

Is that all you could find LOL!
I tried but I couldn’t get through that horrible accent. :stuck_out_tongue_winking_eye:

However, awesome providing decent material!!

Thanks, Steveocee,

Your accent’s no worries, mate. Rooting is cool, afaik…But seriously, a very clear and easy to track video.

But I already tried the config you describe and it gives the same result as before. I have a static WAN IP, so I did not bother with any of the dynamic stuff. WAN comes in on eth1 and all other ports are bridged, so that’s the LAN/local. I just can’t seem to get the hairpin all the way back through the router to the web server.

I do appreciate the help. Any further thoughts?

chandoz

  1. Your dstnat rules are not compatible with hairpin. If you have in-interface=ether1, they will only match packets coming from ether1. But packets from inside are coming from the bridge. Remove in-interface=ether1; it’s enough to have dst-address=###.###.###.107.

  2. You forward four ports, but you only have a hairpin (srcnat) rule for one. You may not need 53, but if you want 80, I guess you probably want 443 too. You don’t need to add multiple individual srcnat rules; you can leave out protocol and port and have a single universal one.

Thanks Sob. That solution worked beautifully. I had followed some credible-looking config suggestions for port forwarding after trying several others…obviously, there are a lot of different ideas out there. Yours was the right one.

I do want 443. The 53 UDP/TCP forwards are for a private name server, but I’ll see how well it works without them. I haven’t seemed to need additional srcnat rules, so I won’t add them.

Mikrotik has been challenging, but support from experts is very reassuring.

Thanks again,
chandoz


That’s a spot-on answer, but what if we do this, for example, for port 443? When you change the dst-nat rule and remove the in-interface, all outbound traffic coming from the inside to 443 outside matches this rule as well, and so no traffic is possible.

That’s usually not a problem if the DST-NAT rule has some other filter which picks out only the traffic which needs to be DST-NATed. In OP’s config, where the DST-NAT rule looks like

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=###.###.###.107 dst-port=443 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.88.179 to-ports=443

it’s then the dst-address=###.###.###.107 setting which makes sure that only traffic targeting the router’s (WAN) address is getting DST-NATed. LAN traffic towards the internet will have a different dst-address, hence the rule won’t interfere …

Sure enough, a rule

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=443 protocol=tcp to-addresses=192.168.88.179

would effectively disable all HTTPS traffic from LAN towards WAN.

And if you don’t have a static WAN address, you can use dst-address-type=local. If additionally it’s for a port that might be used on the router too (e.g. 80 for WebFig), also add dst-address=!<router’s LAN address> (don’t forget the “!”, it means “not”) to exclude the router’s LAN address.

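To put Sob’s two points (drop in-interface from the dst-nat rule, use one universal hairpin srcnat rule) and the dst-address-type=local variant above into one working rule set, here is an added example config. It is not the OP’s myconfig3.rsc and not any poster’s code. It assumes WAN on ether1, a LAN bridge named "bridge" carrying 192.168.88.0/24, the router’s own LAN address 192.168.88.1, and the web server at 192.168.88.179; all of those are illustrative values, not taken from the thread’s real config.

```routeros
# Added example config (not from the thread). Assumed topology:
#   ether1 = WAN (static or dynamic address), bridge = LAN 192.168.88.0/24,
#   router LAN address 192.168.88.1, web server 192.168.88.179.
/ip firewall nat
# 1. dst-nat WITHOUT in-interface=ether1, so it also matches LAN clients
#    that resolve the public name and arrive via the bridge.
#    dst-address-type=local matches any address the router owns, so the rule
#    keeps working when the WAN address changes. Normal LAN->internet HTTPS
#    is untouched because its dst-address is not local to the router.
#    dst-address=!192.168.88.1 keeps WebFig (port 80) on the router's LAN
#    address reachable instead of being hijacked by this rule.
add chain=dstnat action=dst-nat protocol=tcp dst-port=80,443 \
    dst-address-type=local dst-address=!192.168.88.1 \
    to-addresses=192.168.88.179 comment="web server (hairpin-capable dst-nat)"
# 2. One universal hairpin srcnat rule: for LAN->LAN traffic that was just
#    dst-natted, rewrite the source to the router so the server replies back
#    through the router. Without this the server answers the client directly
#    from 192.168.88.179, the client expects a reply from the public address,
#    and the TCP handshake never completes (only WebFig / a timeout is seen).
add chain=srcnat action=masquerade src-address=192.168.88.0/24 \
    dst-address=192.168.88.0/24 comment="hairpin NAT"
# 3. Ordinary outbound NAT for LAN->internet traffic.
add chain=srcnat action=masquerade out-interface=ether1 comment="default masquerade"
```

With a static WAN address you can replace `dst-address-type=local dst-address=!192.168.88.1` by `dst-address=<WAN address>`, exactly as in the thread; the `!` exclusion is only needed when the dynamic-address form could also match the router’s LAN address. Two caveats worth checking after applying this: the hairpin masquerade means the web server’s logs show the router’s LAN address for internal clients rather than the real client IP, and `/ip firewall connection print` from a LAN client test should show the connection with the router’s address as its reply destination, which confirms the srcnat rule is actually being hit.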
Many thanks for the video, Steve. It helped me with my web services and API problem on the LAN interface.
I never thought that hairpin NAT would help with this.