Hi all.
I'm having strange behavior with hairpin NAT. Even if I don't enable the masquerade rule in the NAT section of the firewall, I can access my forwarded ports via the external IP, but only from wireless clients. No access from wired. When I enable the masquerade rule I have access from both wired and wireless.
Short config: ether5-master and both wlan interfaces are in one bridge. HW is hAP ac lite. Tried with latest rc and stable. What's wrong? As far as I understand, without the masquerade rule I can't have access to my forwarded ports from the external IP to my LAN hosts.
It sounds like one big common LAN, so either it should work for all clients or for none. There must be something that’s not apparent from your description. Try posting your config and everything should be clear.
Here is my config:
[root@MikroTik] > /export hide-sensitive
# feb/20/2017 08:22:31 by RouterOS 6.38.1
# software id = IW7X-FBCR
#
/interface bridge
add name=br-lan
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan
set [ find default-name=ether5 ] poe-out=off
/ip neighbor discovery
set ether1-wan discover=no
/interface ethernet
set [ find default-name=ether2 ] master-port=ether5 name=ether2-pc
set [ find default-name=ether3 ] master-port=ether5 name=ether3-tv
/interface ethernet switch
set 0 name=switch
/interface wireless security-profiles
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=wpa2 supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode band=2ghz-g/n channel-width=20/40mhz-Ce country=ukraine disabled=no distance=indoors frequency=auto \
frequency-mode=regulatory-domain hw-protection-mode=rts-cts mode=ap-bridge multicast-helper=full name=wlan2 security-profile=wpa2 ssid=MikroTik-hap wireless-protocol=\
802.11 wmm-support=enabled wps-mode=disabled
set [ find default-name=wlan2 ] adaptive-noise-immunity=ap-and-client-mode band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee country=ukraine disabled=no distance=indoors \
frequency=auto frequency-mode=regulatory-domain hw-protection-mode=rts-cts mode=ap-bridge multicast-helper=full name=wlan5 security-profile=wpa2 ssid=MikroTik-hap \
wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
/interface wireless nstreme
set wlan2 enable-polling=no
set wlan5 enable-polling=no
/ip ipsec policy group
set
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-256-ctr,aes-192-cbc,aes-192-ctr,aes-128-cbc,aes-128-ctr,3des pfs-group=none
/ip pool
add name=pool-1 ranges=172.16.69.2-172.16.69.14
add name=pool-vpn ranges=172.16.69.34-172.16.69.44
/ip dhcp-server
add address-pool=pool-1 disabled=no interface=br-lan lease-time=1w name=dhcp-1
/ppp profile
add change-tcp-mss=yes dns-server=172.16.69.1,8.8.8.8 local-address=172.16.69.33 name=vpn remote-address=pool-vpn
add change-tcp-mss=yes dns-server=8.8.8.8 local-address=pool-vpn name=l2tp remote-address=pool-vpn
/system logging action
set 3 remote=172.16.69.2
/interface bridge port
add bridge=br-lan interface=wlan5
add bridge=br-lan interface=wlan2
add bridge=br-lan interface=ether5
/interface bridge settings
set use-ip-firewall=yes
/ip firewall connection tracking
set enabled=yes
/interface l2tp-server server
set allow-fast-path=yes default-profile=l2tp use-ipsec=yes
/interface ovpn-server server
set certificate=vpn-srv-cert cipher=blowfish128,aes128,aes192,aes256 default-profile=vpn enabled=yes keepalive-timeout=30 port=65535 require-client-certificate=yes
/interface sstp-server server
set certificate=vpn-srv-cert default-profile=vpn enabled=yes
/ip address
add address=xx.xx.xx.xx/27 interface=ether1-wan network=xx.xx.xx.xx
add address=172.16.69.1/27 interface=br-lan network=172.16.69.0
/ip arp
add address=172.16.69.30 interface=br-lan mac-address=FF:FF:FF:FF:FF:FF
/ip dhcp-server lease
add address=172.16.69.2 client-id=1:xx:xx:xx:xx:xx:xx mac-address=xx:xx:xx:xx:xx:xx server=dhcp-1
add address=172.16.69.4 client-id=1:xx:xx:xx:xx:xx:xx mac-address=xx:xx:xx:xx:xx:xx server=dhcp-1
/ip dhcp-server network
add address=172.16.69.0/27 dns-server=172.16.69.1,8.8.8.8 domain=lan gateway=172.16.69.1 netmask=27
/ip dns
set allow-remote-requests=yes servers=172.16.69.1,8.8.8.8
/ip dns static
add address=172.16.69.1 name=mikrotik.lan
add address=172.16.69.2 name=vmunix.lan
add address=172.16.69.3 name=ps3.lan
add address=172.16.69.4 name=tv.lan
/ip firewall filter
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related
add action=accept chain=forward comment=fasttrack connection-state=established,related
add action=accept chain=input comment="allow established connections" connection-state=established
add action=accept chain=input comment="allow new connections" connection-state=new
add action=accept chain=input comment="allow related connections" connection-state=related
add action=accept chain=input comment="allow ICMP ping" protocol=icmp
add action=accept chain=input comment=vpn dst-port=443,65535 in-interface=ether1-wan protocol=tcp
add action=accept chain=input comment=webfig-ssl dst-port=8444 in-interface=ether1-wan protocol=tcp
add action=accept chain=input comment=rossh dst-port=8443 in-interface=ether1-wan protocol=tcp
add action=drop chain=input comment="drop invalid connections" connection-state=invalid
add action=drop chain=input comment="drop everything else" in-interface=ether1-wan
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-wan src-address=172.16.69.0/26
add action=masquerade chain=srcnat disabled=yes dst-address=!172.16.69.1 dst-port=4443,9999 out-interface=br-lan protocol=tcp src-address=172.16.69.0/26
add action=netmap chain=dstnat comment=rossh dst-address=172.16.69.1 dst-port=22 in-interface=br-lan protocol=tcp to-addresses=172.16.69.1 to-ports=8443
add action=netmap chain=dstnat comment=wol dst-address=xx.xx.xx.xx dst-port=9 protocol=udp to-addresses=172.16.69.30 to-ports=9
add action=netmap chain=dstnat dst-address=xx.xx.xx.xx dst-port=6881,6890-6999 protocol=udp to-addresses=172.16.69.2
add action=netmap chain=dstnat dst-address=xx.xx.xx.xx dst-address-type="" dst-port=4443,6890-6999,9999 protocol=tcp to-addresses=172.16.69.2
/ip ipsec peer
add address=0.0.0.0/0 compatibility-options=skip-peer-id-validation enc-algorithm=aes-256,aes-128,3des exchange-mode=main-l2tp generate-policy=port-override passive=yes
/ip proxy
set max-client-connections=1000 max-server-connections=1000 port=3128
/ip route
add distance=1 gateway=xx.xx.xx.xx
/ip service
set telnet address=172.16.69.0/26
set ftp address=172.16.69.0/26
set www address=172.16.69.0/26
set ssh port=8443
set www-ssl certificate=webfig port=8444
set api address=172.16.69.0/26
set winbox address=172.16.69.0/26
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1-wan type=external
add interface=ether2-pc type=internal
add interface=ether3-tv type=internal
add interface=ether4 type=internal
add interface=ether5 type=internal
add interface=br-lan type=internal
/ppp secret
add name=solnote profile=vpn
add name=iphone profile=vpn service=ovpn
/snmp
set trap-version=2
/system clock
set time-zone-name=Europe/Kiev
/system leds
add interface=br-lan leds=user-led type=interface-activity
/system logging
add action=remote topics=dns
/system ntp client
set enabled=yes server-dns-names=0.ua.pool.ntp.org,1.ua.pool.ntp.org,2.ua.pool.ntp.org,3.ua.pool.ntp.org
/system routerboard settings
set init-delay=0s silent-boot=yes
/system watchdog
set automatic-supout=no
/tool e-mail
set address=smtp.gmail.com from=mikrotik@home port=587 start-tls=yes user=sergey.bobrov83@gmail.com
/tool graphing interface
add allow-address=172.16.69.0/27 store-on-disk=no
add allow-address=172.17.0.0/24 store-on-disk=no
/tool graphing resource
add allow-address=172.16.69.0/27 store-on-disk=no
add allow-address=172.17.0.0/24 store-on-disk=no
This is really strange because
add action=masquerade chain=srcnat disabled=yes dst-address=!172.16.69.1 dst-port=4443,9999 out-interface=br-lan protocol=tcp src-address=172.16.69.0/26
is in the disabled state and I can reach the NAT-ed port from outside.
From work network to home:
[root@SolCGW1 ~]# telnet XX.XX.XX.XX 9999
Trying XX.XX.XX.XX...
Connected to XX.XX.XX.XX.
Escape character is '^]'.
From laptop connected to MikroTik via VPN:
solnote-c6gk-2 ~ $ telnet XX.XX.XX.XX 9999
Trying XX.XX.XX.XX...
Connected to XX.XX.XX.XX.
Escape character is '^]'.
^]
telnet> Connection closed.
As I mentioned before, I can reach this port from a wireless device,
BUT I can't from a wired-connected PC:
vmunix ~ $ telnet XX.XX.XX.XX 9999
Trying XX.XX.XX.XX...
^C
What the hell???
It's just a single question for MikroTik experts: how can it be possible that devices in the same network have different access to a single resource without any filter rules?
2 wired devices - PC & TV
dst-nat to some port to TV - I can't reach the port from PC via wan_ip but can from wlan or VPN
dst-nat to some port to PC - I can't reach the port from PC via wan_ip but can from wlan or VPN
dst-nat to some port to VPN-connected laptop - I can reach the port from PC via wan_ip but can't from laptop
dst-nat to some port to wireless device - I can reach the port from PC via wan_ip and from laptop
No MikroTik experts on the MikroTik forum?
BTW, if I enable the masquerade rule, all my connections from LAN to wan_ip "come" with the source IP of the router. How to avoid this?
In Linux it works with a few simple rules. Hairpin nat is like a “duct tape”.
This happens to my case as well. But in my problem it is more for traffic shaping. I can’t answer, for the life of me, how to avoid filtering my own traffic speed from my LAN that comes through WAN IP that goes to my own internal server.
It's been years, but nobody can answer me. So yeah, good luck to you.
It's a shame for MikroTik... 3 years of "v7 beta" with promises of new functionality and fixing current v6 bugs, and still nothing. Unusable PIM, OpenVPN...
I'm really disappointed in MikroTik. I never saw such problems in *wrt and similar devices like Zyxel or so.
It is wonderful that support shies away from this topic and says nothing.
It's very hard to work out what is happening when you hide the IPs with XX.XX.XX.XX.
Normally to avoid the need for hairpin NAT you use internal static dns to point at the internal IPs instead.
XX.XX.XX.XX is my WAN IP.
Sent from my iPhone using Tapatalk
Queues should be on WAN interface only, not on other interfaces. Since hairpin routed packets don’t traverse the WAN interface (dst-nat happens in prerouting), they shouldn’t touch queues.
But if you have a more complex setup, you should be able to use a connection mark on hairpinned traffic to avoid the queues.
Turn this off unless you have a good reason (off is the default). When this is on, it sends all bridged traffic (i.e., wlan→wired) through IP firewall (thus NAT). So replies to your NATted connections from the wlan pass back through the router and get un-NATted, without a hairpin rule. But wired→wired connections are handled by the switch, and thus NATted replies do not reach the bridge or router unless the hairpin rule is enabled.
Turning this off will treat bridged (wlan→wired) and switched (wired→wired) connections equally, requiring a hairpin rule for both.
Yes, this is how hairpinning works. Replies to the client which made the NATted connection (LAN→WAN→LAN) need to pass back through the router, so the router can "undo" the NAT. Normally the only way to force this is by masquerading the source as the router IP. Otherwise such replies pass directly through the bridge/switch, and the recipient (client) drops them, because they appear to come from the "wrong" source (LAN instead of WAN).
The other way to do this is to disable switches (use only bridge) and enable IP firewall (the latter of which you had done). But now all your LAN traffic is flowing through router; even with fasttrack this is not very good.
Thank you for your replies!
But I still can't understand why I can access NATed ports on my wired-connected PC from a laptop via WiFi or from VPN without hairpinning?
Yes, it’s possible. See one example down below.
Basically you have two choices which are not specifically related to Mikrotik:
- Use routing for the internal network and bypass the firewall.
- Use NAT to hide or consolidate certain internal services, which basically will require:
  a) "hairpin" NAT when used on the same local subnet.
  b) "regular" NAT when used between different subnets.
IMO, in general I consider hairpin NAT to be messy, error-prone and insecure (if security matters, that is). NAT is NAT, and when used, all traffic must pass through the router regardless of type. Personally I'd divide the network into different subnets. Then it's possible to NAT all internal networks the same way as you would access them from the internet. This also means you only need a single set of NAT rules (e.g. general NAT access between local networks...).
Because those are forced to flow through the router (and thus NAT) by the bridge with use-ip-firewall=yes. Whereas wired→wired connections use the switch on the return path, bypassing the bridge and NAT, and are dropped by the client due to the incorrect source IP.
In short, use-ip-firewall=yes makes bridged traffic behave very differently from switched traffic.
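To make the explanation in the two replies above concrete (the reply needing to pass back through the router, and the switched wired→wired return path bypassing it), here is a small added model of the data path; it is not code from the thread or from RouterOS. It assumes 203.0.113.10 as a stand-in for the poster's WAN IP, and uses the LAN addresses and port 9999 from the exported config. The two switches in hairpin_session() correspond to the disabled hairpin masquerade rule and to use-ip-firewall=yes on the bridge.

```python
from dataclasses import dataclass

# Constructed values: 203.0.113.10 stands in for the poster's WAN IP (xx.xx.xx.xx).
WAN_IP, ROUTER_LAN_IP = "203.0.113.10", "172.16.69.1"
CLIENT, SERVER, PORT = "172.16.69.4", "172.16.69.2", 9999  # tv.lan -> vmunix.lan


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


def router_forward(p: Pkt, hairpin_nat: bool) -> tuple[Pkt, dict]:
    """dstnat (prerouting) then the optional hairpin masquerade (postrouting).
    Returns the translated packet plus the conntrack entry needed to undo it."""
    orig = p
    if p.dst == WAN_IP and p.dport == PORT:  # the netmap rule: WAN:9999 -> server
        p = Pkt(p.src, p.sport, SERVER, PORT)
    if hairpin_nat and p.src.startswith("172.16.69.") and p.dst.startswith("172.16.69."):
        p = Pkt(ROUTER_LAN_IP, p.sport, p.dst, p.dport)  # masquerade as the router
    return p, {"orig": orig, "xlated": p}


def router_reply(ct: dict) -> Pkt:
    """Reverse the conntrack entry: the client must see WAN:9999 as the source."""
    o = ct["orig"]
    return Pkt(o.dst, o.dport, o.src, o.sport)


def hairpin_session(hairpin_nat: bool, bridged_via_router: bool) -> str:
    """Simulate one LAN->WAN_IP->LAN connection and report what the client sees."""
    syn = Pkt(CLIENT, 40000, WAN_IP, PORT)
    fwd, ct = router_forward(syn, hairpin_nat)
    # The server answers whatever source address it saw in the SYN.
    reply = Pkt(fwd.dst, fwd.dport, fwd.src, fwd.sport)
    # The router only gets to un-NAT the reply if the reply reaches it: either it
    # is addressed to the router (masquerade) or the bridge forces it through the
    # IP firewall (use-ip-firewall=yes). A switched wired->wired reply never does.
    if reply.dst == ROUTER_LAN_IP or bridged_via_router:
        reply = router_reply(ct)
    if (reply.src, reply.sport) == (WAN_IP, PORT) and reply.dst == CLIENT:
        return "accepted"
    return f"dropped: reply from {reply.src}:{reply.sport}, expected {WAN_IP}:{PORT}"
```

hairpin_session(False, False) is the poster's wired PC case; the other three combinations all come back "accepted".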
Yeah, it's basically like forcing the firewall to manage all Ethernet traffic on the bridge. When using "use-ip-firewall=no", all traffic will be transferred directly between the bridge ports in the same way as on any other switch.
I still would replace the hairpin NAT though!
No. I disabled the firewall in bridge settings. Nothing changed. I can believe it is normal that I can access NATed ports via VPN without hairpin (yes, VPN has another subnet - 172.16.69.16/27), but I repeat that I can access NATed ports (opened SSH from 172.16.69.2, wired-connected PC) via my cell phone or laptop connected via WiFi, and vice versa. Wired and wireless clients are in the same subnet (172.16.69.0/27).
Sent from my iPhone using Tapatalk
Just curious, why do you want to NAT the internal traffic?