Hairpin NAT When Inbound Port != Destination Port

My router has LAN network 192.168.88.0/24. I am forwarding inbound port 8201 to 192.168.88.94:80. I would like to setup hairpin NAT.

The example I see for hairpin NAT looks like this:

/ip firewall nat
add chain=srcnat action=masquerade protocol=tcp \
    src-address=192.168.88.0/24 \
    dst-address=192.168.88.94 dst-port=80 \
    out-interface=ether2-master-local

The difficulty is that in my case the forwarded port is different from the final destination port. In other words, the router accepts traffic on port 8201 and forwards it to port 80. The example I have for hairpin NAT only works when the two ports (i.e. the one that the router accepts traffic on and the one that the router sends traffic to) are the same.

How can I modify the masquerade rule above to accommodate this? Thank you.

If you want to change dst-port, then you have to do it in the dstnat rule (which is also part of the whole “hairpin NAT” concept). You can’t do it in src-nat, because this NAT only takes care of rewriting the src-* fields, and dst-port is actually there as a selection field (it limits the connections which this rule will affect).

I would be very grateful if you could please give me an example of how to structure these commands.

Check this: http://forum.mikrotik.com/t/hairpin-nat-is-there-a-simple-solution/140385/19

I appreciate the help, but please understand that I have very limited knowledge of RouterOS, so this is difficult for me to follow.

So far, I have done the following:

  1. Set up port forwarding using “dst-address-type=local”, rather than “in-interface=ether1”. This is so that the rule applies to traffic initiated from the LAN:

     /ip firewall nat
     add chain=dstnat dst-address-type=local protocol=tcp dst-port=8201 action=dst-nat to-address=192.168.88.94 to-port=80

  2. Set up the masquerade rule for local traffic → local traffic:

     /ip firewall nat
     add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.0/24 action=masquerade

I am honestly not following this conceptually, so I have no idea if what I did is correct so far nor do I know what else I need to do.

I would so greatly appreciate if someone could provide an example of the actual configuration lines I need to achieve the goal stated in the OP. Thank you.

UPDATE: preliminary tests seem to indicate that the above is working. Have I done anything that may have unintended side effects? Thank you.

Well, you chose “General” subforum instead of “Beginner Basics”. :wink: But seriously, it’s no problem, you can always ask about more details if something is not clear.

The whole concept is described here:

https://wiki.mikrotik.com/wiki/Hairpin_NAT

It explains all steps that happen, what’s the problem, solution, and what exactly it does.

The page has a different srcnat rule, which includes protocol, port, outgoing interface and only one destination address. It’s not wrong, but if you needed it for other port(s) too, you’d have to add duplicate rule(s), which is unnecessary, because the simplified rule you have now can cover all ports. It may seem too broad, but normally you won’t have any packets from the LAN subnet back to the same LAN subnet, because devices in the LAN communicate directly; their traffic doesn’t pass through the router.
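Added example (not from the thread or from RouterOS): a small Python model of the two rules posted above (dst-nat on dst-address-type=local, then the broad srcnat masquerade) and of the point just made that LAN-to-LAN traffic never reaches the router. The router's LAN address 192.168.88.1 and public address 203.0.113.10 are assumed; the other addresses are the thread's.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address, ip_network

LAN = ip_network("192.168.88.0/24")
SERVER = ip_address("192.168.88.94")
ROUTER_LAN_IP = ip_address("192.168.88.1")    # assumed: router's LAN address
ROUTER_WAN_IP = ip_address("203.0.113.10")    # assumed: router's public address
ROUTER_LOCAL = {ROUTER_LAN_IP, ROUTER_WAN_IP}  # dst-address-type=local matches these

@dataclass(frozen=True)
class Conn:
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int

def hits_router(c):
    """LAN-to-LAN traffic is switched directly and never reaches the NAT
    rules; only off-subnet or router-addressed packets pass through."""
    return c.dst not in LAN or c.dst in ROUTER_LOCAL

def dstnat(c):
    # add chain=dstnat dst-address-type=local protocol=tcp dst-port=8201 \
    #     action=dst-nat to-address=192.168.88.94 to-port=80
    if c.dst in ROUTER_LOCAL and c.dport == 8201:
        return replace(c, dst=SERVER, dport=80)
    return c

def srcnat(c):
    # add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.0/24 \
    #     action=masquerade  (src becomes the address of the egress interface)
    if c.src in LAN and c.dst in LAN:
        return replace(c, src=ROUTER_LAN_IP)
    return c

def translate(c, hairpin=True):
    """dstnat runs in prerouting, srcnat in postrouting. hairpin=False
    models having only the port-forward rule in place."""
    if not hits_router(c):
        return c
    c = dstnat(c)
    return srcnat(c) if hairpin else c

def reply_returns_via_router(t):
    """The server answers the translated source. Router or off-subnet:
    the reply comes back through the router and conntrack reverses both
    translations. A LAN client: the reply goes straight to a client that
    opened a connection to router:8201, not to .94:80, so it is rejected."""
    return t.src in ROUTER_LOCAL or t.src not in LAN
```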

Thank you, I had actually read and understood that page, so I guess I do get the concept. It’s the syntax and semantics of the configuration commands that I am unsure about.

At this point, I do believe the two configuration lines from my previous post have established the results I need. Thanks for the help.