I have searched many times, read many posts, read and re-read the wiki page, but I am unable to get Hairpin NAT working with a dynamic public IP.
This is for a RB2011 with default settings. I disabled the dhcp-client on ether1-gateway and statically assign the IP so it is easier to change during testing.
ether1-gateway: 10.1.1.1/24 (Once testing is complete this will be a real public IP)
bridge-local: 192.168.88.1/24
Server: 192.168.88.254 with MySQL configured and working.
Workstation: 192.168.88.48
[admin@MikroTik] /ip firewall nat> pri
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
chain=srcnat action=masquerade
out-interface=sfp1-gateway
2 ;;; Public MySQL (by interface)
chain=dstnat action=dst-nat to-addresses=192.168.88.254
protocol=tcp in-interface=ether1-gateway dst-port=3306
3 X ;;; Public MySQL (by IP)
chain=dstnat action=dst-nat to-addresses=192.168.88.254
protocol=tcp dst-address=10.1.1.1 dst-port=3306
4 ;;; Hairpin NAT MySQL
chain=srcnat action=masquerade protocol=tcp
src-address=192.168.88.0/24 dst-address=192.168.88.254
out-interface=bridge-local dst-port=3306

With rule 2 active I am unable to connect from 192.168.88.48 -> 10.1.1.1 and have it redirected (hairpin NAT) to 192.168.88.254. If I disable rule 2 and enable rule 3, then hairpin NAT works. The problem with rule 3 is that it does not work if the IP on ether1-gateway changes.
That worked! Thank you so much. Now that I have read the wiki for dst-address-type it makes perfect sense. For others searching, here are my complete NAT rules:
[admin@MikroTik] /ip firewall nat> pri
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
chain=srcnat action=masquerade out-interface=sfp1-gateway
2 X ;;; Public MySQL (by interface)
chain=dstnat action=dst-nat to-addresses=192.168.88.254 protocol=tcp
in-interface=ether1-gateway dst-port=3306
3 ;;; Public MySQL (by any local IP)
chain=dstnat action=dst-nat to-addresses=192.168.88.254 protocol=tcp
dst-address-type=local dst-port=3306
4 ;;; Hairpin NAT MySQL
chain=srcnat action=masquerade protocol=tcp src-address=192.168.88.0/24
dst-address=192.168.88.254 out-interface=bridge-local dst-port=3306

NOTE: Rule 2 is not needed. I just left it in for completeness.
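The two posts above describe how RouterOS walks the NAT chains for a LAN client that connects to the router's public address. What follows is an added Python model of that evaluation order (dstnat before routing, srcnat after it, first match per chain); it is not RouterOS code and not part of this thread. It uses the thread's addresses and rules, and treats the default masquerade rule as irrelevant to the hairpin case; the Internet client 203.0.113.5 and the replacement WAN address 198.51.100.7 are constructed sample values. It shows why the in-interface rule never sees the LAN client's packet, why the fixed-IP rule breaks after the WAN address changes while dst-address-type=local keeps matching, and why the srcnat masquerade (rule 4) is still needed so the server's replies come back through the router.

```python
"""Simulation of RouterOS NAT rule evaluation for the thread's hairpin case.

Added illustration, not RouterOS code. Assumptions: first matching rule in
each chain wins, dstnat runs before the routing decision, srcnat after it,
and "dst-address-type=local" means "any address the router itself owns".
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

LAN = ip_network("192.168.88.0/24")
SERVER = "192.168.88.254"

# Router addresses as given in the thread (interface -> address).
ROUTER = {"ether1-gateway": "10.1.1.1", "bridge-local": "192.168.88.1"}
# Same router after the dynamic WAN address changed (constructed sample value).
ROUTER_NEW_WAN = {"ether1-gateway": "198.51.100.7", "bridge-local": "192.168.88.1"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str


@dataclass(frozen=True)
class NatRule:
    chain: str                                  # "dstnat" or "srcnat"
    action: str                                 # "dst-nat" or "masquerade"
    in_interface: Optional[str] = None
    out_interface: Optional[str] = None
    src_address: Optional[str] = None           # CIDR or single address
    dst_address: Optional[str] = None
    dst_address_type: Optional[str] = None      # only "local" is modelled
    dst_port: Optional[int] = None
    to_addresses: Optional[str] = None


# The thread's rules, by number.
RULE_BY_INTERFACE = NatRule("dstnat", "dst-nat", in_interface="ether1-gateway",
                            dst_port=3306, to_addresses=SERVER)          # rule 2
RULE_BY_IP = NatRule("dstnat", "dst-nat", dst_address="10.1.1.1",
                     dst_port=3306, to_addresses=SERVER)                 # rule 3, first post
RULE_BY_LOCAL = NatRule("dstnat", "dst-nat", dst_address_type="local",
                        dst_port=3306, to_addresses=SERVER)              # rule 3, answer
RULE_HAIRPIN_MASQ = NatRule("srcnat", "masquerade", src_address="192.168.88.0/24",
                            dst_address=SERVER, out_interface="bridge-local",
                            dst_port=3306)                               # rule 4

LAN_CLIENT = Packet(src="192.168.88.48", dst="10.1.1.1", dport=3306, in_iface="bridge-local")


def in_net(addr: str, spec: str) -> bool:
    return ip_address(addr) in ip_network(spec, strict=False)


def matches(rule: NatRule, pkt: Packet, out_iface: Optional[str], router_addrs: dict) -> bool:
    """Every matcher set on the rule must agree with the packet."""
    return all([
        rule.in_interface is None or rule.in_interface == pkt.in_iface,
        rule.out_interface is None or rule.out_interface == out_iface,
        rule.src_address is None or in_net(pkt.src, rule.src_address),
        rule.dst_address is None or in_net(pkt.dst, rule.dst_address),
        # "local" is evaluated against the router's current addresses at match
        # time, so a changed WAN address is picked up without editing the rule.
        rule.dst_address_type != "local" or pkt.dst in router_addrs.values(),
        rule.dst_port is None or rule.dst_port == pkt.dport,
    ])


def route(dst: str, router_addrs: dict) -> Optional[str]:
    """Egress interface; None means the packet is addressed to the router itself."""
    if dst in router_addrs.values():
        return None
    return "bridge-local" if ip_address(dst) in LAN else "ether1-gateway"


def apply_nat(pkt: Packet, rules: list, router_addrs: dict):
    """Return (translated packet, egress interface) after both NAT chains."""
    for r in rules:                                    # dstnat: before routing
        if r.chain == "dstnat" and matches(r, pkt, None, router_addrs):
            pkt = replace(pkt, dst=r.to_addresses)
            break
    out_iface = route(pkt.dst, router_addrs)
    if out_iface is not None:                          # srcnat: after routing
        for r in rules:
            if r.chain == "srcnat" and matches(r, pkt, out_iface, router_addrs):
                pkt = replace(pkt, src=router_addrs[out_iface])   # masquerade
                break
    return pkt, out_iface


def hairpin_works(pkt: Packet, rules: list, router_addrs: dict) -> bool:
    """A LAN client reaches the server only if the destination was rewritten to the
    server AND the source now belongs to the router. Without the source rewrite the
    server answers the client directly, the client sees a reply from 192.168.88.254
    instead of the WAN address it connected to, and the connection is reset."""
    out, out_iface = apply_nat(pkt, rules, router_addrs)
    return out.dst == SERVER and out.src in router_addrs.values() and out_iface == "bridge-local"


if __name__ == "__main__":
    for label, rules in [("by interface", [RULE_BY_INTERFACE, RULE_HAIRPIN_MASQ]),
                         ("by IP", [RULE_BY_IP, RULE_HAIRPIN_MASQ]),
                         ("by local", [RULE_BY_LOCAL, RULE_HAIRPIN_MASQ]),
                         ("by local, no masquerade", [RULE_BY_LOCAL])]:
        print(f"{label:25s} hairpin: {hairpin_works(LAN_CLIENT, rules, ROUTER)}")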
Here's another working example. This assumes you have a dhcp-client on your WAN interface, which in my case is ether5-gateway. I have two internal port forwards as examples. In RouterOS version 6 you can specify "all ethernet", so if you are running an older version your local interface should be the LAN interface(s) of your router.
And of course you still need your traditional WAN port forwarding, which is not shown below, inbound via the WAN interface.