Hi all,
I am having a strange problem with hairpin NAT. I’m using dst-nat rules to forward ~15 ports to various server apps on my LAN. In order to be able to reach them from systems on the LAN using the WAN address I have set up a hairpin rule.
All of the port forwards obviously work fine from outside. The problem I have is that the hairpin works with all of them except two. Both go to port 80 on two different hosts.

One is a forward from external port 80 to internal port 80 on Server 1, the other from 8888 to 80 on Server 2. The other ones in the example use the same port numbers externally and internally; they work fine.
Below is an excerpt from my configuration, showing the NAT rules for the same ports as in the diagram.
[admin@VL-RTR] > export
# nov/03/2014 08:22:19 by RouterOS 6.20
# software id = 2LTM-VK69
#
/interface bridge
add admin-mac=4C:5E:0C:30:26:4B auto-mac=no mtu=1500 name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] mac-address=E0:91:F5:CC:7F:9B name=\
    ether1-gateway
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2
set [ find default-name=ether7 ] master-port=ether6
set [ find default-name=ether8 ] master-port=ether6
set [ find default-name=ether9 ] master-port=ether6
set [ find default-name=ether10 ] master-port=ether6
set [ find default-name=sfp1 ] master-port=ether2
/interface bridge port
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether6
/ip firewall address-list
add address=192.168.2.0/24 list=LocalNet
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
add chain=forward comment="default configuration" connection-state=\
    established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway to-addresses=0.0.0.0
add action=masquerade chain=srcnat dst-address=192.168.2.0/24 out-interface=\
    bridge-local src-address=192.168.2.0/24
add action=dst-nat chain=dstnat comment="Vera Lite" dst-address=\
    xxx.xxx.xxx.xxx dst-port=8888 protocol=tcp to-addresses=192.168.2.14 \
    to-ports=80
add action=dst-nat chain=dstnat comment="WSE2012R2 Web" dst-address=\
    xxx.xxx.xxx.xxx dst-port=80 protocol=tcp to-addresses=192.168.2.2 \
    to-ports=80
add action=dst-nat chain=dstnat comment="WSE2012R2 SSL" dst-address=\
    xxx.xxx.xxx.xxx dst-port=443 protocol=tcp to-addresses=192.168.2.2 \
    to-ports=443
add action=dst-nat chain=dstnat comment="Xprotect Web" dst-address=\
    xxx.xxx.xxx.xxx dst-port=8089 protocol=tcp to-addresses=192.168.2.2 \
    to-ports=8081
add action=dst-nat chain=dstnat comment="Media Browser" dst-address=\
    xxx.xxx.xxx.xxx dst-port=8096 protocol=tcp to-addresses=192.168.2.2 \
    to-ports=8096
Hopefully someone can help me understand why the hairpin does not work with these two ports, when all the others are fine.
I suspect it has something to do with the fact that both go to internal port 80. But there are no firewalls or other software that could be blocking those ports.