Hairpin NAT

Hi All,

I know there are many posts on hairpin NAT and I cannot for the life of me get it to work.

I have 3 wan connections
WAN 11.11.11.11
WAN2 55.55.55.55
WAN3 22.22.22.22-44.44.44.44

LAN 10.0.0.0/8

Here is a print of my NAT; where am I going wrong?

Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; RDP
      chain=dstnat action=dst-nat to-addresses=10.10.10.103 protocol=tcp dst-address=11.11.11.11 dst-port=3389 
      log=no log-prefix="" 

 1    ;;; RDWEB
      chain=dstnat action=dst-nat to-addresses=10.10.10.103 to-ports=443 protocol=tcp dst-address=11.11.11.11 
      dst-port=443 log=no log-prefix="" 

 2    ;;; Remove after migration
      chain=dstnat action=dst-nat to-addresses=10.10.10.101 to-ports=445 protocol=tcp 
      src-address=178.23.131.118 dst-address=11.11.11.11 dst-port=445 log=no log-prefix="" 

 3    chain=dstnat action=dst-nat to-addresses=10.10.10.101 to-ports=139 protocol=tcp src-address=178.23.131.118 
      dst-address=11.11.11.11 dst-port=139 log=no log-prefix="" 

 4    chain=dstnat action=dst-nat to-addresses=10.10.10.101 to-ports=21 protocol=tcp dst-address=11.11.11.11 
      dst-port=21 log=no log-prefix="" 

 5    chain=dstnat action=dst-nat to-addresses=10.10.10.101 to-ports=990 protocol=tcp dst-address=11.11.11.11 
      dst-port=990 log=no log-prefix="" 

 6    ;;; Demo Test RDWEB
      chain=dstnat action=dst-nat to-addresses=10.10.12.1 to-ports=443 protocol=tcp dst-address=11.11.11.11 
      dst-port=444 log=no log-prefix="" 

 7    ;;; Hosted Exchange 2016 Forwarding
      chain=dstnat action=dst-nat to-addresses=10.10.11.101 to-ports=80 protocol=tcp dst-address=22.22.22.22 
      dst-port=80 log=no log-prefix="" 

 8    chain=dstnat action=dst-nat to-addresses=10.10.11.100 to-ports=25 protocol=tcp dst-address=22.22.22.22 
      dst-port=25 log=no log-prefix="" 

 9    chain=dstnat action=dst-nat to-addresses=10.10.11.100 to-ports=443 protocol=tcp dst-address=33.33.33.33 
      dst-port=443 log=no log-prefix="" 

10    chain=srcnat action=src-nat to-addresses=33.33.33.33 src-address-list=Hosted 2016 log=no log-prefix="" 

11    ;;; 
      chain=dstnat action=dst-nat to-addresses=10.10.11.10 to-ports=9001 protocol=tcp dst-address=33.33.33.33 
      dst-port=9001 log=no log-prefix="" 

12    ;;; Data Migration
      chain=dstnat action=dst-nat to-addresses=10.10.11.100 to-ports=443 protocol=tcp dst-address=55.55.55.55 
      dst-port=443 log=no log-prefix="" 

13    ;;; 
      chain=dstnat action=dst-nat to-addresses=10.10.16.1 to-ports=443 protocol=tcp dst-address=44.44.44.44 
      dst-port=443 log=no log-prefix="" 

14    chain=dstnat action=dst-nat to-addresses=10.10.16.1 to-ports=5001 protocol=tcp dst-address=44.44.44.44 
      dst-port=5001 log=no log-prefix="" 

15    chain=dstnat action=dst-nat to-addresses=10.10.16.1 to-ports=5060 protocol=tcp dst-address=44.44.44.44 
      dst-port=5060 log=no log-prefix="" 

16    chain=dstnat action=dst-nat to-addresses=10.10.16.1 to-ports=5060 protocol=udp dst-address=44.44.44.44 
      dst-port=5060 log=no log-prefix="" 

17    chain=dstnat action=dst-nat to-addresses=10.10.16.1 to-ports=9000-9499 protocol=udp dst-address=44.44.44.44>
      dst-port=9000-9499 log=no log-prefix="" 

18    chain=dstnat action=dst-nat to-addresses=10.10.16.1 to-ports=5090 protocol=tcp dst-address=44.44.44.44 
      dst-port=5090 log=no log-prefix="" 

19    chain=dstnat action=dst-nat to-addresses=10.10.16.1 to-ports=5090 protocol=udp dst-address=44.44.44.44 
      dst-port=5090 log=no log-prefix="" 

20    chain=srcnat action=src-nat to-addresses=44.44.44.44 src-address=10.10.16.1 log=no log-prefix="" 

21    ;;; Masquerade Rules
      chain=srcnat action=masquerade out-interface=WAN log=no log-prefix="" 

22    chain=srcnat action=masquerade out-interface=WAN2 log=no log-prefix="" 

23    chain=srcnat action=masquerade out-interface=WAN3 log=no log-prefix=""

Hi there, are you doing any sort of mangle rules to mark the connections so that replies go out the correct route instead of taking the default route?

I am, I am using address lists.

Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; OBR Out
      chain=prerouting action=mark-routing new-routing-mark=to_WAN passthrough=yes src-address-list=OBR log=no 
      log-prefix="" 

 1    ;;; management Out
      chain=prerouting action=mark-routing new-routing-mark=to_WAN passthrough=yes src-address-list=Management 
      log=no log-prefix="" 

 2    chain=prerouting action=mark-routing new-routing-mark=to_WAN passthrough=yes src-address-list=Router log=no 
      log-prefix="" 

 3    ;;; Hosted 2016 Out
      chain=prerouting action=mark-routing new-routing-mark=to_WAN3 passthrough=yes 
      src-address-list=Hosted 2016 log=no log-prefix="" 

 4    ;;; 3CX Out
      chain=prerouting action=mark-routing new-routing-mark=to_WAN3 passthrough=yes src-address-list=3cX log=no 
      log-prefix="" 

 5    chain=prerouting action=accept log=no log-prefix=""

Are you currently experiencing the problem when an IP on your 10.0.0.0/8 network tries to access, for example: 11.11.11.11:3389 for remote desktop?

If that is the case, all you need to do is force the local traffic to NAT so that the server thinks the MikroTik is the client instead of the local LAN device.

/ip firewall nat
add chain=srcnat src-address=10.0.0.0/8 dst-address=10.10.10.103 protocol=tcp dst-port=3389 out-interface=LAN action=masquerade

This article explains how it works nicely, however it took me a while to really understand it: http://wiki.mikrotik.com/wiki/Hairpin_NAT

Unfortunately still nothing; I'm getting packets hitting the rule, but no response on the page.

I put that rule in position 3 just under the original masquerade rules.

Michael

Actually… I just disabled the mangle rule and it worked… but I need the mangle rule to force traffic out the right line.

Any ideas?

So in other words, the mangle rules are forcing traffic out the incorrect route. To get around that, try adding the following rule above the rest of your mangle rules.

/ip firewall mangle
add chain=prerouting src-address=10.0.0.0/8 dst-address=10.0.0.0/8 action=accept comment="Accept LAN -> LAN"

Worked a treat, thanks.

I also changed the first rule you sent to

/ip firewall nat
add chain=srcnat src-address=10.0.0.0/8 dst-address=10.0.0.0/8 protocol=tcp out-interface=LAN action=masquerade

and that's working perfectly.
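As an added example (not from any of the posts above), a small Python audit of a `/ip firewall nat print` listing in the layout shown in the first post: it parses the rules, lists dst-nat forwards on sensitive ports that no src-address or src-address-list restricts, and checks that a LAN-to-LAN srcnat rule like the final hairpin rule exists. The excerpt it parses is constructed from rules 0 and 2 of the first post plus the final hairpin rule; the sensitive-port table is this example's own choice.

```python
"""Added example: parse a RouterOS '/ip firewall nat print' listing and audit it."""
import re

LAN = "10.0.0.0/8"                                   # the thread's LAN prefix
SENSITIVE = {3389: "RDP", 445: "SMB", 139: "NetBIOS", 21: "FTP"}   # example's own table
RULE_START = re.compile(r"^ ?(\d+)\s+(?:[XID]+\s+)?(.*)$")   # number, optional flags, body

# Constructed excerpt: rules 0 and 2 of the first post plus the final hairpin rule.
NAT_PRINT = """\
Flags: X - disabled, I - invalid, D - dynamic
 0    ;;; RDP
      chain=dstnat action=dst-nat to-addresses=10.10.10.103 protocol=tcp dst-address=11.11.11.11 dst-port=3389
 2    ;;; Remove after migration
      chain=dstnat action=dst-nat to-addresses=10.10.10.101 to-ports=445 protocol=tcp
      src-address=178.23.131.118 dst-address=11.11.11.11 dst-port=445 log=no log-prefix=""
 3    chain=srcnat action=masquerade src-address=10.0.0.0/8 dst-address=10.0.0.0/8 protocol=tcp out-interface=LAN
"""

def parse_rules(text):
    """One dict per rule; indented continuation lines fold into the rule above."""
    rules, current = [], None
    for line in text.splitlines():
        m = RULE_START.match(line)
        if m:
            current = {"id": int(m.group(1))}
            rules.append(current)
        elif current is None or not line.strip():
            continue                                 # 'Flags:' header or blank line
        body = (m.group(2) if m else line).strip()
        if body.startswith(";;;"):
            current["comment"] = body[3:].strip()    # RouterOS prints comments as ';;; text'
            continue
        for token in body.split():                   # key=value pairs; a value with spaces loses its tail
            if "=" in token:
                key, value = token.split("=", 1)
                current[key] = value.strip('"')
    return rules

def open_sensitive_forwards(rules):
    """dst-nat rules on a sensitive port with no src-address(-list) restriction."""
    hits = []
    for r in rules:
        port = int(r["dst-port"]) if r.get("dst-port", "").isdigit() else None
        if ((r.get("chain"), r.get("action")) == ("dstnat", "dst-nat") and port in SENSITIVE
                and not r.keys() & {"src-address", "src-address-list"}):
            hits.append((r["dst-address"], port, SENSITIVE[port], r["to-addresses"]))
    return hits

def has_hairpin_srcnat(rules, lan=LAN):
    """True if LAN->LAN traffic is source-NATed (exact prefix match), so hairpinned replies return via the router."""
    return any(r.get("chain") == "srcnat" and r.get("action") in ("masquerade", "src-nat")
               and r.get("src-address") == r.get("dst-address") == lan for r in rules)
```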