Hairpin NAT

Hi,

I need help setting up hairpin NAT. I have a PPPoE Connection, named Out with No-IP dynamic DNS (let’s say test.ddns.net) and I have set up port forward for my FreePBX. I need hairpin NAT for the roaming clients, in & out of LAN. These are the NAT rules I have now:

Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=masquerade out-interface=Out log=no log-prefix="" 
 1    chain=dstnat action=dst-nat to-addresses=192.168.1.3 to-ports=5060 protocol=udp in-interface=Out 
      dst-port=6050 log=no log-prefix="" 
 2    chain=dstnat action=dst-nat to-addresses=192.168.1.3 to-ports=10000-10100 protocol=udp 
      in-interface=Out dst-port=10000-10100 log=no log-prefix=""

Shameless self plug but the situation will suit you really well;
https://www.youtube.com/watch?v=_kw_bQyX-3U

My written guide with small script file to download, edit and automate here;
https://www.steveocee.co.uk/mikrotik/hairpin-nat/

Uses the built in MikroTik DDNS as well so effectively no 3rd party involvement.

Your question is?

From what I can see:
rule 1, dst-port=6050, is this a typo?

No, I redirect the port for security reasons, WAN Port 6050 → LAN Port 5060
What NAT rules do I have to set up for hairpin NAT so that I can access my FreePBX from LAN & WAN using the dynamic dns hostname test.ddns.net?

lots of useful tips here:
http://forum.mikrotik.com/t/freepbx-asterisk-firewall-and-nat-rules/91299/1

as for dynamic DNS, as long as the traffic can reach your router, the current NAT rule should work as it’s got in-interface=Out
turning off SIP helper in IP - Firewall - Service Ports, SIP

PS: MikroTik has its own DDNS, which is very handy: IP → Cloud, enable DDNS

As per solar77, the below rule is wrong, the standard port for SIP on internet is 5060, how will other SIP providers, etc know that they must now point to your PBX on port 6050?

chain=dstnat action=dst-nat to-addresses=192.168.1.3 to-ports=5060 protocol=udp in-interface=Out 
      dst-port=6050 log=no log-prefix=""

If you want your PBX to listen on a different port, then you need to configure it in your PBX and then change the rule to:

chain=dstnat action=dst-nat to-addresses=192.168.1.3 to-ports=6050 protocol=udp in-interface=Out 
      dst-port=5060 log=no log-prefix=""

IOW, it then comes in on standard SIP port 5060, your PBX 192.168.1.3 listens on 6050 and will be translated accordingly

Everything is working perfectly with my FreePBX and SIP clients, I just need the hairpin NAT settings.

Hi CZFan,

Many SIP clients allow you to specify the signalling port so you can use other ports than 5060.

However a simple port scan on the public IP will expose your PBX, the other post has got some useful tips. Use VPN or at least Access List to restrict access to your PBX

Have a look at the video I posted. Will show you how to do it as there is no “simple” option to tick.
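
For reference, one way to write hairpin NAT for the rules quoted in the first post. This is an added example, not taken from any poster, the linked guide or the video; the LAN subnet 192.168.1.0/24, the LAN interface name "bridge" and the list name "wan-ip" are assumptions, and it assumes the forward chain already lets LAN clients reach 192.168.1.3.

```routeros
# Added example, not from the thread. Assumed names: list "wan-ip",
# LAN interface "bridge", LAN subnet 192.168.1.0/24.

# Track the current public address through the DDNS hostname. Recent
# RouterOS versions accept a DNS name here and refresh the resolved
# entry automatically.
/ip firewall address-list
add list=wan-ip address=test.ddns.net comment="current WAN IP via DDNS"

# The original dst-nat rules match in-interface=Out, so packets from LAN
# clients (which arrive on the LAN interface) never hit them. Matching on
# the destination address covers WAN and LAN clients with a single rule.
# These replace rules 1 and 2 from the first post.
/ip firewall nat
add chain=dstnat action=dst-nat protocol=udp dst-address-list=wan-ip \
    dst-port=6050 to-addresses=192.168.1.3 to-ports=5060 \
    comment="SIP signalling, WAN 6050 -> PBX 5060"
add chain=dstnat action=dst-nat protocol=udp dst-address-list=wan-ip \
    dst-port=10000-10100 to-addresses=192.168.1.3 to-ports=10000-10100 \
    comment="RTP media"

# Hairpin: after dst-nat the packet goes LAN -> LAN. Without source NAT the
# PBX would answer the client directly and the client would drop the reply,
# because it comes from 192.168.1.3 and not from the public address it
# called. Masquerading forces the return path back through the router.
add chain=srcnat action=masquerade protocol=udp src-address=192.168.1.0/24 \
    dst-address=192.168.1.3 out-interface=bridge comment="hairpin NAT"

# Rule 0 from the first post (masquerade on out-interface=Out) stays as is.
```

With the hairpin rule in place, FreePBX sees every LAN client that dials the hostname as coming from the router's LAN address, so source-based access lists or automatic bans on the PBX will act on that one address instead of the individual phone.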