Hi all
I have some issues when trying to get hairpin nat to work. I have 2 vlans comming into the Mikrotik 1272 (WAN) and 3524 (MGMT). I have created vlan 30,40,50,60 for my customers with NAT. Vlan 30,50,60 is for all users and vlan 40 is for a specific customer, that wants it own puplic IP and portforwarding options. I have 2 IP adresses on vlan 1272 x.x.x.3 and x.x.x.4, x.x.x.3 is for all and x.x.x.4 is for the specific customer (10077777).
My issue is that i cannot get Hairpin nat to work, it works fine when i try to access the external IP x.x.x.4 outside on port 23 (a test setup) but when i try to access it from the LAN (192.168.40.x) on the outside IP, it dosen’t work. I’ve attached all my config below.
RouterOS 6.43.4
model = CCR1036-8G-2S+
/interface bridge
add name=br3524 protocol-mode=none
/interface vlan
add interface=sfp-sfpplus1 name=eth1-10GE.30 vlan-id=30
add interface=sfp-sfpplus1 name=eth1-10GE.3524 vlan-id=3524
add interface=sfp-sfpplus1 name=eth1-10GE.40 vlan-id=40
add interface=sfp-sfpplus1 name=eth1-10GE.50 vlan-id=50
add interface=sfp-sfpplus1 name=eth1-10GE.60 vlan-id=60
add interface=ether2 name=eth2.1272 vlan-id=1272
add interface=ether2 name=eth2.3524 vlan-id=3524
/ip pool
add name=dhcp_pool0 ranges=192.168.30.10-192.168.30.254
add name=dhcp_pool1 ranges=192.168.40.10-192.168.40.254
add name=dhcp_pool2 ranges=192.168.50.10-192.168.50.254
add name=dhcp_pool3 ranges=192.168.60.10-192.168.60.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=eth1-10GE.30 lease-time=1d name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=eth1-10GE.40 lease-time=1d name=dhcp2
add address-pool=dhcp_pool2 disabled=no interface=eth1-10GE.50 lease-time=1d name=dhcp3
add address-pool=dhcp_pool3 disabled=no interface=eth1-10GE.60 lease-time=1d name=dhcp4
/interface bridge port
add bridge=br3524 interface=eth1-10GE.3524
add bridge=br3524 interface=eth2.3524
/ip address
add address=10.1.51.120/24 interface=br3524 network=10.1.51.0
add address=X.X.X.3/25 interface=eth2.1272 network=X.X.X.0
add address=X.X.X.4/25 interface=eth2.1272 network=X.X.X.0
add address=192.168.30.1/24 interface=eth1-10GE.30 network=192.168.30.0
add address=192.168.40.1/24 interface=eth1-10GE.40 network=192.168.40.0
add address=192.168.50.1/24 interface=eth1-10GE.50 network=192.168.50.0
add address=192.168.60.1/24 interface=eth1-10GE.60 network=192.168.60.0
/ip dhcp-server network
add address=192.168.30.0/24 dns-server=8.8.8.8 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=8.8.8.8 gateway=192.168.40.1
add address=192.168.50.0/24 dns-server=8.8.8.8 gateway=192.168.50.1
add address=192.168.60.0/24 dns-server=8.8.8.8 gateway=192.168.60.1
/ip firewall address-list
add address=192.168.30.0/24 list=All
add address=192.168.50.0/24 list=All
add address=192.168.40.0/24 list=10077777
add address=192.168.60.0/24 list=All
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=to_All passthrough=yes src-address-list=All
add action=mark-routing chain=prerouting new-routing-mark=to_10077777 passthrough=yes src-address-list=10077777
/ip firewall nat
add action=masquerade chain=srcnat comment=Hairpin dst-address=192.168.40.0/24 src-address=192.168.40.0/24
add action=src-nat chain=srcnat comment=“Nat til All” out-interface=eth2.1272 routing-mark=to_All src-address-list=All to-addresses=X.X.X.3
add action=src-nat chain=srcnat comment=“Nat til 10077777” dst-address=!192.168.40.1 out-interface=eth2.1272 routing-mark=to_10077777 src-address-list=10077777 to-addresses=X.X.X.4
add action=dst-nat chain=dstnat comment=“Portforward port 23” dst-address-type=local dst-port=23 protocol=tcp to-addresses=192.168.40.2 to-ports=23
/ip route
add distance=1 gateway=X.X.X.1 routing-mark=to_All scope=255
add distance=1 gateway=X.X.X.1 routing-mark=to_10077777 scope=255
add distance=1 gateway=10.1.51.1
