Hairpin NAT?!

Hi!
I have a 24-port switch, all ports bridged.
On port 1 I have the internet connection (PPPoE).

I have a single nat rule:
0 chain=srcnat action=masquerade out-interface=pppoe-out1 log=no log-prefix=""

So I have internet connection.
I have a hikvision DVR.

I have a port forward rule:
1 chain=dstnat action=dst-nat to-addresses=192.168.10.189 protocol=tcp in-interface=pppoe-out1 dst-port=8000,8001 log=no log-prefix=""

I have capsman service with 3 CAP, same subnet 192.168.10.0/24

I have turned on IP:CLOUD and I have set it up under my domain name as a CNAME record.

I can access the DVR from 4G, but I cannot access it from the LAN using the CNAME subdomain record. I know it's because of a bad firewall rule.

https://wiki.mikrotik.com/wiki/Hairpin_NAT
I have read several posts on this forum about the same situation, but I cannot figure out what to do.

I have made an address list where the target is the IP cloud DNS name, because I have a dynamic WAN IP.

/ip firewall nat add chain=dstnat dst-address=DWANIP protocol=tcp dst-port=8000,8001 action=dst-nat to-address=192.168.10.189 add chain=srcnat out-interface=pppoe-out1 action=masquerade
/ip firewall nat add chain=srcnat src-address=192.168.10.0/24 dst-address=192.168.10.189 protocol=tcp dst-port=8001 out-interface=LAN action=masquerade

If I try to copy the first rule, I get an error at the "add chain=srcnat" part. If I remove the last part of the rule, I get: value of range expects range of ip addresses.

How can I make it work?

Thanks!

Put your Cloud domain name in as a firewall address list entry; call it 'mywanip'.

In the dst-nat rule, use dst-address-list=mywanip (and not in-interface=):
chain=dstnat action=dst-nat protocol=tcp dst-address-list=mywanip dst-port=8000,8001 to-addresses=192.168.10.189

Keep your original masquerade rule, but you need one more: the hairpin masquerade rule.
chain=srcnat action=masquerade out-interface=pppoe-out1 log=no

But above this, put the required additional one:
chain=srcnat action=masquerade src-address=192.168.10.0/24 dst-address=192.168.10.0/24

Done!!
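The three pieces of the answer above (address-list entry for the Cloud DNS name, dst-nat matching on dst-address-list, hairpin masquerade placed before the WAN masquerade) pulled together into one RouterOS command set. This is an added example, not anav's or MikroTik's own configuration; the list name mywanip and the DVR address 192.168.10.189 come from the thread, the DNS name dvr.example.com is a placeholder for the poster's own CNAME, and the "trusted" list on the last line is a hypothetical name.

```routeros
# --- Added example: complete hairpin NAT setup for the thread's scenario ---

# 1. Address-list entry holding the dynamic WAN IP. A DNS name is allowed
#    here; RouterOS resolves it and keeps the entry's address current as
#    the Cloud/CNAME record changes. (dvr.example.com is a placeholder.)
/ip firewall address-list add list=mywanip address=dvr.example.com \
    comment="dynamic WAN IP via Cloud DNS name"

# 2. Port forward. Match on the address list, NOT on in-interface, so the
#    rule also fires for LAN clients that connect to the public name.
/ip firewall nat add chain=dstnat action=dst-nat \
    dst-address-list=mywanip protocol=tcp dst-port=8000,8001 \
    to-addresses=192.168.10.189 comment="DVR port forward"

# 3. Hairpin masquerade: LAN -> LAN traffic that was just dst-natted must be
#    source-natted too, otherwise the DVR replies straight to the client,
#    the client sees an unexpected source address and drops the reply.
#    Keep this rule above the general WAN masquerade.
/ip firewall nat add chain=srcnat action=masquerade \
    src-address=192.168.10.0/24 dst-address=192.168.10.0/24 \
    comment="hairpin NAT"

# 4. The original WAN masquerade, unchanged.
/ip firewall nat add chain=srcnat action=masquerade \
    out-interface=pppoe-out1 comment="WAN masquerade"

# Check the resulting order; srcnat rules 2 and 3 are evaluated top-down.
/ip firewall nat print

# Optional hardening (defender's note): a DVR reachable from the whole
# internet is a frequent target. Limiting the forward to known sources with
# src-address-list=trusted on rule 2 (list name hypothetical) keeps the
# hairpin working for the LAN while exposing less to the outside.
```

If the forward should only hairpin for the DVR and nothing else on the LAN, the hairpin rule can be narrowed with dst-address=192.168.10.189 as the poster's own attempt did; the /24 form simply covers any future forwards as well.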

#if you are trying a Hairpin NAT try this:

/ip firewall nat add chain=srcnat src-address=192.168.10.0/24 dst-address=192.168.10.0/24 action=masquerade comment=HNAT

#And for Port Forwarding:

/ip firewall nat add chain=dstnat dst-address=DWANIP in-interface=pppoe-out1 protocol=tcp dst-port=8000,8001 action=dst-nat to-addresses=192.168.10.189

Hope this Helps you!!! :slight_smile:


No, I don't think it will help and in fact probably gets in the way (but who knows, I have been wrong before…)

(1) The additional masquerade rule is correct.
(2) However, the destination NAT rule is not correct.
There is no requirement to identify the in-interface as far as I know, and in fact it is replaced by (depending upon which of 3 possible solutions for dynamic IP is selected) different versions of dst-nat, NONE of them including in-interface=pppoe-out1.
(3) Further, it is not clear what the heck you are referring to by dst-address=DWANIP??? There is no IP address I am aware of that looks like that???

So if you note my previous post, you are referring to a dst-address**-list** which points to a firewall address list entry!!!

Hi anav,

The DWANIP is what I referred to as the WAN IP which the topic author mentioned in his post.

I think he is referring to Dynamic WAN IP.

In case he is getting a dynamic WAN IP, then he can use the Cloud feature in MikroTik, similar to DDNS.

Yes, but it's not in the right format.
INCORRECT dst-address=firewall_address_list_name
CORRECT dst-address**-list**=firewall_address_list_name (this is in addition to removing the in-interface=, as it's not required)