Hairpin NAT?

RouterOS Beginner Basics
1

For some reason I’m having a hell of a time with hairpin NAT. I’ve watch several videos, all of which are about the same and the setup seems pretty straight forward.

I know the NAT is working from the outside as it works from a VPN and when i hotspot from my phone.

I have a webserver running on 33333 on a box inside, i added NAT rules per

https://www.youtube.com/watch?v=1I5FywY6opQ&pp=ygUMaGFpciBwaW4gbmF0

and

https://www.youtube.com/watch?v=_kw_bQyX-3U&t=229s&pp=ygUVaGFpciBwaW4gbmF0IG1pa3JvdGlr0gcJCSIKAYcqIYzv

and

https://www.youtube.com/watch?v=KLu0U6b46fI&pp=ygUVaGFpciBwaW4gbmF0IG1pa3JvdGlr

adjusting for the small differences between.

nothing seems to work, just get an unable to connect.

2
  1. Probably not important but there is no need to manually set mask of 24 on this config line. I would remove it if you added it manually.

/ip dhcp-server network
add address=192.168.69.0/24 comment=defconf dns-server=192.168.69.1 gateway=
192.168.69.1 netmask=24

  1. Modify this rule:
    add action=drop chain=forward comment=
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
    connection-state=new in-interface-list=WAN

TO:

add action=accept chain=forward comment="internet traffic" in-interface-list=LAN \
   out-interface-list=WAN
add action=accept chain=forward comment="pt forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"


3.  Your hairpin sourcenat rule is fine.   However I dont see the purpose of this 
rule. Please explain what it does?

*add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\*
*    192.168.89.0/24*

especially since it may interfere with the hairpin nat..........  but not certain.

4.  NONE of your dstnat rules are formatted properly for a dynamic WANIP address in combination with users coming from the lan.   In-interface=ether1  is not good enough to include LAN users.......
You need to emulate the fixed WANIP  way of destination nat rules and to do that the easiest approach is to use the routers own IP Cloud address.

ex.

/ip firewall address-list
add address=mynetname.net list=MyWAN

/ip firewall nat
.......
add action=dst-nat chain=dstnat comment=http dst-port=80 dst-address=MyWAN \
    protocol=tcp to-addresses=192.168.69.3

To port not required if same as dst-port!

  1. Dont understand this one at all.

add action=dst-nat chain=dstnat comment=veinwebtest dst-address=68.72.135.165
dst-port=33333 in-interface=ether1 protocol=tcp src-port="" to-addresses=
192.168.69.3 to-ports=33333

What the heck is 68.72 etc............. and one doesnt mix both fixed WANIP and in-interface=ether1 generally speaking in the same rule.

  1. Do you really need upnp??