Hairpin NAT

Hello!
I’m a newbie here and begging for help.
I have a mail server behind a Mikrotik router. Here is the firewall NAT print:
/ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
chain=srcnat action=masquerade out-interface=wan

1 chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=3389 protocol=tcp in-interface=wan dst-port=33891
2 chain=dstnat action=dst-nat to-addresses=192.168.1.8 to-ports=3389 protocol=tcp in-interface=wan dst-port=33892
3 chain=dstnat action=dst-nat to-addresses=192.168.1.8 to-ports=44344 protocol=tcp in-interface=wan dst-port=44344
4 chain=dstnat action=dst-nat to-addresses=192.168.1.8 to-ports=25 protocol=tcp in-interface=wan dst-port=25
5 chain=dstnat action=dst-nat to-addresses=192.168.1.8 to-ports=8888 protocol=tcp in-interface=wan dst-port=8888
6 chain=dstnat action=dst-nat to-addresses=192.168.1.8 to-ports=465 protocol=tcp in-interface=wan dst-port=465
7 chain=dstnat action=dst-nat to-addresses=192.168.1.8 to-ports=995 protocol=tcp in-interface=wan dst-port=995
8 chain=dstnat action=dst-nat to-addresses=192.168.1.8 to-ports=9939 protocol=tcp in-interface=wan dst-port=9939
9 chain=dstnat action=dst-nat to-addresses=192.168.1.8 to-ports=2525 protocol=tcp in-interface=wan dst-port=2525

Please help me create a working Hairpin rule, because I’ve tried many times and nothing happens. I need connections from any host in 192.168.1.0/24 to the router’s WAN interface on ports 9939 and 2525. I’ve created a rule from the manual http://wiki.mikrotik.com/wiki/Hairpin_NAT - but had no luck.

PS
Sorry for my bad English

Post your filter rules also. Specifically the forward table.


Thanks for the fast answer,
/ip firewall filter> print

jul/22/2013 13:50:20 by RouterOS 6.1

Flags: X - disabled, I - invalid, D - dynamic
0 chain=input action=accept protocol=icmp
1 chain=input action=accept connection-state=established
2 chain=input action=accept connection-state=related
3 chain=input action=accept protocol=tcp in-interface=wan dst-port=18291
4 chain=input action=accept protocol=tcp in-interface=wan dst-port=22222
5 ;;; L2TP
chain=input action=accept connection-state=new protocol=udp in-interface=wan dst-port=500
6 chain=input action=accept connection-state=new protocol=udp in-interface=wan dst-port=1701
7 chain=input action=accept connection-state=new protocol=udp in-interface=wan dst-port=4500
8 chain=input action=accept connection-state=new protocol=ipsec-esp in-interface=wan
9 chain=input action=drop in-interface=wan
10 chain=forward action=accept connection-state=established
11 chain=forward action=accept connection-state=related
12 chain=forward action=drop protocol=tcp src-address=192.168.1.8 out-interface=wan dst-port=443
13 chain=forward action=drop src-address=0.0.0.0/8
14 chain=forward action=drop dst-address=0.0.0.0/8
15 chain=forward action=drop src-address=127.0.0.0/8
16 chain=forward action=drop dst-address=127.0.0.0/8
17 chain=forward action=drop src-address=224.0.0.0/3
18 chain=forward action=drop dst-address=224.0.0.0/3
19 chain=tcp action=drop protocol=tcp dst-port=69
20 chain=udp action=drop protocol=udp dst-port=69
21 chain=tcp action=drop protocol=tcp dst-port=111
22 chain=udp action=drop protocol=udp dst-port=111
23 chain=tcp action=drop protocol=tcp dst-port=135
24 chain=udp action=drop protocol=udp dst-port=135
25 chain=tcp action=drop protocol=tcp dst-port=137-139
26 chain=udp action=drop protocol=udp dst-port=137-139
27 chain=tcp action=drop protocol=tcp dst-port=445
28 chain=tcp action=drop protocol=tcp dst-port=2049
29 chain=udp action=drop protocol=udp dst-port=2049
30 chain=tcp action=drop protocol=tcp dst-port=3133
31 chain=udp action=drop protocol=udp dst-port=3133
32 chain=tcp action=drop protocol=tcp dst-port=12345-12346
33 chain=tcp action=drop protocol=tcp dst-port=20034
34 chain=forward action=drop connection-state=invalid

You’re missing the SNAT rules.

/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.8 protocol=tcp dst-port=9939 out-interface=LAN action=masquerade
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.8 protocol=tcp dst-port=2525 out-interface=LAN action=masquerade

Thanks, I’ll try it later.

I’ve added these rules and put them at the top, but nothing changes - I can’t access these ports using domain.name %(

Use the following rules; get rid of everything else except a default masq if you’re using it. Also put your WANIP in there…

/ip firewall nat
add chain=dstnat dst-address=WANIP protocol=tcp dst-port=9939 action=dst-nat to-addresses=192.168.1.8
add chain=dstnat dst-address=WANIP protocol=tcp dst-port=2525 action=dst-nat to-addresses=192.168.1.8
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.8 protocol=tcp dst-port=9939 out-interface=LAN action=masquerade
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.8 protocol=tcp dst-port=2525 out-interface=LAN action=masquerade
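
An added example, not part of the thread: a simplified Python model of the two NAT chains, following one LAN client through each rule combination discussed above (dstnat matched on in-interface=wan versus dst-address=WANIP, with and without the srcnat masquerade). The WAN address 203.0.113.5, the router LAN address 192.168.1.1 and the client 192.168.1.50 are constructed assumptions.

```python
from dataclasses import dataclass, replace

WAN_IP = "203.0.113.5"         # constructed placeholder for WANIP
ROUTER_LAN_IP = "192.168.1.1"  # assumed router LAN address (not in the thread)
SERVER = "192.168.1.8"         # mail server from the thread
HAIRPIN_PORTS = (9939, 2525)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_if: str

def dstnat(pkt, match_on):
    """'in-interface' models in-interface=wan; 'dst-address' models dst-address=WANIP."""
    if pkt.dport not in HAIRPIN_PORTS:
        return pkt
    hit = pkt.in_if == "wan" if match_on == "in-interface" else pkt.dst == WAN_IP
    return replace(pkt, dst=SERVER) if hit else pkt

def srcnat(pkt, hairpin_masq):
    """Masquerade LAN-to-server traffic so the server answers the router."""
    if hairpin_masq and pkt.src.startswith("192.168.1.") and pkt.dst == SERVER:
        return replace(pkt, src=ROUTER_LAN_IP)
    return pkt

def hairpin_result(client, dport, match_on, hairpin_masq):
    """Follow one LAN client connecting to WANIP:dport through both NAT chains."""
    pkt = dstnat(Packet(client, WAN_IP, dport, "lan"), match_on)
    if pkt.dst != SERVER:
        return "not forwarded: dstnat never matched the LAN-side packet"
    pkt = srcnat(pkt, hairpin_masq)
    if pkt.src != ROUTER_LAN_IP:
        # Server and client share a subnet, so the reply skips the router
        # and arrives from 192.168.1.8 instead of the WANIP the client dialed.
        return f"broken: reply comes from {SERVER}, client expected {WAN_IP}"
    return f"ok: reply returns via router and is translated back to {WAN_IP}"

if __name__ == "__main__":
    for match_on in ("in-interface", "dst-address"):
        for masq in (False, True):
            print(match_on, masq, "->",
                  hairpin_result("192.168.1.50", 9939, match_on, masq))
```

With the masquerade in place the mail server sees every internal client as the router's LAN address, so its logs and any per-IP allowlists or rate limits no longer distinguish LAN hosts on these ports.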