I am struggling with hairpin nat. I have never had this issue before until I started using Mikrotik. I have tried all suggestions on this forum and searched google, but nothing has worked for me, and I’m not sure if I have a total understanding of it.
What I am trying to do it access my security cameras from inside my lan with my dyndns address. It works fine from the outside, but not at all from the inside. I don’t want to have to create another local login address.
Do I need to do something specific to handle the dyndns address that changes?
If anyone has done this before and can help me out I would appreciate it.
efaden
August 4, 2013, 5:02pm
2
tabate47:
I am struggling with hairpin nat. I have never had this issue before until I started using Mikrotik. I have tried all suggestions on this forum and searched google, but nothing has worked for me, and I’m not sure if I have a total understanding of it.
What I am trying to do it access my security cameras from inside my lan with my dyndns address. It works fine from the outside, but not at all from the inside. I don’t want to have to create another local login address.
Do I need to do something specific to handle the dyndns address that changes?
If anyone has done this before and can help me out I would appreciate it.
Post your configuration… My guess is that your missing the snat
Sent from my SCH-I545 using Tapatalk 2
Here is my entire firewall:
/ip firewall address-list
For some reason, it is working now. Why is it working without my external public address?
efaden
August 4, 2013, 7:22pm
4
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=ether1-gateway
add action=dst-nat chain=dstnat comment="hairpin cctv" disabled=no dst-port=8181 protocol=tcp to-addresses=10.0.1.4 to-ports=8181
add action=masquerade chain=srcnat disabled=no dst-address-list=Localnet out-interface=ether2-master-local src-address-list=Localnet
They are in the wrong order… your general masq should be after your hairpin masq.
Ok, I’ll adjust that, but, why is this working without putting in my wan ip address? Am I opening myself up too much on the firewall?
Also, if I do need to input my wan ip address, how do I keep it updated? My isp does not give me a static ip.
Thanks.
efaden
August 4, 2013, 10:47pm
6
tabate47:
Ok, I’ll adjust that, but, why is this working without putting in my wan ip address? Am I opening myself up too much on the firewall?
Also, if I do need to input my wan ip address, how do I keep it updated? My isp does not give me a static ip.
Thanks.
You don’t actually need your WAN IP if you only have one. Your rules need a fix though… it should look something like this/.
add action=masquerade chain=srcnat src-address=10.0.1.0/24 dst-address=10.0.1.4 protocol=tcp port=8181 out-interface=bridge-local
add action=masquerade chain=srcnat disabled=no out-interface=ether1-gateway
add action=dst-nat chain=dstnat dst-port=8181 protocol=tcp to-addresses=10.0.1.4 to-ports=8181
Do you mean only one wan, not Dual wan, or a static wan ip?
How come my rules work?
Are yours better?
Thanks
efaden
August 5, 2013, 11:18am
8
The rules I posted will work with multiple WAN, but will dst-nat ALL public IPs. If you only want to dst-nat a single one you have to put it into the rule.
Your rules work because you are MASQ ALL traffic to the server from the internal network.
Mine aren’t necessarily better… just depends on your goal. I would prefer to only masq the port I needed… but doing all traffic works fine too.
Ok, I understand. Is it safe to allow all public ip’s? What I am trying to do is to make it work the safest way possible. Is your way the safest?
Thanks.
efaden
August 5, 2013, 12:52pm
10
Safe is all relative. Your allowing public access to your internal server. So really the security depends on that internal server. Really it would be more secure to allow only a VPN and then use a VPN to connect to the server.
That’s true.
I tried the config you posted, but it did not work. I think it may have something to do with out-interface=bridge-local. What is bridge-local? I don’t seem to have that option.
efaden
August 5, 2013, 1:06pm
12
You have to use whatever your local interface is.
For whatever reason, it is not working. I will have to look at it some more.
Once I nail down this hairpin nat, I have solved most of my basic learning curve with Mikrotik.
Then I can get into more detail.
Thanks.
I was not able to get this working.
Here is my firewall and rules:
/ip firewall filter
At this point I have tried so many different combinations, I am not sure what I am doing wrong.
efaden
August 5, 2013, 10:22pm
16
tabate47:
I was not able to get this working.
Here is my firewall and rules:
/ip firewall filter
At this point I have tried so many different combinations, I am not sure what I am doing wrong.
What part doesn’t work? Can you post your bridge and interface configurations? Also is there anything in the forward chain in the firewall?
I cannot access my cctv cameras with my dyndns address from inside my network while on my own lan. I can access them while I’m on another network.
Here is the info you wanted:
/interface bridge settings
/interface ethernet
efaden
August 5, 2013, 11:12pm
18
Whoops… sorry.. I had an error in mine… To make it work for now just use your WAN IP
add action=dst-nat chain=dstnat comment="CCTV Port Forward" disabled=no dst-port=8181 in-interface=ether1-gateway protocol=tcp to addresses=10.0.1.4 to-ports=8181
add action=dst-nat chain=dstnat disabled=no dst-addresses=WANIP to-addresses=10.0.1.4
add action=src-nat chain=src-nat disabled=no src-addresses=10.0.1.4 to-addresses=WANIP
add action=masquerade chain=srcnat disabled=no out-interface=ether1-gateway
I know I can use my wan… but that’s my point. I want to be able to do this without using my wan, because when my wan changes, I lose connection!
Isn’t there a way to do this without using my wan? I don’t have a static wan ip from my isp, so I need to find a way to do this without using my wan address.
efaden
August 5, 2013, 11:28pm
20
tabate47:
I know I can use my wan… but that’s my point. I want to be able to do this without using my wan, because when my wan changes, I lose connection!
Isn’t there a way to do this without using my wan? I don’t have a static wan ip from my isp, so I need to find a way to do this without using my wan address.
I just can’t seem to figure it out right this second… What you could do is write a script to update the rules if your WAN IP changes.