Hairpin NAT

So I recently bought a RB2011UAS-2HnD-IN and I guess I’m in a bit over my head, I’m having a difficult time getting this to work.

My goal is to forward some ports to various devices on my network and then use the external addresses to access them regardless of where I happen to be connected, be it at home on my local network or across the country through my cell phone. In order to do this I’m fairly certain I need to use Hairpin NAT.

My configuration is as follows:

Router has a dynamic WAN IP
Router’s internal IP is 192.168.10.1
Desktop PC on ether3 with IP 192.168.10.10
Server (forward target) on ether2 with ip 192.168.10.15

I tried the following:

/ip firewall nat add chain=dstnat in-interface=ether1-gateway protocol=tcp dst-port=22 action=dst-nat to-address=192.168.10.15
/ip firewall nat add chain=srcnat out-interface=ether1-gateway action=masquerade
/ip firewall nat add chain=srcnat src-address=192.168.10.0/24 dst-address=192.168.10.15 protocol=tcp dst-port=22 out-interface=ether3 action=masquerade

Which resulted in the port forward working externally, but if I tried to use the external address from within my network the connection was directed to my router and not forwarded beyond that.


Any help would be much appreciated.

With these rules the DST NAT is only occurring on traffic with in-interface Ether 1. You can either add another DST NAT rule to cover the locally originated traffic or change the selection criteria to cover both. e.g. if you have a static IP use that to select rather than in-interface.
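To see why the question's rules stop at the router and what changing the selection criteria does, here is a constructed Python model (added here, not code from the thread or from RouterOS) that walks one packet through dstnat, routing and srcnat using the topology from the question. The WAN address 203.0.113.7 is a placeholder for the dynamic one; dst-address-type=local and "!" negation are RouterOS matchers, and to-addresses is the full spelling of the to-address used above.

```python
# Constructed model (not code from the thread) of RouterOS NAT order for the hairpin
# case: dstnat (prerouting) -> routing -> srcnat (postrouting). Topology from the question.
WAN_IP = "203.0.113.7"                        # placeholder for the dynamic WAN address
ROUTER_ADDRS = {WAN_IP, "192.168.10.1"}       # what dst-address-type=local matches
OUT = {"192.168.10.15": "ether2"}             # server on ether2; other LAN hosts on ether3

def matches(rule, pkt):
    for key, want in rule.items():
        if key in ("chain", "action", "to-addresses"):
            continue
        if key == "dst-address-type":
            if (pkt["dst-address"] in ROUTER_ADDRS) != (want == "local"):
                return False
        elif key == "src-address" and want.endswith("/24"):
            if not pkt["src-address"].startswith(want[:want.rfind(".") + 1]):
                return False
        elif (pkt.get(key) == want.lstrip("!")) == want.startswith("!"):
            return False                      # plain or "!"-negated single value
    return True

def nat(rules, pkt):
    """Trace one packet; returns it as the router would forward (or keep) it."""
    pkt = dict(pkt)
    for r in rules:                           # first matching dstnat rule rewrites dst
        if r["chain"] == "dstnat" and matches(r, pkt):
            pkt["dst-address"] = r["to-addresses"]
            break
    if pkt["dst-address"] in ROUTER_ADDRS:    # still ours: input chain, never forwarded
        return {**pkt, "verdict": "input"}
    dst = pkt["dst-address"]
    pkt["out-interface"] = OUT.get(dst, "ether3" if dst.startswith("192.168.10.") else "ether1-gateway")
    for r in rules:                           # first matching srcnat rule rewrites src
        if r["chain"] == "srcnat" and matches(r, pkt):
            pkt["src-address"] = WAN_IP if pkt["out-interface"] == "ether1-gateway" else "192.168.10.1"
            break
    return {**pkt, "verdict": "forward"}
MASQ_WAN = {"chain": "srcnat", "out-interface": "ether1-gateway", "action": "masquerade"}
ORIGINAL = [  # the question's rules: dstnat only sees packets arriving on the WAN port
    {"chain": "dstnat", "in-interface": "ether1-gateway", "protocol": "tcp", "dst-port": "22",
     "action": "dst-nat", "to-addresses": "192.168.10.15"}, MASQ_WAN,
    {"chain": "srcnat", "src-address": "192.168.10.0/24", "dst-address": "192.168.10.15",
     "protocol": "tcp", "dst-port": "22", "out-interface": "ether3", "action": "masquerade"}]
HAIRPIN = [  # select on the router's own addresses, but leave its LAN address (SSH) alone
    {"chain": "dstnat", "dst-address-type": "local", "dst-address": "!192.168.10.1",
     "protocol": "tcp", "dst-port": "22", "action": "dst-nat", "to-addresses": "192.168.10.15"},
    MASQ_WAN,  # and masquerade LAN->server on the server's port so replies return via router
    {"chain": "srcnat", "src-address": "192.168.10.0/24", "dst-address": "192.168.10.15",
     "protocol": "tcp", "dst-port": "22", "out-interface": "ether2", "action": "masquerade"}]
LAN_CLIENT = {"src-address": "192.168.10.10", "dst-address": WAN_IP, "in-interface": "ether3",
              "protocol": "tcp", "dst-port": "22"}
```

The srcnat rule toward ether2 is what makes the server answer through the router; without it the server replies to 192.168.10.10 directly from .15 and the desktop discards a reply it never expected from that address.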

Congratulations on buying a MikroTik, I'm having so much fun with mine. Understand that there are several ways to accomplish the same thing, and based on how you start will determine how you finish up. I like to do as much matching on interfaces as possible before delving into IP address and whatnot. However, I'm new to RouterOS so keep that in mind.

Using the GUI tool, go to Files and make a backup of your system. Then go to /ip firewall filter and /ip firewall nat and delete all your existing rules. Inspect these rules I've made for you below, then copy and paste them in from a New Terminal screen. Do change ether-LAN to match your interface name (which is probably ether2 in your case) and ether-WAN (which looks like ether1-gateway).

Understand that should you ever want to port forward to 22 from 52 the meaning of dst-port and to-port change based on the chain (forward, prerouting, etc) when you have masquerade turned on. So, reverse things if you can't make it work in those situations. However, what you're doing here is a 1:1 so it will work.
#Router and internal network protection, with an internal server, LAN is considered friendly
/ip firewall filter
add chain=input action=drop connection-state=invalid comment="Disallow weird packets"
add chain=input action=accept connection-state=new in-interface=ether-LAN comment="Allow LAN access to the router itself"
add chain=input action=accept connection-state=established comment=" ^^ that originated from LAN"
add chain=input action=accept connection-state=related comment=" ^^ that originated from LAN"
add chain=input action=accept protocol=icmp comment="Allow ping ICMP from anywhere"
add chain=input action=drop comment="Disallow anything from anywhere on any interface"
add chain=forward action=drop connection-state=invalid comment="Disallow weird packets"
add chain=forward action=accept connection-state=new in-interface=ether-LAN comment="Allow LAN access to move through the router"
add chain=forward action=accept connection-state=established comment=" ^^ that originated from LAN"
add chain=forward action=accept connection-state=related comment=" ^^ that originated from LAN"
add chain=forward action=accept protocol=tcp dst-port=22 comment="Filter exception for port mapped server"
add chain=forward action=drop comment="Disallow anything from anywhere on any interface"

Port Forward (map) to an internal LAN server.

/ip firewall nat add chain=srcnat action=masquerade out-interface=ether-WAN comment="Turn on masquerading"
/ip firewall nat add chain=dstnat action=dst-nat protocol=tcp to-address=1.2.3.4 dst-port=22 to-port=22 comment="Create an incoming port map rule"

I forgot to mention one other thing … port 22 is a service port listed at /ip services and thus you may need to change it to be something else.

Thanks for the replies.

pcunite: I did as suggested which resulted in no internet connectivity, I’m guessing because of the 2 default rules that were just disabled?

[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; default configuration
     chain=srcnat action=masquerade out-interface=sfp1-gateway

 1   ;;; default configuration
     chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=ether1-gateway

Hi Ommand,

I am having the same issue as you. Did you manage to solve the issue?

My hotspot users are able to authenticate but they cannot access the internet.

[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough log=no log-prefix=""

1 ;;; Turn on masquerading
chain=srcnat action=masquerade out-interface=WAN log=no log-prefix=""

2 chain=dstnat action=dst-nat to-addresses=10.10.1.0 log=no log-prefix=""


Firewall rule export:

# dec/14/2014 10:09:27 by RouterOS 6.23
# software id = NGTX-GNXG

/ip firewall connection tracking
set enabled=yes
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add chain=input comment="Allow access to Router from 10.10.1.0 network" src-address=10.10.1.0/24
add action=drop chain=input comment="Disallow weird packet" connection-state=invalid disabled=yes
add chain=input comment="Allow hotspot user access to router and Internet" connection-state=new in-interface=Hotspot
add chain=input comment="Allow connections that originated from hotspot" connection-state=established
add chain=input comment="Allow connections that originated from hotspot" connection-state=related
add chain=input comment="Allow ping ICMP from anywhere" protocol=icmp
add action=drop chain=forward comment="Disallow weird packets" connection-state=invalid disabled=yes
add chain=forward comment="Allow LAN access to router and Internet" connection-state=new disabled=yes in-bridge-port=Hotspot
add chain=forward comment="Allow connections that originated from hotspot" connection-state=established
add chain=forward comment="Allow connections that originated from hotspot" connection-state=related
add chain=forward comment="Open port 80 for Web Server" dst-address=0.0.0.0 dst-port=80 protocol=tcp
add action=drop chain=forward disabled=yes
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="Turn on masquerading" out-interface=WAN
add action=dst-nat chain=dstnat to-addresses=10.10.1.0


Thanks if someone can help with this issue.

Regards,

Sotheara