PsYcH
September 12, 2019, 8:43am
1
Hello, so trying to make hairpin in my network for port 2222 which runs on IP 192.168.1.203, but just cant make it work… Here is my rules:
add action=dst-nat chain=dstnat comment="testinis 2222" disabled=yes dst-port=\
2222 in-interface=bridge1 protocol=tcp src-address=192.168.1.0/24 \
to-addresses=192.168.1.203 to-ports=2222
add action=masquerade chain=srcnat dst-address=192.168.1.203 dst-port=2222 \
out-interface=bridge1 protocol=tcp src-address=192.168.1.0/24
add action=dst-nat chain=dstnat comment="Allow ESXI " dst-port=\
52960,80,443 in-interface=ether1 protocol=tcp src-address=some public IP \
to-addresses=192.168.1.200
add action=dst-nat chain=dstnat comment="ESMC" disabled=yes dst-port=\
2222,2223,3128 in-interface=ether1 protocol=tcp to-addresses=192.168.1.203
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat comment="RDP" dst-port=3389 \
protocol=tcp to-addresses=192.168.1.202
add action=dst-nat chain=dstnat comment="RDP" disabled=yes \
dst-address=88.119.49.142 dst-port=3389 protocol=tcp src-address=\
192.168.1.0/24 to-addresses=192.168.1.202
add action=add-dst-to-address-list address-list="" address-list-timeout=\
none-dynamic chain=srcnat disabled=yes dst-address=Some public IP dst-port=\
3389 log=yes protocol=tcp src-address=192.168.1.12 to-ports=3389
Modify this to work as you need it:https://www.youtube.com/watch?v=_kw_bQyX-3U
PsYcH
September 13, 2019, 2:08pm
3
ok so I have added the rule to the top of my NAT rules:
Sob
September 13, 2019, 2:30pm
4
Even your original config should work (if you enable first rule). So make sure that packets are really passing through router (you can add logging rules in prerouting and postrouting) and if not, see where they are blocked.
You clearly haven’t done everything it says to then. There is more than just 1 line of srcnat.
PsYcH
September 14, 2019, 9:23am
6
if heard right, he says that i`m finished if i do have static public IP
Try watching further the entire video, it needs the port forward rules creating PROPERLY to work.
He / I am quite sure if done properly it will work.
PsYcH
September 17, 2019, 9:31am
8
Try watching further the entire video, it needs the port forward rules creating PROPERLY to work.
He / I am quite sure if done properly it will work.
Wont get it how adress list can help with hairpin. I have did as he shows with address list, but it wont work. As example, I try to telnet 192.168.1.201 → 192.168.1.203:2222 it work, then if i try 192.168.1.201 —> 88.x.x.142(public ip):2222 it wont work, so I think that DNS stuff have nothing to do with this
Sob
September 17, 2019, 9:50am
9
Trace the packets, you need to see what exactly happens. Add something like (at the top):
/ip firewall mangle
add chain=prerouting protocol=tcp dst-port=2222 action=log log-prefix=step1
add chain=postrouting protocol=tcp dst-port=2222 action=log log-prefix=step2
add chain=prerouting protocol=tcp src-port=2222 action=log log-prefix=step3
add chain=postrouting protocol=tcp src-port=2222 action=log log-prefix=step4
Step1 is incoming request, step2 means that it passed through router (dstnat works and forward filter does not block it), step3 is response from server, finally step4 is response going back to client. In your case, something will be missing and it will tell you where to look for problem.
Try watching further the entire video, it needs the port forward rules creating PROPERLY to work.
He / I am quite sure if done properly it will work.
Wont get it how adress list can help with hairpin. I have did as he shows with address list, but it wont work. As example, I try to telnet 192.168.1.201 → 192.168.1.203:2222 it work, then if i try 192.168.1.201 —> 88.x.x.142(public ip):2222 it wont work, so I think that DNS stuff have nothing to do with this
DNS has nothing to do with this. Stop getting hung up on it, you’re clearly not understanding the key elements here.
Don’t use in-interface as that breaks it severely in this scenario as packets may be coming from either LAN or WAN
PsYcH
September 17, 2019, 3:45pm
11
Try watching further the entire video, it needs the port forward rules creating PROPERLY to work.
He / I am quite sure if done properly it will work.
Wont get it how adress list can help with hairpin. I have did as he shows with address list, but it wont work. As example, I try to telnet 192.168.1.201 → 192.168.1.203:2222 it work, then if i try 192.168.1.201 —> 88.x.x.142(public ip):2222 it wont work, so I think that DNS stuff have nothing to do with this
DNS has nothing to do with this. Stop getting hung up on it, you’re clearly not understanding the key elements here.
Don’t use in-interface as that breaks it severely in this scenario as packets may be coming from either LAN or WAN
That was clearly the problem that i missed that part about destination IP and its quite logic :slight_smile: Thank you! Now from LAN i can resolve with my external IP, BUT, now I cant reach it from external network. I have added the rules in mangle as Sob said, and it gets stuck on phase 2, phase 3 wont appear, looks like router makes some kind of loop inside. the step 2says:
add action=dst-nat chain=dstnat dst-address=routerExternalIP dst-port=2222 \
protocol=tcp to-addresses=192.168.1.203
says go to 192.168.1.203 and we get looped?
That was clearly the problem that i missed that part about destination IP and its quite logic :slight_smile: Thank you! Now from LAN i can resolve with my external IP, BUT, now I cant reach it from external network.
The irony being that the DDNS/Address List part is in reference to directing to the dst-address ?!?!?
Can you provide an export of the NAT rules you have now, edit out the ones you have disabled as they make it harder reading through. This is nearly sorted.
PsYcH
September 18, 2019, 6:24am
14
That was clearly the problem that i missed that part about destination IP and its quite logic :slight_smile: Thank you! Now from LAN i can resolve with my external IP, BUT, now I cant reach it from external network.
The irony being that the DDNS/Address List part is in reference to directing to the dst-address ?!?!?
Can you provide an export of the NAT rules you have now, edit out the ones you have disabled as they make it harder reading through. This is nearly sorted.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="HAIRPIN NAT" dst-address=192.168.1.0/24 src-address=192.168.1.0/24
add action=dst-nat chain=dstnat comment="ESXI" dst-port=52960,80,443 in-interface=ether1 protocol=tcp src-address=someIP to-addresses=192.168.1.200
add action=dst-nat chain=dstnat dst-address=routerWAN_IP dst-port=2222 protocol=tcp to-addresses=192.168.1.203
add action=dst-nat chain=dstnat comment="RDP" dst-port=3389 protocol=tcp to-addresses=192.168.1.202
add action=dst-nat chain=dstnat comment="2222 from external" dst-port=2222 protocol=tcp to-addresses=192.168.1.203
RDP on 3389 is working.
You do not need both of these rules.
add action=dst-nat chain=dstnat dst-address=routerWAN_IP dst-port=2222 protocol=tcp to-addresses=192.168.1.203
add action=dst-nat chain=dstnat comment="2222 from external" dst-port=2222 protocol=tcp to-addresses=192.168.1.203
If you are resolving by hostname internally then all traffic will hit this rule.
add action=dst-nat chain=dstnat dst-address=routerWAN_IP dst-port=2222 protocol=tcp to-addresses=192.168.1.203
Unless there is some firewall then this will work.
PsYcH
September 18, 2019, 10:20am
16
You do not need both of these rules.
add action=dst-nat chain=dstnat dst-address=routerWAN_IP dst-port=2222 protocol=tcp to-addresses=192.168.1.203
add action=dst-nat chain=dstnat comment="2222 from external" dst-port=2222 protocol=tcp to-addresses=192.168.1.203
If you are resolving by hostname internally then all traffic will hit this rule.
add action=dst-nat chain=dstnat dst-address=routerWAN_IP dst-port=2222 protocol=tcp to-addresses=192.168.1.203
Unless there is some firewall then this will work.
Tried to disable one rule, then another, then both, nothing helps, here is my firewall:
/ip firewall filter
add action=accept chain=input comment="allow L2TP VPN (500,4500,1701/udp)" dst-port=500,1701,4500 in-interface=ether1 protocol=udp
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward dst-address=192.168.1.200 dst-port=52960,80,443 protocol=tcp
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=ether1
add action=drop chain=input comment="WINBOX only from VPN" disabled=yes dst-port=8291 protocol=tcp src-address=!192.168.99.0/24
add action=accept chain=input comment="allow L2TP VPN (ipsec-esp)" in-interface=ether1 protocol=ipsec-esp
add action=accept chain=forward comment=UPTIMEROBOT dst-address=192.168.1.202 dst-port=3389 in-interface=ether1 protocol=tcp src-address-list=UPTIMEROBOT
add action=accept chain=forward dst-address=192.168.1.202 dst-port=3389 in-interface=ether1 protocol=tcp src-address=someIP
add action=accept chain=forward dst-address=192.168.1.202 dst-port=3389 in-interface=ether1 protocol=tcp src-address=someIP
add action=accept chain=forward dst-address=192.168.1.202 dst-port=3389 in-interface=ether1 protocol=tcp src-address=someIP
add action=accept chain=forward dst-address=192.168.1.202 dst-port=3389 in-interface=ether1 protocol=tcp src-address=someIP
add action=accept chain=forward dst-address=192.168.1.202 dst-port=3389 in-interface=ether1 protocol=tcp src-address=someIP
add action=accept chain=forward comment="Eimantas" dst-address=192.168.1.202 dst-port=3389 in-interface=ether1 protocol=tcp src-address=someIP
add action=accept chain=forward dst-address=192.168.1.202 dst-port=3389 in-interface=ether1 protocol=tcp src-address=someIP
add action=accept chain=forward dst-address=192.168.1.202 dst-port=3389 in-interface=ether1 protocol=tcp src-address=someIP
add action=accept chain=forward dst-address=192.168.1.202 dst-port=3389 in-interface=ether1 protocol=tcp src-address=someIP
add action=accept chain=forward dst-address=192.168.1.202 dst-port=3389 in-interface=ether1 protocol=tcp src-address=someIP
add action=accept chain=forward dst-address=192.168.1.202 dst-port=3389 in-interface=ether1 protocol=tcp src-address=someIP
add action=accept chain=forward dst-address=192.168.1.202 dst-port=3389 in-interface=ether1 protocol=tcp src-address=someIP
add action=accept chain=forward dst-address=192.168.1.202 dst-port=3389 in-interface=ether1 protocol=tcp src-address=someIP
add action=accept chain=forward dst-address=192.168.1.202 dst-port=3389 in-interface=ether1 protocol=tcp src-address=someIP
add action=drop chain=forward comment="drop RDP" dst-address=192.168.1.202 dst-port=3389 in-interface=ether1 protocol=tcp
Sob
September 18, 2019, 11:31am
17
The public address routerWAN_IP is directly on this router (you’d see it in IP->Addresses), not on some other router, modem or whatever, right?
PsYcH
September 18, 2019, 1:05pm
18
The public address routerWAN_IP is directly on this router (you’d see it in IP->Addresses), not on some other router, modem or whatever, right?
yes, correct, we get this IP directly through our ISP by WAN (eth1) port.
Sob
September 18, 2019, 3:57pm
19
Everything looks like it should work. I’d do some things differently, but that’s not the problem now. I skimmed through older posts and if you still have my logging rules and you do see steps 1 and 2, but do not step 3, it would be problem with server not responding. So a step back, what was the original problem? Did it work from outside and not from inside, or neither? If the latter, it could be firewall on server accepting connections only from local subnet.
PsYcH
September 19, 2019, 8:09am
20
Everything looks like it should work. I’d do some things differently, but that’s not the problem now. I skimmed through older posts and if you still have my logging rules and you do see steps 1 and 2, but do not step 3, it would be problem with server not responding. So a step back, what was the original problem? Did it work from outside and not from inside, or neither? If the latter, it could be firewall on server accepting connections only from local subnet.
Sob, the problem was with HairPin, so that it was not working from inside using external IP, but it was working from external, but now it`s not working from outside but working from inside. Your logging rules is still enabled and yes i get till step 2, but step 3 and 4 wont appear when reaching it from outside, and service is definately working and running(testing it from inside network). BTW, on server side (192.168.1.203) nothing changed, like firewall, etc., server should be not blocking it either.
