Hairpin or DNS

If you have a web server, for example, or an FTP server etc. Which is better:

Enable DNS, force LAN clients to use the router's DNS and make a static record for www.test.com pointing to 192.168.0.10

or use

Hairpin and two rules: dstnat for the port and masquerade for srcnat, for each port?

I prefer hairpin just because so many users have notebooks that come and go now. DNS will get cached and can cause you not to be able to connect.

It depends. DNS is probably the more proper solution, while hairpin NAT is more like a dirty trick (well, the whole of NAT is sort of a dirty trick).

On the other hand, hairpin NAT is easier to maintain and in some ways works better. You can add one universal hairpin NAT rule and forget about it, knowing that it will work with any future forwarded port, with any hostname, or even without one, with just a numeric address.

DNS is better if you know there will be a lot of traffic between internal clients and the internal server. Setting the DNS record to the internal address will allow them to communicate directly, instead of all traffic bouncing through the router.

Universal hairpin NAT rule, what do you mean, something like this:

add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.238 protocol=tcp dst-port=80 \
    out-interface=bridge-local action=masquerade

but not using a specified port?

I use the following - it's a "set it and forget it" rule.

/ip firewall nat
add action=masquerade chain=srcnat dst-address-list=PrivateIPS out-interface=lan0 src-address-list=PrivateIPS

/ip firewall address-list
# the three RFC 1918 private ranges
add address=10.0.0.0/8 list=PrivateIPS
add address=172.16.0.0/12 list=PrivateIPS
add address=192.168.0.0/16 list=PrivateIPS

I mean something like this: masquerade anything going from the LAN back to the LAN (excluding the router itself talking to the LAN):

/ip firewall nat
add chain=srcnat action=masquerade src-address=192.168.88.0/24 src-address-type=!local \
    dst-address=192.168.88.0/24

My favourite is to make the connection look like it comes from the public WAN address (if there's a static one):

/ip firewall nat
add chain=srcnat action=src-nat src-address=192.168.88.0/24 src-address-type=!local \
    dst-address=192.168.88.0/24 to-addresses=<public WAN address>

It probably makes no real difference, but when I have a public server, it feels more right to me when it sees the public address instead of the router's LAN address. But it's really just a personal preference.

The problem with that is that your log files will not show you where access is coming from. It's better to do it the other way.

If you mean the variant with the WAN address as source, I wrote that it's a personal preference. At the same time, it's the choice between all connections from the same LAN showing as from 1.2.3.4 (WAN address) or 192.168.88.1 (router's LAN address), which does not really make much difference. In either case, you won't be able to tell client 192.168.88.10 from 192.168.88.50; that is common to all hairpin NAT variants.

If you care about telling internal clients from each other, you need to play with DNS.

I think you may be mistaken, as my logs show the local PC's IP address.

I think your local PCs may talk to your local server directly. :) It's the whole point of hairpin NAT to change the source address of LAN → LAN (more precisely LAN → Own_WAN_Public_IP → Same_LAN) connections. As described nicely in the wiki, step by step, with what happens to the packet.
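To make the packet flow the thread argues about concrete, here is a small simulation (added example, not code from the forum or from MikroTik) of the two rule types: the dst-nat rule for a forwarded port and the universal LAN-to-LAN masquerade rule. It assumes constructed addresses: 1.2.3.4 as the public WAN address, 192.168.88.1 as the router's LAN address, 192.168.88.10 as a client and 192.168.88.238 as the server, and shows what the server sees, and whether its reply can come back through the router, with and without the masquerade rule.

```python
"""Simulated hairpin NAT on a router with dst-nat and srcnat chains.
Addresses are constructed for the example; they are not from a real site."""
from dataclasses import dataclass, replace

WAN_IP = "1.2.3.4"              # router's public WAN address (constructed)
ROUTER_LAN_IP = "192.168.88.1"  # router's own LAN address (constructed)
LAN_PREFIX = "192.168.88."      # the 192.168.88.0/24 LAN used in the thread


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def dstnat(pkt, forwards):
    """dst-nat chain: rewrite the public destination to the internal server
    when the destination port is forwarded (forwards = {port: server_ip})."""
    if pkt.dst == WAN_IP and pkt.dport in forwards:
        return replace(pkt, dst=forwards[pkt.dport])
    return pkt


def srcnat(pkt, hairpin):
    """srcnat chain: the 'universal' hairpin rule masquerades LAN -> LAN
    traffic that did not originate from the router itself (src-address-type=!local)."""
    lan_to_lan = pkt.src.startswith(LAN_PREFIX) and pkt.dst.startswith(LAN_PREFIX)
    if hairpin and lan_to_lan and pkt.src != ROUTER_LAN_IP:
        return replace(pkt, src=ROUTER_LAN_IP)
    return pkt


def route(pkt, forwards, hairpin):
    """Pass one packet through dst-nat then srcnat.  Returns the packet the
    server sees and whether the server's reply will pass back through the
    router.  The reply goes to seen.src: if that is the LAN client itself, the
    server answers it directly, the router never un-NATs the reply, and the
    client drops an answer that comes from 192.168.88.238 instead of 1.2.3.4."""
    seen = srcnat(dstnat(pkt, forwards), hairpin)
    reply_via_router = seen.src == ROUTER_LAN_IP or not seen.src.startswith(LAN_PREFIX)
    return seen, reply_via_router


if __name__ == "__main__":
    fw = {80: "192.168.88.238"}
    for hp in (True, False):
        seen, ok = route(Packet("192.168.88.10", WAN_IP, 80), fw, hairpin=hp)
        print(f"hairpin={hp}: server sees {seen.src} -> {seen.dst}, reply via router: {ok}")
```

The external-client case in the test shows the logging point made above: an outside source keeps its real address in the server's logs, while every hairpinned LAN client appears as the router's LAN address.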