Hairpin problem with double NAT

Hello!
I have a problem with configuring hairpin NAT when double NAT is present.

Look at following scenario:
(attached diagram: netDoubleNAT.gif)
PC1, which connects to the DVR via the external IP (DDNS domain), can’t connect.

I tried the configuration below:

/ip firewall nat
add action=masquerade chain=srcnat comment="hairpin NAT" src-address=172.22.100.0/24 dst-address=172.22.100.0/24 out-interface=br0
add action=dst-nat chain=dstnat comment="dvr" dst-address-type=local dst-port=8000 protocol=tcp to-addresses=172.22.100.10

but without success. Could you help me, please?

You need to catch packets going to your public IP:

/ip firewall address-list
add address=yourddns.example.net list=myip
/ip firewall nat
add action=dst-nat chain=dstnat dst-address-list=myip dst-port=8000 protocol=tcp to-addresses=172.22.100.10

Thank you very, (very) much for your reply. If it’s not a problem, I have two more questions:
Is your one rule enough to make it work, or should I use the “hairpin NAT” rule too?
The rule doesn’t contain dst-address-type=local. Is that intentional?

You still need the srcnat hairpin rule. And it can’t look for the local address, because that’s not the original destination of the packet. It’s going to the public address, which is on another router.

Your patience should be a national treasure :wink: To sum it up, if I understand correctly, the rules should be as below:

/ip firewall address-list
add address=yourddns.example.net list=myip

/ip firewall nat
add action=masquerade chain=srcnat comment="hairpin NAT" src-address=172.22.100.0/24 dst-address=172.22.100.0/24 out-interface=br0
add action=dst-nat chain=dstnat comment="dvr from LAN" dst-address-list=myip dst-port=8000 protocol=tcp to-addresses=172.22.100.10

What about the port forwarding from WAN (when the client address is unknown)? Will it work, or will a third firewall NAT rule like the following be needed:

add action=dst-nat chain=dstnat comment="dvr from WAN" in-interface=eth-WAN dst-port=8000 protocol=tcp to-addresses=172.22.100.10

?

Yes, rules look correct.

Port forwarding depends on how it’s done:

a) If the ISP’s router doesn’t know anything about your LAN and just forwards ports to 192.168.1.2, then you need another dstnat rule. What you wrote would work.

b) The ISP’s router could have a static route to 172.22.100.0/24 via 192.168.1.1 and forward ports directly to internal addresses. In this case it would work without additional NAT rules. But it’s probably not set up like this.
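To see why the original dst-address-type=local rule never fires for PC1 while the address-list rule plus the hairpin masquerade does, here is an added Python trace of the thread's rules through the two-router topology (this is example code, not RouterOS or anything posted in the thread). It assumes the inner router holds 172.22.100.1 on br0 and 192.168.1.2 on eth-WAN, that yourddns.example.net resolves to a constructed public IP on the ISP router, and constructed sample packets from PC1 and from the Internet.

```python
"""Trace the thread's NAT rules through the double-NAT hairpin case (added example)."""
from ipaddress import ip_address, ip_network

# Constructed topology, assumed from the thread: inner router has 172.22.100.1 on br0
# and 192.168.1.2 on eth-WAN; the public address lives on the ISP router, not here.
ROUTER_LOCAL_IPS = {"172.22.100.1", "192.168.1.2"}
PUBLIC_IP = "203.0.113.10"                 # constructed resolution of yourddns.example.net
ADDRESS_LISTS = {"myip": {PUBLIC_IP}}
LAN = ip_network("172.22.100.0/24")
DVR = "172.22.100.10"

RULE_LOCAL = {"comment": "dvr", "dst-address-type": "local",
              "dst-port": 8000, "protocol": "tcp", "to-addresses": DVR}
RULE_LAN = {"comment": "dvr from LAN", "dst-address-list": "myip",
            "dst-port": 8000, "protocol": "tcp", "to-addresses": DVR}
RULE_WAN = {"comment": "dvr from WAN", "in-interface": "eth-WAN",
            "dst-port": 8000, "protocol": "tcp", "to-addresses": DVR}

def rule_matches(rule, pkt):
    """Evaluate only the matchers the thread's rules use; first matching rule wins."""
    if rule.get("dst-address-type") == "local" and pkt["dst"] not in ROUTER_LOCAL_IPS:
        return False            # the public IP is not local to this router, so no match
    if "dst-address-list" in rule and pkt["dst"] not in ADDRESS_LISTS[rule["dst-address-list"]]:
        return False
    if "in-interface" in rule and pkt["in"] != rule["in-interface"]:
        return False
    return rule["dst-port"] == pkt["dport"] and rule["protocol"] == pkt["proto"]

def route(pkt, dstnat_rules):
    """dstnat chain, routing decision, then the hairpin masquerade rule from the thread."""
    pkt = dict(pkt, matched=None)
    for rule in dstnat_rules:
        if rule_matches(rule, pkt):
            pkt.update(dst=rule["to-addresses"], matched=rule["comment"])
            break
    pkt["out"] = "br0" if ip_address(pkt["dst"]) in LAN else "eth-WAN"
    # srcnat: masquerade LAN->LAN traffic leaving br0 so the DVR replies via the router
    if ip_address(pkt["src"]) in LAN and ip_address(pkt["dst"]) in LAN and pkt["out"] == "br0":
        pkt["src"] = "172.22.100.1"
    return pkt

# Constructed packets: PC1 hitting the DDNS name, and an Internet client forwarded by the ISP router
PC1_TO_DDNS = {"src": "172.22.100.50", "dst": PUBLIC_IP, "in": "br0", "dport": 8000, "proto": "tcp"}
WAN_TO_DVR = {"src": "198.51.100.7", "dst": "192.168.1.2", "in": "eth-WAN", "dport": 8000, "proto": "tcp"}

if __name__ == "__main__":
    print(route(PC1_TO_DDNS, [RULE_LOCAL]))            # matched=None: packet leaks out to the ISP router
    print(route(PC1_TO_DDNS, [RULE_LAN, RULE_WAN]))    # dst=DVR, src masqueraded to 172.22.100.1
    print(route(WAN_TO_DVR, [RULE_LAN, RULE_WAN]))     # 'dvr from WAN' matches, src left unchanged
```

The masqueraded source is what makes the DVR answer through the router instead of straight to PC1, which is why the srcnat rule is still needed even once dstnat matches.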