Hairpin with port forwarding

Hello,

My scenario is as follows:

On the MikroTik I have a /IP/Firewall/NAT rule so that everything that comes in on port 5522 on the WAN side is routed to port 22 on a particular LAN IP. This is working as expected.

I have a laptop that needs to access this service both from within the network and when it is outside. My problem is that when I specify the LAN IP address (192.168.88.x) this fails when on the outside, and when I specify the WAN (fixed) IP I am having problems when connected to the local LAN.

I am thinking of using Hairpin but am not sure how to do this to have flexibility.

Thank you for any help.

It is unclear what you mean by “outside”. Do you mean Internet? From the Internet you cannot connect to such an internal/private IP like 192.168.x.x.
Do you have a WAN router?
Is there NAT enabled?
If the answer to the above questions is Yes, and your device is one that is connected to that WAN router, then there should normally be no problem.
But you have to disable NAT on the second device to avoid the “Double NAT Problem”.
If you have more than 1 LAN then you need to set a static route to the other.
You had better make a simple drawing of your network; it can also be a simple ASCII drawing.

FYI: I’m using a WAN router with NAT (it’s not an MT device) and there doing simple port-forwarding w/o any “hairpin” thing.
My destination server gets the original public IP of the connecting peer, not a NATted local IP. This is important not only in logs…
I personally have no experience with this “hairpin” thing, but here’s a wiki page about it: https://wiki.mikrotik.com/wiki/Hairpin_NAT

good video tutorial
https://www.youtube.com/watch?v=_kw_bQyX-3U&t=177s

or specify in-interface (to be your WAN interface) on your dst-nat rule so you don’t mess up LAN connection to the private IP.

(2) Does not compute because in (1) you have stated that the Dst Nat rule works as expected so one assumes you have successfully gained entry to your server from an external location.
One does not use a private IP to access a server from an external site (I suppose if coming to the router via a VPN tunnel it may then be appropriate?)

(3) Need an additional source nat rule (first in order I believe).
/ip firewall nat
add chain=srcnat src-address= dst-address= action=masquerade

Dst nat rule may need to be adjusted, but I need to know what your current srcnat and dstnat rules look like.

You are awesome, the video did it for me using a dynamic ISP IP, now everything works as desired, from LAN and from the internet.

Thank you so much!

Hi
The diagram above should help explain what I would like to achieve.

When the laptop is within the LAN it accesses the SFTP server via 192.168.88.4 Port 22 and this works
When the laptop is taken out of the LAN it accesses the SFTP server via 88.xx.xx.xx Port 5522 and this works.

My question is:
Can I have one setting on my laptop that works irrespective of whether the laptop is accessing the SFTP server from LAN or WAN? I have other Hairpin settings but all of them retain the same IP address.

Can someone please share terminal script settings to achieve this.

Not sure what you mean by one setting on the laptop?
Do you mean one rule on your SFTP, then yes.
Simply use the WANIP (or dyndns name URL) which will work externally, or internally.***

  1. Create the extra source nat rule as prescribed in the previous post
  2. Create the dstnat rule as such.
    add chain=dstnat action=dst-nat protocol=tcp dst-port=5522 dst-address-list=router_cloud to-addresses=192.168.88.4 to-ports=22

The firewall address list is as follows: go to IP > Firewall, go to Address Lists, create a new address list with name: router_cloud,
and under Address put the cloud DNS name (see below) of the router: “xdyyetetetete0.sn.mynetname.net” {example only}

*** You will need to go to IP Cloud on the router and enable it (check box next to text DDNS enabled).
You will need to copy the DNS name for the firewall address list above.

Thus the destination address will always be accurate (it will be your current WANIP), and the hairpin source nat rule will ensure that internal usage of the DynDNS URL or actual WANIP in the single SFTP rule will work fine.
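The two rules from the steps above, written out as one pasteable RouterOS configuration. This is an added example, not anav's or MikroTik's own config; it assumes the LAN is 192.168.88.0/24, the SFTP server is 192.168.88.4:22, the public port is 5522, the WAN interface is in the interface list named "WAN", and the IP Cloud DDNS name is a placeholder you replace with the one your router reports:

```routeros
# Added example (not from the original posts). Assumptions: LAN 192.168.88.0/24,
# SFTP server 192.168.88.4:22, public port 5522, WAN interface in interface list
# "WAN", IP Cloud DDNS enabled. Replace YOUR-SERIAL.sn.mynetname.net with the
# name printed in step 1.

# 1. Enable IP Cloud DDNS and read the DNS name the router was assigned.
/ip cloud set ddns-enabled=yes
:put [/ip cloud get dns-name]

# 2. Address list that the router keeps resolved to the current public IP.
/ip firewall address-list add list=router_cloud \
    address=YOUR-SERIAL.sn.mynetname.net comment="current WAN IP via IP Cloud"

# 3. Port forward: public:5522 -> 192.168.88.4:22. Matching on the public
#    address (not on in-interface=WAN) lets the rule fire for LAN clients
#    that connect to the public name as well as for Internet clients.
/ip firewall nat add chain=dstnat action=dst-nat protocol=tcp dst-port=5522 \
    dst-address-list=router_cloud to-addresses=192.168.88.4 to-ports=22 \
    comment="SFTP port forward (Internet and hairpin)"

# 4. Hairpin: for LAN clients that reached the server via the public address,
#    rewrite the source to the router's LAN address so the server's replies
#    go back through the router (otherwise the server answers the client
#    directly, the client never sees a reply from the public IP, and the
#    handshake fails). Scoped to LAN -> server:22 only; a bare masquerade
#    with empty src/dst would hide the real client IP for every connection.
#    srcnat runs after dst-nat, so the destination here is already 192.168.88.4:22.
/ip firewall nat add chain=srcnat action=masquerade protocol=tcp \
    src-address=192.168.88.0/24 dst-address=192.168.88.4 dst-port=22 \
    place-before=0 comment="hairpin NAT for SFTP"

# 5. Normal Internet masquerade (usually already present on the router).
/ip firewall nat add chain=srcnat action=masquerade out-interface-list=WAN

# 6. Checks: the address list must show a resolved IP next to the DNS name,
#    and LAN-side hairpin connections should appear in connection tracking.
/ip firewall address-list print where list=router_cloud
/ip firewall connection print where dst-address~"192.168.88.4:22"
```

Two things to verify before trusting it: the address-list entry is only useful while the router can resolve the Cloud name, so if the print in step 6 shows no address the dst-nat rule silently matches nothing; and with the hairpin rule in place the SFTP server logs the router's LAN address, not the laptop's, for connections made from inside, which is the trade-off the earlier reply about preserving the original peer IP was pointing at.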

@anav I think he wants to use the same public IP to reach the server, whether the laptop is connected to the LAN, or on another internet connection.

As mentioned, hairpin NAT addresses this exact issue. If Steve’s video is not clear enough, here is more detail:
https://wiki.mikrotik.com/wiki/Hairpin_NAT

Yes Solar, I came to that conclusion, but where he wants to apply that is in his SFTP program, which is where he/she puts the HOST IP etc.
He wants to avoid having two logins and just wants one login no matter where he is located.
That was my assumption moving forward and thus the hairpin sourcenat rule and the dstnat rule.
I just realized that what I was saying was already covered in the video - Steve is EXCELLENT!!

What we don’t know is whether the OP’s WANIP is static (in which case the normal dstnat rule, where dst-address=WANIP, need not be changed) or dynamic, in which case Steve’s technique is golden.

Sorry for not explaining myself better, but this is exactly what I want to do. Thank you to everyone, I was tripping over myself because port 5522 had to change to port 22. I had a couple of hairpin rules for straight port management but Steve’s video got it to work.

I will need to figure out why the port forwarding rule (where the Dst. Address is the public IP) works when the hairpin rule is on top (cascade mechanism, for sure).

https://help.mikrotik.com/docs/pages/viewpage.action?pageId=3211299

The MikroTik doc seems new. I will have a nose around later on, but as for the hairpin explanation, the old wiki does a better job :)

Today I made simple port-forwarding w/o any hairpin thing in the following thread: http://forum.mikrotik.com/t/doing-a-simple-port-forwarding/140418/1
I can use the WAN-IP:port from both the Internet as well from inside the LAN.
I used this

/ip firewall nat
add chain=dstnat dst-address=192.168.1xx.xxx dst-port=xxxx action=dst-nat protocol=tcp to-addresses=192.168.2xx.xxx to-ports=xxxx


I think specifying the **"dst-address="** was the key for the success. But most examples in the wiki pages don't use it.
I would suggest to try it out.
But OTOH maybe it works b/c I use 2 routers in series. The above setting was done on the 2nd router. More details in the above link.

Use of dst-nat is the correct method of port forwarding when one has static/fixed WANIP.
It also works when one needs hairpin nat, in that no change is needed to the dst-nat rule (one still needs the extra source-nat masquerade rule).

If you have a dynamic WANIP, the usual dst-nat rule states instead in-interface-list=WAN for example.
But if you have hairpin it needs to be modified and the in-interface-list match above removed.
The cleanest method makes use of destination-address-list=(name of your IP cloud ddns name)

That youtube video is legendary…