Hairpin won't work, but why?

Hello!

I have the following configuration:
[image: FullSizeRender.jpg]
I want the normal clients to reach the internet, and the server to be reachable both from external and from subnet 192.168.1.0/24 under the external server address. Besides that, I want to reach the modem on its internal address for configuration, etc. The addresses of PPPoE (internal/external) are dynamic.

My routes look like this:

[admin@Router-HH] /ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          62.52.200.132             0
 1 ADC  62.52.200.132/32   85.176.64.82    PPPoE-ALICE               0
 2 ADC  192.168.0.0/24     192.168.0.1     ether23-MODEM             0
 3 ADC  192.168.1.0/24     192.168.1.254   ether1                    0

The firewall rules like this:

/ip firewall filter
add action=drop chain=input comment="Kaputte Pakete DROP" connection-state=invalid
add action=drop chain=forward comment="Kaputte Pakete Drop" connection-state=invalid
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward comment="Bestehende und initierte Verbindungen OK" connection-state=established,related protocol=tcp
add action=accept chain=input comment="Bestehende und initierte Verbindungen OK" connection-state=established,related
add action=accept chain=input comment="von 192.168.1.0 -> 192.168.1.0 OK" dst-address=192.168.1.0/24 src-address=192.168.1.0/24
add action=drop chain=input comment="Der Rest geht in den Orkus...." log-prefix=FW

If I don't have the next-to-last rule, I can't reach the MikroTik (192.168.1.254) from the LAN 192.168.1.0/24. That is already strange.

And the NAT looks like this:

/ip firewall nat
add action=masquerade chain=srcnat comment="Maskierung LAN" out-interface=PPPoE-ALICE src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment=Hairpin dst-address=!192.168.1.254 out-interface=ether1 out-interface-list=all protocol=\
    tcp src-address=192.168.1.0/24
add action=src-nat chain=srcnat comment=NTP protocol=udp src-port=123 to-addresses=192.168.1.254
add action=dst-nat chain=dstnat comment="Portforwarding HTTP zum Server" dst-port=80 in-interface=PPPoE-ALICE log-prefix=FW80 \
    protocol=tcp to-addresses=192.168.1.252 to-ports=80
add action=dst-nat chain=dstnat comment="Portforwarding HTTPS zum Server" dst-port=443 in-interface=PPPoE-ALICE protocol=tcp \
    to-addresses=192.168.1.252 to-ports=443
add action=dst-nat chain=dstnat comment="Port forwarding SSH auf Server" dst-port=22 in-interface=PPPoE-ALICE protocol=tcp \
    to-addresses=192.168.1.252 to-ports=22

Everything works fine, except the connection from LAN hosts to the server by its external address. I have already tried:

add action=dst-nat chain=dstnat comment="Portforwarding HTTP nach Server intern" dst-port=80 in-interface=ether1 \
    protocol=tcp to-addresses=192.168.1.252 to-ports=80
add action=dst-nat chain=dstnat comment="Portforwarding HTTPS nach Server intern" dst-port=443 in-interface=ether1 \
    protocol=tcp to-addresses=192.168.1.252 to-ports=443

My setup seems very common to me, so there must be a simple solution for that.

Thanks in advance

Holger


PS: the export of the Mikrotik:

# feb/04/2017 13:49:30 by RouterOS 6.38.1
# software id = D5X7-MT4X
#
/interface ethernet
set [ find default-name=ether2 ] master-port=ether1
set [ find default-name=ether3 ] master-port=ether1
set [ find default-name=ether4 ] master-port=ether1
set [ find default-name=ether5 ] master-port=ether1
set [ find default-name=ether6 ] master-port=ether1
set [ find default-name=ether7 ] master-port=ether1
set [ find default-name=ether8 ] master-port=ether1
set [ find default-name=ether9 ] master-port=ether1
set [ find default-name=ether10 ] master-port=ether1
set [ find default-name=ether11 ] master-port=ether1
set [ find default-name=ether12 ] master-port=ether1
set [ find default-name=ether13 ] master-port=ether1
set [ find default-name=ether14 ] master-port=ether1
set [ find default-name=ether15 ] master-port=ether1
set [ find default-name=ether16 ] master-port=ether1
set [ find default-name=ether17 ] master-port=ether1
set [ find default-name=ether18 ] master-port=ether1
set [ find default-name=ether19 ] master-port=ether1
set [ find default-name=ether20 ] master-port=ether1
set [ find default-name=ether21 ] master-port=ether1
set [ find default-name=ether22 ] master-port=ether1
set [ find default-name=ether23 ] name=ether23-MODEM
set [ find default-name=ether24 ] master-port=ether1
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether23-MODEM keepalive-timeout=disabled name=PPPoE-ALICE use-peer-dns=yes user=\
    04102981391
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=192.168.1.1-192.168.1.100
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether1 lease-time=2h name=dhcp1
/ip settings
set accept-source-route=yes
/ip address
add address=192.168.1.254/24 interface=ether1 network=192.168.1.0
add address=192.168.0.1/24 interface=ether23-MODEM network=192.168.0.0
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.254 gateway=192.168.1.254
/ip dns
set allow-remote-requests=yes servers=4.4.4.4
/ip firewall address-list
add address=192.168.1.1-192.168.1.200 list=LAN
/ip firewall filter
add action=drop chain=input comment="Kaputte Pakete DROP" connection-state=invalid
add action=drop chain=forward comment="Kaputte Pakete Drop\
    \n" connection-state=invalid
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward comment="Bestehende und initierte Verbindungen OK" connection-state=established,related protocol=tcp
add action=accept chain=input comment="Bestehende und initierte Verbindungen OK" connection-state=established,related
add action=accept chain=forward connection-nat-state=dstnat connection-state=new disabled=yes in-interface=PPPoE-ALICE
add action=accept chain=forward comment="Forward auf Server" connection-state=established,related,new disabled=yes dst-address=\
    192.168.1.252 dst-port=22,80,443 protocol=tcp
add action=accept chain=forward comment="Forward auf Router" connection-state=established,related,new disabled=yes dst-address=\
    192.168.1.254 dst-port=444 protocol=tcp
add action=accept chain=input comment="von 192.168.1.0 -> 192.168.0.0 OK" disabled=yes dst-address=192.168.0.0/24 src-address=\
    192.168.1.0/24
add action=accept chain=input comment="von 192.168.0.0 -> 192.168.1.0 OK" disabled=yes dst-address=192.168.1.0/24 src-address=\
    192.168.0.0/24
add action=accept chain=input comment="von 192.168.1.0 -> 192.168.1.0 OK" dst-address=192.168.1.0/24 src-address=192.168.1.0/24
add action=drop chain=input comment="Der Rest geht in den Orkus...." log-prefix=FW
/ip firewall nat
add action=masquerade chain=srcnat comment="Maskierung LAN" out-interface=PPPoE-ALICE src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment=Hairpin dst-address=!192.168.1.254 out-interface=ether1 out-interface-list=all protocol=\
    tcp src-address=192.168.1.0/24
add action=src-nat chain=srcnat comment=NTP protocol=udp src-port=123 to-addresses=192.168.1.254
add action=dst-nat chain=dstnat comment="Portforwarding HTTP zum Server" dst-port=80 in-interface=PPPoE-ALICE log-prefix=FW80 \
    protocol=tcp to-addresses=192.168.1.252 to-ports=80
add action=dst-nat chain=dstnat comment="Portforwarding HTTPS zum Server" dst-port=443 in-interface=PPPoE-ALICE protocol=tcp \
    to-addresses=192.168.1.252 to-ports=443
add action=dst-nat chain=dstnat comment="Port forwarding SSH auf Server" dst-port=22 in-interface=PPPoE-ALICE protocol=tcp \
    to-addresses=192.168.1.252 to-ports=22
add action=dst-nat chain=dstnat comment="Forward HTTPS Router" dst-port=444 in-interface=PPPoE-ALICE port="" protocol=tcp \
    to-addresses=192.168.1.254 to-ports=444
add action=dst-nat chain=dstnat comment="Portforwarding HTTP nach Server intern" disabled=yes dst-port=80 in-interface=ether1 \
    protocol=tcp to-addresses=192.168.1.252 to-ports=80
add action=dst-nat chain=dstnat comment="Portforwarding HTTPS nach Server intern" disabled=yes dst-port=443 in-interface=ether1 \
    protocol=tcp to-addresses=192.168.1.252 to-ports=443
/ip service
set telnet address=192.168.1.0/24
set ftp disabled=yes
set www address=192.168.1.0/24 port=81
set www-ssl certificate=mikrotik-https disabled=no port=444
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=Router-HH
/system ntp client
set enabled=yes primary-ntp=192.53.103.104 secondary-ntp=192.53.103.103
/system ntp server
set enabled=yes multicast=yes
/system scheduler
add interval=1m name=DynDNS-Strato on-event=dynDNS policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/30/2017 start-time=20:31:46
/system script
add name=dynDNS owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":global ddnsuser \"lange-\
    online.net\"\
    \n:global ddnspass \"masorfc1\"\
    \n:global theinterface \"PPPoE-ALICE\"\
    \n:global ddnshost hh.lange-online.net\
    \n:global ddnsserver dyndns.strato.com\
    \n:global protocol https\
    \n:global ipddns [:resolve \$ddnshost];\
    \n:global ipfresh [ /ip address get [/ip address find interface=\$theinterface ] address ]\
    \n:if ([ :typeof \$ipfresh ] = nil ) do={\
    \n   :log info (\"DynDNS: No ip address on \$theinterface .\")\
    \n} else={\
    \n   :for i from=( [:len \$ipfresh] - 1) to=0 do={ \
    \n      :if ( [:pick \$ipfresh \$i] = \"/\") do={ \
    \n    :set ipfresh [:pick \$ipfresh 0 \$i];\
    \n      } \
    \n}\
    \n \
    \n:if (\$ipddns != \$ipfresh) do={\
    \n    :log info (\"DynDNS: IP-DynDNS = \$ipddns\")\
    \n    :log info (\"DynDNS: IP-Fresh = \$ipfresh\")\
    \n   :log info \"DynDNS: Update IP needed, Sending UPDATE...!\"\
    \n   :global str \"/nic/update\\\?hostname=\$ddnshost&myip=\$ipfresh&wildcard=NOCHG&mx=NOCHG&backmx=NOCHG\"\
    \n   /tool fetch address=\$ddnsserver src-path=\$str mode=\$protocol user=\$ddnsuser \\\
    \n         password=\$ddnspass dst-path=(\"/DynDNS.\".\$ddnshost)\
    \n    :delay 1\
    \n    :global str [/file find name=\"DynDNS.\$ddnshost\"];\
    \n    /file remove \$str\
    \n    :global ipddns \$ipfresh\
    \n  :log info \"DynDNS: IP updated to \$ipfresh!\"\
    \n    } else={\
    \n#     :log info \"DynDNS: dont need changes\";\
    \n    }\
    \n} "
/tool graphing interface
add interface=PPPoE-ALICE

I would set the dst-address of your hairpin NAT rule to the server only:
dst-address=192.168.1.252
Also, I don't know what the parameter out-interface-list=all does.
Last but not least, leave out the protocol parameter.

Ok, I tried that one:

/ip firewall nat
add action=masquerade chain=srcnat comment="Maskierung LAN" out-interface=PPPoE-ALICE src-address=192.168.1.0/24
add action=src-nat chain=srcnat comment=NTP protocol=udp src-port=123 to-addresses=192.168.1.254
add action=dst-nat chain=dstnat comment="Portforwarding HTTP zum Server" dst-port=80 in-interface=PPPoE-ALICE log=yes log-prefix=FW80 protocol=tcp \
    to-addresses=192.168.1.252 to-ports=80
add action=dst-nat chain=dstnat comment="Portforwarding HTTPS zum Server" dst-port=443 in-interface=PPPoE-ALICE protocol=tcp to-addresses=192.168.1.252 \
    to-ports=443
add action=dst-nat chain=dstnat comment="Port forwarding SSH auf Server" dst-port=22 in-interface=PPPoE-ALICE protocol=tcp to-addresses=192.168.1.252 \
    to-ports=22
add action=masquerade chain=srcnat comment=Hairpin dst-address=192.168.1.252 dst-address-type=local log=yes log-prefix="HP MSAK;" src-address=\
    192.168.1.0/24

and with the HAIRPIN rule as the second one in the list. It doesn't work…

Use the code on the conclusion page of this presentation https://goo.gl/35GBvK ; it works for both single-WAN and multi-WAN.

credit : https://www.facebook.com/mikrotiktutorial/videos/1234626126599365/

I can’t see the difference to what I am doing…

Yes it is; the order of rules matters. :wink:

So how this thread differs from your previous one?

Is there any specific reason why you refuse to acknowledge that it can’t work with dstnat rules that have in-interface=PPPoE-ALICE? :slight_smile:

Because the first one is more general and now only the hairpin is the problem.

I have understood that, but

/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 \
  dst-address=192.168.1.252 protocol=tcp dst-port=80 \
  out-interface=ether1 action=masquerade

does not work either…

I mean dstnat, you still have the interface there:

add action=dst-nat chain=dstnat comment="Portforwarding HTTP zum Server" dst-port=80 in-interface=PPPoE-ALICE log=yes log-prefix=FW80 protocol=tcp to-addresses=192.168.1.252 to-ports=80

Ok, that’s the point.

I changed it now to

/ip firewall nat
add action=dst-nat chain=dstnat comment="Portforwarding HTTP zum Server" dst-port=80 log=yes log-prefix=FW80 protocol=tcp \
    src-address=!192.168.1.0/24 to-addresses=192.168.1.252 to-ports=80

So that rule only works if the source is not the local network. But the hairpin still does not work.

Good direction, but with “src-address=!192.168.1.0/24” it can’t work either.

Instead of that, use one of following:
a) “dst-address-type=local” - if you don’t care about accessing given service on router itself
b) “dst-address-type=local dst-address=!192.168.1.254” - if you want service on router accessible from LAN

Since you moved web administration to different ports, a) is enough for you.

Correct me, but I masqueraded the request with the external address, so why shouldn't that match !192.168.1.0/24?

But it works now, thanks for your help.

If you have src-address=!192.168.1.0/24, it can’t match connections coming from LAN, because they do have 192.168.1.x as source.
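Added example, not from the thread and not RouterOS code: a small Python model of the order in which RouterOS handles the first packet of a new connection (dstnat, then the routing decision, then srcnat, first matching rule wins in each chain) on the topology above. Addresses, interface names and the four dstnat variants are built from the thread; the client addresses 203.0.113.5 and 192.168.1.10, the "local" address set and the masquerade addresses per interface are assumptions. It shows why a dstnat rule with in-interface=PPPoE-ALICE or src-address=!192.168.1.0/24 never fires for a LAN client (the packet is then delivered to the router itself), why dst-address-type=local does fire, why the srcnat hairpin masquerade has to rewrite the source to the router before the packet reaches the server, and how variants a) and b) differ when a LAN host talks to the router's own port 80.

```python
# Added example: toy model of RouterOS dstnat -> routing -> srcnat evaluation for the
# hairpin case. Not RouterOS code; topology and rules are constructed from the thread.
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

IPv4 = ipaddress.IPv4Address
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
ROUTER_LAN_IP = IPv4("192.168.1.254")
SERVER_IP = IPv4("192.168.1.252")
PUBLIC_IP = IPv4("85.176.64.82")                 # PPPoE address from the route print
LOCAL_IPS = {ROUTER_LAN_IP, PUBLIC_IP, IPv4("192.168.0.1")}   # what dst-address-type=local means
IFACE_IP = {"ether1": ROUTER_LAN_IP, "PPPoE-ALICE": PUBLIC_IP}  # address masquerade uses (assumed)


@dataclass
class Packet:
    src: IPv4
    dst: IPv4
    dport: int
    in_iface: str


@dataclass
class Rule:
    chain: str                                # "dstnat" or "srcnat"
    in_interface: Optional[str] = None
    out_interface: Optional[str] = None
    src_address: Optional[str] = None         # "192.168.1.0/24" or negated "!192.168.1.0/24"
    dst_address: Optional[str] = None
    dst_address_type_local: bool = False      # dst-address-type=local
    dst_port: Optional[int] = None
    to_address: Optional[IPv4] = None         # dst-nat target; srcnat rules masquerade


def _addr_matches(spec: str, addr: IPv4) -> bool:
    """Address matcher with RouterOS-style leading '!' negation."""
    negate = spec.startswith("!")
    return (addr in ipaddress.ip_network(spec.lstrip("!"), strict=False)) != negate


def _rule_matches(rule: Rule, pkt: Packet, out_iface: Optional[str]) -> bool:
    return not (
        (rule.in_interface and rule.in_interface != pkt.in_iface)
        or (rule.out_interface and rule.out_interface != out_iface)
        or (rule.src_address and not _addr_matches(rule.src_address, pkt.src))
        or (rule.dst_address and not _addr_matches(rule.dst_address, pkt.dst))
        or (rule.dst_address_type_local and pkt.dst not in LOCAL_IPS)
        or (rule.dst_port is not None and rule.dst_port != pkt.dport)
    )


def _route(dst: IPv4) -> str:
    """Routing decision taken after dstnat; 'local' = delivered to the router itself."""
    if dst in LOCAL_IPS:
        return "local"
    return "ether1" if dst in LAN_NET else "PPPoE-ALICE"


def simulate(rules: list[Rule], pkt: Packet) -> dict:
    """First packet of a new connection: dstnat, then routing, then srcnat (first match wins).

    'works' requires the server to get the packet AND, for a client on the same LAN, the
    source to be rewritten to the router; otherwise the server answers the client directly
    and the client drops a reply that does not come from the public address it used.
    """
    for r in (r for r in rules if r.chain == "dstnat"):
        if _rule_matches(r, pkt, None):
            pkt = replace(pkt, dst=r.to_address)
            break
    out_iface = _route(pkt.dst)              # srcnat sees the already-translated destination
    if out_iface == "local":
        return {"delivered_to": "router", "src": str(pkt.src), "dst": str(pkt.dst), "works": False}
    for r in (r for r in rules if r.chain == "srcnat"):
        if _rule_matches(r, pkt, out_iface):
            pkt = replace(pkt, src=IFACE_IP[out_iface])   # masquerade
            break
    src_ok = pkt.src not in LAN_NET or pkt.src == ROUTER_LAN_IP
    return {"delivered_to": str(pkt.dst), "src": str(pkt.src), "dst": str(pkt.dst),
            "works": pkt.dst == SERVER_IP and src_ok}


# srcnat part shared by all variants: normal masquerade plus the hairpin masquerade
SRCNAT = [
    Rule("srcnat", out_interface="PPPoE-ALICE", src_address="192.168.1.0/24"),
    Rule("srcnat", out_interface="ether1", src_address="192.168.1.0/24", dst_address="192.168.1.252"),
]
# dstnat variants discussed in the thread, port 80 only
ORIGINAL = [Rule("dstnat", in_interface="PPPoE-ALICE", dst_port=80, to_address=SERVER_IP)] + SRCNAT
NEGATED_SRC = [Rule("dstnat", src_address="!192.168.1.0/24", dst_port=80, to_address=SERVER_IP)] + SRCNAT
VARIANT_A = [Rule("dstnat", dst_address_type_local=True, dst_port=80, to_address=SERVER_IP)] + SRCNAT
VARIANT_B = [Rule("dstnat", dst_address_type_local=True, dst_address="!192.168.1.254",
                  dst_port=80, to_address=SERVER_IP)] + SRCNAT

# Constructed clients (addresses are assumptions)
EXTERNAL_CLIENT = Packet(IPv4("203.0.113.5"), PUBLIC_IP, 80, "PPPoE-ALICE")
LAN_CLIENT = Packet(IPv4("192.168.1.10"), PUBLIC_IP, 80, "ether1")
LAN_TO_ROUTER = Packet(IPv4("192.168.1.10"), ROUTER_LAN_IP, 80, "ether1")

if __name__ == "__main__":
    for name, rules in [("original", ORIGINAL), ("src!=LAN", NEGATED_SRC), ("a)", VARIANT_A), ("b)", VARIANT_B)]:
        for label, pkt in [("ext->public", EXTERNAL_CLIENT), ("LAN->public", LAN_CLIENT), ("LAN->router", LAN_TO_ROUTER)]:
            print(f"{name:9} {label:12} {simulate(rules, pkt)}")
```

Running it prints one line per ruleset and client. The two LAN rows for the "original" and "src!=LAN" rulesets end in the router ("delivered_to": "router"), because the LAN client's packet arrives on ether1 with a 192.168.1.x source and the public address as destination, so neither matcher fires and the untranslated destination is a local address. With variant a) the same packet is dst-natted to 192.168.1.252, routed back out ether1, and the hairpin masquerade turns the source into 192.168.1.254, so the server's reply returns through the router. The last row of each ruleset shows the a)/b) difference from the thread: with a) a LAN host connecting to 192.168.1.254:80 is redirected to the server too, with b) it stays on the router.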