Hi. I hope that you folks could help me out a little here.
After a few days of fooling around with the router I am now trying to port forward to a web server (Apache).
I am able to manage it when someone enters from the WAN side. But not locally.
I have mapped a domain - let's call it “example.com” - to my public IP. Under “example.com” I have many subdomains. When I used my Apple router this was not a problem, but now I am not able to make it work.
When I enter “example.com” from outside I end up on my page. But locally I end up on the MikroTik router config login page, just like when you enter the router address.
192.168.1.2 - web server
84.208.100.100 - public ip
Some nat config:
0 ;;; default configuration
chain=srcnat action=masquerade out-interface=ether1-gateway log=no log-prefix=""
1 ;;; Port forwarding
chain=dstnat action=dst-nat to-addresses=192.168.1.2 protocol=tcp dst-address=84.208.100.100
dst-address-type=local in-interface=ether1-gateway dst-port=80 log=no log-prefix=""
2 ;;; Hairpin. Or what ever
chain=srcnat action=masquerade protocol=tcp src-address=192.168.1.0 dst-address=192.168.1.2
out-interface=bridge-local dst-port=80 log=no log-prefix=""
Your NAT rule now masquerades only one src IP: 192.168.1.0
Try to change it with src-address=192.168.1.0/24
Here is the Hairpin manual for the same scenario.
http://wiki.mikrotik.com/wiki/Hairpin_NAT
Hi.
Thanks for your help. Now my rule is:
chain=srcnat action=masquerade protocol=tcp src-address=192.168.1.0/24 dst-address=192.168.1.2
out-interface=bridge-local dst-port=80 log=no log-prefix=""
Still I get my webfig when entering “example.com” in my browser.
Just to be sure that I understood you. If I only use 192.168.1.0 that means that only the source IP 192.168.1.0 will be masqueraded? But when entering 192.168.1.0/24 it means the whole range 192.168.1.0-255 will be masqueraded? I have even tried to enter the source IP of the client PC I use to browse “example.com” but still nothing. I have also tried to set the source and destination IP to 192.168.1.0/24 but still I end up on the webfig page.
Any other suggestions? Starting to wonder if there is something else.
hmmm… this I forgot.
My web server is connected to a Netgear wifi extender, and the extender is connected to the MikroTik through wifi. My client PC is connected through wifi to the MikroTik. Again I can access the web server through its internal IP. Can this be a source of headache?
Steffen
The in-interface filter on your port forward is causing your problem since it’s not actually coming through that interface. Take it off and leave your type local. Put a dst addr filter of your WAN IP if you wish. Hairpin needs both rules working together.
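
Added example (not posted by anyone in this thread): a simplified Python model of how the two NAT rules discussed above decide where a request for the public IP ends up. It is not RouterOS code; the router LAN address 192.168.1.1 and both client addresses are assumptions made for the illustration.

```python
from ipaddress import ip_address, ip_network

WAN_IP, SERVER = "84.208.100.100", "192.168.1.2"   # addresses from the thread
ROUTER_LAN = "192.168.1.1"                         # assumed router LAN address
LAN = ip_network("192.168.1.0/24")

def matches(rule, pkt):
    """A rule matches only if every matcher it carries agrees with the packet."""
    if "in_interface" in rule and rule["in_interface"] != pkt["in_if"]:
        return False
    for field, key in (("src_address", "src"), ("dst_address", "dst")):
        # A bare address such as 192.168.1.0 parses as a /32, i.e. a single host.
        if field in rule and ip_address(pkt[key]) not in ip_network(rule[field]):
            return False
    return rule.get("dst_port", pkt["dport"]) == pkt["dport"]

def trace(pkt, dstnat, hairpin):
    """Return (who answers, source the server sees, whether the reply reaches the client)."""
    pkt = dict(pkt)
    client = pkt["src"]
    if matches(dstnat, pkt):
        pkt["dst"] = dstnat["to_addresses"]
    if pkt["dst"] == WAN_IP:
        # No dst-nat hit: the packet is for the router itself, so WebFig answers.
        return ("router-webfig", client, True)
    if ip_address(pkt["dst"]) in LAN and matches(hairpin, pkt):
        pkt["src"] = ROUTER_LAN                    # masquerade out of bridge-local
    # A LAN client only accepts the reply if it comes back through the router.
    reply_ok = pkt["src"] == ROUTER_LAN or ip_address(client) not in LAN
    return ("web-server", pkt["src"], reply_ok)

def rules(in_interface, src_address):
    """Build the thread's dst-nat and hairpin rules with the two settings in question."""
    dstnat = {"dst_address": WAN_IP, "dst_port": 80, "to_addresses": SERVER}
    if in_interface:
        dstnat["in_interface"] = in_interface
    hairpin = {"src_address": src_address, "dst_address": SERVER, "dst_port": 80}
    return dstnat, hairpin

# Constructed sample packets: one client on the LAN, one on the internet.
LAN_CLIENT = {"src": "192.168.1.50", "dst": WAN_IP, "dport": 80, "in_if": "bridge-local"}
WAN_CLIENT = {"src": "203.0.113.7", "dst": WAN_IP, "dport": 80, "in_if": "ether1-gateway"}

if __name__ == "__main__":
    for label, r in (("as posted", rules("ether1-gateway", "192.168.1.0")),
                     ("/24 only", rules("ether1-gateway", "192.168.1.0/24")),
                     ("no in-interface only", rules(None, "192.168.1.0")),
                     ("both fixes", rules(None, "192.168.1.0/24"))):
        print(f"{label:22} LAN: {trace(LAN_CLIENT, *r)}  WAN: {trace(WAN_CLIENT, *r)}")
```

In this model, changing only the hairpin rule to /24 still lands the LAN client on WebFig, and removing only the in-interface matcher reaches the web server but leaves the reply path broken; the LAN client works only with both changes.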