Hello,
I have a problem between two MikroTiks. I need to do hairpin NAT, but it doesn't work. This is the scenario:
mikrotik 1 → 192.168.1.1/24 and 192.168.130.1/24 (the Internet connection is on this router)
mikrotik 2 → 192.168.130.2/24
The two routers are connected by Ethernet in a bridge configuration.
I don't have access to mikrotik 2 (another service from another company), so my router is mikrotik 1.
NAT rules on mikrotik 1:
/ip firewall nat add action=dst-nat chain=dstnat comment="port forward" dst-port=6111 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.3 to-ports=6111
(works from outside)
/ip firewall nat add action=masquerade chain=srcnat comment="NAT HAIRPIN" dst-address=192.168.1.3 out-interface=br1.lan protocol=tcp src-address=192.168.130.0/24 to-addresses=192.168.1.3
Please, if someone can help me, I would be very grateful.
Thanks!
vingjfg, post #2, November 11, 2023, 5:05pm
Can you post a diagram? That will be easier to understand.
vingjfg, post #3, November 12, 2023, 10:58am
Looking at the configuration you sent and your explanations, I think the issue is not hairpin NAT.
But first, does this accurately represent what you have?
If so, you do not have a hairpin NAT issue but most likely an ACL issue. The interface with IP 192.168.130.1 on mikrotik 1: in which interface-list is it?
Hi,
It is correct. I need to access a web server in 192.168.1.0/24 from a LAN address on mikrotik 2, but connecting to the public IP address, and the communication between mikrotik 1 and 2 is 192.168.130.0/24. So if it is not hairpin NAT, what do I have to do?
Thanks in advance,
Ca6ko, post #5, November 14, 2023, 3:32pm
Describe the problem in as much detail as possible and show a schematic. Personally, with my poor English, I didn't understand anything.
vingjfg, post #6, November 15, 2023, 7:46am
As Ca6ko wrote, it is a bit difficult to create a config without more elements.
First:
/ip firewall nat add action=masquerade chain=srcnat comment="NAT HAIRPIN" dst-address=192.168.1.3 out-interface=br1.lan protocol=tcp src-address=192.168.130.0/24 to-addresses=192.168.1.3
Remove this as it makes no sense. Why are you using masquerade and at the same time passing a to-addresses?
Note: untested configurations so check before deploying.
Considering that <mt2int> is the interface that goes to Mikrotik_2.
If your external interface has a static IP, something like this should work:
/ip firewall nat add chain=dstnat action=dst-nat protocol=tcp dst-address=<WANIP> in-interface=<mt2int> dst-port=6111 to-addresses=192.168.1.3 to-ports=6111 comment="NAT for Mikrotik_2 users"
/ip firewall filter add chain=forward in-interface=<mt2int> dst-address=192.168.1.3 dst-port=6111 protocol=tcp action=accept place-before=<...>
If it does not have a static IP but has a dynamic DNS name, use an address-list to resolve your external name first. Something similar to:
/ip firewall address-list add address=<myname.on.ddns.net> list=MyExternalIP
/ip firewall nat add chain=dstnat action=dst-nat protocol=tcp dst-address-list=MyExternalIP in-interface=<mt2int> dst-port=6111 to-addresses=192.168.1.3 to-ports=6111 comment="NAT for Mikrotik_2 users"
/ip firewall filter add chain=forward in-interface=<mt2int> dst-address=192.168.1.3 dst-port=6111 protocol=tcp action=accept place-before=<...>
If your external IP is dynamic AND you do not have a dynamic DNS name, the question is how you access it at all. Nevertheless, this is possible with scripting. I will look into this later tonight.
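The following is an added example, not something posted in the thread, of the scripting approach mentioned in the last post: a RouterOS script that keeps the address-list used by the dst-nat rule (MyExternalIP in the post above) in sync with whatever IP the WAN interface currently holds, so the rule keeps matching after the ISP hands out a new address even when there is no dynamic DNS name to resolve. The WAN interface name "ether1", the list name and the log prefix are assumptions; adjust them to the real router.

```routeros
# Added example (not from the thread). Assumptions: the WAN interface is
# "ether1" and the dst-nat rule matches dst-address-list=MyExternalIP.
# Run it from /system scheduler (e.g. every minute); it only writes to the
# address-list when the WAN address has actually changed.
:local wanIf "ether1"
:local listName "MyExternalIP"

# /ip address stores the WAN address as a.b.c.d/prefix; take the first
# address on the interface and strip the prefix length.
:local ids [/ip address find interface=$wanIf]
:if ([:len $ids] = 0) do={
    :log warning "wan-list: no IP address found on $wanIf"
} else={
    :local cidr [:tostr [/ip address get [:pick $ids 0] address]]
    :local wanIp [:pick $cidr 0 [:find $cidr "/"]]

    :local cur [/ip firewall address-list find list=$listName]
    :if ([:len $cur] = 0) do={
        # First run: create the entry the dst-nat rule refers to.
        /ip firewall address-list add list=$listName address=$wanIp comment="WAN IP, managed by script"
        :log info "wan-list: created $listName with $wanIp"
    } else={
        :local oldIp [:tostr [/ip firewall address-list get [:pick $cur 0] address]]
        :if ($oldIp != $wanIp) do={
            # Address changed: update in place so existing connections keep
            # their conntrack entries and the NAT rule matches the new IP.
            /ip firewall address-list set [:pick $cur 0] address=$wanIp
            :log info "wan-list: $listName changed $oldIp -> $wanIp"
        }
    }
}
```

Save it as a script (for example `/system script add name=wan-list source={...}`) and schedule it with `/system scheduler add name=wan-list interval=1m on-event=wan-list`. Pair it with the `dst-address-list=MyExternalIP` dst-nat rule from the post above; the separate forward-chain accept rule is still needed if the default forward policy drops traffic from <mt2int> to the 192.168.1.0/24 side.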