hAP ac3 NAT forwarding issues

Hello guys,
I have a TP-Link Archer C6 router that for some reason started behaving strangely lately (random hangs out of the blue), so I decided to “upgrade” to Mikrotik hAP ac3.
The set-up I have is a GPON from the ISP, one of the ports on the GPON is bridged and I have connected my own router to it.
I have various services on the PC that I was able to configure with the TP-Link (port forwarding) and were working fine, like the web server.
Now with the Mikrotik it doesn’t work, or it works somehow I should say. When I tried to access the web server via the domain that is managed by Cloudflare it doesn’t load, when I access it by the IP it loads the router’s login page instead of the web server, so no forwarding.
Attached you can find screenshots of the settings; can someone help me figure out what I am doing wrong?
tp-link.png
Mikrotik.png

up I guess :eyes:

Hi,
A couple of points,

The screenshot doesn’t really show what you are doing.
Mikrotik doesn’t do hairpin nat by default, so it might work from outside but not from inside your network.

You could open a terminal window (from webfig, up the top near rhs), and export the entire config, or just the firewall part.

/ip firewall nat export file=anynameyoulike

/export file=anynameyoulike

Remove the serial number and any other private info (router ID, external IPs, MAC addresses).

http://forum.mikrotik.com/t/forum-rules/173010/5


To do hairpin nat you need to add an appropriate srcnat/masquerade rule.

Something like the following might work for you.

/ip firewall nat
add action=masquerade chain=srcnat comment="HairPin NAT @ LAN to Server on LAN" dst-address=192.168.88.0/24 src-address=192.168.88.0/24

There are other options.

A wild guess, the MT local web server is configured on the same port number as the dst-nat rule in the firewall.

/ip service set www port=81

So we’re guessing … until @OP provides the exported config as per the instructions in the post by @rplant … I’m guessing that the “dst-address” property setting (which seems to be set, but @OP blacked it out) is wrong. The thing with DST-NAT is that the dst-address property normally doesn’t have to be set at all (except in certain specific use cases); however, the “to-address” property has to be set (to the internal IP address). The latter property is not shown in the screenshot posted, hence the requirement for a full text export of the config.

# 2024-08-21 14:42:57 by RouterOS 7.15.3
# software id = ***
#
# model = RBD53iG-5HacD2HnD
# serial number = ***
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Apache 80" dst-address=<PUBLIC IP> \
    protocol=tcp src-port=80 to-addresses=192.168.88.22 to-ports=80
add action=dst-nat chain=dstnat comment="Apache 443" dst-address=\
    <PUBLIC IP> protocol=tcp src-port=443 to-addresses=192.168.88.22 \
    to-ports=443

When I hit the 192.168.88.22 in the browser, it opens the web page (it’s on the same exact machine, so I’m using localhost anyway)
When I hit the on the same machine, it opens router’s login page
When I hit the from the phone using mobile data, doesn’t load
When I hit the 192.168.88.22 from the phone connected to the router’s Wi-Fi, it opens the web page.
When I try the domain, I get Error code 522 (host error)

I’m completely new to MikroTik, so any help is appreciated.

With corrections above, it should work for access from internet. If you want to use WAN IP when inside LAN, then you have to implement hairpin NAT.

Quick question about the HairpinNAT, cuz I’m struggling to make it work. Do I need both rules configured from the article, or only 2?

1. /ip firewall nat add chain=dstnat action=dst-nat dst-address=172.16.16.1 dst-port=443 to-addresses=10.0.0.3 to-ports=443 protocol=tcp
2. /ip firewall nat add action=masquerade chain=srcnat dst-address=10.0.0.3 out-interface=LAN protocol=tcp src-address=10.0.0.0/24

You already have implemented the first rule (two in your case, one per port). You still need the second one (one will cover all the dst-nat rules), but with correct addresses …

You can actually make it even more general and it likely won’t bite your back:

/ip firewall nat 
add action=masquerade chain=srcnat dst-address=192.168.88.0/24 src-address=192.168.88.0/24

This rule will perform src-nat on all traffic from LAN to LAN if it happens to pass the router. And the most likely cause for LAN2LAN traffic to pass the router (actually its IP stack) is hairpin NAT.
Instead of setting “dst-address=192.168.88.0/24 src-address=192.168.88.0/24” you can also write “in-interface-list=LAN out-interface-list=LAN” if that’s more convenient for you (but mind the potential differences between the two variants).
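As an added example (not from this thread or from MikroTik), a small Python linter that parses a `/ip firewall nat` text export like the one posted above and flags the issues discussed here: a dst-nat rule matching `src-port` where a service forward needs `dst-port` (the posted export does this, so only clients whose source port happens to be 80 or 443 would ever be forwarded), a dst-nat rule without `to-addresses`, and the absence of a LAN-to-LAN masquerade (hairpin) rule. The sample export is constructed from the posted one, with 203.0.113.10 standing in for the redacted public IP and 192.168.88.0/24 assumed as the LAN.

```python
"""Lint a RouterOS '/ip firewall nat' export for the problems in this thread."""
import re
import shlex

# Constructed sample modelled on the export posted above; 203.0.113.10 is a
# documentation-range placeholder for the redacted public IP.
SAMPLE_EXPORT = r'''
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Apache 80" dst-address=203.0.113.10 \
    protocol=tcp src-port=80 to-addresses=192.168.88.22 to-ports=80
'''


def parse_nat_export(text):
    """Join backslash-continued lines and return each 'add' rule as a dict."""
    joined = re.sub(r"\\\n\s*", " ", text)
    rules = []
    for line in joined.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue  # skip the section header, '#' comments and blank lines
        rule = {}
        for tok in shlex.split(line[4:]):  # shlex keeps comment="Apache 80" whole
            key, _, value = tok.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def lint_nat(rules, lan="192.168.88.0/24"):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    dstnat = [r for r in rules if r.get("action") == "dst-nat"]
    for r in dstnat:
        name = r.get("comment", "<no comment>")
        if "to-addresses" not in r:
            findings.append(f"{name}: dst-nat rule has no to-addresses")
        if "src-port" in r and "dst-port" not in r:
            findings.append(f"{name}: matches src-port={r['src-port']} but no "
                            "dst-port; a service forward should match dst-port")
    # Hairpin rule: masquerade in srcnat for LAN -> LAN (assumed LAN prefix).
    hairpin = any(r.get("action") == "masquerade" and r.get("chain") == "srcnat"
                  and r.get("src-address") == lan and r.get("dst-address") == lan
                  for r in rules)
    if dstnat and not hairpin:
        findings.append("no LAN->LAN masquerade rule; the WAN IP will not work "
                        "from inside the LAN (hairpin NAT missing)")
    return findings
```

Run `lint_nat(parse_nat_export(SAMPLE_EXPORT))` to see both findings; after changing `src-port=80` to `dst-port=80` and adding the hairpin masquerade rule from this post, the list is empty.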

I’m pretty sure I did it before, and it wasn’t working, maybe I had a typo somewhere.
Anyway, it’s working for both LAN/WAN.