Hairpin NAT between two VLANs

Hi,

I have a webserver in IP Range 192.168.100.0/24 and I have a client in 192.168.0.0/24.

I can’t connect over my domain address to my webserver from inside my network, that’s why I would like to make a Hairpin NAT. I tried to do it after this tutorial: https://www.youtube.com/watch?v=_kw_bQyX-3U&feature=youtu.be but it doesn’t work. I entered as Src. Address 192.168.100.0/24 and as Dst. Address 192.168.0.0/24.

I have a Filter Rule that drops every contact between both nets (and this I would like to keep: block every traffic between these two networks). I would like to make it work this way: PC ↔ Internet ↔ Webserver. This worked before, but now I have got a static IP and it won’t work anymore…

What can I do?

You need 4 rules per hairpin. This tutorial worked for me: https://wiki.mikrotik.com/wiki/Hairpin_NAT

Or you can override DNS in the Mikrotik to repoint your website url to the LAN IP of your webserver.

4 rules? Which do I need? The wiki only talks about one, and so does the tutorial.

DNS: I’m using pi hole as a DNS for my Client, and 1.1.1.1 for my webserver. Should I modify my piHole?
Will this work even if I block all traffic between 192.168.100.0 and 192.168.0.0 with a firewall rule?

Export your
/IP firewall nat

Or just add that domain address in the DNS cache of the MikroTik pointing to the internal IP → no need for natting

Overriding www.yoursite.com would be less complicated. Do it in pi-hole if possible. If not, you can catch DNS requests in the Mikrotik, repoint the domains to your Mikrotik’s DNS and override there. You’d have to override yoursite.com and www.yoursite.com. You will need to allow port 80/443 to your webserver in your firewall between the two LANs.

For hairpin, I had to read that article a few times, and in the end I implemented it at a few places, then I rolled it back, as using DNS was so much easier. For the 4 rules, I meant 4 steps. You may have to follow it closely a few times to understand the 4 steps.

When adding the static DNS cache entry to the Tik, only the relevant address needs to be added, no need for parent domains.

Hairpin NAT is only required when both client and server are in the same subnet. You have two subnets => you don’t need hairpin NAT. You do not need to override the hostname either; that’s useful instead of hairpin NAT to save the packets a trip to the router and back. But if they are going through (I assume) the same router anyway, it won’t make things easier.

No matter what you do, you will have to allow this traffic in firewall filter… in some way. What you need is (example for web):

/ip firewall nat
add chain=dstnat dst-address=<public IP> protocol=tcp dst-port=80,443 action=dst-nat to-addresses=192.168.100.x
/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat

The second rule must be before the one used to block traffic between the two subnets. It allows previously dstnatted packets, so a connection from 192.168.0.x forwarded to server 192.168.100.x will succeed, but direct connections from 192.168.0.x to 192.168.100.x will still be blocked by your original rule.

If you go lazy and do the DNS thing… You can only port forward to one IP. Not good if you have different services on different devices.

Sob left out the subnet back on subnet on interface rule.

If you mean the srcnat rule with same src/dst-address=/ used with hairpin NAT, that’s not needed here. It’s needed when client thinks that it communicates with some external address, but server would see client’s real address from same subnet, would reply directly and that would not work, because client expects reply from that external address. But in this case, even if server sees client’s real address, the reply will still be sent to router, because the address is in another subnet. And it will work.

Stated in his initial post that it doesn’t work on his network.

Seems he would need to see that rule to get a concept for why it works.

My guess is that it’s because of the firewall filter. We didn’t see the config, but if it unconditionally blocks traffic between the two LANs, it can’t work no matter what’s done with NAT.

Thanks so far guys!
I added a static DNS entry to my mikrotik and made a forward dstnat accept filter rule. But it still won’t work.

Here are my exports:

export hide-sensitive 
# mar/12/2019 13:48:21 by RouterOS 6.44
# software id = XXX
#
# model = RB760iGS
# serial number = XXX
/interface ethernet
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=ether3 name=vlan10 vlan-id=10
add interface=ether3 name=vlan20 vlan-id=20
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.0.10-192.168.0.40
add name=dhcp_pool6 ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool10 ranges=192.168.10.2-192.168.10.254
add name=DMZ ranges=192.168.100.2-192.168.100.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether5 lease-time=2h name=server1
add address-pool=dhcp_pool6 disabled=no interface=vlan20 name=dhcp2
add address-pool=DMZ disabled=no interface=ether4 name=dhcp3
add address-pool=dhcp_pool10 disabled=no interface=vlan10 name=dhcp4
/dude
set enabled=yes
/interface list member
add interface=ether1 list=WAN
add interface=ether5 list=LAN
/ip address
add address=192.168.0.1/24 interface=ether5 network=192.168.0.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
add address=192.168.100.1/24 interface=ether4 network=192.168.100.0
add address=XXX/30 interface=ether1 network=YYY
/ip dhcp-server lease
add address=192.168.0.136 allow-dual-stack-queue=no disabled=yes mac-address=00:00:00:00:00:00 server=server1
add address=192.168.0.113 allow-dual-stack-queue=no mac-address=00:00:00:00:00:00 server=server1
add address=192.168.0.26 client-id=00:00:00:00:00:00 mac-address=00:00:00:00:00:00 server=server1
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.113,192.168.0.3 gateway=192.168.0.1 netmask=24
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1 netmask=24
add address=192.168.100.0/24 dns-server=192.168.100.1 gateway=192.168.100.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.100.110 name=test.com
/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat
add action=accept chain=forward dst-address=192.168.0.0/24 dst-port=80,443 protocol=tcp src-address=192.168.100.110 src-port=80,443
add action=accept chain=forward dst-address=192.168.100.110 dst-port=80,443 protocol=tcp src-address=192.168.0.0/24 src-port=80,443
add action=drop chain=forward dst-address=192.168.100.0/24 src-address=192.168.0.0/24
add action=drop chain=forward dst-address=192.168.20.0/24 src-address=192.168.0.0/24
add action=drop chain=forward dst-address=192.168.0.0/24 src-address=192.168.100.0/24
add action=drop chain=forward dst-address=192.168.0.0/24 src-address=192.168.20.0/24
add action=drop chain=input comment="drop ssh from wan" connection-state=related dst-port=22 log=yes protocol=tcp
add action=drop chain=input comment="drop winbox from wan" dst-port=8291 in-interface-list=WAN log=yes protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment="HTTPS an reverse proxy" dst-address=XXX dst-port=80,443 in-interface=ether1 \
    protocol=tcp to-addresses=192.168.100.110 to-ports=443
add action=dst-nat chain=dstnat dst-address=XXX dst-port=8444 in-interface=ether1 protocol=tcp to-addresses=192.168.100.110 \
    to-ports=443
add action=dst-nat chain=dstnat comment="HTTP an reverse proxy" disabled=yes dst-address=XXX dst-port=80 in-interface=ether1 \
    protocol=tcp to-addresses=192.168.100.110 to-ports=80
add action=dst-nat chain=dstnat dst-address=XXX dst-port=50000 in-interface=ether1 protocol=tcp to-addresses=192.168.100.52 \
    to-ports=50000
add action=dst-nat chain=dstnat dst-address=XXX dst-port=1194 in-interface=ether1 protocol=udp to-addresses=192.168.0.113 \
    to-ports=1194
add action=dst-nat chain=dstnat dst-address=XXX dst-port=1195 in-interface=ether1 protocol=udp to-addresses=192.168.0.250 \
    to-ports=1195
add action=dst-nat chain=dstnat disabled=yes dst-address=192.168.0.11 dst-port=32400 in-interface=ether1 protocol=tcp to-addresses=\
    192.168.0.117 to-ports=26065
add action=dst-nat chain=dstnat comment="192.168.0.117: Plex Media Server" dst-address=XXX dst-port=26065 in-interface=ether1 \
    protocol=tcp to-addresses=192.168.0.117 to-ports=32400
add action=dst-nat chain=dstnat comment="192.168.0.117: Plex Media Server" dst-address=XXX dst-port=26070 in-interface=ether1 \
    protocol=tcp to-addresses=192.168.0.136 to-ports=32400
add action=masquerade chain=srcnat disabled=yes dst-address=XXX dst-port=443 out-interface=ether4 protocol=tcp src-address=\
    192.168.0.0/24
/ip firewall service-port
set ftp disabled=yes
/ip ipsec policy
set 0 disabled=yes
/ip route
add distance=1 gateway=YYY
/ip service
set telnet address=192.168.0.0/24 disabled=yes
set ftp address=192.168.0.0/24 disabled=yes
set www address=192.168.0.0/24
set ssh address=192.168.0.0/24
set api address=192.168.0.0/24 disabled=yes
set winbox address=192.168.0.0/24
set api-ssl address=192.168.0.0/24 disabled=yes
/ip ssh
set allow-none-crypto=yes
/ip upnp
set allow-disable-external-interface=yes
/ip upnp interfaces
add type=internal
add interface=ether1 type=external
/snmp
set enabled=yes trap-generators=""
/system clock
set time-zone-name=Europe/Berlin
/tool bandwidth-server
set enabled=no
/tool graphing interface
add interface=ether1
add interface=ether5
add interface=ether2
add interface=ether3
add interface=ether4
add interface=vlan20
add interface=vlan10
/tool mac-server ping
set enabled=no

I tried to disable the filter rule which blocks the traffic between both networks, but this didn’t change anything. Still no access to my domain.

edit: If I add my domain and the IP of my reverse Proxy to the /etc/hosts file of my Win 10 computer AND if I disable the filter rules THEN it will work.
Now I know two things:

  1. the static DNS entry into RouterOS doesn’t work
  2. the accept forward rule doesn’t work either

Gotta use the EXTERNAL IP… interface won’t do it.

Like SOB put it…
/ip firewall nat
add chain=dstnat dst-address= protocol=tcp dst-port=80,443 action=dst-nat to-addresses=192.168.100.x

PUBLIC IP.

Okay so if this is all true, and not some sad sob story LOL, then shouldn’t the rule include a source address list for added security??
add chain=dstnat dst-address= protocol=tcp dst-port=80,443 action=dst-nat to-addresses=192.168.100.x src-address-list=Internal_Access

This dst NAT is already running, otherwise I wouldn’t have access from outside.
Here:
add action=dst-nat chain=dstnat comment="HTTPS an reverse proxy" dst-address=XXX dst-port=80,443 in-interface=ether1 \
    protocol=tcp to-addresses=192.168.100.110 to-ports=443

XXX is my external IP.

No in interface.

The external IP is what you need.
A separate rule deals with local-address list to local-address list on Local interface.

You can drop these, no real-world connection will ever have both source and destination ports 80/443:

/ip firewall filter
add action=accept chain=forward dst-address=192.168.0.0/24 dst-port=80,443 protocol=tcp src-address=192.168.100.110 src-port=80,443
add action=accept chain=forward dst-address=192.168.100.110 dst-port=80,443 protocol=tcp src-address=192.168.0.0/24 src-port=80,443

This rule is enough to allow any forwarded ports from anywhere to anywhere:

/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat

And you should probably read some more about setting up a useful firewall, because now you only block selected traffic between local subnets, but everything else is wide open. If someone in your ISP’s network decided to connect to any of your 192.168.x.x devices, your router would happily let them.

Next, I don’t think you want dst-port=80,443 and to-ports=443 in the same dstnat rule, because it will send both port 80 and 443 to port 443. If you don’t forward an outside port to a different inside port, just leave to-ports blank.

And as was already pointed out, use only dst-address=XXX, not in-interface=ether1. I don’t know why people always use in-interface for port forwarding; it will bite them sooner or later. :)
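As an added example (not code from the thread or from MikroTik), a small Python model of the first-match evaluation order sob describes here and in the earlier post about connection-nat-state=dstnat: the dstnat chain rewrites the destination before routing, and only then does the forward chain see the rule order. PUBLIC_IP, the interface names and the client addresses are constructed placeholders for the poster's redacted values.

```python
import ipaddress

PUBLIC_IP = "203.0.113.10"      # constructed stand-in for the redacted "XXX"
WEB = "192.168.100.110"         # reverse proxy address from the export
ROUTER_OWN = {PUBLIC_IP, "192.168.0.1", "192.168.100.1"}   # router's own IPs

def in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def dstnat(pkt, rules):
    """Apply the first matching dstnat rule; a missing matcher matches anything."""
    for r in rules:
        if r.get("dst_address") not in (None, pkt["dst"]):
            continue
        if r.get("in_interface") not in (None, pkt["in_if"]):
            continue
        if pkt["dport"] not in r["dst_port"]:
            continue
        new = dict(pkt, dst=r["to_addresses"], nat_state="dstnat")
        if r.get("to_ports"):
            new["dport"] = r["to_ports"]   # applied to every port the rule matched
        return new
    return dict(pkt, nat_state=None)

def forward(pkt, rules):
    """First-match verdict of the forward chain; RouterOS defaults to accept."""
    for r in rules:
        if r.get("nat_state", pkt["nat_state"]) != pkt["nat_state"]:
            continue
        if "src" in r and not in_net(pkt["src"], r["src"]):
            continue
        if "dst" in r and not in_net(pkt["dst"], r["dst"]):
            continue
        return r["action"]
    return "accept"

def simulate(pkt, nat_rules, filter_rules):
    """Return (final dst address, final dst port, verdict) for one packet."""
    p = dstnat(pkt, nat_rules)
    if p["dst"] in ROUTER_OWN:
        return p["dst"], p["dport"], "input"   # not dstnatted: router's input chain
    return p["dst"], p["dport"], forward(p, filter_rules)

# sob's recommendation: match only the public address, no in-interface, no to-ports.
NAT_FIXED = [{"dst_address": PUBLIC_IP, "dst_port": {80, 443}, "to_addresses": WEB}]
NAT_ORIG = [dict(NAT_FIXED[0], in_interface="ether1", to_ports=443)]  # poster's rule
FILTER = [{"nat_state": "dstnat", "action": "accept"},
          {"src": "192.168.0.0/24", "dst": "192.168.100.0/24", "action": "drop"}]
LAN_CLIENT = {"src": "192.168.0.26", "in_if": "ether5", "dst": PUBLIC_IP, "dport": 443}
WAN_CLIENT = {"src": "198.51.100.7", "in_if": "ether1", "dst": PUBLIC_IP, "dport": 80}
```

With NAT_ORIG the LAN client's packet never matches the dstnat rule (it arrives on ether5, not ether1), so it ends in the router's own input chain instead of being forwarded to the server; a direct 192.168.0.x to 192.168.100.x connection carries no dstnat state and still hits the drop rule.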

I removed the In-Port but still no connection.

/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.0.10-192.168.0.40
add name=dhcp_pool6 ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool10 ranges=192.168.10.2-192.168.10.254
add name=DMZ ranges=192.168.100.2-192.168.100.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether5 lease-time=2h name=server1
add address-pool=dhcp_pool6 disabled=no interface=vlan20 name=dhcp2
add address-pool=DMZ disabled=no interface=ether4 name=dhcp3
add address-pool=dhcp_pool10 disabled=no interface=vlan10 name=dhcp4
/interface list member
add interface=ether1 list=WAN
add interface=ether5 list=LAN
/ip address
add address=192.168.0.1/24 interface=ether5 network=192.168.0.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
add address=192.168.100.1/24 interface=ether4 network=192.168.100.0
add address=EXTERNAL IP/30 interface=ether1 network=AAA
/ip dhcp-server lease
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.100.110 name=domainA
add address=192.168.100.110 name=domainB
add address=192.168.100.110 name=domainC
/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=forward dst-address=192.168.100.0/24 src-address=192.168.0.0/24
add action=drop chain=forward dst-address=192.168.0.0/24 src-address=192.168.100.0/24
add action=drop chain=forward dst-address=192.168.20.0/24 src-address=192.168.0.0/24
add action=drop chain=forward dst-address=192.168.0.0/24 src-address=192.168.20.0/24
add action=drop chain=input comment="drop ssh from wan" connection-state=related dst-port=22 log=yes protocol=tcp
add action=drop chain=input comment="drop winbox from wan" dst-port=8291 in-interface-list=WAN log=yes protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment="HTTPS an reverse proxy" dst-address=EXTERNAL IP dst-port=80,443 protocol=tcp to-addresses=\
    192.168.100.110
add action=dst-nat chain=dstnat dst-address=EXTERNAL IP dst-port=1194 in-interface=ether1 protocol=udp to-addresses=192.168.0.113 \
    to-ports=1194
add action=dst-nat chain=dstnat comment="192.168.0.117: Plex Media Server" dst-address=EXTERNAL IP dst-port=26070 in-interface=ether1 \
    protocol=tcp to-addresses=192.168.0.136 to-ports=32400
/ip ipsec policy
set 0 disabled=yes
/ip route
add distance=1 gateway=YYY

Where is the problem?
And as I understand my firewall, it will block everything except 1194, 26070, 443 and 80, which will be forwarded to the specific servers?

And what does this one do exactly:
"add action=accept chain=forward connection-nat-state=dstnat" ?