[Help] Dual WAN with load balancing and dst-nat through bridge

Hi Everyone,

I have a Mikrotik setup with two ADSL routers in bridge mode, and also a bridge on the LAN side with ETH2 and ATH0 connected in the bridge. The bridge interface has an internal IP of 10.0.1.254/16. All computers and servers get IPs from the 10.0.0.0/16 range. I have set up a dst-nat to port 80 for one of the servers in the LAN, and it works perfectly if you are accessing it from a public network. However, I cannot get hairpin NAT to work, so a client from within the LAN cannot access the server via the DynDNS host. I have read the Mikrotik-suggested hairpin NAT setup, but none of the examples fit my scenario. On top of all of that, I also use the two ADSL lines for load balancing using IP ranges and mangle route marks. One thing to consider is that the WAN interfaces get different public IPs, but they use the same gateway, as they are in the same ADSL exchange.

So far I have the dual WAN with load balancing and the dst-nat from outside the network working fine, but I cannot get the hairpin NAT to work. Clients within the local LAN can access the server using its IP, but they cannot access it using the xxx.dyndns.org host.

My RouterOS version is 6.19

I have attached a diagram of the setup to make it easier to put together. Does anyone have any idea how hairpin NAT would work in this scenario?
WorkNetwork.jpg

(BUMP)

Hi,

Check this. Remember to place this rule before your ADSL NAT rules and change the out-interface to match your LAN bridge. If this does not work, post your configuration.

# Hairpin (NAT loopback) srcnat rule: a LAN client that reaches the server
# through the router's public address is given the router's own LAN address
# as source, so the server's reply comes back through the router, where the
# dst-nat translation can be reversed. It must sit before the uplink
# masquerade rules, and "bridge1" stands for whatever the LAN bridge is called.
# It only covers TCP/80; widen dst-port if other forwarded ports are also
# needed from inside. It also relies on a dstnat rule that matches
# LAN-originated packets (i.e. one without an in-interface restriction).
/ip firewall nat
add chain=srcnat src-address=10.0.0.0/16
dst-address=10.0.3.107 protocol=tcp dst-port=80
out-interface=bridge1 action=masquerade




Krzysiek

I have tried this, but unfortunately it did not work.

sep/01/2014 11:40:39 by RouterOS 6.19

software id = 4VSQ-8C1W

# LAN bridge; ether2 and wlan3 are added as ports further down and the
# 10.0.1.254/16 address is assigned to it under /ip address.
/interface bridge
add name=WWC-Intranet
/interface ethernet
set [ find default-name=ether1 ] comment=“Primary ADSL ()”
# arp=proxy-arp on the secondary WAN ethernet (and on wlan3 below) makes the
# router answer ARP for any address it can route. It is not needed for a
# PPPoE uplink and widens what the router will claim on that segment;
# worth reviewing.
set [ find default-name=ether3 ] arp=proxy-arp comment=
“Secondary ADSL (DGN1000v3-A)”
/ip neighbor discovery
set ether1 comment=“Primary ADSL ()”
set ether3 comment=“Secondary ADSL (DGN1000v3-A)”
# WPA2-PSK profile for the AP; the pre-shared keys are redacted in this paste.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods=“” mode=dynamic-keys name=WWC
supplicant-identity=“” wpa-pre-shared-key=XXXXXXXX wpa2-pre-shared-key=
XXXXXXXX
/interface wireless
set [ find default-name=wlan1 ] arp=proxy-arp band=2ghz-b/g/n dfs-mode=
no-radar-detect disabled=no distance=indoors frame-lifetime=50 frequency=
2457 ht-rxchains=1 ht-txchains=1 hw-retries=4 l2mtu=2290 mode=ap-bridge
multicast-helper=disabled name=wlan3 periodic-calibration=disabled
security-profile=WWC ssid=WWC-APPLE wireless-protocol=802.11
/interface wireless nstreme
set wlan3 enable-polling=no
# The default IPsec proposal is restricted to 3DES, a legacy cipher. No IPsec
# peer appears in this export, so the proposal may be unused — confirm before
# relying on it, and prefer AES if IPsec is ever enabled.
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
# Address pools: VPN for PPTP clients, Intranet for DHCP with Spillover as the
# overflow pool. The dst-nat target 10.0.3.107 (see /ip firewall nat) is
# outside the VPN pool range but inside the same 10.0.0.0/16.
/ip pool
add name=VPN ranges=10.0.3.1-10.0.3.100
add name=Spillover ranges=10.0.4.1-10.0.4.254
add name=Intranet next-pool=Spillover ranges=10.0.1.130-10.0.1.190
/ip dhcp-server
add address-pool=Intranet disabled=no interface=WWC-Intranet lease-time=1w
name=dhcp1
/port
set 0 name=serial0
# Profile for the PPTP server enabled below. PPTP with MS-CHAP is widely
# regarded as broken; a stronger VPN (e.g. L2TP/IPsec) would be the safer
# choice for remote access into this LAN.
/ppp profile
add local-address=10.0.3.254 name=VPN remote-address=VPN use-encryption=yes
# Both uplinks are PPPoE sessions with add-default-route=no; default routes
# are added by hand under /ip route, one per routing mark. Credentials are
# redacted (XXXX) in this paste.
/interface pppoe-client
add ac-name=“” add-default-route=no allow=pap,chap,mschap1,mschap2
dial-on-demand=no disabled=no interface=ether1 keepalive-timeout=60
max-mru=1480 max-mtu=1480 mrru=disabled name=“AFRIHOST Primary” password=
XXXXXXXX profile=default service-name=“” use-peer-dns=no user=
XXXXXXXXXX
add ac-name=“” add-default-route=no allow=pap,chap,mschap1,mschap2
dial-on-demand=no disabled=no interface=ether3 keepalive-timeout=60
max-mru=1480 max-mtu=1480 mrru=disabled name=“AFRIHOST Secondary”
password=XXXXXXX profile=default service-name=“” use-peer-dns=no user=
XXXXXXXXXX
# Outbound PPTP tunnel named STATIC_IP; it is used as the gateway for the IOL
# routing table and several host routes under /ip route.
/interface pptp-client
add add-default-route=no allow=chap,mschap1,mschap2 connect-to=87.236.210.108
dial-on-demand=no disabled=no keepalive-timeout=60 max-mru=1450 max-mtu=
1450 mrru=1600 name=STATIC_IP password=XXXXXXXXXX profile=
default-encryption user=XXXXXXXX
/interface bridge port
add bridge=WWC-Intranet interface=ether2
add bridge=WWC-Intranet interface=wlan3
# use-ip-firewall=yes sends traffic bridged between ether2 and wlan3 through
# /ip firewall (filter, NAT, mangle) as well. The hairpin case is routed (the
# client addresses the router's public IP), so this setting is not what makes
# it work; it does mean the catch-all masquerade and the mangle mark-routing
# rules presumably also act on plain LAN-to-LAN traffic — confirm whether that
# is intended.
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes
use-ip-firewall-for-vlan=yes
/interface pptp-server server
set default-profile=VPN enabled=yes
# Single LAN address on the bridge; the duplicate on ether2 is disabled
# (ether2 is a bridge port, so the bridge carries the address).
/ip address
add address=10.0.1.254/16 interface=WWC-Intranet network=10.0.0.0
add address=10.0.1.254/16 disabled=yes interface=ether2 network=10.0.0.0
# DHCP clients receive the public resolvers first and the router last, so
# they resolve the DynDNS name to the public address and their traffic must
# hairpin through the router. A static DNS entry on the router mapping the
# DynDNS name to 10.0.3.107 (with the router listed first, and only if the
# router's allow-remote-requests is enabled — not shown in this export) would
# avoid hairpin NAT for LAN clients altogether.
/ip dhcp-server network
add address=10.0.0.0/16 dns-server=8.8.8.8,8.8.4.4,10.0.1.254 gateway=
10.0.1.254 netmask=16
# The router lists its own LAN address as its first upstream DNS server,
# i.e. it points its resolver at itself — presumably unintended; confirm.
/ip dns
set servers=10.0.1.254,8.8.8.8,8.8.4.4
# Address lists: primary_adsl_user_list / secondary_adsl_user_list select the
# uplink via the mangle rules; IOL holds destinations forced through the
# STATIC_IP tunnel. "LocalNet" (10.0.0.0/16) and "test" are defined but no
# rule in this export references them. Note that the forwarded web server
# 10.0.3.107 is itself a member of secondary_adsl_user_list.
/ip firewall address-list
add address=197.221.46.188 list=test
add address=10.0.3.45 disabled=yes list=secondary_adsl_user_list
add address=10.0.3.47 list=secondary_adsl_user_list
add address=10.0.3.41 disabled=yes list=secondary_adsl_user_list
add address=10.0.1.41 disabled=yes list=secondary_adsl_user_list
add address=10.0.3.46 list=secondary_adsl_user_list
add address=10.0.1.46 list=secondary_adsl_user_list
add address=10.0.1.40 comment=“##WIFI DEV & HTML” list=
secondary_adsl_user_list
add address=10.0.3.40 comment=“##ETH DEV & HTML” list=
secondary_adsl_user_list
add address=10.0.1.45 list=secondary_adsl_user_list
add address=10.0.1.47 list=secondary_adsl_user_list
add address=10.0.1.59 list=secondary_adsl_user_list
add address=10.0.3.59 list=secondary_adsl_user_list
add address=10.0.1.55 list=secondary_adsl_user_list
add address=10.0.3.55 list=secondary_adsl_user_list
add address=10.0.1.49 list=secondary_adsl_user_list
add address=10.0.3.49 list=secondary_adsl_user_list
add address=10.0.1.43 list=secondary_adsl_user_list
add address=10.0.3.43 list=secondary_adsl_user_list
add address=10.0.1.1-10.0.1.39 list=primary_adsl_user_list
add address=10.0.0.0/16 list=LocalNet
add address=10.0.3.42 list=secondary_adsl_user_list
add address=10.0.1.159 list=secondary_adsl_user_list
add address=10.0.2.58 list=secondary_adsl_user_list
add address=10.0.3.50 list=secondary_adsl_user_list
add address=10.0.1.50 list=secondary_adsl_user_list
add address=54.229.235.11 list=IOL
add address=54.72.120.251 list=IOL
add address=104.28.14.80 list=IOL
add address=54.77.71.166 list=IOL
add address=104.28.15.80 list=IOL
add address=54.77.78.205 list=IOL
add address=54.77.25.114 list=IOL
add address=10.0.1.106 disabled=yes list=secondary_adsl_user_list
add address=10.0.3.107 list=secondary_adsl_user_list
add address=10.0.1.155 list=secondary_adsl_user_list
add address=10.0.1.65 list=secondary_adsl_user_list
add address=107.170.186.111 list=IOL
add address=54.194.87.168 list=IOL
add address=54.194.92.63 list=IOL
add address=54.76.11.125 list=IOL
add address=10.0.3.48 list=secondary_adsl_user_list
/ip firewall mangle
# These two rules have no action: they only count packets arriving on each
# uplink. Nothing below marks inbound connections by in-interface, so replies
# to inbound dst-nat'd connections are not pinned to the uplink they arrived
# on; that is usually done here with mark-connection + mark-routing.
add chain=prerouting in-interface=“AFRIHOST Primary”
add chain=prerouting in-interface=“AFRIHOST Secondary”
add action=mark-routing chain=prerouting comment=“IOL Route mark”
dst-address-list=IOL new-routing-mark=IOL passthrough=no
# Marks new TCP connections from 10.0.1.0/24, but connection_primary_adsl is
# not referenced by any later rule, so the mark is currently unused.
add action=mark-connection chain=prerouting comment=“## Primary ADSL mark”
connection-state=new new-connection-mark=connection_primary_adsl
protocol=tcp src-address=10.0.1.0/24
# Marks EVERY packet from 10.0.1.0/24 for the primary_adsl table, including
# packets addressed to the router's own public IP — the hairpin case. The
# primary_adsl table holds only a default route via the primary PPPoE (see
# /ip route), so after dst-nat the packet (now for 10.0.3.107) is sent toward
# the ISP instead of back into the bridge. This is the likely reason hairpin
# NAT fails here: adding `dst-address-type=!local` to this rule (and to the
# secondary mark-routing rule below) keeps traffic for the router's own
# addresses in the main table, where the connected 10.0.0.0/16 route lives.
add action=mark-routing chain=prerouting new-routing-mark=primary_adsl
passthrough=no src-address=10.0.1.0/24
# Unlike the primary rule this has no connection-state=new, so it re-marks on
# every packet, including replies from listed hosts such as 10.0.3.107 on
# connections that arrived via the primary uplink; those replies presumably
# then leave via the secondary uplink — confirm in the connection table.
add action=mark-connection chain=prerouting comment=“## Secondary ADSL mark”
new-connection-mark=connection_secondary_adsl protocol=tcp
src-address-list=secondary_adsl_user_list
add action=mark-routing chain=prerouting connection-mark=
connection_secondary_adsl new-routing-mark=secondary_adsl
/ip firewall nat
# Hairpin srcnat (the rule suggested in the thread), correctly placed before
# the uplink masquerade rules. It only covers TCP/80 to 10.0.3.107; the
# 9418 and 60022 forwards to the same host below get no hairpin treatment, so
# extend dst-port if those are also needed from inside the LAN.
add action=masquerade chain=srcnat dst-address=10.0.3.107 dst-port=80
out-interface=WWC-Intranet protocol=tcp src-address=10.0.0.0/16
add action=masquerade chain=srcnat out-interface=“AFRIHOST Secondary”
add action=masquerade chain=srcnat out-interface=“AFRIHOST Primary”
# Catch-all masquerade with no out-interface: every forwarded connection not
# matched above is source-translated whichever interface it leaves by,
# including the LAN bridge and the PPTP tunnels. Together with
# use-ip-firewall=yes it may also rewrite plain LAN-to-LAN traffic, which hides
# the real client address from the server and its logs. Narrow it to the
# interface that actually needs it (e.g. STATIC_IP) or remove it.
add action=masquerade chain=srcnat
# Public-address dst-nat rules with dst-address-type=local and no in-interface:
# these are the only dstnat rules that can match hairpin traffic from the LAN.
# Both public addresses are hard-coded; PPPoE-assigned addresses can change and
# the rule would then silently stop matching (105.237.60.11 also appears as
# pref-src on the disabled secondary default route) — verify they still match
# the current session addresses.
add action=dst-nat chain=dstnat dst-address=105.237.60.11 dst-address-type=
local dst-port=80 protocol=tcp to-addresses=10.0.3.107 to-ports=80
add action=dst-nat chain=dstnat dst-address=105.236.153.39 dst-address-type=
local dst-port=80 protocol=tcp to-addresses=10.0.3.107 to-ports=80
# Per-uplink versions of the same port-80 forward; with the two rules above,
# inbound port 80 is covered twice (harmless but redundant).
add action=dst-nat chain=dstnat dst-address-type=“” dst-port=80 in-interface=
“AFRIHOST Primary” protocol=tcp to-addresses=10.0.3.107 to-ports=80
add action=dst-nat chain=dstnat dst-address-type=“” dst-port=80 in-interface=
“AFRIHOST Secondary” protocol=tcp to-addresses=10.0.3.107 to-ports=80
# git daemon (9418) and a non-standard port (60022) forwarded from both
# uplinks to the same host; these are exposed to the whole internet.
add action=dst-nat chain=dstnat dst-address-type=“” dst-port=9418
in-interface=“AFRIHOST Primary” protocol=tcp to-addresses=10.0.3.107
to-ports=9418
add action=dst-nat chain=dstnat dst-address-type=“” dst-port=9418
in-interface=“AFRIHOST Secondary” protocol=tcp to-addresses=10.0.3.107
to-ports=9418
add action=dst-nat chain=dstnat dst-address-type=“” dst-port=60022
in-interface=“AFRIHOST Primary” protocol=tcp to-addresses=10.0.3.107
to-ports=60022
add action=dst-nat chain=dstnat dst-address-type=“” dst-port=60022
in-interface=“AFRIHOST Secondary” protocol=tcp to-addresses=10.0.3.107
to-ports=60022
# SVN forward with neither in-interface nor dst-address: it matches ANY TCP
# packet to port 3690 passing the router, so a LAN client connecting to an
# external SVN server on 3690 is redirected to 10.0.1.106 instead. Add
# in-interface or dst-address-type=local as the other rules do.
add action=dst-nat chain=dstnat comment=“## SVN” dst-address-type=“”
dst-port=3690 protocol=tcp to-addresses=10.0.1.106 to-ports=3690
# RDP (3389) on 10.0.1.106 is reachable from the internet on both uplinks.
# Publicly exposed RDP is a common brute-force target; prefer reaching it over
# the VPN, or at least restrict src-address to known ranges.
add action=dst-nat chain=dstnat comment=“## Remote Desktop” dst-address-type=
“” dst-port=3389 in-interface=“AFRIHOST Primary” protocol=tcp
to-addresses=10.0.1.106 to-ports=3389
add action=dst-nat chain=dstnat dst-address-type=“” dst-port=3389
in-interface=“AFRIHOST Secondary” protocol=tcp to-addresses=10.0.1.106
to-ports=3389
/ip route
# One default route per routing table. The marked tables contain no route for
# 10.0.0.0/16, so any packet that carries one of these marks and has a LAN
# destination is sent to the uplink rather than to the bridge — this is what
# breaks the hairpin case once mangle marks it (see /ip firewall mangle).
add distance=1 gateway=STATIC_IP routing-mark=IOL
add distance=1 gateway=“AFRIHOST Primary” routing-mark=primary_adsl
add distance=3 gateway=“AFRIHOST Secondary” routing-mark=secondary_adsl
# Disabled host routes in the secondary table; dead configuration that could
# be pruned. 54.72.120.25 here vs 54.72.120.251 in the IOL address list —
# possibly a typo in one of them; verify.
add disabled=yes distance=1 dst-address=54.72.120.25/32 gateway=STATIC_IP
routing-mark=secondary_adsl
add disabled=yes distance=1 dst-address=54.229.161.51/32 gateway=STATIC_IP
routing-mark=secondary_adsl
add disabled=yes distance=1 dst-address=54.229.235.11/32 gateway=STATIC_IP
routing-mark=secondary_adsl
add disabled=yes distance=1 dst-address=54.246.204.200/32 gateway=STATIC_IP
routing-mark=secondary_adsl
# Active host routes in the secondary table via the STATIC_IP tunnel.
add distance=1 dst-address=107.170.186.111/32 gateway=STATIC_IP routing-mark=
secondary_adsl
add distance=1 dst-address=164.88.11.25/32 gateway=STATIC_IP routing-mark=
secondary_adsl
add distance=1 dst-address=164.88.15.29/32 gateway=STATIC_IP routing-mark=
secondary_adsl
add comment=SURFLINE distance=1 dst-address=172.25.38.75/32 gateway=STATIC_IP
routing-mark=secondary_adsl
add distance=1 dst-address=196.7.85.150/32 gateway=STATIC_IP routing-mark=
secondary_adsl
# Main-table default via the primary uplink only. The secondary main-table
# default is disabled; its pref-src 105.237.60.11 presumably was the secondary
# session's address at export time — the same address the dst-nat rules
# hard-code.
add distance=2 gateway=“AFRIHOST Primary”
add disabled=yes distance=2 gateway=“105.236.5.129%AFRIHOST Secondary”
pref-src=105.237.60.11
add disabled=yes distance=1 dst-address=54.72.120.25/32 gateway=STATIC_IP
add disabled=yes distance=1 dst-address=54.229.161.51/32 gateway=STATIC_IP
add disabled=yes distance=1 dst-address=54.229.235.11/32 gateway=STATIC_IP
add disabled=yes distance=1 dst-address=54.246.204.200/32 gateway=STATIC_IP
# Main-table host routes via 192.168.250.250, which is not an address of any
# interface in this export — presumably reachable across one of the tunnels;
# confirm. check-gateway=ping withdraws the route when that hop stops replying.
add comment=IOL distance=1 dst-address=107.170.186.111/32 gateway=
192.168.250.250
add distance=1 dst-address=164.88.11.25/32 gateway=192.168.250.250
add check-gateway=ping distance=1 dst-address=164.88.15.29/32 gateway=
192.168.250.250
add distance=1 dst-address=172.25.38.75/32 gateway=STATIC_IP
add check-gateway=ping comment=“American Swiss” distance=1 dst-address=
196.7.85.150/32 gateway=192.168.250.250
add check-gateway=ping comment=“IOL Payment Gateway” distance=1 dst-address=
196.28.67.201/32 gateway=192.168.250.250
add check-gateway=ping comment=IOL distance=1 dst-address=196.38.8.244/32
gateway=192.168.250.250
add check-gateway=ping distance=1 dst-address=196.38.8.245/32 gateway=
192.168.250.250
add check-gateway=ping distance=1 dst-address=196.38.8.246/32 gateway=
192.168.250.250
# Management services: telnet, ftp, www and ssh are disabled. winbox and api
# do not appear, which in an export presumably means they keep their defaults
# (enabled, reachable from any address); restricting them with address= to
# the LAN/VPN ranges would keep them off the public uplinks.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
/ip upnp
set allow-disable-external-interface=no
# LCD settings — cosmetic only.
/lcd
set default-screen=stats time-interval=weekly
/lcd interface
add interface=“AFRIHOST Primary” timeout=1s
set sfp1 disabled=yes
set ether1 disabled=yes
set ether2 disabled=yes
set ether3 disabled=yes
set ether4 disabled=yes
set ether5 disabled=yes
set ether6 disabled=yes
set ether7 disabled=yes
set ether8 disabled=yes
set ether9 disabled=yes
set ether10 disabled=yes
set wlan3 disabled=yes
/lcd interface pages
add interfaces=“AFRIHOST Primary”
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name=WWC
# NTP client against two fixed servers; accurate time matters for log
# timestamps and for the VPN.
/system ntp client
set enabled=yes primary-ntp=196.21.187.2 secondary-ntp=146.64.58.41

BUMP

BUMP