I cant NAT my second webserver

kd7vea · September 18, 2018, 8:52pm

I have been fighting through some NAT issues and I cant find where the problem is. I just set up My RB3011 a few days ago and finally got my primary webserver NAT/Hairpin configured and working. that webserver is on 192.168.1.10, the issue I am having now is with my Raspbery pi webserver. I follow the same steps but I see that if I try to access it from the wan side, it never touches my NAT/Maq rule. This may or may not be tied to my other issues. I tried to set a static IP on the router to give the Raspberry pi an address of 192.168.1.11, but it will not let go of 192.168.1.209. Does anyone know of issues with the raspberry pi conflicting with the Mikrotik Router? I gave up on changing the static IP, so it is now statically set as 192.168.1.209. My primary webserver(192.168.1.10) is set to port 80, and I am trying to set the raspberry pi(192.168.1.209) server to port 82. Any ideas?

ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=forward connection-nat-state=dstnat in-interface-list=WAN
add action=accept chain=input comment="Allow SSTP VPN" dst-address=160.7.249.40 dst-port=443 protocol=tcp
add action=accept chain=input dst-address=160.7.249.40 dst-port=88 protocol=tcp
add action=accept chain=input dst-port=500 in-interface=ether1 protocol=udp
add action=accept chain=input dst-port=4500 in-interface=ether1 protocol=udp
add action=accept chain=input dst-port=1701 in-interface=ether1 protocol=udp
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=160.7.249.40 dst-port=80 protocol=tcp to-addresses=192.168.1.10
add action=masquerade chain=srcnat dst-address=192.168.1.10 dst-port=80 out-interface=bridge protocol=tcp src-address=192.168.1.0/24
add action=dst-nat chain=dstnat dst-address=160.7.249.40 dst-port=82 protocol=tcp to-addresses=192.168.1.209
add action=masquerade chain=srcnat dst-address=192.168.1.209 dst-port=80 out-interface=bridge protocol=tcp src-address=192.168.1.0/24

EDIT: while doing some more troubleshooting I noticed that my home desktop isnt grabbing the static IP I set for it iether, so its not just the Raspberry pi. I dont know if these issues are related to the NAT not working, but apparently there is something not right with the DHCP server giving out the static Leases, I tried release/renew, and even restarted the computer and it still comes up with an address from the DHCP pool.

jbarbieri · September 18, 2018, 9:35pm

Is your Pi running on port 82 as well?
If not, you forgot to specify the port in the dst-nat

I have:

chain=dstnat action=dst-nat to-addresses=10.0.0.3 to-ports=80 protocol=tcp in-interface=ether1-gateway dst-port=8001 log=no log-prefix=""

So in your case you would want:

add action=dst-nat chain=dstnat dst-address=160.7.249.40 dst-port=82 protocol=tcp to-addresses=192.168.1.209 to-ports=80

If your Pi is running on port 80.

Edit: I wouldn’t put your real IP address on the forum. I found your webgui page. At least you are up to 6.43

kd7vea · September 18, 2018, 10:32pm

Thanks for the info, but that still didn’t work. I did find my issue with the Static IP addresses not working. I had to delete the Client IDs on some devices for them to grab the static address. I will switch some things around to see what i can find

jbarbieri · September 19, 2018, 12:08am

Yea whenever I set a static IP, I would then disable it, then re-enable, then do a release/renew, and it would get the new IP.

You dont need to put your dst-address in there, you can just do dst-port and in-interface is WAN

edit: nevermind i think you need that for hairpin.

edit2:

I think you need this:

add action=masquerade chain=srcnat dst-address=192.168.1.209 dst-port=82 out-interface=bridge protocol=tcp src-address=192.168.1.0/24

Not dst-port 80

Sob · September 19, 2018, 2:31am

Srcnat happens after dstnat, so if dstnat was from dst port 82 to 80, srcnat rule needs dst port 80. Well, generally speaking, in this case you can just skip ports completely and use one common hairpin NAT rule for all:

/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.1.0/24 src-address=192.168.1.0/24 src-address-type=!local

The src-address-type=!local is to skip unnecessary srcnat if the router itself would be connecting to something in 192.168.1.0/24.

Regarding the main problem, if the RasPi’s webserver works and it has this router as default gateway, forwarded port should work too.

jbarbieri · September 19, 2018, 12:57pm

Srcnat happens after dstnat, so if dstnat was from dst port 82 to 80, srcnat rule needs dst port 80. Well, generally speaking, in this case you can just skip ports completely and use one common hairpin NAT rule for all:
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.1.0/24 src-address=192.168.1.0/24 src-address-type=!local
The src-address-type=!local is to skip unnecessary srcnat if the router itself would be connecting to something in 192.168.1.0/24.

Regarding the main problem, if the RasPi’s webserver works and it has this router as default gateway, forwarded port should work too.

But he is hairpinning, so the source would be from his LAN, destination would be his WAN IP.

That is what the Wiki says:

To fix the issue, an additional NAT rule needs to be introduced on the router to enforce that all reply traffic flows through the router, despite the client and server being on the same subnet. The rule below is very specific to only apply to the traffic that the issue could occur with - if there are many servers the issue occurs with, the rule could be made broader to save having one such exception per forwarded service.

/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.2 protocol=tcp dst-port=80 out-interface=LAN action=masquerade

Sob · September 19, 2018, 1:40pm

At first, source is some LAN address and destination is WAN address.
Then dstnat happens and new destination is server’s LAN address.
Then srnat (harpin) needs to happen and change the source. But if this srcnat rule uses dst-address or dst-port, it needs to be the new one.

And wiki is correct, it’s just that intead of two rules (one for each server), you can use common one that covers both.