Loopback/Hairpin NAT with masquerade srcnat

I have a MikroTik RB3011UiAS, and when it was acquired, the seller set some firewall configs (the full config is below).
But now I need to make a change in the NAT rules so that when a local (LAN) access goes to my external fixed IP, it is redirected to the local IP. Example:

Navigation to EXTERNAL_FIXED_IP:9077 (in browser)
Goes to 10.1.1.20:9077

Searching about it, I saw a solution using this config:

add action=masquerade chain=srcnat dst-address=10.1.1.20 \
    out-interface=ether2 protocol=tcp src-address=\
    10.1.1.0/24 to-ports=9077

When I try to save this config with out-interface set to ether2, I receive this message:

In/out-interface matcher not possible when interface (ether2) is slave - use master instead (bridge)

Well, so I changed out-interface to bridge; no error occurs, but the redirection does not work :confused:

Full config:

# jul/30/2024 12:26:34 by RouterOS 6.47.9
# software id = 2I0U-YF4H
#
# model = RB3011UiAS
# serial number = AAAAAAAAAAAAAAAAAAA
/interface bridge
add admin-mac=AA:BB:CC:DD:EE:FF auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=\
    pppoe-out1-fiber-internet password=pwd9999 use-peer-dns=yes user=\
    my.user.internet
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=ALL-WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.15-192.168.88.254
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes ipsec-secret=abcsecret612 max-mru=1390 max-mtu=1390 use-ipsec=yes
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1-fiber-internet list=ALL-WAN
/ip address
add address=10.1.1.1/24 comment=defconf interface=ether2 network=10.1.1.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server alert
add alert-timeout=10s disabled=no interface=bridge valid-server=\
    AA:BB:CC:DD:EE:FF
/ip dhcp-server lease
add address=192.168.88.11 client-id=1:a1:b2:c3:d4:5:e8 mac-address=\
    A1:B2:C3:D4:05:E8
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=accept chain=forward connection-state=established,related
add action=drop chain=input comment="ignore rest" dst-port=53 \
    in-interface-list=ALL-WAN protocol=udp
add action=drop chain=input comment="ignore rest" dst-port=53 \
    in-interface-list=ALL-WAN protocol=tcp
add action=add-src-to-address-list address-list=port_scanners_list \
    address-list-timeout=4w2d chain=input comment="Port scanners to list " \
    protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=port_scanners_list \
    address-list-timeout=4w2d chain=input comment="NMAP FIN Stealth scan" \
    protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=port_scanners_list \
    address-list-timeout=4w2d chain=input comment="SYN/FIN scan" protocol=tcp \
    tcp-flags=fin,syn
add action=add-src-to-address-list address-list=port_scanners_list \
    address-list-timeout=4w2d chain=input comment="SYN/RST scan" protocol=tcp \
    tcp-flags=syn,rst
add action=add-src-to-address-list address-list=port_scanners_list \
    address-list-timeout=4w2d chain=input comment="FIN/PSH/URG scan" \
    protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=port_scanners_list \
    address-list-timeout=4w2d chain=input comment="ALL/ALL scan" protocol=tcp \
    tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=port_scanners_list \
    address-list-timeout=4w2d chain=input comment="NMAP NULL scan" protocol=\
    tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" \
    src-address-list=port_scanners_list
add action=accept chain=forward comment=\
    "ACCEPT ESTABLISHED CONNECTIONS / RELATED /NEW" connection-state=\
    established
add action=accept chain=forward connection-state=new
add action=accept chain=forward connection-state=related
add action=accept chain=input comment="Allows connections to be established" \
    connection-state=established
add action=accept chain=input dst-port=6915 in-interface-list=ALL-WAN \
    protocol=tcp
add action=accept chain=input in-interface-list=ALL-WAN protocol=ipsec-esp
add action=accept chain=input in-interface-list=ALL-WAN protocol=ipsec-ah
add action=drop chain=input comment="Discard Invalid Connections" \
    connection-state=invalid
add action=drop chain=input comment="Ignore rest" \
    in-interface-list=ALL-WAN protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1-fiber-internet
add action=dst-nat chain=dstnat dst-port=8080 in-interface=\
    pppoe-out1-fiber-internet protocol=tcp to-addresses=10.1.1.20 to-ports=8080
add action=dst-nat chain=dstnat dst-port=9909 in-interface=\
    pppoe-out1-fiber-internet protocol=tcp to-addresses=10.1.1.20 to-ports=9909
add action=dst-nat chain=dstnat dst-port=9077 in-interface=\
    pppoe-out1-fiber-internet protocol=tcp to-addresses=10.1.1.20 to-ports=9077
add action=masquerade chain=srcnat dst-address=10.1.1.20 \
    out-interface=bridge protocol=tcp src-address=\
    10.1.1.0/24 to-ports=9077
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=6915
set api-ssl disabled=yes
/ppp secret
add local-address=192.168.100.1 name=user1 password=somethingpw579 profile=\
    default-encryption remote-address=192.168.100.3 service=l2tp
/system clock
set time-zone-name=America/Sao_Paulo
/system scheduler
add interval=1d name="Reiniciar 6 AM" on-event="/system reboot" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=aug/24/2022 start-time=06:00:00
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

It's because of in-interface=pppoe-out1-fiber-internet in the dstnat rule; such a rule works only from outside. Replace it with either dst-address= (if you have one) or dst-address-type=local.

Thanks for your answer.

I need both rules to work: external access and internal access. So, instead of replacing it, I created a new rule with:

add action=dst-nat chain=dstnat dst-port=9077 in-interface=\
    pppoe-out1-fiber-internet protocol=tcp dst-address=MY_EXTERNAL_IP to-addresses=10.1.1.20 to-ports=9077

It did not work, so I tried changing in-interface from fiber-internet to bridge (below). In this test the browser keeps loading and then says timeout:

add action=dst-nat chain=dstnat dst-port=9077 in-interface=bridge protocol=tcp dst-address=MY_EXTERNAL_IP to-addresses=10.1.1.20 to-ports=9077

No success.

About "dst-address-type=local", I did not find this option in the graphical interface.

Thanks.

I meant to replace the in-interface option. You most likely don't need it at all; no in-interface means that it works from all.

Dst-address should work. Well, at least from LAN. From WAN it wouldn't if MY_EXTERNAL_IP is not directly on this router (NAT 1:1 or something from another router).

In WinBox you can find dst-address-type on the rule's Extra tab. And again, the success depends on where exactly MY_EXTERNAL_IP is.

I kept only one entry and removed in-interface. Set MY_EXTERNAL_IP in dst-address, but it did not work. Tried dst-address-type after, but no success either.

add action=dst-nat chain=dstnat dst-port=9077 protocol=tcp dst-address=EXTERNAL_IP to-addresses=10.1.1.20 to-ports=9077

Simple network drawing
https://ibb.co/LSJjhzg

On another look, it's also your hairpin rule: to-ports is wrong, it should be dst-port. Or it can be simplified as:

/ip firewall nat
add chain=srcnat src-address=10.1.1.0/24 dst-address=10.1.1.0/24 action=masquerade

And it will cover all other ports you might want to access in future.
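As an added illustration (not code from this thread or from MikroTik), a small Python model of how the router's NAT rules act on a SYN to EXTERNAL_IP:9077. It shows why the in-interface match leaves LAN clients without dst-nat, and why the hairpin masquerade is needed so the server's reply travels back through the router. The public IP, the LAN client and the WAN client are assumed placeholder values.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed values: the server and LAN are from the thread; the public IP is a
# TEST-NET placeholder standing in for MY_EXTERNAL_IP, and the clients are assumed.
EXTERNAL_IP = "203.0.113.10"
ROUTER_LAN_IP = "10.1.1.1"
SERVER = "10.1.1.20"
LAN = ip_network("10.1.1.0/24")
WAN_IFACE = "pppoe-out1-fiber-internet"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str


def in_lan(ip: str) -> bool:
    return ip_address(ip) in LAN


def dstnat(pkt: Packet, in_iface: Optional[str]) -> Packet:
    """The thread's dst-nat rule for 9077; in_iface=None models 'no in-interface'."""
    if pkt.dport == 9077 and pkt.dst == EXTERNAL_IP and in_iface in (None, pkt.in_iface):
        return replace(pkt, dst=SERVER)
    return pkt


def srcnat(pkt: Packet, hairpin: bool) -> Packet:
    """Hairpin rule suggested in the thread: masquerade src=LAN dst=LAN."""
    if hairpin and in_lan(pkt.src) and in_lan(pkt.dst):
        return replace(pkt, src=ROUTER_LAN_IP)
    return pkt


def simulate(client: str, in_iface: str, dstnat_iface: Optional[str], hairpin: bool) -> str:
    """Return what happens to a SYN from client to EXTERNAL_IP:9077."""
    pkt = dstnat(Packet(client, EXTERNAL_IP, 9077, in_iface), dstnat_iface)
    if pkt.dst != SERVER:
        return "no-dnat"      # rule did not match: the router itself stays the target
    pkt = srcnat(pkt, hairpin)
    if in_lan(client) and pkt.src == client:
        # The server answers the LAN client directly with src 10.1.1.20, but the
        # client expects an answer from EXTERNAL_IP, so the reply is not recognised.
        return "asymmetric"
    return "ok"               # reply returns via the router, which reverses both NATs
```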

I applied this masquerade and removed in-interface=pppoe-out1-fiber-internet in the dst-nat rule, and it worked.
Thanks so much :smiley: