Multiple gateway hairpin NAT

itandy · July 8, 2016, 11:47am

I have an rb1100ahx2 which is configured to support two independent server farms with their own public address ranges and gateways.

I have setup a mangle rule to mark the routing on the bridge for the second server group and assigned this route mark to the second gateway.

Despite following multiple web and forum suggestions I cannot get hairpin NAT to work and would be grateful for any suggestions as to where I have gone wrong.

The hairpin NAT required is for the following:

Int IP 192.168.16.100 Ext Ip yyy.yyy.yyy.188 Port 443
Int IP 192.168.16.100 Ext Ip yyy.yyy.yyy.188 Port 80
Int IP 192.168.16.100 Ext Ip yyy.yyy.yyy.188 Port 25
Int IP 192.168.16.101 Ext Ip yyy.yyy.yyy.189 Port 25
Int IP 192.168.16.102 Ext Ip yyy.yyy.yyy.190 Port 25

Any advise much appreciated.

Current config:

# jul/08/2016 12:11:05 by RouterOS 6.28
# software id = 
#
/interface bridge
add name=SensibleTempBridge
/interface ethernet
set [ find default-name=ether1 ] comment="Cohere WAN"
set [ find default-name=ether2 ] comment="Cohere LAN"
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2
set [ find default-name=ether6 ] comment="Sensible WAN"
set [ find default-name=ether7 ] comment="Sensible LAN"
set [ find default-name=ether8 ] master-port=ether7
set [ find default-name=ether9 ] master-port=ether7
set [ find default-name=ether10 ] master-port=ether7
/ip neighbor discovery
set ether1 comment="Cohere WAN"
set ether2 comment="Cohere LAN"
set ether6 comment="Sensible WAN"
set ether7 comment="Sensible LAN"
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=SensibleTempBridge interface=ether7
add bridge=SensibleTempBridge interface=ether11
add bridge=SensibleTempBridge interface=ether12
add bridge=SensibleTempBridge interface=ether13
/interface pptp-server server
set enabled=yes
/ip address
add address=xxx.xxx.xxx.146/28 comment="Cohere WAN" interface=ether1 network=\
    xxx.xxx.xxx.144
add address=xxx.xxx.xxx.147/28 interface=ether1 network=xxx.xxx.xxx.144
add address=xxx.xxx.xxx.148/28 interface=ether1 network=xxx.xxx.xxx.144
add address=xxx.xxx.xxx.149/28 interface=ether1 network=xxx.xxx.xxx.144
add address=xxx.xxx.xxx.150/28 interface=ether1 network=xxx.xxx.xxx.144
add address=xxx.xxx.xxx.151/28 interface=ether1 network=xxx.xxx.xxx.144
add address=xxx.xxx.xxx.152/28 interface=ether1 network=xxx.xxx.xxx.144
add address=xxx.xxx.xxx.158/28 interface=ether1 network=xxx.xxx.xxx.144
add address=xxx.xxx.xxx.157/28 interface=ether1 network=xxx.xxx.xxx.144
add address=xxx.xxx.xxx.156/28 interface=ether1 network=xxx.xxx.xxx.144
add address=xxx.xxx.xxx.155/28 interface=ether1 network=xxx.xxx.xxx.144
add address=xxx.xxx.xxx.154/28 interface=ether1 network=xxx.xxx.xxx.144
add address=xxx.xxx.xxx.153/28 interface=ether1 network=xxx.xxx.xxx.144
add address=10.0.0.1/24 comment="Cohere LAN" interface=ether2 network=\
    10.0.0.0
add address=192.168.16.1/24 comment="Sensible LAN" interface=ether7 network=\
    192.168.16.0
add address=yyy.yyy.yyy.178/28 comment="Sensible WAN" interface=ether6 network=\
    yyy.yyy.yyy.176
add address=yyy.yyy.yyy.180/28 interface=ether6 network=yyy.yyy.yyy.176
add address=yyy.yyy.yyy.179/28 interface=ether6 network=yyy.yyy.yyy.176
add address=yyy.yyy.yyy.181/28 interface=ether6 network=yyy.yyy.yyy.176
add address=yyy.yyy.yyy.182/28 interface=ether6 network=yyy.yyy.yyy.176
add address=yyy.yyy.yyy.183/28 interface=ether6 network=yyy.yyy.yyy.176
add address=yyy.yyy.yyy.184/28 interface=ether6 network=yyy.yyy.yyy.176
add address=yyy.yyy.yyy.185/28 interface=ether6 network=yyy.yyy.yyy.176
add address=yyy.yyy.yyy.186/28 interface=ether6 network=yyy.yyy.yyy.176
add address=yyy.yyy.yyy.187/28 interface=ether6 network=yyy.yyy.yyy.176
add address=yyy.yyy.yyy.188/28 interface=ether6 network=yyy.yyy.yyy.176
add address=yyy.yyy.yyy.189/28 interface=ether6 network=yyy.yyy.yyy.176
add address=yyy.yyy.yyy.190/28 interface=ether6 network=yyy.yyy.yyy.176
/ip dns
set servers=8.8.8.8
/ip firewall address-list
add address=xxx.xxx.xxx.xxx comment="Cohere Safe IP list" list=RemoteAdmin
add address=xxx.xxx.xxx.xxx list=RemoteAdmin
add address=xxx.xxx.xxx.xxx list=RemoteAdmin
add address=10.0.0.0/24 list=RemoteAdmin
add address=xxx.xxx.xxx.xxx comment="Sensible Safe IP List" list=Sensible
add address=192.168.16.0/24 list=Sensible
add address=xxx.xxx.xxx.xxx list=Sensible
add address=xxx.xxx.xxx.xxx list=Sensible
/ip firewall filter
add chain=input comment="Allow LAN + Remote Admin" src-address-list=\
    RemoteAdmin
add chain=input connection-state=established,related
add chain=input comment="Allow LAN + Remote Admin Sensible" src-address-list=\
    Sensible
add action=drop chain=input comment="Drop other traffic" log-prefix=dp
/ip firewall mangle
add action=mark-connection chain=prerouting comment=\
    "Mark Network Traffic on LAN (Eth 7) for Sensible gateway" in-interface=\
    SensibleTempBridge new-connection-mark=Sensible
add action=mark-routing chain=prerouting in-interface=SensibleTempBridge \
    new-routing-mark=Sensible
/ip firewall nat
add action=src-nat chain=srcnat comment="Int to Ext IP map Cohere" \
    src-address=10.0.0.2 to-addresses=xxx.xxx.xxx.148
add action=src-nat chain=srcnat src-address=10.0.0.3 to-addresses=\
    xxx.xxx.xxx.149
add action=src-nat chain=srcnat src-address=10.0.0.4 to-addresses=\
    xxx.xxx.xxx.150
add action=src-nat chain=srcnat src-address=10.0.0.5 to-addresses=\
    xxx.xxx.xxx.151
add action=src-nat chain=srcnat src-address=10.0.0.6 to-addresses=\
    xxx.xxx.xxx.152
add action=src-nat chain=srcnat src-address=10.0.0.7 to-addresses=\
    xxx.xxx.xxx.153
add action=src-nat chain=srcnat src-address=10.0.0.8 to-addresses=\
    xxx.xxx.xxx.154
add action=src-nat chain=srcnat src-address=10.0.0.9 to-addresses=\
    xxx.xxx.xxx.155
add action=src-nat chain=srcnat src-address=10.0.0.10 to-addresses=\
    xxx.xxx.xxx.156
add action=src-nat chain=srcnat src-address=10.0.0.11 to-addresses=\
    xxx.xxx.xxx.157
add action=src-nat chain=srcnat comment="Int to Ext IP map Sensible" \
    src-address=192.168.16.10 to-addresses=yyy.yyy.yyy.178
add action=src-nat chain=srcnat src-address=192.168.16.11 to-addresses=\
    yyy.yyy.yyy.179
add action=src-nat chain=srcnat src-address=192.168.16.12 to-addresses=\
    yyy.yyy.yyy.180
add action=src-nat chain=srcnat src-address=192.168.16.30 to-addresses=\
    yyy.yyy.yyy.181
add action=src-nat chain=srcnat src-address=192.168.16.21 to-addresses=\
    yyy.yyy.yyy.182
add action=src-nat chain=srcnat src-address=192.168.16.22 to-addresses=\
    yyy.yyy.yyy.183
add action=src-nat chain=srcnat src-address=192.168.16.23 to-addresses=\
    yyy.yyy.yyy.184
add action=src-nat chain=srcnat src-address=192.168.16.24 to-addresses=\
    yyy.yyy.yyy.185
add action=src-nat chain=srcnat src-address=192.168.16.25 to-addresses=\
    yyy.yyy.yyy.186
add action=src-nat chain=srcnat src-address=192.168.16.26 to-addresses=\
    yyy.yyy.yyy.187
add action=src-nat chain=srcnat src-address=192.168.16.100 to-addresses=\
    yyy.yyy.yyy.188
add action=src-nat chain=srcnat src-address=192.168.16.101 to-addresses=\
    yyy.yyy.yyy.189
add action=src-nat chain=srcnat src-address=192.168.16.102 to-addresses=\
    yyy.yyy.yyy.190
add action=dst-nat chain=dstnat comment="Cohere VSH1" dst-address=\
    xxx.xxx.xxx.148 dst-port=3389 in-interface=ether1 protocol=tcp \
    to-addresses=10.0.0.2 to-ports=3389
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.148 protocol=icmp \
    to-addresses=10.0.0.2
add action=dst-nat chain=dstnat comment="Cohere Mail Hyper-V Web And DB" \
    dst-address=xxx.xxx.xxx.149 dst-port=3389 in-interface=ether1 protocol=tcp \
    to-addresses=10.0.0.3 to-ports=3389
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.149 dst-port=80 \
    in-interface=ether1 protocol=tcp to-addresses=10.0.0.3 to-ports=80
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.149 dst-port=110 \
    in-interface=ether1 protocol=tcp to-addresses=10.0.0.3 to-ports=110
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.149 dst-port=443 \
    in-interface=ether1 protocol=tcp to-addresses=10.0.0.3 to-ports=443
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.149 dst-port=25 \
    in-interface=ether1 protocol=tcp to-addresses=10.0.0.3 to-ports=25
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.149 dst-port=143 \
    in-interface=ether1 protocol=tcp to-addresses=10.0.0.3 to-ports=143
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.149 dst-port=995 \
    in-interface=ether1 protocol=tcp to-addresses=10.0.0.3 to-ports=995
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.149 dst-port=465 \
    in-interface=ether1 protocol=tcp to-addresses=10.0.0.3 to-ports=465
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.149 dst-port=993 \
    in-interface=ether1 protocol=tcp to-addresses=10.0.0.3 to-ports=993
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.149 protocol=icmp \
    to-addresses=10.0.0.3
add action=dst-nat chain=dstnat comment="Cohere Mail Hyper-V Test" \
    dst-address=xxx.xxx.xxx.150 dst-port=3389 in-interface=ether1 protocol=tcp \
    to-addresses=10.0.0.4 to-ports=3389
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.150 dst-port=80 \
    in-interface=ether1 protocol=tcp to-addresses=10.0.0.4 to-ports=80
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.150 dst-port=21 \
    in-interface=ether1 protocol=tcp to-addresses=10.0.0.4 to-ports=21
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.150 dst-port=22 \
    in-interface=ether1 protocol=tcp to-addresses=10.0.0.4 to-ports=22
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.150 dst-port=\
    50000-50100 in-interface=ether1 protocol=tcp to-addresses=10.0.0.4 \
    to-ports=50000-50100
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.150 dst-port=443 \
    in-interface=ether1 protocol=tcp to-addresses=10.0.0.4 to-ports=443
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.150 protocol=icmp \
    to-addresses=10.0.0.4
add action=dst-nat chain=dstnat comment="Cohere xxx.xxx.xxx.158" dst-address=\
    xxx.xxx.xxx.158 dst-port=3389 in-interface=ether1 protocol=tcp \
    to-addresses=10.0.0.12 to-ports=3389
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.158 dst-port=443 \
    in-interface=ether1 protocol=tcp to-addresses=10.0.0.12 to-ports=443
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.158 dst-port=80 \
    in-interface=ether1 protocol=tcp to-addresses=10.0.0.12 to-ports=80
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.158 dst-port=21 \
    in-interface=ether1 protocol=tcp to-addresses=10.0.0.12 to-ports=21
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.158 dst-port=\
    50000-50100 in-interface=ether1 protocol=tcp to-addresses=10.0.0.12 \
    to-ports=50000-50100
add action=dst-nat chain=dstnat comment="Cohere Mail Hyper-V Test" \
    dst-address=xxx.xxx.xxx.151 dst-port=3389 in-interface=ether1 protocol=tcp \
    to-addresses=10.0.0.5 to-ports=3389
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.151 dst-port=80 \
    in-interface=ether1 protocol=tcp to-addresses=10.0.0.5 to-ports=80
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.151 protocol=icmp \
    to-addresses=10.0.0.5
add action=dst-nat chain=dstnat comment="WEB Host" dst-address=yyy.yyy.yyy.178 \
    dst-port=3389 in-interface=ether6 protocol=tcp to-addresses=192.168.16.10 \
    to-ports=3389
add action=dst-nat chain=dstnat dst-address=yyy.yyy.yyy.178 protocol=icmp \
    to-addresses=192.168.16.10
add action=dst-nat chain=dstnat comment="Webfiles RDP" dst-address=\
    yyy.yyy.yyy.179 dst-port=3389 in-interface=ether6 protocol=tcp \
    to-addresses=192.168.16.11 to-ports=3389
add action=dst-nat chain=dstnat comment="Webfiles - External" dst-address=\
    yyy.yyy.yyy.179 dst-port=80 protocol=tcp to-addresses=192.168.16.11 \
    to-ports=80
add action=dst-nat chain=dstnat dst-address=yyy.yyy.yyy.179 dst-port=443 \
    in-interface=ether6 protocol=tcp to-addresses=192.168.16.11 to-ports=443
add action=dst-nat chain=dstnat dst-address=yyy.yyy.yyy.179 dst-port=20-21 \
    in-interface=ether6 protocol=tcp to-addresses=192.168.16.11 to-ports=\
    20-21
add action=dst-nat chain=dstnat comment=Webdata dst-address=yyy.yyy.yyy.180 \
    dst-port=3389 in-interface=ether6 protocol=tcp to-addresses=192.168.16.12 \
    to-ports=3389
add action=dst-nat chain=dstnat dst-address=yyy.yyy.yyy.180 dst-port=20-21 \
    in-interface=ether6 protocol=tcp to-addresses=192.168.16.12 to-ports=\
    20-21
add action=dst-nat chain=dstnat comment="PARIO Accounts" dst-address=\
    yyy.yyy.yyy.181 dst-port=3389 in-interface=ether6 protocol=tcp \
    to-addresses=192.168.16.30 to-ports=3389
add action=dst-nat chain=dstnat comment="PARIOFILE RDP" dst-address=\
    yyy.yyy.yyy.182 dst-port=3389 in-interface=ether6 protocol=tcp \
    to-addresses=192.168.16.21 to-ports=3389
add action=dst-nat chain=dstnat dst-address=yyy.yyy.yyy.182 dst-port=3391 \
    in-interface=ether6 protocol=tcp to-addresses=192.168.16.21 to-ports=3391
add action=dst-nat chain=dstnat dst-address=yyy.yyy.yyy.182 dst-port=443 \
    in-interface=ether6 protocol=tcp to-addresses=192.168.16.21 to-ports=443
add action=dst-nat chain=dstnat dst-address=yyy.yyy.yyy.182 dst-port=80 \
    in-interface=ether6 protocol=tcp to-addresses=192.168.16.21 to-ports=80
add action=dst-nat chain=dstnat comment="PARIOAPPS RDP" dst-address=\
    yyy.yyy.yyy.183 dst-port=3389 in-interface=ether6 protocol=tcp \
    to-addresses=192.168.16.22 to-ports=3389
add action=dst-nat chain=dstnat comment="PARIO Session Server Hosts" \
    dst-address=yyy.yyy.yyy.184 dst-port=3389 in-interface=ether6 protocol=tcp \
    to-addresses=192.168.16.23 to-ports=3389
add action=dst-nat chain=dstnat dst-address=yyy.yyy.yyy.185 dst-port=3389 \
    in-interface=ether6 protocol=tcp to-addresses=192.168.16.24 to-ports=3389
add action=dst-nat chain=dstnat comment="PARIO Session Server VMs" \
    dst-address=yyy.yyy.yyy.186 dst-port=3389 in-interface=ether6 protocol=tcp \
    to-addresses=192.168.16.25 to-ports=3389
add action=dst-nat chain=dstnat dst-address=yyy.yyy.yyy.186 dst-port=1027 \
    in-interface=ether6 protocol=udp to-addresses=192.168.16.25 to-ports=1027
add action=dst-nat chain=dstnat dst-address=yyy.yyy.yyy.186 dst-port=27605 \
    in-interface=ether6 protocol=tcp to-addresses=192.168.16.25 to-ports=\
    27605
add action=dst-nat chain=dstnat dst-address=yyy.yyy.yyy.186 dst-port=5353 \
    in-interface=ether6 protocol=udp to-addresses=192.168.16.25 to-ports=5353
add action=dst-nat chain=dstnat dst-address=yyy.yyy.yyy.187 dst-port=3389 \
    in-interface=ether6 protocol=tcp to-addresses=192.168.16.26 to-ports=3389
add action=dst-nat chain=dstnat dst-address=yyy.yyy.yyy.187 dst-port=5353 \
    in-interface=ether6 protocol=udp to-addresses=192.168.16.26 to-ports=5353
add action=dst-nat chain=dstnat dst-address=yyy.yyy.yyy.187 dst-port=1027 \
    in-interface=ether6 protocol=udp to-addresses=192.168.16.26 to-ports=1027
add action=dst-nat chain=dstnat dst-address=yyy.yyy.yyy.187 dst-port=27605 \
    in-interface=ether6 protocol=tcp to-addresses=192.168.16.26 to-ports=\
    27605
add action=dst-nat chain=dstnat comment="PARIO Exchange DAG" dst-address=\
    yyy.yyy.yyy.188 dst-address-type=local dst-port=80 protocol=tcp \
    to-addresses=192.168.16.100 to-ports=80
add action=dst-nat chain=dstnat dst-address=yyy.yyy.yyy.188 dst-address-type=\
    local dst-port=443 protocol=tcp to-addresses=192.168.16.100 to-ports=443
add action=dst-nat chain=dstnat dst-address=yyy.yyy.yyy.188 dst-port=25 \
    protocol=tcp to-addresses=192.168.16.100 to-ports=25
add action=dst-nat chain=dstnat dst-address=yyy.yyy.yyy.189 dst-port=25 \
    protocol=tcp to-addresses=192.168.16.101 to-ports=25
add action=dst-nat chain=dstnat dst-address=yyy.yyy.yyy.190 dst-address-type=\
    local dst-port=25 protocol=tcp to-addresses=192.168.16.102 to-ports=25
add action=masquerade chain=srcnat dst-address=192.168.16.100 dst-port=80 \
    log=yes log-prefix=Test out-interface=SensibleTempBridge protocol=tcp \
    src-address=192.168.16.0/24
add action=masquerade chain=srcnat dst-address=192.168.16.100 dst-port=443 \
    log=yes log-prefix=Test out-interface=SensibleTempBridge protocol=tcp \
    src-address=192.168.16.0/24
add action=masquerade chain=srcnat dst-address=192.168.16.100 dst-port=25 \
    out-interface=SensibleTempBridge protocol=tcp src-address=192.168.16.0/24
add action=masquerade chain=srcnat dst-address=192.168.16.101 dst-port=25 \
    out-interface=SensibleTempBridge protocol=tcp src-address=192.168.16.0/24
add action=masquerade chain=srcnat dst-address=192.168.16.102 dst-port=25 \
    out-interface=SensibleTempBridge protocol=tcp src-address=192.168.16.0/24
add action=masquerade chain=srcnat comment="Sensible NAT" out-interface=\
    ether6 src-address=192.168.16.0/24
add action=masquerade chain=srcnat comment="Cohere NAT" out-interface=ether1 \
    src-address=10.0.0.0/24
/ip route
add comment="Sensible Gateway" distance=1 gateway=yyy.yyy.yyy.177 routing-mark=\
    Sensible
add comment="Default Gateway" distance=1 gateway=xxx.xxx.xxx.145
/ip route rule
add routing-mark=Sensible table=Sensible
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=8080
set ssh disabled=yes
/ppp secret
add local-address=10.0.0.251 name=mitol password= profile=\
    default-encryption service=pptp
/romon port
add disabled=no
/system clock
set time-zone-name=Europe/London
/system identity
set name=RB-1100-CHIT
/system ntp client
set enabled=yes primary-ntp=85.119.80.232 secondary-ntp=37.123.115.64
/system routerboard settings
set protected-routerboot=disabled

pukkita · July 9, 2016, 11:05am

Have a look at this this presentation (by Tomas Kirnak) to get a proper understanding:
https://www.youtube.com/watch?v=67Dna_ffCvc