I’m having trouble accessing my internal FTP with my public IP. When accessing outside the internal network, it works correctly.
The MikroTik is configured as follows:
ether-1 - PPPOE >> Public IP >> 127.104.81.xyz
ether-2 - LAN >> 10.10.1.0/24
IP Server FTP: 10.10.1.15
Rules dstnat:
Chain: dstnat
Dst. Address: 127.104.81.xyz
Protocol: tcp
Dst. Port: 1024
In. Interface: pppoe
Action: dst-nat
To Addresses: 10.10.1.15
To Ports: 1024
Rules Hairpin:
Chain: srcnat
Src. Address: 10.10.1.0/24
Dst. Address: 10.10.1.15
Protocol: tcp
Dst. Port: 1024
Out. Interface: bridge
Action: masquerade
I created some NAT rules but I don’t trust this procedure. My RB is RB951Ui v6.48
anav
July 28, 2021, 11:04am
2
post your config
/export hide-sensitive file=anynameyouwish
my settings are like this:
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=1024 in-interface="Vero - Internet" \
    protocol=tcp to-addresses=10.10.1.15 to-ports=1024
add action=masquerade chain=srcnat comment="# Masquarade" out-interface=\
    "Vero - Internet"
add action=dst-nat chain=dstnat dst-address-type=local dst-port=1024 \
    protocol=tcp to-addresses=10.10.1.15 to-ports=1024
add action=masquerade chain=srcnat dst-address=10.10.1.15 dst-port=1024 \
    out-interface=bridge protocol=tcp src-address=10.10.1.0/24
add action=dst-nat chain=dstnat comment="FTP " dst-port=1024 in-interface=\
    "Vero - Internet" protocol=tcp to-addresses=10.10.1.15 to-ports=1024
add action=masquerade chain=srcnat dst-address=10.10.1.15 dst-port=1024 \
    out-interface=bridge protocol=tcp src-address=10.10.1.0/24
add action=dst-nat chain=dstnat comment="FTP Passiva" dst-port=5000-5200 \
    in-interface="Vero - Internet" protocol=tcp to-addresses=10.10.1.15 \
    to-ports=5000-5200
add action=masquerade chain=srcnat dst-address=10.10.1.15 dst-port=5000-5200 \
    out-interface=bridge protocol=tcp src-address=10.10.1.0/24
anav
July 28, 2021, 1:40pm
5
Since you refuse to post the config, others can help sufficiently.
One comes looking for help not knowing what their problem is but arrogantly think they know what they should provide to help.
Don't feel bad, seems to be a common problem.
I also detest others that attempt to help without the complete picture.
As if firewall rules don't have anything to do with port forwarding.
Besides I could always post this link… but that would be lazy on my part.
http://forum.mikrotik.com/t/forward-external-ip-address-of-router-port-22-to-internal-machine/148943/3
anav
July 28, 2021, 3:02pm
7
Hi rextended, I hope using your Cray computer you hacked the password and have added in better security for the chap.
Can’t do that without bill… :))
Thank you all for your help. I used the procedure cited by “darknate” in the link
https://help.mikrotik.com/docs/display/ROS/NAT#NAT-HairpinNAT
The procedure was performed on a client on the network cable. The tests I was doing were over wi-fi. I believe the IP of the Access Point device was interfering with the tests I was running on the notebook.
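An added example, not part of any post in this thread and not MikroTik's own tooling: a small Python check run over the NAT rules posted above (duplicates omitted) that lists forwarded ports whose dstnat rule is bound to the WAN interface but which have no rule a LAN client would match when it connects to the public IP. The function names `parse` and `hairpin_gaps` are hypothetical, and matching rules by identical protocol, port and target strings is a simplifying assumption.

```python
import shlex

# Rules taken from the export posted in this thread (duplicates omitted,
# quotes normalised, continuation lines joined).
EXPORT = r'''
add action=dst-nat chain=dstnat dst-port=1024 in-interface="Vero - Internet" protocol=tcp to-addresses=10.10.1.15 to-ports=1024
add action=masquerade chain=srcnat comment="# Masquarade" out-interface="Vero - Internet"
add action=dst-nat chain=dstnat dst-address-type=local dst-port=1024 protocol=tcp to-addresses=10.10.1.15 to-ports=1024
add action=masquerade chain=srcnat dst-address=10.10.1.15 dst-port=1024 out-interface=bridge protocol=tcp src-address=10.10.1.0/24
add action=dst-nat chain=dstnat comment="FTP Passiva" dst-port=5000-5200 in-interface="Vero - Internet" protocol=tcp to-addresses=10.10.1.15 to-ports=5000-5200
add action=masquerade chain=srcnat dst-address=10.10.1.15 dst-port=5000-5200 out-interface=bridge protocol=tcp src-address=10.10.1.0/24
'''

def parse(export):
    """Turn each 'add key=value ...' line into a dict of its properties."""
    rules = []
    for line in export.strip().splitlines():
        tokens = shlex.split(line)  # keeps quoted values such as "Vero - Internet" whole
        if tokens and tokens[0] == "add":
            rules.append(dict(t.split("=", 1) for t in tokens[1:]))
    return rules

def hairpin_gaps(rules):
    """Return (protocol, port, reason) for forwards LAN clients cannot use via the public IP."""
    dst = [r for r in rules if r.get("action") == "dst-nat"]
    src = [r for r in rules
           if r.get("chain") == "srcnat" and r.get("action") == "masquerade"]
    gaps = []
    for fwd in (r for r in dst if "in-interface" in r):
        # Assumption: rules are compared by exact protocol/port/target strings.
        key = (fwd.get("protocol"), fwd.get("dst-port"), fwd.get("to-addresses"))
        # A dstnat rule not bound to the WAN interface also matches LAN-originated packets.
        lan_dst = any("in-interface" not in r and
                      (r.get("protocol"), r.get("dst-port"), r.get("to-addresses")) == key
                      for r in dst)
        # The srcnat masquerade makes the server send its reply back through the router.
        lan_src = any((r.get("protocol"), r.get("dst-port"), r.get("dst-address")) == key
                      for r in src)
        if not lan_dst:
            gaps.append((key[0], key[1], "no dstnat rule matches LAN clients"))
        elif not lan_src:
            gaps.append((key[0], key[1], "no srcnat masquerade for LAN clients"))
    return gaps
```

On the rules above it reports only the 5000-5200 passive range, whose dstnat rule matches packets arriving on "Vero - Internet" and nothing from the bridge.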