NAT; opened ports are not reachable from the local network

Hello,

maybe an easy question.

I set up some NAT rules to forward the ports to the appropriate internal servers:

 0   ;;; Handles outgoing traffic
     chain=srcnat action=masquerade out-interface=ether1 

 1   ;;; Incoming SMTP
     chain=dstnat action=dst-nat to-addresses=192.168.10.6 to-port
     protocol=tcp in-interface=ether1 dst-port=25 

 2   ;;; Incoming ActiveSync
     chain=dstnat action=dst-nat to-addresses=192.168.10.1 to-port
     protocol=tcp in-interface=ether1 dst-port=443 

 3   ;;; Incoming HTTP
     chain=dstnat action=dst-nat to-addresses=192.168.10.4 to-port
     protocol=tcp in-interface=ether1 dst-port=80 

 4   ;;; Incoming PPTP
     chain=dstnat action=dst-nat to-addresses=192.168.10.1 to-port
     protocol=tcp in-interface=ether1 dst-port=1723

The port redirection works for the whole Internet, but not from within the local network. How could I reach the correct port redirection from everywhere?

Yes, I have read the article about Hairpin NAT and tried it - didn’t help.

I appreciate any help. Thank you :)

Hairpin NAT is what you need, so if that hasn’t solved the problem, check your forwarding rules to make sure that you are allowing the hairpin traffic.

Thank you CelticComms. I published all the forwarding rules I have. Any other suggestions?

I did not see any forward chain filters listed.

I suggest that you put the hairpin NAT entries in and then upload the output from /export compact so we can see the total config.

Sorry, the complete NAT settings follow. The strings were cut off on the right.

 1   ;;; Incoming SMTP
     chain=dstnat action=dst-nat to-addresses=192.168.10.6 to-ports=25 
     protocol=tcp in-interface=ether1 dst-port=25 

 2   ;;; Incoming ActiveSync
     chain=dstnat action=dst-nat to-addresses=192.168.10.1 to-ports=443 
     protocol=tcp in-interface=ether1 dst-port=443 

 3   ;;; Incoming HTTP
     chain=dstnat action=dst-nat to-addresses=192.168.10.4 to-ports=80 
     protocol=tcp in-interface=ether1 dst-port=80 

 4   ;;; Incoming PPTP
     chain=dstnat action=dst-nat to-addresses=192.168.10.1 to-ports=1723 
     protocol=tcp in-interface=ether1 dst-port=1723

These are only the NAT entries. NAT traffic is also subject to the forwarding chain filters. Try making the entries including the hairpin entries and then upload the config using the output from /export compact.

Here you are:

[admin@ar] > /export compact 
# feb/25/2013 16:42:39 by RouterOS 5.24
# software id = (SOME_ID)
#
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
/ip address
add address=192.168.10.254/24 interface=ether2
add address=(Static IP provided by ISP)/30 interface=ether1
/ip dns
set allow-remote-requests=yes servers=(two DNS servers provided by ISP in IP-address-form, divided by comma)
/ip dns static
add address=192.168.10.254 name=(FQN of this router, like ar.domain.local)
add address=192.168.10.1 name=(FQN of the domain controller, like ad.domain.local)
/ip firewall filter
add chain=input protocol=icmp
add chain=input connection-state=established
add chain=input connection-state=related
add action=drop chain=input in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="Handles outgoing traffic" out-interface=\
    ether1
add action=dst-nat chain=dstnat comment="Incoming SMTP" dst-port=25 in-interface=\
    ether1 protocol=tcp to-addresses=192.168.10.6 to-ports=25
add action=dst-nat chain=dstnat comment="Incoming ActiveSync" dst-port=443 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.10.1 to-ports=443
add action=dst-nat chain=dstnat comment="Incoming HTTP" dst-port=80 in-interface=\
    ether1 protocol=tcp to-addresses=192.168.10.4 to-ports=80
add action=dst-nat chain=dstnat comment="Incoming PPTP" dst-port=1723 in-interface=\
    ether1 protocol=tcp to-addresses=192.168.10.1 to-ports=1723
add action=masquerade chain=srcnat dst-address=192.168.10.4 dst-port=80 \
    out-interface=ether2 protocol=tcp src-address=192.168.10.0/24
/ip route
add distance=1 gateway=(IP Address of the gateway provided by ISP)
/ip service
set telnet disabled=yes port=1023
set ftp disabled=yes port=1021
set www disabled=yes port=1080
set ssh disabled=yes port=1022
set winbox address=192.168.10.0/24
/system clock
set time-zone-name=(My time zone)
/system identity
set name=ar
/system ntp client
set enabled=yes mode=unicast primary-ntp=192.168.10.1 secondary-ntp=192.168.10.32
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2

Forgot to say: I added only the hairpin entry for port 80, to test the functionality.

The problem is that your original NAT entry is only NATing when the in-interface is Ether1 - presumably your WAN interface. The traffic from your local LAN subnet will never go through that NAT so the hairpin entry will never be triggered.

If you make the original NAT entries dependent on your WAN public IP rather than in-interface it should NAT requests from both external and internal clients and the hairpin entry should then work.
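As an added example (not configuration posted by anyone in this thread), here is the OP's rule set rewritten the way the reply above describes, together with the forward-chain filters the earlier replies asked about and which the posted export lacks. Interface names and addresses are taken from the posted export; PUBLIC_IP is a placeholder for the static address the ISP assigned to ether1.

```routeros
# Added example, not from the original posts. Assumes ether1 = WAN with the
# static address PUBLIC_IP (placeholder), ether2 = LAN 192.168.10.0/24 and
# router LAN address 192.168.10.254, as in the posted /export compact.

/ip firewall nat
# Outbound masquerade, unchanged from the original.
add chain=srcnat action=masquerade out-interface=ether1 \
    comment="Handles outgoing traffic"

# Port forwards: match on the public address instead of in-interface=ether1,
# so a LAN client connecting to PUBLIC_IP hits the same rule as an Internet client.
add chain=dstnat action=dst-nat dst-address=PUBLIC_IP protocol=tcp dst-port=25 \
    to-addresses=192.168.10.6 to-ports=25 comment="Incoming SMTP"
add chain=dstnat action=dst-nat dst-address=PUBLIC_IP protocol=tcp dst-port=443 \
    to-addresses=192.168.10.1 to-ports=443 comment="Incoming ActiveSync"
add chain=dstnat action=dst-nat dst-address=PUBLIC_IP protocol=tcp dst-port=80 \
    to-addresses=192.168.10.4 to-ports=80 comment="Incoming HTTP"
add chain=dstnat action=dst-nat dst-address=PUBLIC_IP protocol=tcp dst-port=1723 \
    to-addresses=192.168.10.1 to-ports=1723 comment="Incoming PPTP"

# Hairpin: once a LAN client's packet has been dst-nat'd to a LAN server, rewrite
# its source to the router's LAN address so the server's reply returns through the
# router (where the dst-nat is reversed) instead of going straight to the client,
# which would otherwise see a reply from an address it never talked to.
# srcnat runs after dstnat, so dst-address here is already the internal server.
# One rule covers every forward above; the OP's version matched only 192.168.10.4:80.
add chain=srcnat action=masquerade src-address=192.168.10.0/24 \
    dst-address=192.168.10.0/24 out-interface=ether2 comment="Hairpin NAT"

/ip firewall filter
# The posted config has no forward chain at all, i.e. everything is forwarded.
# Minimal stateful forward chain that still admits the dst-nat'd connections.
# Separate connection-state rules, as in the posted 5.24 export.
add chain=forward action=accept connection-state=established
add chain=forward action=accept connection-state=related
add chain=forward action=drop connection-state=invalid
# LAN may initiate anything, including the hairpinned LAN-to-LAN connections
# (in-interface=ether2, out-interface=ether2).
add chain=forward action=accept in-interface=ether2 comment="LAN to anywhere"
# From the Internet only the forwarded ports reach the servers.
add chain=forward action=accept in-interface=ether1 dst-address=192.168.10.6 \
    protocol=tcp dst-port=25 comment="Forwarded SMTP"
add chain=forward action=accept in-interface=ether1 dst-address=192.168.10.1 \
    protocol=tcp dst-port=443 comment="Forwarded ActiveSync"
add chain=forward action=accept in-interface=ether1 dst-address=192.168.10.4 \
    protocol=tcp dst-port=80 comment="Forwarded HTTP"
add chain=forward action=accept in-interface=ether1 dst-address=192.168.10.1 \
    protocol=tcp dst-port=1723 comment="Forwarded PPTP"
add chain=forward action=drop in-interface=ether1 comment="Everything else from WAN"
```

Two things to keep in mind with this layout. First, because the hairpin rule masquerades, every server will log 192.168.10.254 as the client address for connections that came from the LAN; external clients are still logged with their real addresses. Second, `dst-address=PUBLIC_IP` only works with a static WAN address. If the WAN address is assigned by DHCP, `dst-address-type=local` can replace the `dst-address=PUBLIC_IP` match (it matches any address configured on the router), but it then also matches the router's own LAN address, so a LAN client connecting to 192.168.10.254:80 would be forwarded to the web server as well; that is harmless here only because the posted config moves the router's www service to port 1080 and disables it.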

That’s amazing! It worked! THANK YOU!!!

There is only one little issue.

The web server behind the router now replies to the queries, but if you connect to it from the local network, it “thinks” (writes into the log) the private IP of the router. I would prefer the public IP to be shown to the server.

Is there a way to do it?

It will show the masqueraded address for queries from the local network but should show the public IPs for external queries.

That is a downside to using this trick. The better fix is to split the servers and local clients into different subnet/masks and force traffic through the router that way.
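As an added example of the split-subnet alternative suggested above (not configuration from this thread), the servers are assumed to have been moved to 192.168.20.0/24 behind a third port, ether3, while clients stay on ether2 in 192.168.10.0/24. The ether3 port and the 192.168.20.0/24 subnet are hypothetical; the posted router only uses ether1 and ether2. PUBLIC_IP is again a placeholder for the static WAN address.

```routeros
# Added example, not from the original posts. Assumes ether1 = WAN (PUBLIC_IP,
# placeholder), ether2 = client LAN 192.168.10.0/24, ether3 = server LAN
# 192.168.20.0/24 (hypothetical), web server at 192.168.20.4.

/ip address
add address=192.168.10.254/24 interface=ether2 comment="Clients"
add address=192.168.20.254/24 interface=ether3 comment="Servers"

/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1 \
    comment="Handles outgoing traffic"
# The port forward still matches on the public address so LAN clients hit it too.
add chain=dstnat action=dst-nat dst-address=PUBLIC_IP protocol=tcp dst-port=80 \
    to-addresses=192.168.20.4 to-ports=80 comment="Incoming HTTP"
# No hairpin masquerade rule is needed: the server's reply to a 192.168.10.x
# client must go via its gateway 192.168.20.254, so the router sees it, reverses
# the dst-nat, and the client receives it from PUBLIC_IP. The web server logs the
# client's real address 192.168.10.x rather than the router's.

/ip firewall filter
add chain=forward action=accept connection-state=established
add chain=forward action=accept connection-state=related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface=ether2 comment="Clients to anywhere"
add chain=forward action=accept in-interface=ether1 dst-address=192.168.20.4 \
    protocol=tcp dst-port=80 comment="Forwarded HTTP from the Internet"
add chain=forward action=drop in-interface=ether1 comment="Everything else from WAN"
# Servers may not open connections into the client subnet; this is the
# least-privilege payoff of putting them on their own segment.
add chain=forward action=drop in-interface=ether3 out-interface=ether2 \
    connection-state=new comment="No server-initiated access to clients"
```

Clients can also reach the server directly at 192.168.20.4 and will be routed through the same forward chain, so the server sees their real address either way; only connections that go through PUBLIC_IP are dst-nat'd.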

Hey. I have been struggling with this problem for a week now. I have followed all examples I could find, but nothing works. Something is wrong and I can’t see through it all - I guess I don’t understand some basic logic that everybody else gets…

I have a web server, and want to forward port 80 to that server. These are my NAT rules:

  1. add action=dst-nat chain=dstnat dst-address=[WAN address] protocol=tcp dst-port=80 to-addresses=[SERVER IP] to-ports=80
  2. add action=masquerade chain=srcnat src-address=192.168.0.0/24 dst-address=[SERVER IP] protocol=tcp dst-port=80 out-interface=bridge-local

I can reach my domains from outside, but not from inside.

Can anybody see what I am doing wrong?

Thanks
/Kim

Add hairpin NAT. See the link in the first post of the thread.

Hi - thanks for answering.

I did that as one of my first tries, but that’s not doing it…
I have no out-interface called LAN (I’m referring to the masquerade rule), but assume WLAN1 is the right one?

When I hit the domain (from inside that is) - regular http on port 80, I get redirected to https on port 8080 - I have no rules providing that routing…

I suggest that you upload output from /export compact - otherwise we are just guessing. :)

Hi again - thanks for your help! Sorry for the delay.
My setup is as follows:

/interface bridge
add admin-mac=**:**:**:**:**:** auto-mac=no l2mtu=1598 name=bridge-local \
    protocol-mode=rstp
/interface wireless
set 0 band=2ghz-b/g/n channel-width=20/40mhz-ht-above country=denmark \
    disabled=no distance=indoors ht-rxchains=0,1 ht-txchains=0,1 l2mtu=2290 \
    mode=ap-bridge ssid=*** wireless-protocol=802.11
/interface ethernet
set 0 disabled=yes name=sfp1-gateway
set 1 name=ether1-gateway
set 6 name=ether6-master-local
set 7 master-port=ether6-master-local name=ether7-slave-local
set 8 master-port=ether6-master-local name=ether8-slave-local
set 9 master-port=ether6-master-local name=ether9-slave-local
set 10 master-port=ether6-master-local name=ether10-slave-local
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    wpa-pre-shared-key=*** wpa2-pre-shared-key=***
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
/ip pool
add name=dhcp ranges=192.168.0.10-192.168.0.254
/ip dhcp-server
add add-arp=yes address-pool=dhcp always-broadcast=yes disabled=no interface=\
    bridge-local name=default
/interface bridge port
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6-master-local
add bridge=bridge-local interface=wlan1
/ip address
add address=192.168.0.1/24 comment="default configuration" disabled=yes \
    interface=ether5
add address=192.168.0.1/24 interface=wlan1
/ip dhcp-client
add comment="default configuration" disabled=no interface=sfp1-gateway
add comment="default configuration" disabled=no host-name=RouterOS interface=\
    ether1-gateway
/ip dhcp-server lease
/ip dhcp-server network
add address=192.168.0.0/24 comment="default configuration" dns-server=\
    8.8.4.4,8.8.8.8 gateway=192.168.0.1 netmask=24 ntp-server=64.99.80.30
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway
add action=dst-nat chain=dstnat comment=HTTP dst-address=**.**.**.** dst-port=\
    80 protocol=tcp to-addresses=[LOCAL SERVER IP] to-ports=80
add action=masquerade chain=srcnat dst-address=[LOCAL SERVER IP] dst-port=80 \
    out-interface=bridge-local protocol=tcp src-address=192.168.0.0/24 to-addresses=\
    [LOCAL SERVER IP] to-ports=80
add action=dst-nat chain=dstnat dst-address=[ROUTER IP] dst-port=443 protocol=\
    tcp to-addresses=[LOCAL SERVER IP] to-ports=443
add action=masquerade chain=srcnat disabled=yes dst-address=[LOCAL SERVER IP] \
    dst-port=443 out-interface=bridge-local protocol=tcp src-address=\
    192.168.0.0/24
/ip firewall service-port
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip neighbor discovery
set ether1-gateway disabled=yes
set wlan1 disabled=yes
/system ntp client
set enabled=yes mode=unicast primary-ntp=202.162.32.12
/tool mac-server
add disabled=no interface=ether2
add disabled=no interface=ether3
add disabled=no interface=ether4
add disabled=no interface=ether5
add disabled=no interface=ether6-master-local
add disabled=no interface=ether7-slave-local
add disabled=no interface=ether8-slave-local
add disabled=no interface=ether9-slave-local
add disabled=no interface=wlan1
add disabled=no interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=wlan1
add interface=bridge-local