NAT/PAT loopback challenge

petterg · February 18, 2014, 3:13am

I got a challenge with a portforward setup.
lan subnet is 192.168.91.0/24
wan subnet is 84.x.x.192/29

The mikrotik router is setup with 3 public addresses (so far) on the wan interface. From those there are several ports forwarded to 6 servers on lan.

Now, the challenge. Laptops are set to connect to the servers by dns lookup. When they are on public network the dns lookup points them to the wan addresses. On internal DNS the lookup will return internal IP’s. This works good - until the introduction of PAT. Because people travel to hotels with strict outboud rules, I need to use common ports (like port 80) on the public ip forward to the less common ports on internal server. (As on internal network port 80 and others are used for default services.) To avoid that computers need to change their config, I’ll need to make use of the routers portforward even when computers are connected to lan, hence change the internal dns to return public ip for the servernames.

In order to get this to work I created the following rule:

/ip firewall nat
add action=masquerade chain=srcnat comment="Public Loopback" dst-address=\
    192.168.91.16/28 out-interface=ether3 src-address=192.168.91.0/24

(ether3 is master port in switch group)

This kind of works, except that server logs now show that ALL connections from lan to server comes from the router. Is there any way to make make use of the routers portforwards and still let the server see the connections from the computers lan ip?

To summarize:
When connection comes from WAN to wanip, router does dst-nat [wanip:wanport]->[serverLanIp:internalport]
When server replies to connections from WAN, the router does src-nat [serverLanIp]->[wanip]

When connection comes from LAN to wanip, router does dst-nat [wanip:wanport]->[serverLanIp:internalport]
When server replies to connections from LAN, the router does nothing. Hence the computer gets reply from a different ip than it sent request to, and connection fails.

To get around that fail I created the NAT-rule quoted above. Then the behavior became like this:
When connection comes from LAN to wanip, router does dst-nat [wanip:wanport]->[serverLanIp:internalport] and src-nat [laptopLanIp]->[routerLanIp].
When server replies to connections from LAN, it sends packets to routerLanIp, and connTrack makes sure there is dst-nat [routerLanIp]->[laptopLanIp] and src-nat [serverLanIp]->[wanIp]

What I think I need is a rule that does something like this with connections from lan to lanServer:
When connection comes from LAN to wanip, router does dst-nat [wanip:wanport]->[serverLanIp:internalport] but no src-nat.
When server replies to connections from LAN, it sends packets to [LaptopLanIp], router grabs them and do src-nat [serverLanIp]->[wanIp]

Is it possible? (I doubt it. So how can I get around this issue?)

petterg · February 18, 2014, 1:15pm

Would it be possible to set the router to reply with some kind of reroute-information to the laptop on lan, so that it will send new request directly to the serverLanIp with correct port number?

How does other brands solve this? I’m quite sure I’ve done this kind of setups before I discovered mikrotik, just by entering a portforward from wan, and it’s been working also from lan.

marcusses · February 19, 2014, 4:36pm

hello..

Look at http://wiki.mikrotik.com/wiki/Hairpin_NAT, it says there are two solutions..

petterg · February 20, 2014, 11:27pm

Thanks. I didn’t know the term “hairpin nat”. Hence not what to search for.

The link describes the setup I’m currently using. What is the other way (of the two) of doing this?

AlexS · February 22, 2014, 12:01am

No… No way to keep original ipinfo with nat… May be use a transparent proxy ?

petterg · March 1, 2014, 2:56pm

Will a proxy really help in this situation? I’d suppose it would make all connections look like they come from the proxy servers ip?