Hoping someone can assist with the below.
New to RouterOS, gone live on a RB750 today.
Having an issue with one of my NAT rules.
Works great for users on other VLANs or on the Internet, but users on the same VLAN as the server are not connecting.
My old Netgear used to run its NAT rules on internal users going out, need to work out how I can make RouterOS do the same for clients on the same subnet/VLAN as the server.
Any suggestions?
My guess is you need to setup hairpin NAT.
Hmm, looks like what I need but can’t make it work.
The example command on the wiki won’t work for me because the interface has multiple IP addresses assigned so I can’t use masquerade. Tried customising the rule to my situation but no joy.
Essentially for my situation, for example, I have
Web server on 10.0.0.5 port 80 available via NAT on 46.65.209.241
Clients connecting from 10.0.0.0/16 to 46.65.209.241 but then replies from 10.0.0.5 going back directly to 10.0.x.x address not via 46.65.209.241
I’ve tried
/ip firewall nat> add chain=srcnat src-address=10.0.0.0/16 src-port=80 dst-address=10.0.0.5 dst-port=80 protocol=tcp out-interface=VLAN10 action=src-nat to-address=46.65.209.241
I have a feeling the src and dst should be switched and one should not specify a port, but tried what I think and still no luck?
OK today I have tried
Chain srcnat
Src Add 10.0.0.0/16
Dst Add 46.65.209.241
Proto TCP
Dst Port 443
action = src-nat to 46.65.209.241
No joy
Interestingly, I have IIS running on port 80 NAT’ed against one IP address and that works without one of the above rules.
Services directed at port 80 on another public IP don’t work with or without the above. Port 443 for the same IIS that works on Port 80 does not work either.
I posted this response without enough understanding of hairpin NAT.
I removed this response 4/11/2013
If i’ve understood the wiki correctly from the quick read i did of it earlier.
Chain srcnat
Src Add 10.0.0.0/16
Dst Add 46.65.209.241
Proto TCP
Dst Port 443
out interface=
action = Masquerade
Yep, problem I have is I’m not sure I can use masquerade as I have a number of IP addresses assigned to that particular interface, so how would it know which to use for masquerade?
Try this instead. Make sure you move the rule to the top as well.
/ip fi nat add action=masquerade chain=srcnat dst-address-10.0.0.5 src-address=10.0.0.0/16
This is why I don’t think masquerade will work on VLAN10.
Do I actually need the IP addresses assigned to VLAN10 for NAT to work?
I have srcnat rules running to mask external traffic going to the internet behind two IPs (rather than using the default masquerade), one of these is not included on the below and still works, so not sure if I can remove the public IPs from VLAN10 and the NAT rules still pick up traffic for those IPs?
This may just be newbie errors on my part and I might be able to use masquerade if I remove the public IPs from the interface if they are not required?
You would typically have the public IPs to which you are source NATing outbound traffic on your WAN/outside interface - not the LAN/inside interface.
What cbrown indicated above will work if you only have relevant private IPs on the router interface that the server is connected to. If there is more than one IP you could change the action to source NAT and explicitly indicate the IP to be used.
Your inbound destination NAT entry takes traffic bound for (say) port 80 on a public IP and NAT/PATs the traffic to a chosen port on the private IP host.
The hairpin entry looks for traffic from your private network which has been NATed by the first rule (because it met the rules) and performs a further source NAT so that the traffic will appear to your (say) web server as coming from the router itself thus forcing return traffic back via the router.
There as a similar question from aomu this morning so it might be worth reading that short thread too.
This is what I have at the moment. The masquerade issue aside, should the below work?
Yes I know some are disabled - I disabled them after they didn’t work as expected, until I had the chance to look at it again.
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=accept chain=input comment="default configuration" disabled=no \
protocol=icmp
add action=accept chain=input comment="default configuration" \
connection-state=established disabled=no in-interface=ether1-gateway
add action=accept chain=input comment="default configuration" \
connection-state=related disabled=no in-interface=ether1-gateway
add action=drop chain=input comment="default configuration" disabled=no \
in-interface=ether1-gateway
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="default configuration" disabled=\
yes out-interface=ether1-gateway
add action=src-nat chain=srcnat disabled=yes dst-address=46.65.209.241 \
dst-port=80 out-interface=VLAN10 protocol=tcp src-address=10.0.0.0/16 \
to-addresses=46.65.209.241
add action=dst-nat chain=dstnat disabled=no dst-address=46.65.209.241 \
dst-port=80 protocol=tcp to-addresses=10.0.0.5 to-ports=80
add action=src-nat chain=srcnat disabled=yes dst-address=46.65.209.241 \
dst-port=443 out-interface=VLAN10 protocol=tcp src-address=10.0.0.0/16 \
to-addresses=46.65.209.241
add action=dst-nat chain=dstnat disabled=no dst-address=46.65.209.241 \
dst-port=443 protocol=tcp to-addresses=10.0.0.5 to-ports=443
add action=dst-nat chain=dstnat disabled=no dst-address=46.65.209.242 \
dst-port=25 protocol=tcp to-addresses=10.0.0.5 to-ports=25
add action=dst-nat chain=dstnat disabled=no dst-address=46.65.209.242 \
dst-port=2525 protocol=tcp to-addresses=10.0.0.5 to-ports=25
add action=dst-nat chain=dstnat disabled=no dst-address=46.65.209.242 \
dst-port=993 protocol=tcp to-addresses=10.0.0.5 to-ports=993
add action=dst-nat chain=dstnat disabled=no dst-address=46.65.209.242 \
dst-port=80 protocol=tcp to-addresses=10.0.0.5 to-ports=9326
add action=dst-nat chain=dstnat disabled=no dst-address=46.65.209.242 \
dst-port=443 protocol=tcp to-addresses=10.0.0.5 to-ports=9443
add action=src-nat chain=srcnat disabled=yes dst-address=46.65.209.242 \
dst-port=143 out-interface=VLAN10 protocol=tcp src-address=10.0.0.0/16 \
to-addresses=46.65.209.242
add action=dst-nat chain=dstnat disabled=no dst-address=46.65.209.242 \
dst-port=143 protocol=tcp to-addresses=10.0.0.5 to-ports=143
add action=dst-nat chain=dstnat disabled=no dst-address=46.65.209.241 \
dst-port=2525 protocol=tcp to-addresses=10.0.0.5 to-ports=25
add action=dst-nat chain=dstnat disabled=no dst-address=46.65.209.241 \
dst-port=25 protocol=tcp to-addresses=10.0.0.5 to-ports=25
add action=dst-nat chain=dstnat disabled=no dst-address=46.65.209.243 \
dst-port=80 protocol=tcp to-addresses=10.0.0.5 to-ports=6245
add action=dst-nat chain=dstnat disabled=no dst-address=46.65.209.243 \
dst-port=443 protocol=tcp to-addresses=10.0.0.5 to-ports=6443
add action=dst-nat chain=dstnat disabled=no dst-address=46.65.209.243 \
protocol=gre to-addresses=10.0.0.5
add action=dst-nat chain=dstnat disabled=no dst-address=46.65.209.243 \
dst-port=1723 protocol=tcp to-addresses=10.0.0.5 to-ports=1723
add action=dst-nat chain=dstnat disabled=no dst-address=46.65.209.243 \
dst-port=8080 protocol=tcp to-addresses=10.0.0.5 to-ports=8080
add action=src-nat chain=srcnat disabled=no out-interface=ether1-gateway \
src-address=10.0.0.0/16 to-addresses=46.65.209.244
add action=src-nat chain=srcnat disabled=no out-interface=ether1-gateway \
src-address=10.1.0.0/16 to-addresses=46.65.209.244
add action=src-nat chain=srcnat disabled=no out-interface=ether1-gateway \
src-address=10.2.0.0/16 to-addresses=46.65.209.244
add action=src-nat chain=srcnat disabled=no out-interface=ether1-gateway \
src-address=10.3.0.0/16 to-addresses=46.65.209.244
add action=src-nat chain=srcnat disabled=no out-interface=ether1-gateway \
src-address=10.4.0.0/16 to-addresses=46.65.209.245
I suggest that you tidy it up to have only current entries present. I don’t know what the IP address allocations are at this point.
Make sure that your public IPs are on the WAN facing interface and make sure that your basic inbound destinations NATs are working.
I only saw one internal server mentioned so the hairpin NAT entry would be:
add action=masquerade chain=srcnat dst-address=10.0.0.5 out-interface=VLAN10 src-address=10.0.0.0/16
If that doesn’t work upload /export compact so we can see the total current config.
Thanks, I’ll wait till the weekend to move the public IPs so I’m on site if things go wrong.
Will then take a look and see what I have.
Thanks all for the input so far.
The above masquerade didn’t work. I’m currently running a f/w version that doesn’t allow export compact (reluctant to upgrade unless I have a particular issue to solve - been a victim of failed firmware upgrades on devices in the past!).
Tell me what sections I need to post from the config and I’ll do so.
Just in case anyone does a search and is reading this thread, I resolved.
http://forum.mikrotik.com/t/hairpin-nat-problem-configuring/79152/1
/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=<private IP e.g. 10.0.0.5> to-ports=<private port e.g. 9326> protocol=tcp dst-address=<public IP> dst-port=<public port e.g. 80>
/ip firewall nat
add chain=srcnat action=masquerade protocol=tcp src-address=<private subnet e.g. 10.0.0.0/16> dst-address=<private IP e.g. 10.0.0.5> dst-port=<private port e.g. 9326>