Natting Problem (HairPin Nat)

Hi, I have a small NATting problem.

I've been trying for ages to sort this hairpin NAT. My mail server is sitting behind a DMZ switch and I can access it externally from another ISP, but I can't see it from inside our network.

For this example:
Vlan 205 is my WAN access
1.1.1.1 is my WAN IP
192.168.20.65 is my mail server IP

add action=masquerade chain=srcnat comment="Natting Incoming" out-interface="Vlan 205"

add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=192.168.0.0/16 src-address=192.168.0.0/16 out-interface=ether04

add action=dst-nat chain=dstnat comment="HTTP/SSL" dst-address=1.1.1.1 dst-address-type="local" dst-port=443 protocol=tcp to-addresses=192.168.20.65 to-ports=443

Any help appreciated, thank you!

Here's my network (diagram attached as Capture111.PNG)

add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=192.168.0.0/16 src-address=192.168.0.0/16 out-interface=ether04

You want to be NATting traffic going out vlan704 to the server coming from ether04, so that the source gets changed to the router's IP. That will cause replies from the server to go via the router, which should then undo the masquerade.

Edit, just another note. If you want to be able to access the server via its LAN address without triggering any NAT, but also handle the hairpin NAT, you may be better off using a mangle rule to flag packets coming from 192.168.0.0/16 to 1.1.1.1, then apply a masquerade NAT rule to those packets when going out the server VLAN.
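The mark-then-masquerade variant described in the note above, written out as an added example (not from anyone in this thread). It assumes the thread's addressing: internal clients in 192.168.0.0/16, public IP 1.1.1.1, the mail server 192.168.20.65 reached via "Vlan 704". Only connections that a LAN client opened to the public IP get masqueraded; traffic sent directly to 192.168.20.65 keeps its real source address, so the server's logs still show who connected.

```routeros
# Added example: hairpin NAT via a connection mark (assumed addressing from the thread)
#   LAN clients: 192.168.0.0/16   public IP: 1.1.1.1
#   mail server: 192.168.20.65 on interface "Vlan 704"

/ip firewall mangle
# prerouting runs before dstnat, so the original public destination is still visible here
add chain=prerouting action=mark-connection new-connection-mark=hairpin \
    src-address=192.168.0.0/16 dst-address=1.1.1.1 passthrough=yes \
    comment="flag LAN connections aimed at the public IP"

/ip firewall nat
# the usual port forward; no in-interface, so LAN and Internet clients both match
add chain=dstnat action=dst-nat protocol=tcp dst-address=1.1.1.1 dst-port=443 \
    to-addresses=192.168.20.65 to-ports=443 comment="HTTP/SSL"
# only the flagged connections are masqueraded toward the server, so the reply
# comes back through the router and connection tracking undoes both translations
add chain=srcnat action=masquerade connection-mark=hairpin out-interface="Vlan 704" \
    comment="Hairpin NAT (marked connections only)"

# Check: open the public IP from a LAN client, then confirm the mark and the rule hits
/ip firewall connection print where connection-mark=hairpin
/ip firewall nat print stats
```

The masquerade rule matches on the mark rather than on addresses, so the same rule keeps working if more port forwards to other DMZ hosts are added later.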

You need to remove the "out-interface" from your hairpin rule. The traffic won't actually go out if you're NATting it back in.

Hello dear,
Unless there are other constraints in your network, you should be able to access your mail server even without NAT being involved, with simple routing (without your hairpin NAT).
But if you want to maintain that NAT rule, the action should be accept.

Unless there are other constraints in your network, you should be able to access your mail server even without NAT being involved, with simple routing (without your hairpin NAT)

I suspect they're accessing some hostname that resolves to the public IP address of the MikroTik (1.1.1.1). The router will need to masquerade the source of the packets, otherwise the server will get a packet from a LAN address and reply directly, but the client is expecting a reply from 1.1.1.1.

@usdmatt

I tried this

add action=masquerade chain=srcnat comment="" out-interface="Vlan 704" src-address=192.168.0.0/16

If that's what you meant, it's not working; sorry if I misunderstood.
If this config is wrong, could you point me in the right direction?

@Steveo

I had tried this after watching your video; it didn't work for me unfortunately. I had the out-interface in there because of other advice I took, which didn't help evidently.

@jacobtoupe

Thanks for your answer. I can't see any constraints, if you mean rules/filters etc.

Thanks all

I've just re-read your diagram and initial post. As you are running 2 separate networks on independent IP ranges, you probably don't need hairpin NAT in the way that my video implies.

If your port forwards have an "in-interface" then that will be what is tripping you up, as you aren't going in through that "in-interface" when coming from your network.

Let's do this: disable the hairpin NAT rule and go through the following steps.

How are you accessing the mail server from the internal network, and which error does that give you?
Are you able to reach other servers correctly in the DMZ or on the internet?
Try it again on a laptop connected to the ether04 port on the CCR; what's the output?

I hope you’ll reply soon.

Regards,
Jacob

Sorry for the late reply lads!

@Steveo

Thanks for that, but these are my port forwarding rules:

add action=dst-nat chain=dstnat comment=SMTP dst-address=1.1.1.1 \
    dst-port=25 protocol=tcp to-addresses=192.168.20.65 to-ports=25
add action=dst-nat chain=dstnat comment="HTTP 80" dst-address=1.1.1.1 \
    dst-port=80 protocol=tcp to-addresses=192.168.20.65 to-ports=443
add action=dst-nat chain=dstnat comment=IMAP dst-address=1.1.1.1 \
    dst-port=993 protocol=tcp to-addresses=192.168.20.65 to-ports=993
add action=dst-nat chain=dstnat comment=POP dst-address=1.1.1.1 dst-port=\
    995 protocol=tcp to-addresses=192.168.20.65 to-ports=995

@Jacob

I can access the mail server through its local IP, 192.168.20.65, from ether04 and also from the DMZ. I can access the mail server from an external source, i.e. a different ISP, using the public IP. When I try to connect to 1.1.1.1:443 it just times out.

Thanks again for yer help

Using a hairpin in its basic format, maybe something like this? Although I would point out that in your diagram you have listed VLAN704 with IP 192.168.20.64/28, which is the network address, so I'm not sure if that may be affecting you. Either way, try masquerading your /24 at your /28, as theoretically that shouldn't cause any upset.
And of course it needs to be the top rule.

add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=192.168.20.64/28 src-address=192.168.5.0/24
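The rule above together with the port forward it depends on, as an added example (not posted by anyone in the thread). It assumes the addressing the thread settles on: LAN 192.168.5.0/24 on ether04, DMZ 192.168.20.64/28 with the mail server at 192.168.20.65, public IP 1.1.1.1 on "Vlan 205". The hairpin masquerade is narrowed to the server and the forwarded port rather than the whole /28, which is a tightening of the thread's rule: other LAN-to-DMZ traffic then keeps its real source address in the server's logs, and only the hairpinned connections lose it.

```routeros
# Added example: dst-nat port forward plus hairpin masquerade, rule order included
# Assumed addressing (from the thread):
#   "Vlan 205" = WAN, public IP 1.1.1.1
#   ether04    = LAN, 192.168.5.0/24
#   "Vlan 704" = DMZ, 192.168.20.64/28, mail server 192.168.20.65

/ip firewall nat
# Port forward. Deliberately no in-interface, so it matches a LAN client
# connecting to 1.1.1.1:443 just as it matches an Internet client.
add chain=dstnat action=dst-nat protocol=tcp dst-address=1.1.1.1 dst-port=443 \
    to-addresses=192.168.20.65 to-ports=443 comment="HTTP/SSL"

# Hairpin. srcnat runs after dstnat, so the destination is already the server.
# The LAN client's source becomes the router's DMZ address, the server replies
# to the router, and connection tracking reverses both translations.
# place-before=0 puts it at the top, as the thread recommends.
add chain=srcnat action=masquerade src-address=192.168.5.0/24 \
    dst-address=192.168.20.65 protocol=tcp dst-port=443 \
    comment="Hairpin NAT" place-before=0

# General outbound masquerade for Internet traffic stays last.
add chain=srcnat action=masquerade out-interface="Vlan 205" comment="Natting Outgoing"

# Checks after a LAN client opens https://1.1.1.1/ :
#  - both the dst-nat and the hairpin rule counters should increment
#  - the connection entry should show the client's real source on one side
#    and the router's DMZ address facing the server on the other
/ip firewall nat print stats
/ip firewall connection print detail where dst-address~"192.168.20.65"
```

If the connection appears in the table but the hairpin counter stays at zero, the masquerade rule is below another srcnat rule that matched first; check the order with `/ip firewall nat print` and move it up.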

My god, you're a genius. I never thought of using .5.0/24 as my source, but sure that's the most logical thing. It seems so simple now. And of course, yeah, 192.168.20.78/24 is the gateway; I marked the diagram wrongly.

Thank you so much for sticking with this and for all your help!!

Glad you got it working :sunglasses: