Need better hairpin NAT

Hello,

So I currently have a working hairpin NAT however I think it’s not as good as it could be.

Currently I’m using rules as follows:

/ip firewall nat
add action=masquerade chain=srcnat comment=Hairpin dst-address=10.10.10.0/24 src-address=10.10.10.0/24
add action=dst-nat chain=dstnat comment=Plex dst-address=MY.WAN.I.P dst-port=32400 protocol=tcp to-addresses=10.10.10.20

My problem is that this only works with a static WAN IP. I am shortly about to move the service to one which only has dynamic WAN IP. Is there any 1 line rule that will work in a similar way? I have tried taking out the dst-address and entering an in-interface=pppoe-out1 however this obviously does not work as the traffic does not end up entering through the ppp interface.

Thanks
Steve

You can use dst-address-type=local to match any address owned by router and exclude router’s LAN address with dst-address=!10.10.10.x.

Recent versions of ROS (6.34 onward? Not sure) can use a hostname within address lists. You can always enable the cloud function, create a list with the hostname given to your public address and use it with your current config.

The only change would be from “destination address” to “destination address list”.

You beauty! Worked perfectly
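The two suggestions from the replies, written out as full RouterOS rules. This is an added example, not configuration posted by anyone in the thread; the router LAN address 10.10.10.1, the list name wan-ip and the hostname placeholder are assumptions.

```routeros
# Constructed example. Assumed values: 10.10.10.1 (router's LAN address),
# "wan-ip" (address-list name), YOUR-CLOUD-DNS-NAME (placeholder hostname).

/ip firewall nat
# Hairpin source NAT, unchanged from the original post.
add action=masquerade chain=srcnat comment=Hairpin \
    dst-address=10.10.10.0/24 src-address=10.10.10.0/24

# Variant 1: match any address the router owns, so the rule keeps working
# when the WAN address changes. The negated dst-address excludes the
# router's own LAN address from the redirect.
add action=dst-nat chain=dstnat comment=Plex \
    dst-address-type=local dst-address=!10.10.10.1 \
    dst-port=32400 protocol=tcp to-addresses=10.10.10.20

# Variant 2 (use instead of variant 1): match the public address through an
# address list whose entry is a hostname that tracks the WAN address.
/ip cloud set ddns-enabled=yes
# The assigned hostname is shown in the dns-name field.
/ip cloud print
/ip firewall address-list add list=wan-ip address=YOUR-CLOUD-DNS-NAME
/ip firewall nat
add action=dst-nat chain=dstnat comment=Plex \
    dst-address-list=wan-ip \
    dst-port=32400 protocol=tcp to-addresses=10.10.10.20
```

Variant 1 matches port 32400 on every router address regardless of the interface the packet arrives on, so the port is forwarded from any network the router is attached to; variant 2 limits the match to the address the hostname currently resolves to.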