Port forwarding from internal

Hello all,

I am completely stumped and have tried everything I have found on here.

Here is the situation. I have a camera internal to the network. NAT rule:

action=dst-nat chain=dstnat comment=Camera1Web disabled=no dst-port=8101 in-interface=wan protocol=tcp to-addresses=10.0.1.4 to-ports=443

From an outside network I have no issues getting to it. From an inside network I can’t reach it. For instance I go to http://url.com:8101 and nothing. Everything I have seen on here is hairpin rules for port to port. Since I am changing the device's port on the external URL, what do I change in the NAT rule so that it NATs back to 443?

Thanks for the help in advance,
Ryan

This is called hairpin NAT, because it goes out and back in (think of the shape of a hairpin).
It requires additional NAT rules.

This explains how to do that in detail:
http://wiki.mikrotik.com/wiki/Hairpin_NAT

Hello Jandafields,

Thank you for your prompt reply.

I have tried creating this rule, both with port 443 and 8101 (internal port of camera, external port of camera) and moving the rules from the bottom of the list to the top of the list. Still nothing. No packets even hit the rule. Here is the export:

/ip firewall nat
add action=masquerade chain=srcnat disabled=no dst-address=10.0.1.4 dst-port=8101 out-interface=mgmt_bridge protocol=tcp src-address=10.0.1.0/24
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=wan to-addresses=0.0.0.0
add action=dst-nat chain=dstnat comment=WmsNVR01 disabled=no dst-port=7079 in-interface=wan protocol=tcp to-addresses=10.0.1.3 to-ports=7079
add action=dst-nat chain=dstnat comment=Camera1Web disabled=no dst-port=8101 in-interface=wan protocol=tcp to-addresses=10.0.1.4 to-ports=443
add action=dst-nat chain=dstnat comment=Camera1RTSP disabled=no dst-port=8201 in-interface=wan protocol=tcp to-addresses=10.0.1.4 to-ports=554


Thanks, Ryan

I am an idiot and didn’t do the first rule of the Hairpin right. But this example isn’t going to work with what I have because:

- I have a dynamic IP
- I will have 6 cameras with port 443 and port 554 coming from each re-directing to 8101-8106, 8201-8206.

With that said, it doesn’t seem the hairpin rules are allowing me to change ports like this to allow all 6 cameras to be accessible by the viewing software.

Dynamic IP: There are plenty of scripts in this forum that will automatically change the IP addresses in the rules when your IP address changes. That isn’t a problem.

Redirection: There is no reason this shouldn’t work. Clear your counters and see if your correct rules are getting hit.

I was able to figure it out using this:

http://forum.mikrotik.com/t/hairpin-nat-not-working/51489/1

No rule requiring the WAN IP. Just uses a not local IP. Much easier.

Thanks for your assistance.
Ryan
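
Added example, not part of the thread and not the posters' own rules: one way to write a hairpin setup with port translation that does not depend on the WAN IP, using the camera address, ports and interface names from the export above. It assumes 10.0.1.1 is the router's own address on mgmt_bridge (not stated in the thread) and that the cameras sit in 10.0.1.0/24.

```routeros
# Added example. Assumption: 10.0.1.1 is the router's address on mgmt_bridge;
# replace it with the real one.
/ip firewall nat

# BEFORE (first rule of the export in the thread), kept as a comment.
# It never counts a packet for two reasons:
#  - the dst-nat rules carry in-interface=wan, so LAN clients are never
#    translated to 10.0.1.4 in the first place;
#  - srcnat is evaluated after dstnat, so even translated traffic would
#    arrive here with dst-port 443, not 8101.
# add action=masquerade chain=srcnat dst-address=10.0.1.4 dst-port=8101 \
#     out-interface=mgmt_bridge protocol=tcp src-address=10.0.1.0/24

# AFTER, step 1: match on "any address owned by the router" instead of
# in-interface=wan. The same rule then serves outside and inside clients and
# keeps working when the dynamic WAN IP changes. The router's LAN address is
# excluded so traffic addressed to the router itself is left alone.
add action=dst-nat chain=dstnat comment=Camera1Web protocol=tcp \
    dst-address-type=local dst-address=!10.0.1.1 dst-port=8101 \
    to-addresses=10.0.1.4 to-ports=443
add action=dst-nat chain=dstnat comment=Camera1RTSP protocol=tcp \
    dst-address-type=local dst-address=!10.0.1.1 dst-port=8201 \
    to-addresses=10.0.1.4 to-ports=554

# AFTER, step 2: the hairpin itself. LAN-to-LAN traffic that was routed
# through the router is source-NATed, so the camera replies to the router
# and not directly to the client. No port match is needed; one rule covers
# every camera in the subnet.
# Side effect: the camera sees the router's address as the client, so its
# own access logs no longer show which LAN host connected.
add action=masquerade chain=srcnat comment=HairpinLAN \
    src-address=10.0.1.0/24 dst-address=10.0.1.0/24 \
    out-interface=mgmt_bridge

# Check: clear the counters, open https://<external name>:8101 from a LAN
# host, then confirm both Camera1Web and HairpinLAN counted packets.
/ip firewall nat reset-counters-all
/ip firewall nat print stats
```

Because the dst-nat rules no longer name an in-interface, they forward from every interface whose traffic reaches a router-owned address on those ports; add an in-interface or src-address match if some segments should not reach the cameras.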