Problem with Hairpin NAT with multiple servers

Hi

I am having some problems. I have a small home network of several PCs, a web server and a game server. My NAT rules are below. The problem is that people inside the home (behind the Mikrotik) can’t access the game server Atlas5.

I think it is to do with the hairpin code. We can access it from outside the home. How can I give people outside access, and also people inside, while keeping the web server running?



/ip firewall nat

add action=src-nat chain=srcnat comment="Source NAT all interfaces on the way out" log-prefix="Atls5 SrcNAT: " out-interface=pppoe-out1 to-addresses=x.x.x.x
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes out-interface=pppoe-out1

add action=dst-nat chain=dstnat comment="Atlas5 Server" dst-address=x.x.x.x dst-port=57550-57570 in-interface=pppoe-out1 log-prefix="Atlas5 Query Port: " protocol=tcp to-addresses=192.168.88.18 to-ports=57550-57570
add action=dst-nat chain=dstnat dst-address=x.x.x.x dst-port=57550-57570 in-interface=pppoe-out1 log-prefix="Atlas5 Query Port UDP: " protocol=udp to-addresses=192.168.88.18 to-ports=57550-57570
add action=dst-nat chain=dstnat dst-address=x.x.x.x dst-port=5750-5770 in-interface=pppoe-out1 log-prefix="Atlas5 Game Port: " protocol=tcp to-addresses=192.168.88.18 to-ports=5750-5770
add action=dst-nat chain=dstnat dst-address=x.x.x.x dst-port=5750-5770 in-interface=pppoe-out1 log-prefix="Atlas5 Game Port UDP: " protocol=udp to-addresses=192.168.88.18 to-ports=5750-5770

add action=dst-nat chain=dstnat comment="Tortuga Server" dst-address=x.x.x.x dst-port=22 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.88.67 to-ports=22
add action=dst-nat chain=dstnat dst-address=x.x.x.x dst-port=80 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.88.67 to-ports=80
add action=dst-nat chain=dstnat dst-address=x.x.x.x dst-port=443 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.88.67 to-ports=443

add action=dst-nat chain=dstnat comment=" Hairpin to Nibiru" dst-address=!192.168.88.0/24 dst-address-type=local to-addresses=192.168.88.67
add action=dst-nat chain=dstnat disabled=yes dst-address=!192.168.88.0/24 dst-address-type=local port=57550-57570 protocol=tcp to-addresses=192.168.88.18
add action=masquerade chain=srcnat comment=" Local to Local NAT" src-address=192.168.88.0/24

One simple way to solve this would be to set a static DNS entry for your at-home users, so when they go to www.example.com the MikroTik replies with 192.168.0.5, etc.

I don’t think that will work. We don’t search for www.example.com; we just run the game, it connects to some address beyond our control, and we search for a server by name. It loads a list of names, and ours never shows up if we connect from here, but it shows up for people off site.

I think the game server registers with the master site, and clients get the list of IPs from the master site, then try to connect to a server from this list via the port number. And so this data is being sent back to our external IP from our site, and the data is getting redirected to the game server instead of the client.

I am not making much sense, am I? I don’t really know what is going on, just that we can see all other game servers in the world but our own from our network, but can see ours from outside our network, and I think it is these NAT rules that cause it.

EDIT: I think when the game server sends its info to the clients, the info destined for clients in my network is caught by this rule:

add action=dst-nat chain=dstnat dst-address=x.x.x.x dst-port=57550-57570 in-interface=pppoe-out1 log-prefix="Atlas5 Query Port UDP: " protocol=udp to-addresses=192.168.88.18 to-ports=57550-57570

And it gets sent back to the game server instead of the local client. But without those rules it is not visible on the server list at all.



EDIT 2 and Resolved: I removed the in-interface clause and it is now working.
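For anyone landing on this thread with the same setup, here is the rule set as it would look after the fix in EDIT 2, written out as an added example rather than copied from the poster's router. It keeps the poster's addresses (x.x.x.x for the public IP, 192.168.88.18 for Atlas5, 192.168.88.67 for Tortuga) and port ranges; the comment text, the combined 22,80,443 rule and the dst-address=192.168.88.0/24 match on the hairpin masquerade are my choices and are not in the original post. The point of the change is that a dst-nat rule with in-interface=pppoe-out1 can only ever match packets that arrived on the PPPoE link, so a LAN client connecting to x.x.x.x never hit the Atlas5 rules at all; without that match the same rule forwards both Internet and LAN clients, and the hairpin masquerade makes the server's reply go back through the router instead of straight to the client.

```routeros
# Added example: NAT rules after dropping in-interface from the port forwards.
# x.x.x.x = public IP on pppoe-out1; .18 = Atlas5 game server; .67 = Tortuga web/SSH.
/ip firewall nat

# 1. Outbound: static source NAT to the public address (poster's original rule, unchanged).
add chain=srcnat action=src-nat out-interface=pppoe-out1 to-addresses=x.x.x.x comment="Source NAT all interfaces on the way out"

# 2. Port forwards. No in-interface match, so a packet from 192.168.88.x addressed to
#    x.x.x.x matches exactly like a packet from the Internet does. dst-nat keeps the
#    original port when to-ports is omitted, so the to-ports ranges are not needed.
add chain=dstnat action=dst-nat dst-address=x.x.x.x protocol=tcp dst-port=57550-57570 to-addresses=192.168.88.18 comment="Atlas5 query TCP"
add chain=dstnat action=dst-nat dst-address=x.x.x.x protocol=udp dst-port=57550-57570 to-addresses=192.168.88.18 comment="Atlas5 query UDP"
add chain=dstnat action=dst-nat dst-address=x.x.x.x protocol=tcp dst-port=5750-5770 to-addresses=192.168.88.18 comment="Atlas5 game TCP"
add chain=dstnat action=dst-nat dst-address=x.x.x.x protocol=udp dst-port=5750-5770 to-addresses=192.168.88.18 comment="Atlas5 game UDP"
add chain=dstnat action=dst-nat dst-address=x.x.x.x protocol=tcp dst-port=22,80,443 to-addresses=192.168.88.67 comment="Tortuga SSH/HTTP/HTTPS"

# 3. Hairpin source NAT. When a LAN client is dst-natted to a LAN server, the server
#    would otherwise answer the client directly from 192.168.88.18, and the client,
#    which sent its SYN to x.x.x.x, drops the reply. Masquerading LAN-to-LAN traffic
#    that went through dst-nat forces the reply back through the router.
add chain=srcnat action=masquerade src-address=192.168.88.0/24 dst-address=192.168.88.0/24 comment="Hairpin NAT for LAN to LAN"
```

Two things to check after applying this. First, dstnat is first-match: the poster's catch-all " Hairpin to Nibiru" rule (no protocol or port, everything to .67) is left out above; if it is kept, it has to sit after the port-specific rules or it will swallow the Atlas5 ports for LAN clients. Second, with the hairpin masquerade in place, Atlas5 and Tortuga see every LAN client as the router's LAN address rather than the client's real IP, so server-side logs, bans or per-IP rate limits cannot tell LAN users apart; that is inherent to hairpin NAT, and the DNS-override approach suggested earlier in the thread is the way to avoid it where the client does resolve a hostname you control.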