Problem with Hairpin & Verizon Fios (Frontier)

My hairpin setup has always worked. Yesterday we installed a MikroTik behind a Verizon Fios modem/router and it did not work. We put the MikroTik in the DMZ of the Verizon. We can VPN to it, it’s just the hairpin that doesn’t work. I think the Verizon is somehow affecting the hairpin. We have never had an issue before. Here is our hairpin setup:

/ip firewall filter

FORWARD

add chain=forward action=accept comment="DST NAT - Port Forward" dst-address=192.168.1.20 \
    dst-port=81 protocol=tcp

/ip firewall nat

DST-NAT

add action=dst-nat chain=dstnat comment="Port Forward" dst-port=81 \
    dst-address-type=local protocol=tcp to-addresses=192.168.1.20

SRC-NAT

add chain=srcnat comment="Hairpin" src-address=192.168.1.0/24 \
    dst-address=192.168.1.20 protocol=tcp dst-port=81 \
    out-interface=ether3-lan action=masquerade

It sounds like the public address is on the other router. In that case, your dstnat rule can’t work, because it’s looking for packets destined to a local address. And if the public address is somewhere else, it’s not local.

You’ll need another dstnat rule with dst-address= instead of dst-address-type=local. That would be a problem for dynamic addresses, but it’s solvable if you put your dynamic hostname in an address list, let RouterOS resolve it and use dst-address-list=.

The weird thing is, it works when using another ISP at another location. It seems the problem is somehow with Verizon. We did the exact same thing with Time Warner and it works fine.

It really can’t (*), because a rule with dst-address-type=local won’t catch any packets for a public address which is somewhere else.

(*) But it can work if hairpin NAT is performed by the other router.

You may be right! I forgot that I used an internal IP address for the camera system, so that’s why it was working.

Can you help me figure out a way to make it work? A lot of times we have to put the MikroTik behind the client’s router in the DMZ zone because the client’s router can’t be bridged. We have no other option. I don’t like to forward ports, but sometimes the clients request it. When we do, we need the hairpin to work.

As I already wrote, you just need to change dstnat rule:

/ip firewall address-list
add address=<your dynamic hostname> list=my-public-address
/ip firewall nat
add action=dst-nat chain=dstnat comment="Port Forward" dst-address-list=\
    my-public-address dst-port=81 protocol=tcp to-addresses=192.168.1.20

If you don’t already have a dynamic hostname, you can get one using IP->Cloud on the router.

Thanks. I would like to use the IP cloud from the router. What would that look like if you wrote it that way?

If you enable it, it will give you a hostname in the form .sn.mynetname.net and you’ll use address=.sn.mynetname.net in the address list.

I got it. Thanks. I will test it out.

Do I need to remove my current dst-nat rule in order for this new one to work?

Connections from the internet (using the forwarded port) will still go to 192.168.1.20. So either keep the old rule, or if you remove it, you’d have to add 192.168.1.20 to the address list.
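The pieces discussed in this thread, put together as one RouterOS configuration. This is an added example, not config posted by anyone in the thread: it assumes the WAN port is ether1, the LAN is ether3-lan / 192.168.1.0/24, the forwarded service is TCP 81 on 192.168.1.20, and `<router-serial>` stands in for whatever name IP->Cloud actually shows on your router. It keeps both dstnat rules, so internet connections arriving at the router's own DMZ-side address and LAN connections to the public name are both forwarded.

```routeros
# Added example (not from the thread). Assumptions: WAN = ether1, LAN = ether3-lan,
# LAN subnet 192.168.1.0/24, forwarded service = TCP 81 on 192.168.1.20.

# 1. Register the router's own dynamic hostname with MikroTik's cloud DDNS.
/ip cloud
set ddns-enabled=yes

# 2. Address list holding the public address. The router resolves the name
#    itself and keeps the resulting dynamic entry current. <router-serial> is a
#    placeholder for the name shown by "/ip cloud print" after enabling DDNS.
/ip firewall address-list
add address=<router-serial>.sn.mynetname.net list=my-public-address \
    comment="public IP learned via IP->Cloud"

# 3. dst-nat. Two rules: the first catches connections from the internet that
#    reach the router's own (local) address via the upstream router's DMZ; the
#    second catches LAN hosts that connect to the public name (the hairpin case,
#    which dst-address-type=local cannot match when the public IP lives on the
#    Verizon box).
/ip firewall nat
add chain=dstnat action=dst-nat comment="Port Forward (from internet)" \
    dst-address-type=local dst-port=81 protocol=tcp to-addresses=192.168.1.20
add chain=dstnat action=dst-nat comment="Port Forward (hairpin)" \
    dst-address-list=my-public-address dst-port=81 protocol=tcp \
    to-addresses=192.168.1.20

# 4. src-nat for the hairpin. After dst-nat, LAN->LAN packets leave on the LAN
#    interface; masquerading them makes 192.168.1.20 answer the router instead of
#    the client directly, so the reverse translation happens.
add chain=srcnat action=masquerade comment="Hairpin" \
    src-address=192.168.1.0/24 dst-address=192.168.1.20 protocol=tcp \
    dst-port=81 out-interface=ether3-lan

# 5. Forward filter: permit only the dst-natted port to 192.168.1.20. Place this
#    above any "drop new connections from WAN" rule in the forward chain so that
#    nothing else behind the DMZ becomes reachable.
/ip firewall filter
add chain=forward action=accept comment="DST NAT - Port Forward" \
    connection-nat-state=dstnat dst-address=192.168.1.20 dst-port=81 protocol=tcp
```

To check it after applying: `/ip cloud print` should show the dns-name the router was assigned, and `/ip firewall address-list print` should show a dynamic entry under my-public-address with the resolved address next to the hostname entry. If that dynamic entry is missing, the router could not resolve the name (check `/ip dns` settings) and the hairpin dstnat rule will never match. Then from a LAN host connect to the public name on port 81 and watch the counters on the "Port Forward (hairpin)" and "Hairpin" rules increment in `/ip firewall nat print stats`.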