[SOLVED] Help needed to configure hairpin NAT

Hello,

After reading almost all posts about how to configure hairpin NAT, I still can’t make it work.
I have a CCR1009-7G-1C-1S+ MikroTik router.
The public IP is provided by my ISP via DHCP.
From the Internet I can access my web server without any problem. From the LAN I can’t access my web server.

Interface ether1 is connected to the Internet.
VLAN interface ont-vl832 is created on interface ether1 because my ISP uses VLAN 832 for Internet data.
Bridge br-wan is created with interface ont-vl832 because I need to set TOS on DHCP packets to get my public IP from my ISP.

This is what happens from the LAN when I try to access the web server:

curl -k https://my_public_ip
curl: (7) Failed to connect to my_public_ip port 443: Connection refused

Here is the tcpdump trace:

11:43:35.692012 IP 192.168.1.YY.51996 > my_public_ip.443: Flags [S], seq 2525450066, win 29200, options [mss 1460,sackOK,TS val 1921652487 ecr 0,nop,wscale 7], length 0
11:43:35.692671 IP my_public_ip.443 > 192.168.1.YY.51996: Flags [R.], seq 0, ack 2525450067, win 0, length 0

Here is my config on the MikroTik router:

VLAN:

/interface vlan print
 #   NAME         MTU   ARP       VLAN-ID  INTERFACE
 0 R ;;; VLAN832 on ether1
     ont-vl832    1500  enabled   832      ether1

BRIDGE:

/interface bridge print
name="br-wan" mtu=auto actual-mtu=1500 l2mtu=1576 arp=enabled arp-timeout=auto mac-address=CC:2D:E0:XX:YY:ZZ protocol-mode=rstp fast-forward=yes igmp-snooping=no auto-mac=yes ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=no dhcp-snooping=no

NAT:

/ip firewall nat print
0    chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=br-wan
1    chain=dstnat action=dst-nat to-addresses=192.168.1.XX protocol=tcp in-interface=br-wan dst-port=80
2    chain=dstnat action=dst-nat to-addresses=192.168.1.XX protocol=tcp in-interface=br-wan dst-port=443

FILTER:

/ip firewall filter print
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 
 1    ;;; FastTrack
      chain=forward action=fasttrack-connection connection-state=established,related 
 2    ;;; Established, Related
      chain=forward action=accept connection-state=established,related 
 3    ;;; Drop invalid
      chain=forward action=drop connection-state=invalid log=yes log-prefix="invalid" 
 4    ;;; Drop tries to reach not public addresses from LAN
      chain=forward action=drop dst-address-list=not_in_internet in-interface=combo1 out-interface=!combo1 log=yes log-prefix="!public_from_LAN" 
 5    ;;; Drop incoming packets that are not NATted
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1 out-interface=!ether1 log=yes log-prefix="!public_from_LAN" 
 6    ;;; Drop incoming from internet which is not public IP
      chain=forward action=drop src-address-list=not_in_internet in-interface=ether1 log=yes log-prefix="!public" 
 7    ;;; Drop packets from LAN that do not have LAN IP
      chain=forward action=drop src-address=!192.168.1.0/24 in-interface=combo1 log=yes log-prefix="LAN_!LAN"

ADDRESS-LIST:

/ip firewall address-list print
Flags: X - disabled, D - dynamic
 #   LIST               ADDRESS           CREATION-TIME         TIMEOUT
 0   ;;; RFC6890
     not_in_internet    0.0.0.0/8         may/27/2018 17:18:41
 1   ;;; RFC6890
     not_in_internet    172.16.0.0/12     may/27/2018 17:18:41
 2   ;;; RFC6890
     not_in_internet    192.168.0.0/16    may/27/2018 17:18:41
 3   ;;; RFC6890
     not_in_internet    10.0.0.0/8        may/27/2018 17:18:41
 4   ;;; RFC6890
     not_in_internet    169.254.0.0/16    may/27/2018 17:18:41
 5   ;;; RFC6890
     not_in_internet    127.0.0.0/8       may/27/2018 17:18:41
 6   ;;; Multicast
     not_in_internet    224.0.0.0/4       may/27/2018 17:18:41
 7   ;;; RFC6890
     not_in_internet    198.18.0.0/15     may/27/2018 17:18:41
 8   ;;; RFC6890
     not_in_internet    192.0.0.0/24      may/27/2018 17:18:41
 9   ;;; RFC6890
     not_in_internet    192.0.2.0/24      may/27/2018 17:18:41
10   ;;; RFC6890
     not_in_internet    198.51.100.0/24   may/27/2018 17:18:41
11   ;;; RFC6890
     not_in_internet    203.0.113.0/24    may/27/2018 17:18:41
12   ;;; RFC6890
     not_in_internet    100.64.0.0/10     may/27/2018 17:18:41
13   ;;; RFC6890
     not_in_internet    240.0.0.0/4       may/27/2018 17:18:41
14   ;;; 6to4 relay Anycast [RFC 3068]
     not_in_internet    192.88.99.0/24    may/27/2018 17:18:43

Thanks for your help!

And have you seen the wiki? https://wiki.mikrotik.com/wiki/Hairpin_NAT

To fix the issue, an additional NAT rule needs to be introduced on the router to enforce that all reply traffic flows through the router, despite the client and server being on the same subnet. The rule below is very specific to only apply to the traffic that the issue could occur with - if there are many servers the issue occurs with, the rule could be made broader to save having one such exception per forwarded service.

/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24
dst-address=192.168.1.2 protocol=tcp dst-port=80
out-interface=LAN action=masquerade

I’ve already tested with this rule, but it doesn’t work:

/ip firewall nat print
 0    chain=srcnat action=masquerade protocol=tcp src-address=192.168.1.0/24 dst-address=192.168.1.XX out-interface=combo1 dst-port=80 
 1    chain=srcnat action=masquerade protocol=tcp src-address=192.168.1.0/24 dst-address=192.168.1.XX out-interface=combo1 dst-port=443 
 2    chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=br-wan 
 3    chain=dstnat action=dst-nat to-addresses=192.168.1.20 protocol=tcp in-interface=br-wan dst-port=80 
 4    chain=dstnat action=dst-nat to-addresses=192.168.1.20 protocol=tcp in-interface=br-wan dst-port=443

Some more information:

/ip address print
 #   ADDRESS            NETWORK         INTERFACE
 0   ;;; defconf
     192.168.1.1/24     192.168.1.0     combo1
 1 D 90.22.XX.YY/21     90.22.184.0     br-wan

Maybe reading less but more carefully would be better. :wink:

You can’t have dstnat rules with in-interface=br-wan; they can’t work from inside, because connections will be coming from the LAN interface. The best is dst-address=, but if it’s dynamic, you can use dst-address-type=local instead and it will match all local addresses. In case you need those ports also on the router, e.g. for management from the LAN using WebFig, add an additional dst-address=!<192.168.1.x> as an exception (where 192.168.1.x is the router’s local address; don’t forget the “!”, which means “not”).

Thanks, it works now. I didn’t understand this part, but now it seems obvious…
Here are the working rules :

/ip firewall nat print           
 0 chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=br-wan 
 1 chain=srcnat action=masquerade protocol=tcp src-address=192.168.1.0/24 dst-port=443 
 2 chain=srcnat action=masquerade protocol=tcp src-address=192.168.1.0/24 dst-port=80 
 3 chain=dstnat action=dst-nat to-addresses=192.168.1.XX protocol=tcp dst-address-type=local dst-port=443 
 4 chain=dstnat action=dst-nat to-addresses=192.168.1.XX protocol=tcp dst-address-type=local dst-port=80
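As an added example (not the thread's own config), here is the same hairpin setup written as a complete rule set that also applies the two refinements from the answer above: the management exception for the router's own LAN address, and the srcnat rule narrowed to LAN-to-server traffic only. Assumed values: router LAN address 192.168.1.1 and LAN interface combo1 (from the thread), 192.168.1.XX kept as the server placeholder.

```routeros
# Added example, not the original poster's config. Assumes router LAN address
# 192.168.1.1, LAN interface combo1, WAN bridge br-wan, server 192.168.1.XX
# (placeholder: replace with the real server address before importing).
/ip firewall nat

# 1. Ordinary outbound masquerade for LAN -> Internet (unchanged from the thread).
add chain=srcnat action=masquerade out-interface=br-wan comment="LAN to Internet"

# 2. Port forwards. dst-address-type=local matches any address the router itself
#    holds (including the DHCP-assigned public IP) no matter which interface the
#    packet arrived on, so Internet and LAN clients both hit these rules.
#    dst-address=!192.168.1.1 excludes the router's own LAN address, so WebFig /
#    www-ssl on the router stays reachable from the LAN instead of being forwarded.
add chain=dstnat action=dst-nat to-addresses=192.168.1.XX protocol=tcp dst-address-type=local dst-address=!192.168.1.1 dst-port=80 comment="forward HTTP (hairpin capable)"
add chain=dstnat action=dst-nat to-addresses=192.168.1.XX protocol=tcp dst-address-type=local dst-address=!192.168.1.1 dst-port=443 comment="forward HTTPS (hairpin capable)"

# 3. Hairpin srcnat. srcnat is evaluated after dstnat, so dst-address here is the
#    already-translated server address. Masquerading only LAN -> server traffic that
#    leaves via combo1 forces the server's replies back through the router; without
#    it the server answers the LAN client directly from 192.168.1.XX, the client sees
#    a reply from an address it never connected to, and resets the connection.
add chain=srcnat action=masquerade protocol=tcp src-address=192.168.1.0/24 dst-address=192.168.1.XX out-interface=combo1 dst-port=80,443 comment="hairpin NAT"
```

One further caveat from the filter rules posted earlier: rules 5 and 6 match on in-interface=ether1, but the routed WAN interface in this setup is br-wan, so those drop rules never match; changing them to in-interface=br-wan restores the intended protection.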