treat local return traffic as outside traffic

hi,

Say the address provided by my ISP is 1.2.3.4 and my router is 192.168.1.1. My outside address is dynamic, so I would like to avoid hardcoding it into firewall rules.

I would like to set up routing in a way so that if I connect to 1.2.3.4 from inside the network, the traffic behaves as outside traffic and goes through normal NAT, filtering, etc. My previous routers did it that way by default.

The reason for this is testing, mainly. I would like to run nmap to see how my network looks from outside, test port forwards without using my cell phone, etc…

Any advice?

Have a look here:

http://wiki.mikrotik.com/wiki/Hairpin_NAT

Thanks.

Browsing to 1.2.3.4:80 seems to work properly now.

However, I dislike following things:

  1. it’s hacky as hell. I had to write a script (because NAT rules without my external IP went crazy).
  2. when I run nmap 1.2.3.4 from inside the network, I would like to see the same output as from outside. Currently it’s not the case. For example, I can see the admin interface running at port 2222, and ssh 1.2.3.4 -p 2222 works.

Any thoughts?

Description of my current config follows.

I’m using the following scheduled script to create an address list with my outside address (patched together from various online sources):

# Interface that carries the dynamic ISP address, and the address list to maintain
:local gateway "ether1-gateway"
:local listname "outside"

# Read the address assigned to the gateway interface and strip the /prefix length
:local ip [ /ip address get [ find interface=$gateway ] address ]
:set ip [:pick $ip 0 [:find $ip "/"]]
:put "Remote IP: $ip"

# Existing entries in the list; assume an update is needed unless proven otherwise
:local numbers [/ip firewall address-list find list=$listname]
:local diff true

# Nothing to do if the list holds exactly one enabled entry with the current address
:if ( [ :len $numbers ] = 1 ) do={
    :if ( [/ip firewall address-list get $numbers address ] = $ip and [ /ip firewall address-list get $numbers disabled ] = false ) do={
        :set diff false
    }
}

# Otherwise replace whatever is in the list with the current address
:if ( $diff ) do={
    /ip firewall address-list remove $numbers
    /ip firewall address-list add address=$ip list=$listname
    :put "Updated."
} else={
    :put "Same. Not updated."
}

My NAT rules look like this:

[admin@MikroTik] /ip firewall address-list> /ip firewall nat print 
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=80 protocol=tcp dst-address-list=outside dst-port=80 

 1   chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=22 protocol=tcp dst-address-list=outside dst-port=22 

 2   chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=45612 protocol=tcp dst-address-list=outside dst-port=45612 

 3   chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=45612 protocol=udp dst-address-list=outside dst-port=45612 

 4   ;;; default configuration
     chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=ether1-gateway 

 5   ;;; http://wiki.mikrotik.com/wiki/Hairpin_NAT
     chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=192.168.1.0/24 out-interface=bridge-local
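Added example (not from this thread or the linked wiki page): a complete hairpin set for one forwarded service, plus the input-chain rule that makes unforwarded ports on the outside address behave as they do from the Internet. It assumes the "outside" address list is kept current by the script above, the LAN is 192.168.1.0/24 on bridge-local, the WAN interface is ether1-gateway, and the existing input chain only drops WAN packets by in-interface (which is why LAN packets to 1.2.3.4 reach the 2222 admin port).

```routeros
# Assumed names: address list "outside", LAN bridge "bridge-local",
# WAN interface "ether1-gateway", web server 192.168.1.10.

/ip firewall nat
# Port forward on the outside address, for any source (LAN or Internet).
add chain=dstnat dst-address-list=outside protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.1.10 to-ports=80 \
    comment="port forward: web"
# Hairpin: LAN hosts that reached the server via the outside address get
# their source rewritten, otherwise the server answers directly over the
# LAN with a source the client did not connect to and the handshake fails.
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.0/24 \
    out-interface=bridge-local action=masquerade \
    comment="hairpin NAT"
# Normal masquerade towards the ISP.
add chain=srcnat out-interface=ether1-gateway action=masquerade

/ip firewall filter
# Keep replies to established sessions working before any drop rule.
add chain=input connection-state=established,related action=accept
# dst-nat runs before input, so forwarded ports never reach this chain.
# Everything else addressed to the outside IP that did NOT arrive on the
# WAN port is treated exactly like WAN traffic and dropped. This is what
# hides port 2222 from an internal "nmap 1.2.3.4".
add chain=input dst-address-list=outside in-interface=!ether1-gateway \
    action=drop comment="treat local traffic to outside IP as WAN traffic"
# Existing WAN drop (typical default configuration).
add chain=input in-interface=ether1-gateway action=drop
```

Management via the LAN address 192.168.1.1 is unaffected, because only packets whose destination is in the "outside" list match the added drop rule.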