hello my friend..!
so i have a Mikrotik router with the following network configuration, you can see it below..
i am trying to apply hairpin nat to see my NVR device that have the IP 192.168.1.122 thorugh public IP address inside my LAN network, but it seems that there is something that prevent me from doing that.
can anyone tell me what this thing that prevent the Hairpin NAT from work..?
here is my mikrotik configuration:
/interface bridge
add arp=proxy-arp dhcp-snooping=yes fast-forward=no igmp-snooping=yes
multicast-querier=yes multicast-router=permanent name=Bridge
/interface ethernet
set [ find default-name=ether1 ]
set [ find default-name=ether3 ]
set [ find default-name=ether4 ]
/interface list
add comment=defconf name=WAN
add name=LAN
/ip pool
add name=dhcp_pool3 ranges=192.168.1.100-192.168.1.150
/ip dhcp-server
add address-pool=dhcp_pool3 interface=Bridge lease-time=30m name=dhcp2
/snmp community
add addresses=::/0 name=
/system logging action
set 0 memory-lines=3000
/interface bridge port
add bridge=Bridge ingress-filtering=no interface=ether3 trusted=yes
add bridge=Bridge ingress-filtering=no interface=ether4 trusted=yes
add bridge=Bridge interface=wlan1 trusted=yes
add bridge=Bridge interface=ether2 trusted=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192 tcp-syncookies=yes
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=Bridge vlan-ids=1
add bridge=Bridge vlan-ids=55
/interface l2tp-server server
set allow-fast-path=yes authentication=mschap2 default-profile=l2tp enabled=
yes keepalive-timeout=120 use-ipsec=required
/interface list member
add interface=ether1 list=WAN
add interface=Bridge list=LAN
/ip address
add address=192.168.2.2/24 comment=“out interface” interface=ether1 network=
192.168.2.0
add address=192.168.1.1/24 comment=LAN interface=Bridge network=192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server
add address-pool=dhcp_pool8 interface=*B name=dhcp1
/ip dhcp-server alert
add disabled=no interface=Bridge on-alert=
“:log error message="Rogue DHCP Server Discovered"”
/ip dhcp-server network
add address=10.10.1.0/24 gateway=10.10.1.1
add address=10.20.1.0/24 gateway=10.20.1.1
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.2.0/24 dns-server=8.8.8.8,192.168.1.1 gateway=192.168.2.2
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.1
add address=192.168.132.0/24 gateway=192.168.132.1
/ip dns
set allow-remote-requests=yes cache-size=3000KiB servers=1.1.1.1
/ip firewall filter
add action=accept chain=input comment="allow " dst-port=1701 protocol=udp
add action=accept chain=input dst-port=80 protocol=tcp
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=
“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
add action=drop chain=input comment=“defconf: drop all not coming from LAN”
in-interface-list=!LAN
add action=accept chain=forward comment=“defconf: accept in ipsec policy”
ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy”
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
“defconf: accept established,related, untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=
yes new-connection-mark=user-1 passthrough=yes src-address=192.168.1.100
add action=mark-packet chain=prerouting connection-mark=user-1 disabled=yes
new-packet-mark=“user exceeded” passthrough=yes
/ip firewall nat
add action=src-nat chain=srcnat src-address=192.168.1.0/24
dst-address=192.168.1.122 protocol=tcp dst-port=37777
to-addresses=192.168.2.2 to-ports=37777
comment=“hairpin NAT”
add action=masquerade chain=srcnat dst-address=192.168.2.2 out-interface=
Bridge protocol=tcp src-address=192.168.1.0/24 to-addresses=192.168.2.2
add action=src-nat chain=srcnat comment=“defconf: masquerade”
out-interface-list=WAN to-addresses=192.168.2.2
add action=dst-nat chain=dstnat dst-address=192.168.2.2 dst-port=34567
protocol=tcp to-addresses=192.168.1.10 to-ports=34567
add action=dst-nat chain=dstnat dst-address=192.168.2.2 dst-port=554
protocol=tcp to-addresses=192.168.1.244 to-ports=554
add action=dst-nat chain=dstnat dst-address=192.168.2.2 dst-port=37777
protocol=tcp to-addresses=192.168.1.122 to-ports=37777
add action=dst-nat chain=dstnat dst-address=192.168.2.2 dst-port=9021
protocol=tcp to-addresses=192.168.1.170 to-ports=9021
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=main
suppress-hw-offload=no
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=WAN
suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set www-ssl certificate=*12
set api disabled=yes
set api-ssl disabled=yes
/ip traffic-flow
set interfaces=Bridge
/ppp profile
add dns-server=192.168.1.1 local-address=192.168.100.1 name=l2tp
remote-address=*5 use-upnp=no
/ppp secret
add name=ali service=ovpn
add name=admin profile=l2tp
/routing igmp-proxy
set query-interval=10s
/routing igmp-proxy interface
add
add alternative-subnets=0.0.0.0/0 interface=ether1
add alternative-subnets=10.10.0.200/32 interface=wlan1 upstream=yes
/snmp
set contact=“ISTC Company” enabled=yes location=syria trap-community=ISTC
trap-version=2
/system identity
set name=Office
/tool bandwidth-server
set enabled=no
/tool graphing interface
add
/tool graphing resource
add allow-address=192.168.1.0/24
/tool mac-server ping
set enabled=no
/tool romon
set enabled=yes
…