Unable to configure split tunneling with hairpin NAT

Hi!

I have configured hairpin NAT so I don’t have to deal with split DNS. This has worked fairly well, but causes problems for me when I want to reach my web server 10.0.50.30 when I am connected over wireguard.

If I configure AllowedIPs to 0.0.0.0/0 it works fine, but usually I want split tunneling. Putting 10.0.0.0/16 in AllowedIPs also works for reaching my internal services. However, my web server (10.0.50.30) is configured to accept traffic based on the host header, say "asd.test.com" as an example. I assumed I could simply add my WAN IP to AllowedIPs as well, but then I can not reach anything in my /16 subnet (nor my web server for that matter). I assume this breaks because of some sort of routing loop. Maybe the handshake is routed into the new route?

Any suggestions to solve this while maintaining the hairpin NAT config?

# Single bridge with VLAN filtering on; the VLAN interfaces below are SVIs on it.
/interface bridge
add admin-mac=DC:2C:6E:0B:34:89 auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] comment=WiFi
set [ find default-name=ether5 ] comment=VMHost
set [ find default-name=sfp1 ] advertise="10M-baseT-half,10M-baseT-full,100M-ba\
    seT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full"
# WireGuard server interface. UDP 13231 is accepted on ISPWAN in the input chain
# further down; the interface's private key is not part of this export.
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
# ISPWAN is the tagged ISP uplink (VLAN 202 on sfp1); every other VLAN
# interface sits on the bridge and gets its own /24 under /ip address.
/interface vlan
add interface=sfp1 name=ISPWAN vlan-id=202
add interface=bridge name=bridge-vlan10-management vlan-id=10
add interface=bridge name=bridge-vlan50-server vlan-id=50
add interface=bridge name=bridge-vlan100-internal vlan-id=100
add interface=bridge name=bridge-vlan150-iot vlan-id=150
add interface=bridge name=bridge-vlan151-zaptec vlan-id=151
add interface=bridge name=bridge-vlan200-guest vlan-id=200
# Interface lists used by the firewall and NAT rules; membership is assigned
# under /interface list member (note that wireguard1 is placed in LAN there).
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
# DHCP option 138 handed to the management VLAN; 0x0A00321E decodes to
# 10.0.50.30, i.e. the same host as the web server.
/ip dhcp-server option
add code=138 name=Omada-Controller value=0x0A00321E
/ip dhcp-server option sets
add name=omada options=Omada-Controller
# Address pools. l2tp_pool and VPN-POOL are consumed by the PPP profiles,
# not by a DHCP server; dhcp_pool3 (192.168.100.x) has no enabled server below.
add name=dhcp ranges=10.0.0.2-10.0.0.250
add name=l2tp_pool ranges=10.0.3.100-10.0.3.150
add name=dhcp_pool3 ranges=192.168.100.2-192.168.100.254
add name=vlan-200-guest-pool ranges=10.0.200.10-10.0.200.254
add name=vlan-151-zaptec-pool ranges=10.0.151.10-10.0.151.100
add name=vlan-10-management-pool ranges=10.0.10.100-10.0.10.254
add name=vlan-100-internal-pool ranges=10.0.100.10-10.0.100.254
add name=vlan-50-server-pool ranges=10.0.50.100-10.0.50.254
add name=vlan-150-iot-pool ranges=10.0.150.10-10.0.150.254
add name=VPN-POOL ranges=10.0.210.100-10.0.210.200
# One DHCP server per VLAN; the server on the untagged bridge is disabled.
# Only the management server pushes the option set defined above.
/ip dhcp-server
add address-pool=dhcp disabled=yes interface=bridge lease-time=10m name=\
    LAN-dhcp
add address-pool=vlan-200-guest-pool interface=bridge-vlan200-guest \
    lease-time=10m name=guest-dhcp
add address-pool=vlan-151-zaptec-pool interface=bridge-vlan151-zaptec \
    lease-time=10m name=zaptec-dhcp
add address-pool=vlan-10-management-pool dhcp-option-set=omada interface=\
    bridge-vlan10-management lease-time=10m name=management-dhcp
add address-pool=vlan-50-server-pool interface=bridge-vlan50-server \
    lease-time=10m name=server-dhcp
add address-pool=vlan-100-internal-pool interface=bridge-vlan100-internal \
    lease-time=10m name=internal-dhcp
add address-pool=vlan-150-iot-pool interface=bridge-vlan150-iot lease-time=10m \
    name=iot-dhcp
# Default SMB user disabled (whether the SMB service itself is enabled is not
# visible in this export).
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
# PPP profiles for the L2TP and OpenVPN servers. Both hand out DNS pointing at
# a router address; the OpenVPN profile additionally requires encryption.
/ppp profile
add bridge=bridge dns-server=10.0.0.1 local-address=10.0.3.1 name=L2TP-Profile \
    remote-address=l2tp_pool
add dns-server=10.0.210.1 local-address=10.0.210.1 name=OPENVPN-PROFILE \
    remote-address=VPN-POOL use-encryption=yes
# Dynamic routing stubs: BGP template and OSPF instance exist but the OSPF
# area is disabled and no BGP peers appear in this export.
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing pimsm instance
add afi=ipv4 disabled=no name=pimsm-instance1 vrf=main
# Extra routing table "wg-back" (disabled); referenced by a disabled route and
# a disabled routing rule further down - an unfinished policy-routing attempt.
/routing table
add disabled=yes fib name=wg-back
# Bridge ports. ether4 is an untagged management port (pvid 10), ether5 an
# untagged internal port (pvid 100); sfp1 is kept out of the bridge (disabled)
# because it carries the tagged ISP uplink.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10 pvid=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10 pvid=100
add bridge=bridge comment=defconf disabled=yes interface=sfp1 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=";;; defconf" interface=ether1 internal-path-cost=10 \
    path-cost=10
# Short UDP conntrack timeout (10s); affects any forwarded UDP flow, not only
# the WireGuard listener (which is accepted as new traffic anyway).
/ip firewall connection tracking
set udp-timeout=10s
# Neighbor discovery only on LAN-list interfaces, not towards the ISP.
/ip neighbor discovery-settings
set discover-interface-list=LAN
# IPv6 fully disabled, so none of the IPv4 rules below need an IPv6 twin.
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
# VLAN table: ether2 (WiFi) is a trunk carrying every VLAN tagged; ether4 and
# ether5 are access ports for VLAN 10 and 100 respectively.
/interface bridge vlan
add bridge=bridge tagged=ether2,bridge vlan-ids=50
add bridge=bridge tagged=ether2,bridge untagged=ether4 vlan-ids=10
add bridge=bridge tagged=ether2,bridge untagged=ether5 vlan-ids=100
add bridge=bridge tagged=ether2,bridge vlan-ids=150
add bridge=bridge tagged=ether2,bridge vlan-ids=151
add bridge=bridge tagged=ether2,bridge vlan-ids=200
# L2TP server with IPsec mandatory. NOTE(review): no input-chain accept for
# UDP 500/4500/1701 or ESP from WAN is visible in this export, so remote
# L2TP clients may be hitting the final "drop all else" rule - confirm.
/interface l2tp-server server
set enabled=yes one-session-per-host=yes use-ipsec=required
# List membership. wireguard1 is a LAN member, so every "in-interface-list=LAN"
# rule (input accept, LAN-to-WAN forward) applies to WireGuard peers as well.
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=ISPWAN list=WAN
add interface=bridge-vlan200-guest list=LAN
add interface=wireguard1 list=LAN
add interface=bridge-vlan151-zaptec list=LAN
add interface=bridge-vlan10-management list=LAN
add interface=ether5 list=LAN
add interface=bridge-vlan100-internal list=LAN
add interface=bridge-vlan50-server list=LAN
add interface=bridge-vlan150-iot list=LAN
# OpenVPN server: AES-GCM ciphers and a client certificate are required.
# NOTE(review): auth=sha1 is the HMAC digest; with GCM (AEAD) ciphers it is
# presumably only relevant to the control channel - verify for this RouterOS
# version before relying on it. No input accept for the OpenVPN port is visible.
/interface ovpn-server server
add auth=sha1 certificate=server@MikroTik-hEX-S cipher=aes128-gcm,aes256-gcm \
    default-profile=OPENVPN-PROFILE disabled=no mac-address=FE:9D:73:63:56:86 \
    name=ovpn-server1 require-client-certificate=yes
# WireGuard peers, one /32 each inside 192.168.200.0/24. Only public keys are
# listed; peer preshared keys, if any, are not shown by this export.
/interface wireguard peers
add allowed-address=192.168.200.3/32 interface=wireguard1 name=tyrkia \
    public-key="lDckeSBt7Y8lFAQgC7EAF4haM1+xb3f0/CTnZL+mEwM="
add allowed-address=192.168.200.4/32 interface=wireguard1 name=work-laptop \
    public-key="CTQ5I5fzp8Hrq8hRMbehdJiGKVyDVJFLKH7oEJMA5Ww="
add allowed-address=192.168.200.5/32 interface=wireguard1 name=iphone \
    public-key="L0snMcGFnPrXzzSCI9RNInB5r5MpMj3nxOoffIcxqnE="
add allowed-address=192.168.200.6/32 interface=wireguard1 name=laptop \
    public-key="DqU+48L/wGPYFsI5YeqoZofNTXXJkNPVz4jistMNRT8="
add allowed-address=192.168.200.7/32 interface=wireguard1 name=ipad \
    public-key="/dxRzkxkkwvxL0PtD49GtyS5ZBmK4d61PwKktJVWEis="
add allowed-address=192.168.200.9/32 interface=wireguard1 name=work-lenovo \
    public-key="eej1TTLDCQKWaGF0/u/AhAdcLTKKiKBmV+CU89O6k2M="
# Router addresses, one /24 per VLAN. The first entry is disabled and points
# at "*B", which looks like a reference to an interface that no longer exists.
/ip address
add address=192.168.100.1/24 comment="Guest address space" disabled=yes \
    interface=*B network=192.168.100.0
add address=192.168.200.1/24 interface=wireguard1 network=192.168.200.0
add address=10.0.150.1/24 interface=bridge-vlan150-iot network=10.0.150.0
add address=10.0.0.1/24 interface=bridge network=10.0.0.0
add address=10.0.200.1/24 interface=bridge-vlan200-guest network=10.0.200.0
add address=10.0.151.1/24 interface=bridge-vlan151-zaptec network=10.0.151.0
add address=10.0.50.1/24 interface=bridge-vlan50-server network=10.0.50.0
add address=10.0.10.1/24 interface=bridge-vlan10-management network=10.0.10.0
add address=10.0.100.1/24 interface=bridge-vlan100-internal network=10.0.100.0
# MikroTik cloud DDNS; the resulting sn.mynetname.net hostname is what the
# WAN-IP address list (used by the hairpin dst-nat rules) resolves.
/ip cloud
set ddns-enabled=yes
# The ISP uplink gets its address and default route via DHCP.
/ip dhcp-client
add default-route-tables=main interface=ISPWAN
# Static leases; 10.0.50.30 is the web server / DNS host referenced throughout.
/ip dhcp-server lease
add address=10.0.50.15 client-id=\
    ff:11:5d:24:63:0:1:0:1:2b:1b:c2:6d:16:a:bd:fb:7b:5b mac-address=\
    52:BE:11:5D:24:63 server=server-dhcp
add address=10.0.50.30 client-id=\
    ff:26:77:e7:a8:0:1:0:1:29:9c:32:0:9e:41:26:77:e7:a8 mac-address=\
    9E:41:26:77:E7:A8 server=server-dhcp
add address=10.0.50.13 client-id=1:6e:b3:ec:b9:9f:6e mac-address=\
    6E:B3:EC:B9:9F:6E server=server-dhcp
add address=10.0.10.234 client-id=1:e8:48:b8:56:b4:12 mac-address=\
    E8:48:B8:56:B4:12 server=management-dhcp
add address=10.0.100.240 client-id=1:94:dd:f8:b:a3:cd mac-address=\
    94:DD:F8:0B:A3:CD server=internal-dhcp
add address=10.0.50.147 client-id=\
    ff:5d:e2:6c:15:0:2:0:0:ab:11:98:74:43:20:62:1c:28:57 mac-address=\
    68:1D:EF:34:74:6C server=server-dhcp
add address=10.0.100.233 client-id=1:0:d4:9e:5f:99:16 mac-address=\
    00:D4:9E:5F:99:16 server=internal-dhcp
add address=10.0.150.15 client-id=1:cc:5e:f8:aa:28:a8 mac-address=\
    CC:5E:F8:AA:28:A8 server=iot-dhcp
# Per-subnet DHCP options. Internal, IoT and guest clients resolve through
# 10.0.50.30; management and server VLANs use the ISP resolvers directly.
# 10.0.1.0/24 has no matching /ip address entry above (leftover?).
/ip dhcp-server network
add address=10.0.1.0/24 dns-server=10.0.50.30 gateway=10.0.1.1 netmask=24
add address=10.0.10.0/24 dns-server=\
    213.184.200.1,213.184.200.2,213.184.210.210 gateway=10.0.10.1
add address=10.0.50.0/24 dns-server=\
    213.184.200.1,213.184.200.2,213.184.210.210 gateway=10.0.50.1
add address=10.0.100.0/24 dns-server=10.0.50.30 gateway=10.0.100.1
add address=10.0.150.0/24 dns-server=10.0.50.30 gateway=10.0.150.1
add address=10.0.151.0/24 dns-server=1.1.1.1 gateway=10.0.151.1
add address=10.0.200.0/24 dns-server=10.0.50.30 gateway=10.0.200.1
add address=192.168.100.0/24 dns-server=1.1.1.1 gateway=192.168.100.1
# The router itself answers DNS (allow-remote-requests=yes). Exposure is
# bounded by the input chain: only LAN-list interfaces are accepted and
# everything else is dropped, so this is not an open resolver towards WAN.
# mDNS is repeated between the listed VLANs.
/ip dns
set allow-remote-requests=yes mdns-repeat-ifaces="bridge-vlan200-guest,bridge-v\
    lan100-internal,bridge-vlan150-iot,bridge-vlan10-management,bridge-vlan50-s\
    erver" servers=213.184.200.1,213.184.200.2,213.184.210.210
# Static records served by the router's resolver.
/ip dns static
add address=10.0.10.1 comment=defconf name=router.lan type=A
add address=104.16.248.249 name=cloudflare-dns.com type=A
add address=104.16.249.249 name=cloudflare-dns.com type=A
add address=10.0.50.10 name=qnap.lan type=A
# Address lists. WAN-IP is a DDNS hostname that the router resolves to the
# current public address; the hairpin and port-forward dst-nat rules match on
# it. asd-wireshark and all-lan-ranges are not referenced by any rule in this
# export.
/ip firewall address-list
add address=d4500f0ca973.sn.mynetname.net list=WAN-IP
add address=192.168.200.4 list=asd-wireshark
add address=192.168.200.5 list=asd-wireshark
add address=10.0.0.0/16 list=all-lan-ranges
add address=192.168.200.0/24 list=all-lan-ranges
# ---- input chain (traffic to the router itself) ----
# Order: established/related/untracked, drop invalid, WireGuard port on the
# ISP uplink, ICMP from anywhere, anything from LAN-list interfaces (which
# includes wireguard1), loopback, then drop.
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment=WIREGUARD dst-port=13231 in-interface=\
    ISPWAN protocol=udp
add action=accept chain=input comment=\
    "allow WireGuard traffic asdASDASDASDASDADS" disabled=yes src-address=\
    192.168.200.0/24
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=LAN
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Final input drop. NOTE(review): no accept for the L2TP/IPsec or OpenVPN
# server ports precedes this rule, so those services would only be reachable
# from LAN-list interfaces as configured - confirm that is intended.
add action=drop chain=input comment="drop all else"
# ---- forward chain ----
# The defconf fasttrack rule (with IPsec exclusion) is disabled; the active
# fasttrack rule below has no such exclusion.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-mark=!ipsec connection-state=established,related disabled=yes \
    hw-offload=yes
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related hw-offload=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# DNS to the internal resolver from any interface. Port 67 (DHCP server) is
# matched here as well, which looks unintended for a DNS rule - verify.
add action=accept chain=forward comment=DNS dst-address=10.0.50.30 dst-port=\
    53,67 protocol=tcp
add action=accept chain=forward comment=DNS dst-address=10.0.50.30 dst-port=\
    53,67 protocol=udp
# Comment says ICMP, but the rule has no protocol match: it accepts ALL
# forwarded traffic from WireGuard peer 192.168.200.4 to any destination.
add action=accept chain=forward comment="defconf: accept ICMP" in-interface=\
    wireguard1 src-address=192.168.200.4
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# LAN-list (incl. wireguard1) to WAN; this is the internet path for VPN peers.
add action=accept chain=forward comment="defconf: allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="L2TP Traffic out" out-interface-list=\
    WAN src-address=10.0.3.0/24
add action=accept chain=forward comment="LAN to Guest" in-interface=bridge \
    out-interface=bridge-vlan200-guest
# Any connection that went through dst-nat is accepted regardless of source
# interface; this is what lets both external and hairpinned port forwards in.
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat connection-state=new
# Inter-VLAN policy: management reaches everything; server -> iot/internal;
# internal -> iot; guest -> iot plus the web server on 80/443.
add action=accept chain=forward in-interface=bridge-vlan10-management \
    out-interface=bridge-vlan50-server
add action=accept chain=forward in-interface=bridge-vlan10-management \
    out-interface=bridge-vlan100-internal
add action=accept chain=forward in-interface=bridge-vlan10-management \
    out-interface=bridge-vlan150-iot
add action=accept chain=forward in-interface=bridge-vlan10-management \
    out-interface=bridge-vlan200-guest
add action=accept chain=forward in-interface=bridge-vlan50-server \
    out-interface=bridge-vlan150-iot
add action=accept chain=forward in-interface=bridge-vlan50-server \
    out-interface=bridge-vlan100-internal
add action=accept chain=forward in-interface=bridge-vlan100-internal \
    out-interface=bridge-vlan150-iot
add action=accept chain=forward dst-address=10.0.10.237 dst-port=22,3389 \
    in-interface=bridge-vlan100-internal protocol=tcp
add action=accept chain=forward in-interface=bridge-vlan200-guest \
    out-interface=bridge-vlan150-iot
add action=accept chain=forward dst-address=10.0.50.30 dst-port=443,80 \
    in-interface=bridge-vlan200-guest protocol=tcp
add action=accept chain=forward dst-address=10.0.50.30 in-interface=\
    bridge-vlan100-internal protocol=icmp
# WireGuard peers: web server on 80/443 and host 10.0.10.237 (all protocols).
add action=accept chain=forward comment="Wireguard to webserver" dst-address=\
    10.0.50.30 dst-port=443,80 in-interface=wireguard1 protocol=tcp
add action=accept chain=forward dst-address=10.0.10.237 in-interface=\
    wireguard1
add action=accept chain=forward dst-address=10.0.50.30 dst-port=443,80 \
    in-interface=bridge-vlan100-internal protocol=tcp
add action=accept chain=forward comment="Sonos -> Home Assistant" dst-address=\
    10.0.50.13 dst-port=1400 in-interface=bridge-vlan150-iot protocol=tcp
add action=accept chain=forward comment="Access portainer from internal" \
    dst-address=10.0.50.30 dst-port=9443 in-interface=bridge-vlan100-internal \
    protocol=tcp
add action=accept chain=forward comment=redlib dst-address=10.0.50.30 \
    dst-port=1337 in-interface=bridge-vlan100-internal protocol=tcp
# Peer-to-peer traffic between WireGuard clients, and management -> peers.
add action=accept chain=forward in-interface=wireguard1 out-interface=\
    wireguard1
add action=accept chain=forward in-interface=bridge-vlan10-management \
    out-interface=wireguard1
add action=accept chain=forward comment="openvpn out" disabled=yes \
    out-interface-list=WAN src-address=10.0.210.0/24
# SMB to the NAS from internal and from WireGuard.
add action=accept chain=forward dst-address=10.0.50.10 dst-port=445,139 \
    in-interface=bridge-vlan100-internal protocol=tcp
add action=accept chain=forward dst-address=10.0.50.10 dst-port=445,139 \
    in-interface=wireguard1 protocol=tcp
# Default-deny for forwarded traffic.
add action=drop chain=forward comment="Drop anything else"
# Mangle: every rule here is disabled (MSS clamp for a 172.30.100.0/24 site and
# the IPsec connection marks that the disabled defconf fasttrack rule expects).
/ip firewall mangle
add action=change-mss chain=forward disabled=yes dst-address=172.30.100.0/24 \
    new-mss=1400 protocol=tcp src-address=10.0.10.0/24 tcp-flags=syn tcp-mss=\
    !0-1400
add action=mark-connection chain=forward comment="Mark IPsec" disabled=yes \
    ipsec-policy=out,ipsec new-connection-mark=ipsec
add action=mark-connection chain=forward comment="Mark IPsec" disabled=yes \
    ipsec-policy=in,ipsec new-connection-mark=ipsec
/ip firewall nat
add action=accept chain=srcnat disabled=yes dst-address=172.30.100.0/24 \
    src-address=10.0.10.0/24
# Hairpin dst-nat: matches on the WAN-IP list with no in-interface restriction,
# so connections to the public IP from any interface (WAN, VLANs, WireGuard)
# are redirected to 10.0.50.30 on 80/443.
add action=dst-nat chain=dstnat comment="hairpin nat" dst-address-list=WAN-IP \
    dst-port=443 protocol=tcp to-addresses=10.0.50.30 to-ports=443
add action=dst-nat chain=dstnat comment="hairpin nat" dst-address-list=WAN-IP \
    dst-port=80 protocol=tcp to-addresses=10.0.50.30 to-ports=80
# Hairpin src-nat: only clients on the server VLAN itself are masqueraded, so
# the server's replies to them return through the router instead of directly.
add action=masquerade chain=srcnat dst-address=10.0.50.30 out-interface-list=\
    LAN protocol=tcp src-address=10.0.50.0/24
# Per-VLAN masquerade towards the ISP; "VPN out" covers WireGuard peers.
add action=masquerade chain=srcnat comment="management out" \
    out-interface-list=WAN src-address=10.0.10.0/24
add action=masquerade chain=srcnat comment="server network out" ipsec-policy=\
    out,none out-interface-list=WAN src-address=10.0.50.0/24
add action=masquerade chain=srcnat comment="LAN out" out-interface-list=WAN \
    src-address=10.0.100.0/24
add action=masquerade chain=srcnat comment="IOT network out" \
    out-interface-list=WAN src-address=10.0.150.0/24
add action=masquerade chain=srcnat comment=zaptec-out out-interface-list=WAN \
    src-address=10.0.151.0/24
add action=masquerade chain=srcnat comment="Guest network out" \
    out-interface-list=WAN src-address=10.0.200.0/24
add action=masquerade chain=srcnat comment="VPN out" out-interface-list=WAN \
    src-address=192.168.200.0/24
add action=masquerade chain=srcnat comment="openVPN out" out-interface-list=\
    WAN src-address=10.0.210.0/24
# "traefik" rules have exactly the same match and action as the "hairpin nat"
# rules above; since the earlier rules match first, these two never fire.
add action=dst-nat chain=dstnat comment="traefik http" dst-address-list=WAN-IP \
    dst-port=80 protocol=tcp to-addresses=10.0.50.30 to-ports=80
add action=dst-nat chain=dstnat comment="traefik https" dst-address-list=\
    WAN-IP dst-port=443 protocol=tcp to-addresses=10.0.50.30 to-ports=443
# Forward from the WAN list only (empty src-address-list imposes no limit).
add action=dst-nat chain=dstnat comment=torrents dst-port=13339 \
    in-interface-list=WAN protocol=tcp src-address-list="" to-addresses=\
    10.0.50.30 to-ports=13339
# Plex forward, same WAN-IP list match as the hairpin rules (any interface).
add action=dst-nat chain=dstnat comment=plex dst-address-list=WAN-IP dst-port=\
    32400 protocol=tcp to-addresses=10.0.50.30 to-ports=32400
add action=masquerade chain=srcnat comment="L2TP out" out-interface-list=WAN \
    src-address=10.0.3.0/24
# Static routes. The first three are disabled; the enabled default route has an
# empty gateway, so the working default presumably comes from the ISPWAN DHCP
# client - confirm, as this entry looks like a leftover.
/ip route
add disabled=yes distance=1 dst-address=10.0.210.0/24 gateway=10.0.210.1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=172.30.100.0/24 gateway=10.0.0.1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=wireguard1 \
    routing-table=wg-back scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=0.0.0.0/0 gateway="" routing-table=main \
    suppress-hw-offload=no
# Management services are limited to 10.0.0.0/16, which excludes WireGuard
# peers (192.168.200.0/24). NOTE(review): telnet, ftp, www and api are
# cleartext and still enabled; disabling the unused ones is the usual hardening.
/ip service
set telnet address=10.0.0.0/16
set ftp address=10.0.0.0/16
set www address=10.0.0.0/16
set ssh address=10.0.0.0/16
set api address=10.0.0.0/16
set winbox address=10.0.0.0/16
set api-ssl address=10.0.0.0/16
/ip smb shares
set [ find default=yes ] directory=/flash/pub
# VPN accounts (passwords are not included in this export).
/ppp secret
add name=min profile=L2TP-Profile service=l2tp
add disabled=yes name=sinmid profile=L2TP-Profile service=l2tp
add name=sin profile=OPENVPN-PROFILE service=ovpn
/routing bfd configuration
add disabled=no
# IGMP proxy entries are all disabled; "*D" appears to reference an interface
# that no longer exists.
/routing igmp-proxy interface
add disabled=yes interface=bridge upstream=yes
add disabled=yes interface=*D
add disabled=yes interface=bridge-vlan200-guest
/routing pimsm interface-template
add disabled=no instance=pimsm-instance1 interfaces=bridge
add disabled=no instance=pimsm-instance1 interfaces=bridge-vlan200-guest
# Routing rules: everything is confined to table main; the wg-back rule for
# peer 192.168.200.9 is disabled.
/routing rule
add action=lookup-only-in-table disabled=no min-prefix=0 table=main
add action=lookup disabled=yes src-address=192.168.200.9/32 table=wg-back
/system clock
set time-zone-name=Europe/Oslo
/system identity
set name=MikroTik-hEX-S
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/tool bandwidth-server
set authenticate=no enabled=no
/tool graphing interface
add
/tool graphing resource
add
# MAC-level management (mac-telnet / mac-winbox) restricted to the LAN list.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# RoMON (layer-2 management) is enabled; no interface restriction or secret is
# visible in this export. NOTE(review): confirm it is actually needed.
/tool romon
set enabled=yes
# Packet-sniffer filter left pointed at WireGuard peer .9 - presumably a
# debugging leftover from troubleshooting this very issue.
/tool sniffer
set filter-interface=wireguard1 filter-ip-address=192.168.200.9/32

You can try this:

  1. Add dummy IP address 10.20.30.40/32 to the interface lo

    # Dummy /32 on the loopback: a destination the tunnel can carry without
    # overlapping the WireGuard endpoint's public address.
    /ip address
    add address=10.20.30.40/32 interface=lo network=10.20.30.40
    
  2. Add 10.20.30.40 to the address list WAN-IP, alongside the existing xxxx.sn.mynetname.net entry in the same list. As a result, this list will contain both your public IP address and 10.20.30.40.

    # The existing hairpin dst-nat rules match on this list, so they now
    # redirect 10.20.30.40:80/443 to the web server as well.
    /ip firewall address-list
    add address=10.20.30.40 list=WAN-IP
    
  3. Add a static DNS A record for your asd.test.com domain, pointing to 10.20.30.40:

    # Served only by the router's resolver, so clients must use it as DNS
    # (the ISP resolvers will keep returning the public address).
    /ip dns static
    add address=10.20.30.40 name=asd.test.com type=A
    
  4. Update the WireGuard settings on the client devices so that they use 192.168.200.1 (the address of wireguard1) as DNS, and also have 10.20.30.40/32 as part of AllowedIPs. The rest is already covered by your existing rules: the router answers DNS for LAN-list interfaces (wireguard1 is a member), and the hairpin dst-nat rules match on the WAN-IP address list rather than on an interface, so 10.20.30.40 is redirected to 10.0.50.30 just like the public IP.