Urgent help please (Hairpin NAT)

memolipascal · November 4, 2016, 3:10pm

Hi,

Our Mikrotik RouterOS version : V6.38

Hairpin NAT working. But, My IIS server log shows the correct localnet ip addresses. (Visitor IP address : 10.0.0.10)

Please help me. Thank you very much.

/export compact
# nov/04/2016 15:28:48 by RouterOS 6.38rc24
#
/interface ethernet
set [ find default-name=ether2 ] name=LAN
set [ find default-name=ether1 ] name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
set 1 name=serial1
/queue interface
set LAN queue=ethernet-default
set WAN queue=ethernet-default
/system logging action
set 1 disk-file-count=10 disk-file-name=log_altinsoft
/interface bridge settings
set use-ip-firewall=yes
/ip address
add address=5.255.61.93/28 interface=WAN network=5.255.61.80
add address=10.0.0.10/8 interface=LAN network=10.0.0.0
/ip dhcp-server config
set store-leases-disk=never
/ip dns
set servers=195.175.39.39,195.175.39.40
/ip firewall filter
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=forward log-prefix=FIREWALL
add action=log chain=forward log=yes
/ip firewall nat
add action=dst-nat chain=dstnat dst-address-type=local log=yes log-prefix=L1 protocol=tcp to-addresses=10.0.0.100
add action=masquerade chain=srcnat dst-address=10.0.0.100 log=yes log-prefix=L2 out-interface=LAN protocol=tcp
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add distance=1 gateway=5.255.61.81
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system identity
set name=ALTINSOFT
/system logging
set 1 prefix=ERROR
set 3 action=disk
/system package update
set channel=release-candidate

Sob · November 4, 2016, 5:19pm

Add src-address=10.0.0.0/8 to masquerade rule. You need hairpin NAT only for connections originating from same LAN, but currently your rule applies to connections with any source address.

memolipascal · November 5, 2016, 11:12am

This is not a solution.Same problem. Hairpin NAT is already used.

Sob · November 5, 2016, 2:06pm

Maybe I misunderstood what you want? I assumed it was a typo and you meant “… server log shows the incorrect localnet ip addresses.” Because that’s exactly what your srcnat rule would do. Split in parts, it says to:

action=masquerade - change packet’s source address to router’s address
dst-address=10.0.0.100 - when the destination is this
out-interface=LAN - and it goes out via this interface
protocol=tcp - and it’s tcp

It does not say anything about packet’s source, so any tcp packet to 10.0.0.100 will have its source address changed to 10.0.0.10, unless you limit the rule by other conditions.

memolipascal · November 5, 2016, 3:21pm

What’s the solution ?

skuykend · November 5, 2016, 3:32pm

I think the only real solution if you want to log the actual IP of local users is split DNS. Where outside users get the external IP and internal users get the local IP for the same DNS name. Otherwise, that’s what a Hairpin will do.

memolipascal · November 5, 2016, 3:35pm

Why does the local IP address appear? Does not the real IP address appear? I’m waiting for help.

Sob · November 5, 2016, 3:43pm

Adding src-address, as I already wrote, should work. I mean changing this rule:

add action=masquerade chain=srcnat dst-address=10.0.0.100 log=yes log-prefix=L2 out-interface=LAN protocol=tcp

To this:

add action=masquerade chain=srcnat src-address=10.0.0.0/8 dst-address=10.0.0.100 log=yes log-prefix=L2 out-interface=LAN protocol=tcp

Then if client connects from e.g. 1.2.3.4, connection can’t be masqueraded by this rule, because 1.2.3.4 obviously is not in 10.0.0.0/8.

memolipascal · November 5, 2016, 4:07pm

Sob:

Adding src-address, as I already wrote, should work. I mean changing this rule:
add action=masquerade chain=srcnat dst-address=10.0.0.100 log=yes log-prefix=L2 out-interface=LAN protocol=tcp
To this:
add action=masquerade chain=srcnat src-address=10.0.0.0/8 dst-address=10.0.0.100 log=yes log-prefix=L2 out-interface=LAN protocol=tcp
Then if client connects from e.g. 1.2.3.4, connection can’t be masqueraded by this rule, because 1.2.3.4 obviously is not in 10.0.0.0/8.

/ip firewall nat> print
 0    chain=dstnat action=dst-nat to-addresses=10.0.0.100 protocol=tcp dst-address-type=local log=yes log-prefix="L1" 
 1    chain=srcnat action=masquerade protocol=tcp src-address=10.0.0.0/8 dst-address=10.0.0.100 out-interface=LAN log=yes log-prefix="L2"

This is not working. And

/ip firewall nat> print
 0    chain=dstnat action=dst-nat to-addresses=10.0.0.100 protocol=tcp dst-address-type=local log=yes log-prefix="L1" 
 1    chain=srcnat action=masquerade protocol=tcp dst-address=10.0.0.100 out-interface=LAN log=yes log-prefix="L2" 
 2    chain=srcnat action=masquerade protocol=tcp src-address=10.0.0.0/8 dst-address=10.0.0.100 out-interface=LAN log=yes log-prefix="L2"

This is working. But, same problem. Please see here : http://5.255.61.93/

memolipascal · November 5, 2016, 4:33pm

and web server network configration,

IP : 10.0.0.100
Netmask : 255.0.0.0
Gateway : none
dns : none

Sob · November 5, 2016, 4:38pm

And you don’t see any problem with that? That’s your answer, of course it can’t work without default gateway. It worked previously because your original broad srcnat rule made all connections look like they come from 10.0.0.10 and server knew where to find that. But when you added src-address, connections kept their source addresses and server had no idea where to send replies.

memolipascal · November 5, 2016, 4:44pm

The problem is, the web server sees the local ip. Visitor IP address does not appear. This problem was solved earlier. But I forgot.

Please see this is topic : http://forum.mikrotik.com/t/urgent-help-please/73988/1

Sob · November 5, 2016, 4:59pm

The main problem is that server does not have default gateway. You need to set it to router’s address, i.e. 10.0.0.10. Then use the config with masquerade rule having src-address specified and it will work.

Unless of course it’s part of some larger complicated setup you didn’t provide any details about…

memolipascal · November 5, 2016, 5:10pm

Web Server default gateway changed. 10.0.0.10

But, same problem.

Sob · November 5, 2016, 5:31pm

And your current NAT rules are which ones exactly?

memolipascal · November 5, 2016, 6:19pm

/ip firewall nat> print
 0    chain=dstnat action=dst-nat to-addresses=10.0.0.100 protocol=tcp dst-address-type=local log=yes log-prefix="L1" 
 1    chain=srcnat action=masquerade protocol=tcp dst-address=10.0.0.100 out-interface=LAN log=yes log-prefix="L2"

Sob · November 5, 2016, 6:31pm

You’re killing me.

You have again the original rule that masquerades packets with any source. Since now you should have already fixed server’s routing problem by giving it default gateway, it’s the right time to limit the rule using src-address=10.0.0.0/8.

memolipascal · November 7, 2016, 5:23pm

add action=masquerade chain=srcnat src-address=10.0.0.0/8 dst-address=10.0.0.100 log=yes log-prefix=L2 out-interface=LAN protocol=tcp

This is not working. I’m waiting for help from other users. Please help me.