v6.x - Hairpin NAT not working

Hi. I have a problem with my RB751u-2hnd and RB951g-2hnd.
I’m trying to configure hairpin NAT on ROS v6.x according to http://wiki.mikrotik.com/wiki/Hairpin_NAT
Before upgrading to 6.x it was working perfectly, but now srcnat doesn’t see these packets, so it doesn’t work.

Is there any other way to configure this? Or maybe it’s a bug?

Thanks for your help!

Please post your configuration for others to see.

Example:

config:

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat dst-address=10.1.1.196 dst-port=80 \
    protocol=tcp src-address=10.1.1.0/24
add action=dst-nat chain=dstnat dst-address=192.168.1.211 dst-port=80 \
    protocol=tcp to-addresses=10.1.1.196 to-ports=80
add action=dst-nat chain=dstnat dst-address=192.168.1.211 dst-port=81 \
    protocol=tcp to-addresses=10.1.1.197 to-ports=80

/interface bridge
add arp=proxy-arp l2mtu=1598 name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=wlan1
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes

No firewall filter rules.

Forwarding works well between client and server1 (no need to configure hairpin NAT), but not between client and server2. The hairpin NAT rule doesn’t see these packets; its counter is 0.

This config works well on v5.x but not on v6.x.

Add a static DNS entry for your web server.

It won’t work. As you can see I’m changing ports in dstnat.

Both servers run on port 80, so I do not see the problem.

So tell me how to add a static DNS entry that redirects me from port 81 to port 80?

I want to put address http://<my_domain>:81 in my web browser and get connection to server2 on port 80 (10.1.1.196:80)
Another time I want to put address http://<my_domain>:80 and get connection to server1 on port 80 (10.1.1.197:80)

@pablo191f I have a question about the example.

You said “This config works well on v5.x but not on v6.x.”

OK, let’s assume we use 5.x where it works.
Will it work with the server connected to the SWITCH? In this configuration everything is on one MikroTik port. Is it possible for it to work?

by everything I mean “LAN” side.

Where are you browsing from, the client computer in your drawing?

@mxmxmxmxmx
Yes, it is possible because it IS working on 5.25. Client and server are connected to the switch and the switch is connected to one port of the MT.

@THG
Yes, the client computer is connected to the switch.

Okay, I’m trying to understand your scenario.

Can you please answer if you browse to the same domain with different port numbers, or if you have two different domains?

One domain, different port numbers.

Do you think that this little detail was quite irrelevant and barely worth mentioning in the first place? This little piece of information changes everything, right now I do not have any solution for you.

But that’s why I used only IP addresses in my example without any info about the domain. In this case one domain = no domain (I think).

Same problem: the rule works OK on v5.25, not OK on 6.0 and above.

Example
/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=local.ip.address to-ports=80 protocol=tcp dst-address=public.ip.address dst-port=80
Now on v6.3:
dstnat is OK from the public network, but not from the local one.
The problem is not in DNS.

Any ideas?

Same issue.

I have a public IP subnet, let’s say 8.8.8.1-8.8.8.20; these are assigned to a MikroTik. The MikroTik then has a private IP range of 192.168.1.xx. The public addresses are dst-nated to the private ones with the same ending number.

So 8.8.8.1 is NATed to 192.168.1.1 and so forth.
We also have a srcnat for 192.168.1.1 to netmap to 8.8.8.1.

From the server 192.168.1.1, which is netmapped out as 8.8.8.1, they cannot access anything by using the public IP of a different server on the network like 8.8.8.8; however, they can if they use 192.168.1.8, which is netmapped to 8.8.8.8, because those are just local addresses.

These rules were working with 5.14 but are not working with 6.3 firmware.

I know 8.8.8.8 is a subnet held by google. I changed the subnet for privacy.


Then I added a srcnat rule with src-address 192.168.1.0/24, dst-address 192.168.1.0/24 and action masquerade, and it still does not seem to be working. I tried putting it at the top of the list and it still doesn’t work.

Hi,

I have 6 Cloud Core Routers in offices around the world. In each office I have, with ROS 6.x (all versions so far), been able to successfully implement hairpin NAT with the following:

/ip firewall nat
add action=masquerade chain=srcnat comment=HairPin dst-address=172.16.10.0/24 src-address=172.16.10.0/24

This rule will do hairpin NAT for everything, and you don’t have to do it per port.
Add a similar rule for every subnet that you have masqueraded.

For your case I would use:

/ip firewall nat add action=masquerade chain=srcnat comment=HairPin dst-address=192.168.1.0/24 src-address=192.168.1.0/24


Hope that can help!
Dan
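The port-mapped hairpin setup the thread is after, written out as an added example (not configuration posted by anyone in the thread). It assumes the addresses from the config at the top of the thread: public address 192.168.1.211 on ether1, LAN 10.1.1.0/24, port 80 forwarded to 10.1.1.196 and port 81 to 10.1.1.197. The point to check is that the hairpin srcnat rule matches the server's LAN address, because dstnat has already rewritten the destination by the time srcnat runs.

```routeros
# Added example, not from the thread. Assumed: public 192.168.1.211 on ether1,
# LAN 10.1.1.0/24 behind bridge1.
/ip firewall nat
# Ordinary internet masquerade for the LAN.
add chain=srcnat action=masquerade out-interface=ether1 comment="LAN to WAN"

# Port forwards. Matching on the public address rather than in-interface=ether1
# is what lets the same rules also catch connections that arrive from the LAN.
add chain=dstnat action=dst-nat protocol=tcp dst-address=192.168.1.211 \
    dst-port=80 to-addresses=10.1.1.196 to-ports=80 comment="server1 :80"
add chain=dstnat action=dst-nat protocol=tcp dst-address=192.168.1.211 \
    dst-port=81 to-addresses=10.1.1.197 to-ports=80 comment="server2 :81"

# Hairpin. When srcnat evaluates a LAN->public->LAN connection the destination
# is already 10.1.1.196 or 10.1.1.197 port 80, so a rule that matches the
# public address or the original port 81 never sees it (counter stays 0).
# Matching LAN->LAN covers every forwarded port with one rule, as in Dan's post.
add chain=srcnat action=masquerade protocol=tcp src-address=10.1.1.0/24 \
    dst-address=10.1.1.0/24 comment="hairpin"

# Check: after browsing to the public address from a LAN client, the hairpin
# rule's packet counter must increase.
/ip firewall nat print stats where comment="hairpin"
```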

I have that rule in the router and it is set as rule 0; I have also tried setting it as the last srcnat rule in the list and rebooted each time.

I turned on logging of traffic and I don’t see the servers even hitting the router. I rolled back to 5.26 and everything started working again. Not sure what I did wrong.

I just bought a RouterOS license and have the same problem :frowning: (ver. 6.4)
darbeau’s version of the hairpin NAT rule doesn’t work for me either... :confused:

Has anybody fixed this problem yet?

Did you put the hairpin rule in before the router was live and programmed? It is my guess that it has to be done at the very beginning, before having the router live. I fixed the issue by going back to 5.25. So I don’t know what is going on with it.