Yet another hairpin nat question

Please understand that I’ve been at this for days (as I get the time) trying to make this work. I have a simple architecture that was converted from a basic consumer friendly router to the mikrotik for home use; everything worked on the previous device. I got everything working well on the mikrotik except the hairpin nat and that has eluded me to the point where I’m basically trying things at random to see if anything will accidentally work.

I went through, probably, every youtube video there was, read threads on many forums including this one, and nothing I’ve found made it work. I got the destnat working on the first try and can access the web server from outside, but the masquerade just doesn’t work for me. Totally at my wits end here.

The configuration as it is right now that doesn’t work. There have been so many changes that I haven’t been able to keep track of them all.

[admin@MikroTik] /ip firewall> export
# oct/04/2021 17:20:49 by RouterOS 6.47.9
# software id = QXIJ-366T
#
# model = RBD53iG-5HacD2HnD
# serial number = E72C0EBE5293
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN \
    log=yes log-prefix="I just dropped this"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat comment="NAT for web server" dst-address=\
    aaa.aaa.aaa.aaa dst-address-type=local dst-port=80 log=yes log-prefix=\
    "NAT for web server" protocol=tcp to-addresses=192.168.0.sss to-ports=80
add action=masquerade chain=srcnat comment="Hairpin for web server" \
    dst-address=iii.iii.iii.iii dst-address-type=local log=yes log-prefix=\
    "Hairpin for web server" protocol=tcp src-address=192.168.0.0/24
[admin@MikroTik] /ip firewall

Where the aaa… is the vlan address given to me by the isp. I think I’m on a subnet that teknet set up for this area (rural with a network of radios on our roofs). The iii… is my internet address; I have a static address. The little sss is my pi webserver.

HELP ! I’m starting to look at the mikrotik like it might become a frizbee and go sailing out into the desert behind my house.

See the hairpin NAT documentation. Note that the destination address matched in the src-nat rule is not the external address. Source-NAT is performed after the destination-NAT rule has changed the destination address to the internal address of the server. For debugging, keep an eye on the firewall rule packet counters and see if they increase when you think a packet should match. Both the dst-nat and the src-nat rule must be triggered if you connect to the external server IP address from a host on the same local network as the server.

Im feeling lazy so I will make it short…

Hairpin Nat is a funny situation of dst-nat and mostly for the case of port forwarding, where the requirement needs to address local users as follows:
a. The server and the lan users of the server are on the same subnet
b. The server admin requires access to the server via its domain name (external WANIP).
a. This could be for several reasons but for example when one has multiple vlans and a standard method for access is provided that works for all users, regardless of vlan associated forward chain firewall rules.
b. The admin for other reasons does not want users to use the LANIP address of the servers.

Two quick ways to avoid the need for Hairpin NAT include:
i. Simply move the lan users or Server to a different subnet, done!
ii. Allow the lan users to use the LANIP of the server for access, done!
If the two options are not to your liking then we have to adjust the config of the Mikrotik appliance and there are two main approaches, one touching upon DNS changes and the other various manipulations of dst-nat rules and one necessary src-nat rule.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Scenario: Server IP is 192.168.88.68, protocol tcp, port 12566, WANIP=47.123.12.89 (if static), domain name=www.myserver.net

(1) DNS METHOD – REDIRECT LAN REQUEST VIA DNS (courtesy of rextended & ZeroByte)

Create the following rule!
/ip dns static
add address=192.168.88.68 regexp=“(^|www\.)myserver\.net$” ttl=5m

The precedence for using DNS within the router is as follows…
a. static first
b. static regexp next
c. others…

This rule will capture any request for DNS when looking for that domain name and direct the query to the server IP.
However, some users on the same subnet may have DNS hard coded on their PCs… and thus you need to redirect all DNS queries to the router to handle.

add action=redirect chain=dstnat comment=“Force Users to Router for DNS - TCP”
dst-port=53 protocol=tcp src-address=192.168.88.0/24
add action=redirect chain=dstnat comment=“Force Users to Router for DNS - UDP”
dst-port=53 protocol=udp src-address=192.168.88.0/24

This should effectively ensure that regardless of PC DNS settings, all the queries from the subnet will go through the router and thus hit the static DNS rule created.

Two important points:
(i) You’d need to make sure “allow remote request” is turned on in /IP DNS, and

(ii) BE SURE that your input firewall filter blocks DNS requests from the Internet itself so that you don’t get this router taken over by a dns-amp ddos attack. This is not normally a concern if you are using the default firewall rules or any substitution thereof with a drop all else rule.

(2) MANIPULATING NAT

First Step: SOURCE-NAT APPROACH (May be all you need!)
In all cases (dynamic or static WANIPs) the first step that is consistent across all variations of manipulating NAT, is the addition of a source-nat rule addition placed before the default SRC-NAT rule.
add chain=srcnat action=masquerade dst-address=192.168.88.0/24 src-address=192.168.88.0
This rule effectively addresses the discrepancy when the router intercepts the return traffic from the server and ignores the WANIP NAT tracking because it knows the originator was local on the router and thus tries to send the traffic directly back to the originator via its LANIP totally befuddling the NAT engine. The rule ‘approves’ the direct return of traffic from the server to the originator for NAT engine purposes even though the request seemingly came from the WAN.

Static WANIP configurations, with this SRC-NAT rule in place, do not require any changes to any existing DST-NAT RULES (format as follows):
add chain=dstnat action=dst-nat dst-address=47.123.12.89 dst-port=12566
protocol= tcp to-addresses=192.168.88.68 {to-ports only required for port translation}

Second Step (if needed): ALL other variations address Dynamic WANIP configurations and boil down to replacing or mimicking the dst-address=WANIP with something similar.

(2a) Dynamic WANIP Local Address approach (kudos to ???)
This method is fairly straight forward in that you tell the router to use a local address as the destination address but to not use the subnet the server (and users) are on. Effectively the router will choose the next available local address and it should be the current WANIP.
add chain=dstnat action=dst-nat dst-address-type=local dst-address=!192.168.66.1
protocol=tcp dst-port=12566 to-addresses=192.168.88.68

Limitations: This rule ONLY suffices for a single subnet structure behind the Router. As soon as you add more subnets/vlans the rule gets more complex and one would then have to use a firewall address list to identify all subnets on the network.
Add chain=dstnat action=dst-nat dst-address-type=local dst-address-list=!allsubnets
protocol=tcp dst-port=12566 to-addresses=192.168.88.68
Where:
Add ip=subnetofserver list=allsubnets
Add ip=othersubnetA list=allsubnets
Add ip=othersubnetB list=allsubnets
Etc.

(2b) Dynamic WANIP Approach using Firewall Address List and IP Cloud (kudos to Steveocee)

This method relies upon using ones IP Cloud IP address as a firewall address list entry. The IP Cloud function periodically updates the WANIP every ??? minutes. Instead of using dst-address=WANIP one uses dst-address-list=updatedCloudIP

See https://www.youtube.com/watch?v=_kw_bQyX-3U&t=257s for an excellent presentation.

Limitations: There is a chance of a gap in correct coverage if the WANIP is changed or whatever reason in between IP Cloud updates.
Advantages:
(i) Best when there is 1:1 NAT or
(ii) if the router itself doesn’t have a public IP address as the IP Cloud service will provide the correct public IP in front of your router.

(2c) Dynamic WANIP approach using a Firewall Address List and IP DHCP Client related script (most elegant and courtesy of Sob (sos??))
This method utilized a script that pulls the actual WANIP from your IP DHCP Client settings. The script allows the admin to set any schedule desired vice the fixed IP cloud updates.
DHCP lease script:
:if ($bound=1) do={
/ip firewall address-list set [/ip firewall address-list find where comment=“wan1ip”] address=$“lease-address” disabled=no
} else={
/ip firewall address-list set [/ip firewall address-list find where comment=“wan1ip”] disabled=yes
}
Where,
/ip firewall address-list
add comment=wan1ip disabled=yes list=external_wan

Limitations: Not suited for a private WANIP setup.

Thank you both for your reply, but it still doesn’t work. As noted in my first post, I did look at the mikrotik discussion about hairpin nat in their documentation. Nothing I gleaned from that worked. I read and reread both of the posts above. Some of it didn’t apply, for example, I do not have a domain name for the system, nor do I actually want to use one. I do have a fixed IP address. Those two things leave out a lot of the solutions suggested.

I did try several things, none of them worked though. Here is the nat configuration as it exists right now. Like I said, I’ve actually been reduced to just trying things to see if there is any result from anything. The srcnat masquerade for the server never gets incremented. It’s like it doesn’t exist. The dstnat for the server works well.

/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin for web server" \
    dst-address=192.168.0.0/24 log=yes log-prefix="Hairpin for web server" \
    protocol=tcp src-address=192.168.0.0
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat comment="NAT for web server" dst-address=\
    iii.iii.iii.iii dst-address-type=local dst-port=80 log=yes log-prefix=\
    "NAT for web server" protocol=tcp to-addresses=192.168.0.205 to-ports=80
[admin@MikroTik] /ip firewall nat>

Details are important. Computers do what you tell them, not necessarily what you mean. If you tell the router to masquerade packets coming from 192.168.0.0, it will masquerade only those packets, not packets from any other address in 192.168.0.0-192.168.0.255 (192.168.0.0/24).

Of course details are important. That’s why I copied that line directly from anav’s reply above. Are you saying that I need to masquerade everything from 192.168.0.0/24? I can try that pretty easily.

Try to understand what you’re doing, don’t just copy & paste. You need two NAT rules for the server: One destination NAT rule and one source NAT rule.

The destination NAT is what’s usually called a “port forwarding”. It tells the router that incoming connections to a particular port on the router’s WAN address need to be forwarded to the server’s LAN IP address.

The source NAT is the hairpin rule. This solves the problem that with only the destination NAT, you can talk to the WAN IP address and reach the server from outside the LAN alright, but if you try to talk to the server using the WAN IP from inside the LAN, it doesn’t work. That’s because both directions of the connection need to pass through the router, so that it can undo the NAT on the way back to the client. But without the source NAT, the server sees the source IP of the client on the same network and sends its replies directly to the client, not through the router. So you need to make the connection appear to come from the router whenever it comes from the same LAN as the destination address.

add action=masquerade chain=srcnat comment="Hairpin" protocol=tcp src-address=192.168.0.0/24 dst-address=192.168.0.0/24

This rule affects traffic that comes from the 192.168.0.0/24 network and is destined for the same network. This is a strange rule, because there’s usually no need for traffic like that to pass through the router. But in this case it’s the result of the destination NAT rule: The connection arrived from the local network and was sent to the WAN IP address and then NAT makes it return to the LAN.

For example, suppose the WAN IP is 203.0.113.23, your router’s LAN IP is 192.168.0.1, your client is 192.168.0.7 and the server is 192.168.0.111.

• Then the connection arrives at the router with src=192.168.0.7 and dst=203.0.113.23.
• The dst-nat rule changes that to src=192.168.0.7 and dst=192.168.0.111.
• Without the src-nat rule, the server replies directly to 192.168.0.7 and the poor client doesn’t know what to do with that response because it wasn’t talking to 192.168.0.111.
• The src-nat rule however matches, because 192.168.0.7 is in 192.168.0.0/24 (src-address) and 192.168.0.111 is in 192.168.0.0/24 (dst-address), so this rule changes the connection to src=192.168.0.1 and dst=192.168.0.111.
• When the server replies to the source of the connection (192.168.0.1), the packets pass through the router, where both address translations are undone and the response arrives at the client with addresses 192.168.0.7 and 203.0.113.23, as the client expects.

Emils explanation is spot on.


You can remove the protocol tcp, in the hairpin source nat rule, not required!
Since the WANIP is a fixed wanip you dont need anything fancy in terms of other rules or methods!
It should just work!!

THe problem is your OTHER required basic but non-standard sourcenat rule that is probably buggering everything up.
More to the point it is incomplete You have two choices.
Use the default
“add action=masquerade chain=srcnat out-interface-list=WAN”
OR
because you have a fixed WANIP
add action=src-nat chain=src-nat out-interface-list=WAN to-addresses=WANIP

Notes:
-assuming fixed wanip=iii.iii.iii.iii

• to-ports not required if same as dst-ports

FROM
/ip firewall nat
add action=masquerade chain=srcnat comment=“Hairpin for web server”
dst-address=192.168.0.0/24 log=yes log-prefix=“Hairpin for web server”
protocol=tcp src-address=192.168.0.0
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat comment=“NAT for web server” dst-address=
iii.iii.iii.iii dst-address-type=local dst-port=80 log=yes log-prefix=
“NAT for web server” protocol=tcp to-addresses=192.168.0.205

/ip firewall nat
add action=masquerade chain=srcnat comment=“Hairpin for web server”
dst-address=192.168.0.0/24 log=yes log-prefix=“Hairpin for web server”
protocol=tcp src-address=192.168.0.0
add action=src-nat chain=srcnat out-interface-list=WAN to-addresses=iii.iii.iii.iii
add action=dst-nat chain=dstnat comment=“NAT for web server” dst-address=iii.iii.iii.iii
dst-port=80 log=yes log-prefix=“NAT for web server” protocol=tcp to-addresses=192.168.0.205

Thank you Emil, but it still doesn’t work. Here is the very latest that I tried a few minutes ago. I couldn’t get to it sooner because my boss said something about “work”.

[admin@MikroTik] /ip firewall nat> export
# oct/05/2021 18:00:11 by RouterOS 6.47.9
# software id = QXIJ-366T
#
# model = RBD53iG-5HacD2HnD
# serial number = E72C0EBE5293
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin for web server" \
    dst-address=192.168.0.0/24 log=yes log-prefix="Hairpin for web server" \
    protocol=tcp src-address=192.168.0.0/24
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat comment="NAT for web server" dst-address=\
    iii.iii.iii.iii dst-address-type=local dst-port=80 log=yes log-prefix=\
    "NAT for web server" protocol=tcp to-addresses=192.168.0.205 to-ports=80
[admin@MikroTik] /ip firewall nat>

I memory serves, and that is a valid concern since I’ve tried a huge number of combinations based on both logic and frustration over the last week, that is exactly what I tried on the first day. The masquerade counter doesn’t increment at all, … ever. I can get to the inside server from outside still though.

IMHO, the masquerade isn’t getting anything to it to work on, but I’ve been consistently wrong in this project. Is there some way in the router to see what the heck it is doing? What the destination is when it gets to some of these?

Thank you anav. I just tried:

/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin for web server" \
    dst-address=192.168.0.0/24 log=yes log-prefix="Hairpin for web server" \
    src-address=192.168.0.0/24
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment="NAT for web server" dst-address=\
    172.25.50.18 dst-address-type=local dst-port=80 log=yes log-prefix=\
    "NAT for web server" protocol=tcp to-addresses=192.168.0.205 to-ports=80
[admin@MikroTik] /ip firewall nat>

That didn’t work; I still can’t get to the web server from inside. I’m a bit afraid to try the second suggestion because the wife is playing a game online, and if I lose the internet, she’ll punish me severely. I can probably try it when her bladder fills up she has to take a break though.

It could be something else on your config…
/export hide-sensitive file=anynameyouwish

I bet I can do that.

# oct/06/2021 08:09:14 by RouterOS 6.47.9
# software id = QXIJ-366T
#
# model = RBD53iG-5HacD2HnD
# serial number = E72C0EBE5293
/interface bridge
add admin-mac=2C:C8:1B:BB:97:B9 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-XX \
    country="united states3" disabled=no distance=indoors frequency=auto \
    mode=ap-bridge ssid=Thompsonhouse wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-n/ac channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=\
    Thompsonhouse5G wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether3 ] auto-negotiation=no loop-protect=off
set [ find default-name=ether5 ] auto-negotiation=no loop-protect=off \
    poe-out=off speed=100Mbps
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.0.20-192.168.0.253
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/system logging action
add bsd-syslog=yes name=cloutikds remote=142.44.211.110 remote-port=5014 \
    syslog-facility=syslog target=remote
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 trusted=yes
add bridge=bridge comment=defconf interface=ether3 trusted=yes
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5 trusted=yes
add bridge=bridge comment=defconf interface=wlan1 trusted=yes
add bridge=bridge comment=defconf interface=wlan2 trusted=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.0.1/24 comment=defconf interface=ether2 network=\
    192.168.0.0
/ip arp
add address=192.168.0.210 comment="House NAS" interface=bridge mac-address=\
    00:08:9B:E2:C7:CC
add address=192.168.0.204 comment="House Clock" interface=bridge mac-address=\
    DE:AD:BE:EF:FE:EF
add address=192.168.0.205 comment="House Monitor" interface=bridge \
    mac-address=B8:27:EB:5F:F8:EC
add address=192.168.0.206 comment="Weather Station" interface=bridge \
    mac-address=B8:27:EB:EC:31:FA
add address=192.168.0.207 interface=bridge mac-address=B8:27:EB:8E:23:D0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.0.105 client-id=1:0:1d:7e:91:12:a mac-address=\
    00:1D:7E:91:12:0A server=defconf
add address=192.168.0.41 client-id=1:34:e1:d1:80:c7:b mac-address=\
    34:E1:D1:80:C7:0B server=defconf
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN log=yes log-prefix=\
    "I just dropped this"
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin for web server" \
    dst-address=192.168.0.0/24 log=yes log-prefix="Hairpin for web server" \
    src-address=192.168.0.0/24
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment="NAT for web server" dst-address=\
    iii.iii.iii.iii dst-address-type=local dst-port=80 log=yes log-prefix=\
    "NAT for web server" protocol=tcp to-addresses=192.168.0.205 to-ports=80
/system clock
set time-zone-name=America/Phoenix
/system logging
add action=cloutikds prefix=info topics=info
add action=cloutikds prefix=error topics=error
add action=cloutikds prefix=critical topics=critical
add action=cloutikds prefix=warning topics=warning
/system scheduler
add comment=Cloutik-update interval=30s name=Cloutik-update on-event=\
    GetTaskCloutik policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=sep/16/2021 start-time=13:57:06
add comment=Cloutik-GetHealth interval=30m name=Cloutik-GetHealth on-event=\
    GetHealthCloutik policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=sep/16/2021 start-time=13:57:09
/system script
add dont-require-permissions=no name=InitCloutik owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\
    \t:local token \"b9a5bc62b34215cd211f6b35ce107773\";\
    \n\t:global sn [/system routerboard get serial-number];\
    \n\t:global model [/system routerboard get model];\
    \n\t:local firmware [/system routerboard get upgrade-firmware];\
    \n\t:local identity [/system identity get name];\
    \n\t:local result [/tool fetch url=\"https://login.cloutik.com/install.php\
    \\\?sn=\$sn&token=\$token&model=\$model&firmware=\$firmware&op=action\" mo\
    de=https http-method=get dst-path=install.txt];\
    \n        :do { import install.txt;/file remove install.txt;} on-error={};\
    "
add comment=Cloutik-US dont-require-permissions=no name=Cloutik-US owner=\
    admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    local token \"886f472f4d0bc8ab6bbec807c8a83411\";:global sn [/system route\
    rboard get serial-number];:global model [/system routerboard get model];:l\
    ocal firmware [/system routerboard get upgrade-firmware];:local identity [\
    /system identity get name];:local newid;:for i from=( [:len [:tostr \$iden\
    tity]] - 1) to=0 do={:local char [:pick [:tostr \$identity] \$i];:if ( \$c\
    har = \" \") do={:set \$newid (\".\" . \$newid);};:if ( \$char != \" \") d\
    o={:set \$newid (\$char . \$newid);};};/system identity set name=\$newid;:\
    local result [/tool fetch url=\"https://login.cloutik.us/install.php\?sn=\
    \$sn&token=\$token&model=\$model&firmware=\$firmware&op=action\" mode=http\
    s http-method=get dst-path=install.txt];:do {import install.txt;/file remo\
    ve install.txt;} on-error={};"
add comment=GetTaskCloutik dont-require-permissions=no name=GetTaskCloutik \
    owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    local token \"45d2eb17510437d708b1b01856f2b046\";:local identity [/system \
    identity get name];:local uptime [/system resource get uptime];:local cplo\
    \_[/system resource get cpu-load];:local fm [/system resource get free-mem\
    ory];:local tm [/system resource get total-memory];:local fhds [/system re\
    source get free-hdd-space];:local thds [/system resource get total-hdd-spa\
    ce];:if ([:len [/file find name=\"action.txt\"]]=1) do={/file remove actio\
    n.txt;};\
    \n:if ([/system routerboard get routerboard]=false) do={:global sn;:local \
    model \"CHR\";:local firmware [/system package get system version];:local \
    result [/tool fetch url=\"https://login.cloutik.us/update.php\?v=4&sn=\$sn\
    &token=\$token&identity=\$identity&model=\$model&firmware=\$firmware&uptim\
    e=\$uptime&cplo=\$cplo&fm=\$fm&tm=\$tm&fhds=\$fhds&thds=\$thds&op=action\"\
    \_mode=https http-method=get dst-path=action.txt];} else {:global sn [/sys\
    tem routerboard get serial-number];:local model [/system routerboard get m\
    odel];:local firmware [/system routerboard get upgrade-firmware];:local re\
    sult [/tool fetch url=\"https://login.cloutik.us/update.php\?v=4&sn=\$sn&t\
    oken=\$token&identity=\$identity&model=\$model&firmware=\$firmware&uptime=\
    \$uptime&cplo=\$cplo&fm=\$fm&tm=\$tm&fhds=\$fhds&thds=\$thds&op=action\" m\
    ode=https http-method=get dst-path=action.txt];};\
    \n:do {import action.txt; /file remove action.txt;} on-error={};"
add comment=GetHealthCloutik dont-require-permissions=no name=\
    GetHealthCloutik owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    local token \"45d2eb17510437d708b1b01856f2b046\";:local WANifnb \"0\";:loc\
    al WANifnm [/interface ethernet get number=\$WANifnb name];:global sn;:loc\
    al uptime [/system resource get uptime];:local cplo [/system resource get \
    cpu-load];:local fm [/system resource get free-memory];:local fhds [/syste\
    m resource get free-hdd-space];:local tm [/system resource get total-memor\
    y];:local thds [/system resource get total-hdd-space];:local rxbts [/inter\
    face ethernet get \$WANifnm rx-bytes];:local txbts [/interface ethernet ge\
    t \$WANifnm tx-bytes];:local rxbct [/interface ethernet get \$WANifnm rx-b\
    roadcast];:local txbct [/interface ethernet get \$WANifnm tx-broadcast];:l\
    ocal rxmct [/interface ethernet get \$WANifnm rx-multicast];:local txmct [\
    /interface ethernet get \$WANifnm tx-multicast];:local date [/system clock\
    \_get date];:local months {\"jan\"=\"01\";\"feb\"=\"02\";\"mar\"=\"03\";\"\
    apr\"=\"04\";\"may\"=\"05\";\"jun\"=\"06\";\"jul\"=\"07\";\"aug\"=\"08\";\
    \"sep\"=\"09\";\"oct\"=10;\"nov\"=11;\"dec\"=12};:local dd [:tonum [:pick \
    \$date 4 6]];:local yy [:tonum [:pick \$date 7 11]];:local month [:pick \$\
    date 0 3];:local mm (:\$months->\$month);:local dayinf9 [:len \$dd];:if (\
    \$dayinf9=1) do={:set dd \"0\$dd\";};\
    \n:local etime \"T\";:set etime \"\$yy-\$mm-\$dd\$etime\$[/system clock ge\
    t time]\";\
    \n:local uptlen [:len \$uptime];:local upsec [pick \$uptime (\$uptlen - 2)\
    \_\$uptlen ];:local upmin [pick \$uptime (\$uptlen - 5) (\$uptlen - 3) ];:\
    local uphour [pick \$uptime (\$uptlen - 8) (\$uptlen - 6) ];:local upday [\
    pick \$uptime (\$uptlen - 10) (\$uptlen - 9) ];:local upweek [pick \$uptim\
    e 0 [:find \$uptime \"w\"]];\
    \n:local uptsec;:set uptsec (\$upsec + 60*\$upmin + 3600*\$uphour + 86400*\
    \$upday + 604800*\$upweek);\
    \n/tool fetch url=\"https://login.cloutik.us/health.php\?v=4&sn=\$sn&etime\
    =\$etime&uptsec=\$uptsec&token=\$token&uptime=\$uptime&cplo=\$cplo&fm=\$fm\
    &fhds=\$fhds&tm=\$tm&thds=\$thds&rxbts=\$rxbts&txbts=\$txbts&rxbct=\$rxbct\
    &txbct=\$txbct&rxmct=\$rxmct&txmct=\$txmct&iface=\$WANifnm\" mode=https ht\
    tp-method=get dst-path=health.txt;/log info \"interface: \$WANifnm\";"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I’m also concerned about the scripts, but they can wait until I get this problem out of the way.

/ip address
add address=192.168.0.1/24 comment=defconf interface=ether2 network=
192.168.0.0
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=
192.168.0.0

nothing else seems off…
Dont see an IP route do you use the auto ip route in the dhcp client setup?

anav, thank you I made the change to the addresses. It didn’t seem to impact anything.

However, people may have missed something that I noticed in playing around around after making the change. My external IP address is 130.mmm.mmm.mmm as given by a simple “what’s my IP address” on google. However, my isp gets in the middle of things and stuff comes into me on 172.iii.iii.iii, so I have to use that address in the masquerade to make getting to my internal web server from the web.

I just tried going from my laptop on 192.168.0.25 to that 172.iii.iii.iii and the dstnat worked to get me to the server on 192.168.0.205. That doesn’t do me any good though because I need to use the 130 address darn it. However it does point something out if I knew what it was.

The back story is that I had a perfectly good tp-link router that they couldn’t get to work, so they sold me this MicroTik and made it work. I added the dstnat rule and about a thousand others to get the dstnat to work internally, and what you see is the result. That little mistake in the addresses was NOT mine, I limited my frustrated changing to the nat rules alone. The question I might have to ask is

What the heck do I do in that case??

Edit because I forgot: I have no clue what routing was used, it came to me like this. How do I check?

That looks familiar…

Okay it sounds like we are in a double nat scenario.
If the IP address your router gives you is not what your IP cloud is showing or WHATS MY IP shows, then you do not have an ISP modem you have an ISP modem/router combo of some sort.

In other words you are getting a private IP.
So you need to be able to reach the ISP router and port forward the port in question to the LANIP on the ISP network of your router, or in other words the WANIP of your router. THe the traffic will hit your router and your MT rules will work.

When you type in the WANIP, do you reach the ISP routers home page??

I’m sorry, I only understood about three of the words you said.

I have an IP address that is available on the web, and I can use it to get to the web server sitting on a shelf over there. That is the 130.mmm… address and it works well with the dstnat rule I have that is in the config above.

There is another address the 172.iii… that the ISP told me to use in the dstnat. I just mentioned. If I punch the 172… address into a browser, it goes to my webserver on the shelf. Nothing I’ve tried gets to the ISP’s devices.

This is a rural ISP called tecnet that supplies to people that need better than 5mb ethernet. There is a radio antenna on the house that communicates with the rest of the network and the router hooks directly into that. So what that system does is a black box to me.

What would you like for me to try?

OMG, you might have led me to a solution. I tried a new destnat entry trying to get an answer to your question and it redirected me to my OWN router. That made me think a bit and I tried the web server in the to-address just for kicks. It worked!!

/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin for web server" \
    dst-address=192.168.0.0/24 log=yes log-prefix="Hairpin for web server" \
    src-address=192.168.0.0/24
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment="NAT for web server" dst-address=\
    172.n.n.n dst-address-type=local dst-port=80 log=yes log-prefix=\
    "NAT for web server" protocol=tcp to-addresses=192.168.0.205 to-ports=80
add action=dst-nat chain=dstnat dst-address=130.n.n.n to-addresses=\
    192.168.0.205
[admin@MikroTik] /ip firewall nat>

I haven’t beaten on it much, so I dpn’t know for sure if this solves all the problems, but it is the first time I’ve seen that web server on that address.

SOLVED, plus some.

The folks here gave me enough clues that I finally got my configuration to work. Since so many threads are just abandoned and the solution is not posted, I don’t want to be “one of those”

To recap just a bit. I have an isp that gave me a fixed IP address and I needed to port forward to support two little Pi machines. One has a simple webserver and the other supports Grafana graphs of data. It turned out that I was behind another router that was messing up the normal dstnat that you find (mostly incorrect) all over the web. The discussion above will show you how it went after over a week of reading and rereading and trying literally hundreds of things.

I wanted port forwarding to two machines, but I didn’t describe the problem that way, I presented it as a simple web server that I wanted to get to using the same address internally that I used externally. This was to make development and testing much easier since I didn’t have to tailor everything to two addresses and worry about the difference.

Here is the NAT configuration that finally resulted. It works. I pared out a ton of unnecessary stuff that various sites said was “absolutely” necessary leaving only the minimum that made it work. I’m not convinced that I can’t pare out something else, but “good enough” is good enough.

/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin for web server" \
    dst-address=192.168.0.0/24 log=yes log-prefix="Hairpin for web server" \
    src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
add action=dst-nat chain=dstnat comment="External NAT for web server" \
    dst-address=VVV.VVV.VVV.VVV dst-port=80 log=yes log-prefix=\
    "External NAT for web server" protocol=tcp to-addresses=192.168.0.205 \
    to-ports=80
add action=dst-nat chain=dstnat comment="Internal NAT for Webserver" \
    dst-address=III.III.III.III dst-port=80 log=yes log-prefix=\
    "Int NAT for webserver" protocol=tcp to-addresses=192.168.0.205 to-ports=80
add action=dst-nat chain=dstnat comment="External NAT for Graphs" dst-address=\
    VVV.VVV.VVV.VVV dst-port=3000 log=yes log-prefix="Ext NAT for Graphs" \
    protocol=tcp to-addresses=192.168.0.207 to-ports=3000
add action=dst-nat chain=dstnat comment="Internal Nat for Graphs" dst-address=\
    III.III.III.III dst-port=3000 log=yes log-prefix="Int NAT for Graphs" \
    protocol=tcp to-addresses=192.168.0.207 to-ports=3000
[admin@MikroTik] /ip firewall nat>

The ‘V’ address is the vlan address that was given to me by my ISP, the ‘I’ address is my static IP address.

Hope this helps someone else to get past this kind of problem. Thanks to the folks here for leading me to a solution

Hi you all experts,

In the standard Hairpin Nat rule:
/ip firewall nat
add action=masquerade chain=srcnat dst-address=10.0.0.3 out-interface=LAN protocol=tcp src-address=10.0.0.0/24

dst-address is the internal address of one server. May one instead use 10.0.0.0/24 to apply the rule to all servers in the network ?

By the way, I have two comments on the surrounding text:

1. It is written: “To resolve this issue, we will configure the src-nat rule as follows:” .Wouldn’t it be better to say “we will add” instead of “we will configure” ? This line does not replace the rule with out-interface=WAN
2. The explanation says
   “the router determines that the packet is part of a previous connection and undoes both the source and destination NAT, and puts the original destination IP address of 1.1.1.1 into the source IP address field, and the original source IP address of 172.16.16.1 into the destination IP address field” shouldn’t 1.1.1.1 be replaced by 172.16.16.1 and 172.16.16.1 by 10.0.0.2 ?
   Thanks
   Marc