tuxtlequino
Frequent Visitor
Topic Author
Posts: 68
Joined: Tue Feb 16, 2016 12:46 am

Problems with Hairpin setup

Thu Mar 17, 2016 5:58 am

I have been reading the posts available in the forum, including some of the most recent questions about how to accomplish a hairpin loop, but it is not working for me. It might have something to do with my configuration, so I am going to include some of my details.

1. There is a cable router that connects to the internet. Let's say that the outside IP of this router is 1.1.1.1 and the LAN IP is 192.168.0.1. Loopback is possible and enabled in this router.
2. A MikroTik router connects to this cable router and is in a DMZ. The MK router has an IP of 192.168.0.69 and then it supplies four VLANs and the DHCP servers for the VLANs. In VLAN10, there is a computer that serves CardDAV and CalDAV services through Baikal (port 443). The address range of VLAN10 is 192.168.1.0/24, the MK router has an IP address of 192.168.1.1 and the server where Baikal runs has the address 192.168.1.10.

My first problem was trying to get the outside to connect to my CardDAV server in VLAN10 (or elsewhere, but VLAN10 does need access for this). I managed to get it working in either of these two ways. I do not fully understand why they work, but they do work.
/ip firewall nat
add action=dst-nat chain=dstnat comment="NAS openning to do the addressbook" dst-port=443 in-interface=ether8 protocol=tcp to-addresses=192.168.1.10 to-ports=56
I also found that I could get it working by doing the following.
/ip firewall nat
add action=dst-nat chain=dstnat comment="NAS openning to do the addressbook" dst-address=192.168.0.69 dst-port=443 protocol=tcp to-addresses=192.168.1.10 to-ports=443
This doesn't work with 192.168.1.1 or 192.168.1.1, nor 1.1.1.1. If someone could explain this to me, I would appreciate it, but my question is how to do a hairpin loop in my network.

Supposedly, I would do something like,
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.1.10 dst-port=443 out-interface=all-ethernet protocol=tcp src-address=192.168.1.0/24
and it would work, but it doesn't. I posted something earlier, and I think that people think that I am just lazy and do not want to read what is going on in the forum, but this is far from the truth. I tried everything. I have been following a similar discussion on how to do SMTP routing, and tried several things mentioned there, but none of them work for me. Any ideas?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Problems with Hairpin setup

Thu Mar 17, 2016 12:15 pm

The key is to understand what exactly happens, why addresses are translated and where. The MikroTik wiki has a very nice description.

In your case, if you let the connection go to the cable router, it would have to be that router doing hairpin NAT, because your MikroTik router has no idea that 1.1.1.1 belongs to you; from its point of view it's just some external address like any other. If the cable router just bounces the connection back and keeps the original source address (192.168.0.69), it can't work. In other words, the bad thing that can be fixed by hairpin NAT is not happening in the internal 192.168.1.x network, but in the 192.168.0.x DMZ.

If you can't convince the cable router to do the right thing, you need to catch connections to 1.1.1.1 early at the MikroTik router and not let them go out. So you need another rule:
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=1.1.1.1 dst-port=443 protocol=tcp to-addresses=192.168.1.10
It's easy to do if 1.1.1.1 is static. If it isn't, you'd need some script that would periodically get current public address and update the rule.
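Putting the two halves of the setup together, as an added example that is not part of the original posts and not the poster's own configuration: the dstnat rule from the reply above, the srcnat (hairpin) rule from the first post that is still needed for clients in the same /24 as the server, and a scheduler script for the dynamic-address case the reply mentions. Instead of rewriting the NAT rule itself, the public address is kept in a firewall address-list that the script updates. The address-list name, the script and scheduler names, the 5-minute interval and the lookup URL https://ip.example.invalid/ are all assumptions for illustration (the URL is a placeholder for whatever "what is my IP" service you trust; the 192.168.x.x addresses and port 443 are taken from the thread).

```routeros
# --- Added example, assumptions noted inline; not the original poster's config ---

# Address-list holding our current public IP. The script below keeps it current.
# 1.1.1.1 is only the initial value (the placeholder address used in this thread).
/ip firewall address-list
add list=my-public-ip address=1.1.1.1 comment="public IP, updated by update-public-ip script"

/ip firewall nat
# 1) Catch connections to our own public address *before* they leave towards the
#    cable router. Without this the MikroTik treats 1.1.1.1 as a foreign address and
#    the DMZ router has to bounce the packet back (with the DMZ-side source kept), which fails.
add chain=dstnat dst-address-list=my-public-ip protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.1.10 to-ports=443 \
    comment="hairpin: redirect traffic to own public IP to Baikal"

# 2) For clients in the server's own subnet (192.168.1.0/24) the server would otherwise
#    answer the client directly (same L2 segment), bypassing the router that did the
#    dst-nat, so the client sees a reply from 192.168.1.10 instead of 1.1.1.1 and drops it.
#    Masquerading the source forces the reply back through the router. Clients in the
#    other VLANs do not need this: their path to 192.168.1.10 already goes via the router.
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.10 \
    protocol=tcp dst-port=443 action=masquerade \
    comment="hairpin: reply must come back through the router"

# 3) Script body for /system script add name=update-public-ip (paste into the script editor).
#    The MikroTik sits behind the cable router, so it cannot read the public IP from an
#    interface; it has to ask an external service (assumed URL, replace with your own).
/system script
add name=update-public-ip source={
    :local result [/tool fetch url="https://ip.example.invalid/" mode=https as-value output=user]
    :local newip ($result->"data")
    # strip a trailing newline that most such services append
    :if ([:len $newip] > 0 && [:pick $newip ([:len $newip] - 1)] = "\n") do={
        :set newip [:pick $newip 0 ([:len $newip] - 1)]
    }
    # only accept something that parses as an IPv4 address; never write junk into a NAT match
    :if ([:typeof [:toip $newip]] = "ip") do={
        :local current [/ip firewall address-list get [find list="my-public-ip"] address]
        :if ($newip != $current) do={
            /ip firewall address-list set [find list="my-public-ip"] address=$newip
            :log info ("update-public-ip: public address changed from " . $current . " to " . $newip)
        }
    } else={
        :log warning ("update-public-ip: lookup returned something that is not an IP: " . $newip)
    }
}

# 4) Run it periodically (interval is an assumption; pick what fits your provider's lease churn).
/system scheduler
add name=update-public-ip interval=5m on-event=update-public-ip \
    comment="keep the my-public-ip address-list current"
```

Two things to verify after applying this: `/ip firewall connection print where dst-address~"192.168.1.10:443"` should show the hairpinned connections with the translated addresses, and the dstnat rule must sit above any generic rule that would otherwise match first (`/ip firewall nat print` shows the order). If the public address is static, leave out the script and scheduler and the single address-list entry is all that is needed.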
 
tuxtlequino
Frequent Visitor
Topic Author
Posts: 68
Joined: Tue Feb 16, 2016 12:46 am

Re: Problems with Hairpin setup

Thu Mar 17, 2016 6:06 pm

Thank you, it worked. I am going to look into the script. I am still chewing all of this.
