Hairpin NAT and DDNS (noob)

Posted: Fri Jan 27, 2017 10:44 pm
by limbo
Hello Mikrotik experts
I'm a complete noob with MikroTik and RouterOS and I need your precious help. (so be gentle on me) :D

Major question Hairpin NAT
My setup is as follows: LAN > Mikrotik (with PPPoE Dialing) > MODEM > ISP (with Dynamic IP)

I have several server devices on LAN (1 NVR, 1 web based light switch, 2 IP cameras) and I have managed to forward the ports using dstnat rules. Now I can access the devices from internet using DDNS address which is updated regularly using a specific script. Everything is fine.

However I really don't get how to setup the router to redirect my DDNS request to internal IP's when I'm connected to the LAN.
I know that I have to setup Hairpin NAT but I can't understand really the rule structure.
To be more specific:
My public DDNS is: mymikrotik.two-dns.de
My internal switch (web server) is running on 192.168.128.199 on port 8880
My router is on 192.168.128.1

Can anybody provide an example how to setup my firewall rules to achieve Hairpin NAT?

Thank you in advance

Re: Hairpin NAT and DDNS (noob)

Posted: Fri Jan 27, 2017 11:56 pm
by JB172
http://wiki.mikrotik.com/wiki/Hairpin_NAT

/ip firewall nat
add chain=srcnat src-address=192.168.128.0/24 dst-address=192.168.128.199 protocol=tcp dst-port=8880 out-interface=LAN action=masquerade

Re: Hairpin NAT and DDNS (noob)

Posted: Sat Jan 28, 2017 1:04 am
by limbo
Well I'm definitely missing something major here. :) :oops:
I tried few times to use the rule but "no juice".

I tried to create two different rules for two different devices, but no success.
Any ideas?

My master interface is bridge1 (where the rule is targeting). Is this correct?
5.jpg
The indicated rule is targeting correctly an active device and an active port:
6.jpg
What am I doing wrong? :?

Re: Hairpin NAT and DDNS (noob)

Posted: Sat Jan 28, 2017 5:00 am
by 2frogs
The problem is your dst-nat rule. You have in-interface=pppoe-out1, which works fine for traffic coming from outside your network. However, your local traffic never hits that interface. You will need something like this:
/ip firewall nat add chain=dstnat dst-address-type=local dst-address=!192.168.0.0/16 dst-port=8008 protocol=tcp action=dst-nat to-address=192.168.128.248 to-port=8008
Now your hairpin should work.

Re: Hairpin NAT and DDNS (noob)

Posted: Sat Jan 28, 2017 12:01 pm
by docmarius
I really don't get the idea behind the previously provided responses...
What you need is to D-NAT the requests originating from your internal LAN towards your public IP to the internal server's IP.
Now here we have 2 solutions:

1. Assuming your external IP is static (not your case, just for the concept):
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=<your_ext_ip> in-interface=bridge-lan to-addresses=192.168.128.199
2. If your IP is dynamic add it to a address list in your update script and use that address list for DST-NAT:
/ip firewall nat
add action=dst-nat chain=dstnat dst-address-list=Hairpin in-interface=bridge-lan to-addresses=192.168.128.199
Of course, in both cases, you can adapt the NAT rules to be restricted to certain ports, or use multiple different internal servers.

Here is an example script that you can adapt to get your interface IP periodically and add it to the 'Hairpin' address list, and should work regardless of static or dynamic IP. Just run it every minute or so:
# this is the global variable holding the last known public IP
:global HairpinPreviousIP ;

# get the current WAN IP
:local currentIP ;

:do {
    :set currentIP [/ip address get [find interface="YOUR_WAN_INTERFACE"] address] ;
} on-error={
    # you could add a failover static IP here, just have something so the script won't fail
    :set currentIP 192.168.128.199 ;
}

# Strip the net mask off the IP address
:for i from=( [:len $currentIP] - 1) to=0 do={
    :if ( [:pick $currentIP $i] = "/") do={
        :set currentIP [:pick $currentIP 0 $i] ;
    }
}

# Public IP has changed
:if ($currentIP != $HairpinPreviousIP) do={

    # clear the address list
    :foreach entry in=[/ip firewall address-list find list="Hairpin"] do={
        /ip firewall address-list remove $entry
    }

    # add new address to the address list
    /ip firewall address-list add list="Hairpin" address=$currentIP

    # here you could also add other static router IPs to the Hairpin list
    # /ip firewall address-list add list="Hairpin" address=192.168.1.2

    # store the new IP
    :set HairpinPreviousIP $currentIP ;
}
If you run a dynamic dns update script, you probably have most elements there, just migrate the delete/add IP to the 'Hairpin' address list to that script.

Re: Hairpin NAT and DDNS (noob)

Posted: Sun Jan 29, 2017 9:29 pm
by Steveocee
Rather than using a dst-address or a convoluted script to update the WAN IP and update the rule, try using MikroTik's built-in DDNS, enable it and copy your host name.

Go into the Firewall and create an address list and call it WAN-IP (or similar), amend your dst-nat rules so that they apply to an address-list and choose the WAN IP list you just made.

In recent RoS the address list can resolve host names so it will resolve your WAN IP and change when you swap IP (if your ISP supports dynamic)

Re: Hairpin NAT and DDNS (noob)

Posted: Sun Jan 29, 2017 10:02 pm
by msatter
To be independent of your dynamic IP address you can use !local:

http://forum.mikrotik.com/viewtopic.php ... in#p576155

Re: Hairpin NAT and DDNS (noob)

Posted: Sun Jan 29, 2017 10:03 pm
by docmarius
In recent RoS the address list can resolve host names so it will resolve your WAN IP and change when you swap IP (if your ISP supports dynamic)
I forgot this one. So ignore the script and just add your wan dns name to the list:
/ip firewall address-list
add address=mymikrotik.two-dns.de list=Hairpin

/ip firewall nat
add action=dst-nat chain=dstnat dst-address-list=Hairpin in-interface=bridge-lan to-addresses=192.168.128.199
The only issue is that there will be a hiatus after ddns update for the remainder of the DNS entry TTL (usually 5-15 minutes worst case since ddns providers use some 300-900 seconds TTL). This does not happen with the script, which limits this behavior to the script cycle.

Re: Hairpin NAT and DDNS (noob)

Posted: Mon Mar 26, 2018 2:30 pm
by neven
I'm trying to configure Hairpin using dst-address-list but looks like I'm missing something.
[admin@MikroTik] /ip firewall filter> /ip firewall address-list print

Flags: X - disabled, D - dynamic 
 #   LIST              ADDRESS                        
 0   Hairpin           xxxx.sn.mynetname.net  
 1 D ;;; xxx.sn.mynetname.net
     Hairpin           xxx.xx.xx.182                  

[admin@MikroTik] /ip firewall filter> /ip firewall filter print      
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 

 2    ;;; allow IPsec NAT
      chain=input action=accept protocol=udp dst-port=4500 

 3    ;;; allow IKE
      chain=input action=accept protocol=udp dst-port=500 

 4    ;;; allow l2tp
      chain=input action=accept protocol=udp dst-port=1701 

 5    ;;; allow pptp
      chain=input action=accept protocol=tcp dst-port=1723 

 6    ;;; allow sstp
      chain=input action=accept protocol=tcp dst-port=443 

 7    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid 

 8    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

 9    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN 

10    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 

11    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 

12    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related 

13    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 

14    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 

15    ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat 
      in-interface-list=WAN 

[admin@MikroTik] /ip firewall filter> /ip firewall nat print                      
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN 
      ipsec-policy=out,none 

 1    ;;; masq. vpn traffic
      chain=srcnat action=masquerade src-address=192.168.89.0/24 

 2    chain=dstnat action=dst-nat to-addresses=192.168.7.21 to-ports=41234 
      protocol=tcp in-interface=ether1 dst-port=41235 log=no log-prefix="" 

 3 X  chain=dstnat action=dst-nat to-addresses=192.168.7.21 to-ports=3389 
      protocol=tcp in-interface=ether1 dst-port=3389 log=no log-prefix="" 

 4    chain=dstnat action=dst-nat to-addresses=192.168.7.21 to-ports=41234 
      protocol=tcp dst-address-list=Hairpin in-interface=bridge dst-port=41235 
      log=no log-prefix="" 

 5    chain=dstnat action=dst-nat to-addresses=192.168.7.11 to-ports=22 
      protocol=tcp dst-address-list=Hairpin in-interface=bridge dst-port=22 
      log=no log-prefix="" 
Connection request is triggering firewall/NAT dst-nat rule 4 and 5 but it is not reaching to-address

Do I need src-nat masquerade for local network?

Re: Hairpin NAT and DDNS (noob)

Posted: Mon Mar 26, 2018 11:03 pm
by Steveocee
Have a watch of this;
https://www.steveocee.co.uk/mikrotik/ha ... nat-video/

If you try https://www.steveocee.co.uk/mikrotik/hairpin-nat/ you will find fully scripted setup.

Re: Hairpin NAT and DDNS (noob)

Posted: Tue Mar 27, 2018 7:19 am
by jspool
If you can access it fine externally and not internally that's generally a masquerade issue
Typically the default settings will masquerade the LAN traffic leaving ether1. However if you temporarily remove ether1 from the rule and apply it my guess is that it will work fine.
If so you should be able to customize rules needed to access devices locally.

Re: Hairpin NAT and DDNS (noob)

Posted: Thu Mar 29, 2018 12:43 pm
by neven
Yup, masquerade for bridge to local subnet in src-chain did the trick. Thank you all.

Re: Hairpin NAT and DDNS (noob)

Posted: Sun Dec 16, 2018 6:17 pm
by ilovepancakes
Yup, masquerade for bridge to local subnet in src-chain did the trick. Thank you all.
Do you mind sharing your final full config for NAT rules? I am trying to get this working and am having similar issues as you originally described.
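Added example, not any poster's actual configuration: the rules from this thread assembled into one working hairpin NAT set for the original poster's values (LAN 192.168.128.0/24 on a bridge, PPPoE WAN, web switch at 192.168.128.199:8880, DDNS name mymikrotik.two-dns.de). The interface names "bridge" and "pppoe-out1" are assumptions; rename them to match your router. It combines docmarius's DDNS address list, the LAN-side dst-nat, and the srcnat masquerade that JB172 gave first and neven confirmed was the missing piece.

```routeros
# Hairpin NAT for one internal server, assembled from this thread (added example).
# Assumed names: LAN bridge "bridge", WAN interface "pppoe-out1"; server and DDNS
# values are the ones from the original question.

# 1. Address list resolved from the DDNS name. Recent RouterOS (6.36 and later)
#    re-resolves FQDN entries when the DNS TTL expires, so after an IP change the
#    list can lag for up to one TTL (the hiatus docmarius describes).
/ip firewall address-list
add list=Hairpin address=mymikrotik.two-dns.de comment="public IP via DDNS"

/ip firewall nat
# 2. Port forward for connections arriving from the Internet (the rule limbo already had).
add chain=dstnat in-interface=pppoe-out1 protocol=tcp dst-port=8880 \
    action=dst-nat to-addresses=192.168.128.199 to-ports=8880 comment="web switch from WAN"

# 3. The same forward for LAN clients that connect to the public name. Local traffic
#    never enters pppoe-out1, so it needs its own rule matched on the LAN bridge.
#    Alternative without any DDNS dependency (2frogs): replace dst-address-list=Hairpin
#    with dst-address-type=local dst-address=!192.168.128.0/24
add chain=dstnat in-interface=bridge dst-address-list=Hairpin protocol=tcp dst-port=8880 \
    action=dst-nat to-addresses=192.168.128.199 to-ports=8880 comment="web switch hairpin"

# 4. Masquerade LAN-to-LAN traffic that was dst-natted. Without this the server sees the
#    client's real LAN address and replies to it directly, bypassing the router; the client
#    then receives a reply from 192.168.128.199 for a connection it opened to the public IP
#    and drops it. Note: srcnat runs after dstnat, so match the translated destination here.
add chain=srcnat src-address=192.168.128.0/24 dst-address=192.168.128.199 protocol=tcp \
    dst-port=8880 out-interface=bridge action=masquerade comment="hairpin masquerade"

# 5. The ordinary Internet masquerade stays as in the default configuration.
add chain=srcnat out-interface=pppoe-out1 action=masquerade comment="defconf: masquerade"

# Check: from a LAN host open http://mymikrotik.two-dns.de:8880, then inspect the connection
# tracking table. A correctly hairpinned flow shows both a dst-nat and a src-nat translation
# (the "D" flags in the output); if only dst-nat appears, rule 4 is not matching.
/ip firewall connection print where protocol=tcp dst-address~"192.168.128.199"
```

Keep the hairpin dst-nat rule narrow (specific ports, one server per rule) rather than forwarding every port on the public address to one host, and leave the default "drop all from WAN not DSTNATed" forward rule in place; the hairpin rules above only add LAN-originated paths and do not widen what the Internet can reach.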