SergeS
just joined
Topic Author
Posts: 13
Joined: Fri Mar 25, 2016 6:23 am

NAT Loopback, for all ports.

Sun Mar 19, 2017 2:48 am

It bothers me that I cannot access my home web-based services from my home network in the same way I access them from outside of my home network. Especially since I changed provider recently, and with the old provider it was working, I believe because of its router (I had two routers, an external one from the provider and another one, my MikroTik; yes, it was double NAT). Now, with the new provider, I have provider's modem <-> my MikroTik router, and loopback is not working. I understand this is because of the NAT loopback problem, and I've seen some solutions for how to fix it.

I have multiple port-forwarding rules, with different ports and different internal IPs, and I would like to access all that stuff from inside using the same links as from outside.
But I have never seen a solution for how to enable loopback globally, for all ports; I do not want to create two or three rules per port because I have many of them. With the old provider it was working like I would like it to. Is this possible to achieve with MikroTik?
 
docmarius
Forum Guru
Posts: 1219
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania

Re: NAT Loopback, for all ports.

Sun Mar 19, 2017 10:32 am

The old setup was working because your provider's router was doing the loopback.
There is no single rule to reroute incoming traffic through the prerouting chain of your WAN, so that DNAT rules are obeyed.

The solution could be to rewrite those DNAT and input rules, so they don't use interfaces on their definitions, just IPs or address lists (for dynamic IPs). In this case, the rules will work no matter the incoming interface, including hairpin.
Torturing CCR1009-7G-1C-1S+, RB450G, RB750GL, RB951G-2HnD, RB960PGS, RB260GSP, OmniTIK 5HnD and NetMetal 922UAGS-5HPacD + R11e-5HnD in my home network.
 
SergeS
just joined
Topic Author
Posts: 13
Joined: Fri Mar 25, 2016 6:23 am

Re: NAT Loopback, for all ports.

Sun Mar 19, 2017 4:18 pm

docmarius wrote:
> The old setup was working because your provider's router was doing the loopback.
> There is no single rule to reroute incoming traffic through the prerouting chain of your WAN, so that DNAT rules are obeyed.
>
> The solution could be to rewrite those DNAT and input rules, so they don't use interfaces on their definitions, just IPs or address lists (for dynamic IPs). In this case, the rules will work no matter the incoming interface, including hairpin.
Could you please give some links to read about it?

P.S. Actually, I have added a static record to the MikroTik DNS configuration and it covers the majority of links, since these links are to one IP in the internal network, my NAS. But external ports forwarded to other internal IPs (I still have a few) are not covered by this solution...
 
docmarius
Forum Guru
Posts: 1219
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania

Re: NAT Loopback, for all ports.

Sun Mar 19, 2017 5:40 pm

SergeS wrote:
> Could you please give some links to read about it?
No, this is my personal reasoning, and I have not written it down.
But you could check out the packet flow for IPv4:
https://wiki.mikrotik.com/wiki/Manual:Packet_Flow

To be more precise about what I am talking about regarding port forwarding.
Instead of using:
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=10000 in-interface=ISP_PPoE protocol=tcp to-addresses=192.168.1.100
use:
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=10000 dst-address=<your_public_ip> protocol=tcp to-addresses=192.168.1.100
This will ensure the proper dst-nat regardless of the incoming interface, WAN or LAN.
Last edited by docmarius on Sun Mar 19, 2017 5:47 pm, edited 2 times in total.
 
erlinden
Member Candidate
Posts: 173
Joined: Wed Jun 12, 2013 1:59 pm

Re: NAT Loopback, for all ports.

Sun Mar 19, 2017 5:44 pm

Instead of getting NAT loopback working, in my opinion it would make more sense to solve this by DNS. Have your MikroTik work as a DNS server for your clients and have all services that run internally resolved to the internal IP address.
 
docmarius
Forum Guru
Posts: 1219
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania

Re: NAT Loopback, for all ports.

Sun Mar 19, 2017 6:00 pm

Using the DNS will still not solve the issue.
Let's say you have some ports used by the router (e.g. ssh access, or VPN terminations), a DVR on one internal IP and a web server on another.
To which internal IP should the host name be "masqueraded" via DNS? In neither case will all port forwards be honored. The solution I posted solves this for port-forwarded destinations without additional rules.
 
SergeS
just joined
Topic Author
Posts: 13
Joined: Fri Mar 25, 2016 6:23 am

Re: NAT Loopback, for all ports.

Mon Mar 20, 2017 2:01 am

erlinden wrote:
> Instead of getting NAT loopback working, in my opinion it would make more sense to solve this by DNS. Have your MikroTik work as a DNS server for your clients and have all services that run internally resolved to the internal IP address.
I have just set up a static DNS record; it solves a lot of problems with the majority of links, but it cannot solve all of them if port translation is used to redirect to different internal IPs.
For example, <My_External_IP>:80 redirects me to 192.168.0.5:80 (web server, NAS), and <My_External_IP>:8080 redirects me to 192.168.0.10:80 (administrative control panel for my reserve NAS).
 
erlinden
Member Candidate
Posts: 173
Joined: Wed Jun 12, 2013 1:59 pm

Re: NAT Loopback, for all ports.

Mon Mar 20, 2017 10:36 am

In this case DNS together with a reverse proxy will do just fine. Make sure all the services have their own name. This way you don't have to do port translation.
 
Sob
Forum Guru
Posts: 4794
Joined: Mon Apr 20, 2009 9:11 pm

Re: NAT Loopback, for all ports.

Mon Mar 20, 2017 4:44 pm

I believe you might be looking for this rule:
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.0.0/24 out-interface=<LAN> \
    src-address=192.168.0.0/24 src-address-type=!local
Combine it with dstnat suggested by docmarius (using dst-address=<your_public_ip>, to work from both internet and LAN) and any forwarded port will also work from LAN.

DNS is nice too and it's a good idea to use it for any high-traffic services where you don't want your packets to take a "shortcut" through the router. But for something small it's just too much work to keep things synchronized, plus not everything uses DNS.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
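An added Python sketch (not RouterOS code, and not posted by anyone in this thread) of why the two rules above are both needed: it walks a packet through RouterOS's prerouting dstnat, routing decision and postrouting srcnat, comparing docmarius's in-interface and dst-address forms of the dstnat rule with and without Sob's hairpin srcnat rule. The public IP, the router's LAN address and the two client addresses are constructed; the internal hosts and ports are the ones SergeS described.

```python
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.10"      # constructed sample public IP of the router
ROUTER_LAN_IP = "192.168.0.1"   # assumed LAN address of the MikroTik
NAS, RESERVE_NAS = "192.168.0.5", "192.168.0.10"  # internal hosts named in the thread
FORWARDS = {80: (NAS, 80), 8080: (RESERVE_NAS, 80)}  # public port -> (host, port)

@dataclass(frozen=True)
class Pkt:
    src: str; dst: str; dport: int; iface: str  # iface: interface the packet arrived on
def in_lan(ip):
    return ip.startswith("192.168.0.")

def dstnat_in_interface(p):
    """docmarius's first form (in-interface=<WAN>): LAN-originated packets never match."""
    if p.iface == "WAN" and p.dport in FORWARDS:
        host, port = FORWARDS[p.dport]
        return replace(p, dst=host, dport=port)
    return p

def dstnat_dst_address(p):
    """docmarius's second form (dst-address=<public ip>): matches on any incoming interface."""
    if p.dst == PUBLIC_IP and p.dport in FORWARDS:
        host, port = FORWARDS[p.dport]
        return replace(p, dst=host, dport=port)
    return p

def srcnat_hairpin(p, out_iface):
    """Sob's rule: masquerade LAN->LAN packets leaving via the LAN interface;
    src-address-type=!local leaves packets the router itself originates alone."""
    if out_iface == "LAN" and in_lan(p.src) and in_lan(p.dst) and p.src != ROUTER_LAN_IP:
        return replace(p, src=ROUTER_LAN_IP)
    return p

def forward(p, dstnat, hairpin):
    """prerouting dstnat -> routing -> postrouting srcnat. Returns (outcome, packet):
    'no-dnat' = still addressed to the router, nothing forwarded; 'asymmetric' = the server
    would answer the LAN client directly, bypassing the router, so the client sees a reply
    from an address it never contacted and drops it; 'ok' = reply returns via the router."""
    p = dstnat(p)
    if p.dst in (PUBLIC_IP, ROUTER_LAN_IP):
        return "no-dnat", p
    out_iface = "LAN" if in_lan(p.dst) else "WAN"
    if hairpin:
        p = srcnat_hairpin(p, out_iface)
    if in_lan(p.src) and in_lan(p.dst) and p.src != ROUTER_LAN_IP:
        return "asymmetric", p
    return "ok", p

LAN_CLIENT = Pkt("192.168.0.20", PUBLIC_IP, 8080, "LAN")  # constructed sample packet
WAN_CLIENT = Pkt("198.51.100.7", PUBLIC_IP, 8080, "WAN")  # constructed sample packet
```

Only the dst-address dstnat combined with the hairpin srcnat gives "ok" for the LAN client; the in-interface form never translates it, and dst-address alone produces an asymmetric path where the NAS answers the client directly. The model ignores connection tracking and the filter chains, which is fine for showing the NAT decision but not a substitute for testing on the router.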
