 
ayit
just joined
Topic Author
Posts: 1
Joined: Mon Jan 01, 2018 3:23 am

Hairpin NAT is not working

Mon Jan 01, 2018 3:30 am

I use RouterOS v6.41rc52.
I have a web site in my local network on my server with IP 192.168.1.10, port 8000, and I have a public IP. I have a dst-nat rule for users that are outside my network; the rule is OK and users can open the web site,
but in my local network I want to open the web site with the public IP too, and I can't open it with the public IP.
So how can I do this?
Please do not give a wiki website; that does not fix it. I have two ISP lines.

I checked all the websites and cannot make it work.
 
BartoszP
Forum Guru
Posts: 1704
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Hairpin NAT is not working

Mon Jan 01, 2018 1:55 pm

Wiki examples are working. Believe me. The recipe to forward outside traffic to an internal router is two lines of rules long. Hairpin is the third one.
Try to configure it for one ISP's address and then for the second.
Real admins use real keyboards.
 
Steveocee
Forum Guru
Posts: 1090
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Hairpin NAT is not working

Mon Jan 01, 2018 2:18 pm

DST-NAT rule needs to be to destination address and not mention the inbound interface.
You need a hairpin rule as your rule 0 to go from src address your lan range to dst address your lan range and masquerade.

Sorry if that doesn’t read too easily, I made a video showing this on YouTube which has helped another member on here;
https://youtu.be/_kw_bQyX-3U
Steve "Steveocee" Carter
PC Gamer, Airsofter, MikroTik Nerd
My Website - My MikroTik Tutorials
 
emrah
just joined
Posts: 10
Joined: Fri Jan 12, 2018 11:42 am

Re: Hairpin NAT is not working

Fri Jan 12, 2018 1:08 pm

I have exactly the same problem as @ayit.
I've tried a lot of solutions from Google search and MikroTik forum search.
@Steveocee, your solution has not worked for me.

I want to reach the local server (192.168.0.52) from the local network (my local IP: 192.168.0.165) with the external IP (1.1.1.1). (My external IP is static.)
When I try to reach from an outside network (e.g. 2.2.2.2) to (1.1.1.1) -> SUCCESS
When I try to reach from inside the network (192.168.0.165) to (192.168.0.52) -> SUCCESS
When I try to reach from inside the network (192.168.0.165) to (1.1.1.1) -> FAIL : ERR_CONNECTION_REFUSED

RouterOS 6.40.1
RouterBOARD 3011UiAS

/ip firewall nat export
add action=masquerade chain=srcnat dst-address=192.168.0.0/24 src-address=192.168.0.0/24
add action=masquerade chain=srcnat out-interface=RADIO-LINK src-address=192.168.0.0/24
add action=dst-nat chain=dstnat dst-address=1.1.1.1 dst-port=629 protocol=tcp to-addresses=192.168.0.52 to-ports=629

The MikroTik support team in my country (TR) says this is not possible. But I can see from videos and forum posts that it can be done.

Is it possible? Where am I making mistakes?
 
Steveocee
Forum Guru
Posts: 1090
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Hairpin NAT is not working

Fri Jan 12, 2018 6:02 pm

Here is below what I am using, this is from my main router with rules working, the only thing I can see is your dst-nat rule is set to change the port when it is not needed.
/ip firewall nat
add action=masquerade chain=srcnat comment=Hairpin dst-address=10.10.10.0/24 src-address=10.10.10.0/24
add action=masquerade chain=srcnat comment=NAT out-interface=pppoe-out1 src-address=10.10.10.0/24
add action=dst-nat chain=dstnat comment=Transmission dst-address=1.1.1.1 dst-port=9091 protocol=tcp to-addresses=10.10.10.20
Steve "Steveocee" Carter
PC Gamer, Airsofter, MikroTik Nerd
My Website - My MikroTik Tutorials
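
Added example, not part of the thread or of any poster's configuration: a small Python model of why the "Hairpin" masquerade rule in the config above is needed, tracing one connection from a LAN client to the public IP with and without it. The router LAN address 10.10.10.1, the client 10.10.10.50 and source port 40000 are constructed assumptions; the other addresses come from the post above.

```python
import ipaddress
from dataclasses import dataclass, replace

# PUBLIC, SERVER and PORT come from the posted rules.
# ROUTER_LAN and CLIENT are constructed assumptions for this example.
PUBLIC, SERVER, PORT = "1.1.1.1", "10.10.10.20", 9091
ROUTER_LAN, CLIENT = "10.10.10.1", "10.10.10.50"
LAN = ipaddress.ip_network("10.10.10.0/24")

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def in_lan(addr):
    return ipaddress.ip_address(addr) in LAN

def router_forward(pkt, hairpin_rule):
    """Apply the dst-nat rule, then (optionally) the hairpin masquerade."""
    if pkt.dst == PUBLIC and pkt.dport == PORT:        # chain=dstnat action=dst-nat
        pkt = replace(pkt, dst=SERVER)
    if hairpin_rule and in_lan(pkt.src) and in_lan(pkt.dst):
        pkt = replace(pkt, src=ROUTER_LAN)             # chain=srcnat action=masquerade
    return pkt

def trace(hairpin_rule):
    """Follow one TCP SYN from a LAN client to the public IP, and the reply."""
    syn = Packet(CLIENT, 40000, PUBLIC, PORT)
    at_server = router_forward(syn, hairpin_rule)
    reply = Packet(at_server.dst, at_server.dport, at_server.src, at_server.sport)
    if reply.dst == ROUTER_LAN:
        # Reply goes back through the router; conntrack reverses both translations.
        reply = replace(reply, src=PUBLIC, dst=CLIENT)
    # Otherwise the server is on the client's subnet and answers it directly,
    # bypassing the router, so the source address is never rewritten back.
    client_accepts = (reply.src, reply.sport) == (syn.dst, syn.dport)
    return {"server_sees": at_server.src, "reply_src": reply.src,
            "client_accepts": client_accepts}

if __name__ == "__main__":
    for enabled in (False, True):
        print("hairpin rule" if enabled else "no hairpin rule", trace(enabled))
```

With the rule enabled, `server_sees` is the router's LAN address, so the server's access logs and any per-client IP restrictions cannot tell apart internal clients that arrive through the hairpin path.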
 
Steveocee
Forum Guru
Posts: 1090
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Hairpin NAT is not working

Fri Jan 12, 2018 6:15 pm


> When I try to reach from inside the network (192.168.0.165) to (1.1.1.1) -> FAIL : ERR_CONNECTION_REFUSED
>
> Is it possible? Where am I making mistakes?

Are you using any kind of fasttrack or similar? If you are, the router is seeing Lan > Lan so bypassing the routing.
Steve "Steveocee" Carter
PC Gamer, Airsofter, MikroTik Nerd
My Website - My MikroTik Tutorials
 
emrah
just joined
Posts: 10
Joined: Fri Jan 12, 2018 11:42 am

Re: Hairpin NAT is not working

Fri Jan 12, 2018 10:18 pm

> Here is below what I am using, this is from my main router with rules working, the only thing I can see is your dst-nat rule is set to change the port when it is not needed.

I removed "to-ports=629", but it still did not work.

> Are you using any kind of fasttrack or similar? If you are, the router is seeing Lan > Lan so bypassing the routing.

I am not using any kind of fasttrack. Actually, I don't know what fasttrack is.
If you are talking about filter rules, I have only 4 drop rules.
 1    ;;; PROXY-ATAK-DROP
      chain=input action=drop protocol=tcp in-interface=RADIO-LINK dst-port=8080 log=no 
      log-prefix="" 

 2    ;;; PROXY-ATAK-DROP
      chain=input action=drop protocol=tcp in-interface=VDSL-ETH dst-port=8080 log=no 
      log-prefix="" 

 3    ;;; DNS-ATAK-DROP
      chain=input action=drop protocol=tcp in-interface=VDSL-ETH dst-port=53 log=no 
      log-prefix="" 

 4    ;;; DNS-ATAK-DROP
      chain=input action=drop protocol=tcp in-interface=RADIO-LINK dst-port=53 log=no 
      log-prefix=""

I added the following fasttrack filter rule, but it still did not work.

chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""
 
montagdude
just joined
Posts: 14
Joined: Fri Jan 05, 2018 4:33 am

Re: Hairpin NAT is not working

Fri Jan 12, 2018 11:40 pm

> DST-NAT rule needs to be to destination address and not mention the inbound interface.
> You need a hairpin rule as your rule 0 to go from src address your lan range to dst address your lan range and masquerade.
>
> Sorry if that doesn’t read too easily, I made a video showing this on YouTube which has helped another member on here;
> https://youtu.be/_kw_bQyX-3U

Thank you for the tutorial. I have a dynamic WAN IP, but I wanted to mention that I took a slightly different approach. Instead of doing all the cloud stuff, I simply set the dst-address for my port forwarding rule to my current WAN IP like you would if it were static. Since I also use No-IP DDNS, I modified the No-IP script on the wiki so that when the IP address is updated, the dst-address on the port forward also gets updated. It was just a couple lines to add (well, really only one is necessary):

# Update port forwarding rule
/ip firewall nat set numbers=2 dst-address=$currentIP
:log info "Updated dst-address for HTTPS port forward rule"

Note: 2 is the number of my port forwarding rule. Change it as appropriate for your setup.

If you are not using No-IP DDNS, you could still use the No-IP script for this task, but just comment out the lines where it sends the update to no-ip.com.
 
Steveocee
Forum Guru
Posts: 1090
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Hairpin NAT is not working

Sun Jan 14, 2018 8:56 am

> > Here is below what I am using, this is from my main router with rules working, the only thing I can see is your dst-nat rule is set to change the port when it is not needed.
>
> I removed "to-ports=629", but it still did not work.
>
> > Are you using any kind of fasttrack or similar? If you are, the router is seeing Lan > Lan so bypassing the routing.
>
> I am not using any kind of fasttrack. Actually, I don't know what fasttrack is.
> If you are talking about filter rules, I have only 4 drop rules.
>  1    ;;; PROXY-ATAK-DROP
>       chain=input action=drop protocol=tcp in-interface=RADIO-LINK dst-port=8080 log=no
>       log-prefix=""
>
>  2    ;;; PROXY-ATAK-DROP
>       chain=input action=drop protocol=tcp in-interface=VDSL-ETH dst-port=8080 log=no
>       log-prefix=""
>
>  3    ;;; DNS-ATAK-DROP
>       chain=input action=drop protocol=tcp in-interface=VDSL-ETH dst-port=53 log=no
>       log-prefix=""
>
>  4    ;;; DNS-ATAK-DROP
>       chain=input action=drop protocol=tcp in-interface=RADIO-LINK dst-port=53 log=no
>       log-prefix=""
>
> I added the following fasttrack filter rule, but it still did not work.
>
> chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""

Just reread your first post. My solution won’t work for dual WAN. You could try adding both WAN IP addresses to the WAN list from my video, that might work?
Steve "Steveocee" Carter
PC Gamer, Airsofter, MikroTik Nerd
My Website - My MikroTik Tutorials
 
phin
just joined
Posts: 15
Joined: Mon Dec 04, 2017 11:25 pm

Re: Hairpin NAT is not working

Sun Feb 11, 2018 7:51 am

@Steveocee

Very unique way to solve this and it worked flawlessly for me. Thank you!
 
nichky
Long time Member
Posts: 522
Joined: Tue Jun 23, 2015 2:35 pm

Re: Hairpin NAT is not working

Sun Feb 11, 2018 12:24 pm

@ayit can you show us your topology?
Nikola Suminoski
MikroTik Consultant
MTCRE l MTCWE

!) Safe Mode is your friend;
 
Steveocee
Forum Guru
Posts: 1090
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Hairpin NAT is not working

Sun Feb 11, 2018 8:22 pm

> @Steveocee
>
> Very unique way to solve this and it worked flawlessly for me. Thank you!

Thank you. I had gone through every forum thread on this board to try and find what I'll term as the "simplest" (least lines of config) solution to this. It's painful that there isn't a simple "Hairpin" button in RouterOS, but if there was my video wouldn't get any more views lol
Steve "Steveocee" Carter
PC Gamer, Airsofter, MikroTik Nerd
My Website - My MikroTik Tutorials
 
edwinkkc
just joined
Posts: 1
Joined: Tue Dec 11, 2018 8:17 am

Re: Hairpin NAT is not working

Thu Dec 20, 2018 6:56 am

@Steveocee

Thanks for the wonderful and helpful video that you shared on YouTube. I am a totally new user to MikroTik, but based on your guidance from the video, after some testing and a reboot I was finally able to get the loopback/Hairpin NAT plus DYNDNS to work perfectly with my dynamic IP.

Keep up the good job, and a million thanks.
 
Steveocee
Forum Guru
Posts: 1090
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Hairpin NAT is not working

Sat Dec 22, 2018 11:08 am

> @Steveocee
>
> Thanks for the wonderful and helpful video that you shared on YouTube. I am a totally new user to MikroTik, but based on your guidance from the video, after some testing and a reboot I was finally able to get the loopback/Hairpin NAT plus DYNDNS to work perfectly with my dynamic IP.
>
> Keep up the good job, and a million thanks.

Thank you for the kind words.
Steve "Steveocee" Carter
PC Gamer, Airsofter, MikroTik Nerd
My Website - My MikroTik Tutorials
