drillstring
just joined
Topic Author
Posts: 15
Joined: Fri Aug 10, 2018 11:54 pm

Hairpin NAT not working

Sat Aug 18, 2018 12:21 pm

I have a Mikrotik CCR1009-7G-1C-1S+ with firmware 6.42.6

I have a local web server running that is accessible from the internet.
As mentioned in several posts on the forum, hairpin NAT is required to access the web server from a local machine with the public request.
I have set up a hairpin rule in the firewall but I cannot get it working. What am I doing wrong?


 0    ;;; WAN out NAT
      chain=srcnat action=masquerade out-interface-list=WAN log=no log-prefix="" 

 1    ;;; hairpin NAT
      chain=srcnat action=masquerade src-address=192.168.200.0/24 
      dst-address=192.168.200.0/24 log=no log-prefix="" 

 2    ;;; web server
      chain=dstnat action=dst-nat to-addresses=192.168.200.26 to-ports=80 
      protocol=tcp in-interface-list=WAN dst-port=80 log=no log-prefix="" 

 3    ;;; web server https
      chain=dstnat action=dst-nat to-addresses=192.168.200.26 to-ports=443 
      protocol=tcp in-interface-list=WAN dst-port=443 log=no log-prefix="" 
 
xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Hairpin NAT not working

Sat Aug 18, 2018 1:57 pm

Hairpin NAT is used when you try to reach internal resources by external IP from the internal network, so what you've done is not hairpin NAT.
You should do something like:
chain=srcnat action=src-nat src-address=192.168.200.0/24 
      dst-address=ROUTER_EXTERNAL_IP dst-port=80,443 to-addresses=ROUTER_INTERNAL_IP log=no log-prefix=""
Last edited by xvo on Sat Aug 18, 2018 11:34 pm, edited 1 time in total.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Hairpin NAT not working  [SOLVED]

Sat Aug 18, 2018 3:14 pm

Srcnat rule for hairpin is fine, the problem is with the dstnat rules. When they have in-interface-list=WAN (where I assume the WAN list contains the WAN interface), they will only work for connections from the internet. But connections from a local machine come from LAN, so the dstnat part won't happen for them. The condition needs to be replaced, preferably by dst-address=<public IP address> (if it's static) or dst-address-type=local (matches any address assigned to the router). If it's the latter, make sure it doesn't conflict with anything else, e.g. if you'd use WebFig on 192.168.200.x:80 (where .x is what the router has), you'd also need to add dst-address=!192.168.200.x.
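
The following is an added illustration, not part of any poster's message and not MikroTik code: a small Python model of the dstnat and hairpin srcnat decisions discussed in this thread, showing which packets each dstnat matcher catches. The router LAN address, public IP and client addresses are assumed placeholder values, and the dict keys (`in_list`, `dst`, `dst_local`, `not_dst`) are hypothetical names standing in for the RouterOS conditions.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.200.0/24")   # from the thread
SERVER = "192.168.200.26"                        # from the thread
ROUTER_LAN = "192.168.200.1"   # assumed router LAN address (the thread's ".x")
PUBLIC_IP = "203.0.113.10"     # placeholder public address (documentation range)
ROUTER_ADDRS = {ROUTER_LAN, PUBLIC_IP}           # what dst-address-type=local matches

def dstnat(pkt, rules):
    """First matching dstnat rule rewrites the destination; otherwise unchanged."""
    for r in rules:
        if "in_list" in r and r["in_list"] != pkt["in_list"]:
            continue                             # in-interface-list mismatch
        if "dst" in r and r["dst"] != pkt["dst"]:
            continue                             # dst-address mismatch
        if r.get("dst_local") and pkt["dst"] not in ROUTER_ADDRS:
            continue                             # dst-address-type=local mismatch
        if r.get("not_dst") == pkt["dst"]:
            continue                             # dst-address=!x exclusion
        if r["port"] == pkt["dport"]:
            return dict(pkt, dst=r["to"])
    return pkt

def trace(src, dst, in_list, rules, hairpin=True):
    """Follow one TCP SYN to port 80 and report what happens to it."""
    pkt = dstnat({"src": src, "dst": dst, "dport": 80, "in_list": in_list}, rules)
    if pkt["dst"] in ROUTER_ADDRS:
        return "handled by router itself"        # not forwarded to the server
    both_lan = all(ipaddress.ip_address(pkt[k]) in LAN for k in ("src", "dst"))
    if both_lan and not hairpin:
        return "server replies directly; client drops mismatched reply"
    if both_lan:
        pkt["src"] = ROUTER_LAN                  # hairpin srcnat (rule 1): masquerade
    return f"served by {pkt['dst']} (sees {pkt['src']})"

ORIGINAL = [{"in_list": "WAN", "port": 80, "to": SERVER}]
BY_ADDRESS = [{"dst": PUBLIC_IP, "port": 80, "to": SERVER}]
BY_TYPE = [{"dst_local": True, "port": 80, "to": SERVER}]
BY_TYPE_EXCL = [{"dst_local": True, "not_dst": ROUTER_LAN, "port": 80, "to": SERVER}]

if __name__ == "__main__":
    client = "192.168.200.50"                    # constructed LAN client
    for name, rules in [("original", ORIGINAL), ("dst-address", BY_ADDRESS),
                        ("type=local", BY_TYPE), ("type=local + exclusion", BY_TYPE_EXCL)]:
        print(name, "| LAN->public:", trace(client, PUBLIC_IP, "LAN", rules),
              "| LAN->router:", trace(client, ROUTER_LAN, "LAN", rules))
```

The "LAN->router" column shows the WebFig conflict: with the bare `dst-address-type=local` matcher, a request to the router's own LAN address on port 80 is redirected to the web server unless the exclusion is present.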
 
drillstring
just joined
Topic Author
Posts: 15
Joined: Fri Aug 10, 2018 11:54 pm

Re: Hairpin NAT not working

Sat Aug 18, 2018 4:37 pm

Thanks all for the support.

After implementing the advice of "Sob" the system is working as required.
