Community discussions

 
drc
just joined
Topic Author
Posts: 4
Joined: Mon Oct 29, 2018 1:38 pm

Hairpin NAT

Tue Oct 30, 2018 4:48 pm

Hi all

I have some issues when trying to get hairpin NAT to work. I have 2 VLANs coming into the MikroTik, 1272 (WAN) and 3524 (MGMT). I have created VLANs 30, 40, 50 and 60 for my customers with NAT. VLANs 30, 50 and 60 are for all users and VLAN 40 is for a specific customer that wants its own public IP and port forwarding options. I have 2 IP addresses on VLAN 1272, x.x.x.3 and x.x.x.4; x.x.x.3 is for all and x.x.x.4 is for the specific customer (10077777).

My issue is that I cannot get hairpin NAT to work. It works fine when I try to access the external IP x.x.x.4 from outside on port 23 (a test setup), but when I try to access the outside IP from the LAN (192.168.40.x), it doesn't work. I've attached all my config below.

Code:

# RouterOS 6.43.4

# model = CCR1036-8G-2S+

/interface bridge
add name=br3524 protocol-mode=none

/interface vlan
add interface=sfp-sfpplus1 name=eth1-10GE.30 vlan-id=30
add interface=sfp-sfpplus1 name=eth1-10GE.3524 vlan-id=3524
add interface=sfp-sfpplus1 name=eth1-10GE.40 vlan-id=40
add interface=sfp-sfpplus1 name=eth1-10GE.50 vlan-id=50
add interface=sfp-sfpplus1 name=eth1-10GE.60 vlan-id=60
add interface=ether2 name=eth2.1272 vlan-id=1272
add interface=ether2 name=eth2.3524 vlan-id=3524

/ip pool
add name=dhcp_pool0 ranges=192.168.30.10-192.168.30.254
add name=dhcp_pool1 ranges=192.168.40.10-192.168.40.254
add name=dhcp_pool2 ranges=192.168.50.10-192.168.50.254
add name=dhcp_pool3 ranges=192.168.60.10-192.168.60.254

/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=eth1-10GE.30 lease-time=1d name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=eth1-10GE.40 lease-time=1d name=dhcp2
add address-pool=dhcp_pool2 disabled=no interface=eth1-10GE.50 lease-time=1d name=dhcp3
add address-pool=dhcp_pool3 disabled=no interface=eth1-10GE.60 lease-time=1d name=dhcp4

/interface bridge port
add bridge=br3524 interface=eth1-10GE.3524
add bridge=br3524 interface=eth2.3524

/ip address
add address=10.1.51.120/24 interface=br3524 network=10.1.51.0
add address=X.X.X.3/25 interface=eth2.1272 network=X.X.X.0
add address=X.X.X.4/25 interface=eth2.1272 network=X.X.X.0
add address=192.168.30.1/24 interface=eth1-10GE.30 network=192.168.30.0
add address=192.168.40.1/24 interface=eth1-10GE.40 network=192.168.40.0
add address=192.168.50.1/24 interface=eth1-10GE.50 network=192.168.50.0
add address=192.168.60.1/24 interface=eth1-10GE.60 network=192.168.60.0

/ip dhcp-server network
add address=192.168.30.0/24 dns-server=8.8.8.8 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=8.8.8.8 gateway=192.168.40.1
add address=192.168.50.0/24 dns-server=8.8.8.8 gateway=192.168.50.1
add address=192.168.60.0/24 dns-server=8.8.8.8 gateway=192.168.60.1

/ip firewall address-list
add address=192.168.30.0/24 list=All
add address=192.168.50.0/24 list=All
add address=192.168.40.0/24 list=10077777
add address=192.168.60.0/24 list=All

/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=to_All passthrough=yes src-address-list=All
add action=mark-routing chain=prerouting new-routing-mark=to_10077777 passthrough=yes src-address-list=10077777

/ip firewall nat
add action=masquerade chain=srcnat comment=Hairpin dst-address=192.168.40.0/24 src-address=192.168.40.0/24
add action=src-nat chain=srcnat comment="Nat til All" out-interface=eth2.1272 routing-mark=to_All src-address-list=All to-addresses=X.X.X.3
add action=src-nat chain=srcnat comment="Nat til 10077777" dst-address=!192.168.40.1 out-interface=eth2.1272 routing-mark=to_10077777 src-address-list=10077777 to-addresses=X.X.X.4
add action=dst-nat chain=dstnat comment="Portforward port 23" dst-address-type=local dst-port=23 protocol=tcp to-addresses=192.168.40.2 to-ports=23

/ip route
add distance=1 gateway=X.X.X.1 routing-mark=to_All scope=255
add distance=1 gateway=X.X.X.1 routing-mark=to_10077777 scope=255
add distance=1 gateway=10.1.51.1
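An added example of the hairpin NAT pattern on RouterOS 6 (editor's code, not the poster's configuration and not taken from MikroTik documentation). It reuses the names from the config above (X.X.X.4 as the placeholder public address, 192.168.40.2 as the forwarded host, address list 10077777 and routing mark to_10077777) and goes slightly beyond the post by showing how the prerouting routing marks interact with hairpinned traffic: mangle prerouting runs before dst-nat, so a marked table that holds only a default route would also capture packets whose translated destination is on a connected VLAN. The 192.168.0.0/16 exclusion assumes all customer VLANs live in that range.

```routeros
# Added example (editor's, not the poster's config). Interface and address
# names come from the post; X.X.X.4 is the placeholder public address used there.

/ip firewall nat
# Forward the public address to the internal host. Matching the exact public
# address instead of dst-address-type=local keeps this rule from also catching
# port 23 traffic aimed at the router's other addresses (X.X.X.3, 192.168.40.1).
add chain=dstnat comment="Portforward port 23" dst-address=X.X.X.4 \
    protocol=tcp dst-port=23 action=dst-nat to-addresses=192.168.40.2 to-ports=23

# Hairpin: a LAN host that reaches the server through the public address must
# get its replies back through the router, so rewrite the source to the router's
# LAN address. Keep this rule above the general srcnat rules so it matches first.
add chain=srcnat comment="Hairpin" src-address=192.168.40.0/24 \
    dst-address=192.168.40.2 protocol=tcp dst-port=23 action=masquerade

/ip firewall mangle
# Routing marks are set in prerouting, before dst-nat, so a hairpinned packet
# (destination still X.X.X.4 at this point) would be marked as well. Leave the
# mark unset for destinations that are the router's own addresses or the
# customer LANs (assumption: 192.168.0.0/16 covers every customer VLAN), so
# those packets are routed through the main table's connected routes.
add chain=prerouting src-address-list=10077777 dst-address-type=!local \
    dst-address=!192.168.0.0/16 action=mark-routing \
    new-routing-mark=to_10077777 passthrough=yes
```

To see which rules a test connection actually hits, compare the counters from /ip firewall nat print stats before and after connecting from a 192.168.40.x host to X.X.X.4:23, and check /ip firewall connection print for an entry whose reply destination is 192.168.40.2; a hairpinned connection that shows up only on the dst-nat counter and never on the hairpin masquerade rule is being routed out the wrong interface.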
 
k6ccc
Member
Posts: 479
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Hairpin NAT

Tue Oct 30, 2018 10:22 pm

You did not list your firewall rules. I assume that there is either a rule that allows the specific NAT through the firewall, or all NATted packets through the firewall. Does that rule or rules specify the input being the WAN interface? That would stop NATted packets that are coming in on one of the LAN interfaces.
RB750Gr3, RB750r2, CRS326-24G-2S (in SwitchOS), CSS326-24G-2S, CSS106-5G-1S, RB260GS
Not sure if I beat them in submission, or they beat me into submission


Jim
 
Anumrak
Forum Guru
Posts: 1013
Joined: Fri Jul 28, 2017 2:53 pm

Re: Hairpin NAT

Wed Oct 31, 2018 8:52 am

You don't need firewall rules to control NAT. Just use correct NAT rules, that's it.
 
drc
just joined
Topic Author
Posts: 4
Joined: Mon Oct 29, 2018 1:38 pm

Re: Hairpin NAT

Wed Oct 31, 2018 9:12 am

Anumrak wrote:
You don't need firewall rules to control NAT. Just use correct NAT rules, that's it.

Can you provide me with an example, or maybe tell me what's wrong with my rules, since the hairpin doesn't work :)
