PsYcH
newbie
Topic Author
Posts: 27
Joined: Mon Jan 29, 2018 2:22 pm

Hairpin not working

Thu Sep 12, 2019 11:43 am

Hello, so I'm trying to make a hairpin in my network for port 2222, which runs on IP 192.168.1.203, but I just can't make it work. Here are my rules:
add action=dst-nat chain=dstnat comment="testinis 2222" disabled=yes dst-port=\
    2222 in-interface=bridge1 protocol=tcp src-address=192.168.1.0/24 \
    to-addresses=192.168.1.203 to-ports=2222
add action=masquerade chain=srcnat dst-address=192.168.1.203 dst-port=2222 \
    out-interface=bridge1 protocol=tcp src-address=192.168.1.0/24
add action=dst-nat chain=dstnat comment="Allow ESXI " dst-port=\
    52960,80,443 in-interface=ether1 protocol=tcp src-address=some public IP \
    to-addresses=192.168.1.200
add action=dst-nat chain=dstnat comment="ESMC" disabled=yes dst-port=\
    2222,2223,3128 in-interface=ether1 protocol=tcp to-addresses=192.168.1.203
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat comment="RDP" dst-port=3389 \
    protocol=tcp to-addresses=192.168.1.202
add action=dst-nat chain=dstnat comment="RDP" disabled=yes \
    dst-address=88.119.49.142 dst-port=3389 protocol=tcp src-address=\
    192.168.1.0/24 to-addresses=192.168.1.202
add action=add-dst-to-address-list address-list="" address-list-timeout=\
    none-dynamic chain=srcnat disabled=yes dst-address=Some public IP dst-port=\
    3389 log=yes protocol=tcp src-address=192.168.1.12 to-ports=3389
  
 
Steveocee
Forum Guru
Posts: 1092
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Hairpin not working

Thu Sep 12, 2019 12:13 pm

Modify this to work as you need it:
https://www.youtube.com/watch?v=_kw_bQyX-3U
(Shameless plug but it DOES work)
Steve "Steveocee" Carter
PC Gamer, Airsofter, MikroTik Nerd
My Website - My MikroTik Tutorials
 
PsYcH

Re: Hairpin not working

Fri Sep 13, 2019 5:08 pm

Steveocee wrote:
Modify this to work as you need it:
https://www.youtube.com/watch?v=_kw_bQyX-3U
(Shameless plug but it DOES work)
Ok, so I have added the rule to the top of my NAT rules:
add action=masquerade chain=srcnat comment="Hairpin" dst-address=\
192.168.1.0/24 src-address=192.168.1.0/24
and it's not working.
 
Sob
Forum Guru
Posts: 4549
Joined: Mon Apr 20, 2009 9:11 pm

Re: Hairpin not working

Fri Sep 13, 2019 5:30 pm

Even your original config should work (if you enable the first rule). So make sure that packets are really passing through the router (you can add logging rules in prerouting and postrouting) and if not, see where they are blocked.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
Steveocee

Re: Hairpin not working

Fri Sep 13, 2019 6:15 pm

PsYcH wrote:
Ok, so I have added the rule to the top of my NAT rules:
add action=masquerade chain=srcnat comment="Hairpin" dst-address=\
192.168.1.0/24 src-address=192.168.1.0/24
and it's not working.
You clearly haven't done everything it says to then. There is more than just 1 line of srcnat.
 
PsYcH

Re: Hairpin not working

Sat Sep 14, 2019 12:23 pm

PsYcH wrote:
Ok, so I have added the rule to the top of my NAT rules:
add action=masquerade chain=srcnat comment="Hairpin" dst-address=\
192.168.1.0/24 src-address=192.168.1.0/24
and it's not working.
Steveocee wrote:
You clearly haven't done everything it says to then. There is more than just 1 line of srcnat.
If I heard right, he says that I'm finished if I do have a static public IP.
 
Steveocee

Re: Hairpin not working

Sun Sep 15, 2019 1:36 pm

PsYcH wrote:
If I heard right, he says that I'm finished if I do have a static public IP.
Try watching the entire video further; it needs the port forward rules creating PROPERLY to work.

He / I am quite sure if done properly it will work.
 
PsYcH

Re: Hairpin not working

Tue Sep 17, 2019 12:31 pm

PsYcH wrote:
If I heard right, he says that I'm finished if I do have a static public IP.
Steveocee wrote:
Try watching the entire video further; it needs the port forward rules creating PROPERLY to work.

He / I am quite sure if done properly it will work.
I don't get how an address list can help with hairpin. I have done as he shows with the address list, but it won't work. For example, I try to telnet 192.168.1.201 --> 192.168.1.203:2222 and it works; then if I try 192.168.1.201 ---> 88.x.x.142 (public IP):2222 it won't work, so I think that the DNS stuff has nothing to do with this :)
 
Sob

Re: Hairpin not working

Tue Sep 17, 2019 12:50 pm

Trace the packets; you need to see what exactly happens. Add something like this (at the top):
/ip firewall mangle
add chain=prerouting protocol=tcp dst-port=2222 action=log log-prefix=step1
add chain=postrouting protocol=tcp dst-port=2222 action=log log-prefix=step2
add chain=prerouting protocol=tcp src-port=2222 action=log log-prefix=step3
add chain=postrouting protocol=tcp src-port=2222 action=log log-prefix=step4
Step1 is the incoming request, step2 means that it passed through the router (dstnat works and the forward filter does not block it), step3 is the response from the server, and finally step4 is the response going back to the client. In your case, something will be missing and it will tell you where to look for the problem.
 
Steveocee

Re: Hairpin not working

Tue Sep 17, 2019 1:47 pm

PsYcH wrote:
If I heard right, he says that I'm finished if I do have a static public IP.
Steveocee wrote:
Try watching the entire video further; it needs the port forward rules creating PROPERLY to work.

He / I am quite sure if done properly it will work.
PsYcH wrote:
I don't get how an address list can help with hairpin. I have done as he shows with the address list, but it won't work. For example, I try to telnet 192.168.1.201 --> 192.168.1.203:2222 and it works; then if I try 192.168.1.201 ---> 88.x.x.142 (public IP):2222 it won't work, so I think that the DNS stuff has nothing to do with this :)

DNS has nothing to do with this. Stop getting hung up on it, you're clearly not understanding the key elements here.
You need the first rule to masquerade anything from your LAN to 1.203:2222.
Then you need a port forward rule to push anything destined for your WAN IP (note: NOT your WAN interface) to 1.203:2222.

Don't use in-interface, as that breaks it severely in this scenario because packets may be coming from either LAN or WAN.
The address list is used to resolve the WAN hostname (if dynamic) so that dst-address-list can be used to help tighten the rules down; if you have a static WAN IP, use that in dst-address instead.
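The two rules described in the post above, written out as a complete configuration. This is an added example, not a rule set from the thread, the video or MikroTik; the public address 203.0.113.10, the DDNS hostname myrouter.example.com, interface ether1 and the interface list WAN are placeholders, while the LAN 192.168.1.0/24 and the server 192.168.1.203 on tcp/2222 are taken from the thread.

```routeros
# Added example (not from the thread): hairpin NAT for one forwarded service.
# Assumptions: WAN on ether1 (interface list "WAN") with static public IP
# 203.0.113.10 (placeholder), LAN 192.168.1.0/24 behind the router, server
# 192.168.1.203 listening on tcp/2222.
/ip firewall nat

# 1. Port forward keyed on the public ADDRESS, not on in-interface=ether1, so
#    it matches Internet clients and LAN clients that dial the public IP alike.
add chain=dstnat action=dst-nat protocol=tcp dst-address=203.0.113.10 \
    dst-port=2222 to-addresses=192.168.1.203 to-ports=2222 \
    comment="forward 2222 to server (Internet and hairpin)"

# 2. Hairpin: a LAN client reaching the LAN server through the forward must
#    see the reply come back via the router. Masquerading LAN->server rewrites
#    the source to the router's LAN address; without it the server would answer
#    the client directly from 192.168.1.203 and the client would drop the reply
#    as belonging to no connection it opened.
add chain=srcnat action=masquerade protocol=tcp src-address=192.168.1.0/24 \
    dst-address=192.168.1.203 dst-port=2222 comment="hairpin NAT for 2222"

# 3. Ordinary Internet masquerade, as in the default configuration.
add chain=srcnat action=masquerade out-interface-list=WAN \
    comment="defconf: masquerade"

# Dynamic WAN address variant: put a DDNS name in an address list (RouterOS
# resolves names in address lists periodically) and match dst-address-list
# instead of a fixed dst-address. Hostname is a placeholder.
/ip firewall address-list
add list=wan-ip address=myrouter.example.com comment="resolved from DNS"
/ip firewall nat
add chain=dstnat action=dst-nat protocol=tcp dst-address-list=wan-ip \
    dst-port=2222 to-addresses=192.168.1.203 to-ports=2222 \
    comment="forward 2222 to server (dynamic WAN address)"
```

Use either the static dst-address rule or the dst-address-list rule, not both. To confirm the path, connect from a LAN host to the public IP on port 2222 and check the counters with /ip firewall nat print stats: both the dstnat rule and the hairpin srcnat rule should increment, and the default forward-chain "drop all from WAN not DSTNATed" rule is not involved because the hairpinned packet enters from the LAN side.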
 
PsYcH

Re: Hairpin not working

Tue Sep 17, 2019 6:45 pm

PsYcH wrote:
If I heard right, he says that I'm finished if I do have a static public IP.
Steveocee wrote:
Try watching the entire video further; it needs the port forward rules creating PROPERLY to work.

He / I am quite sure if done properly it will work.
PsYcH wrote:
I don't get how an address list can help with hairpin. I have done as he shows with the address list, but it won't work. For example, I try to telnet 192.168.1.201 --> 192.168.1.203:2222 and it works; then if I try 192.168.1.201 ---> 88.x.x.142 (public IP):2222 it won't work, so I think that the DNS stuff has nothing to do with this :)
Steveocee wrote:
DNS has nothing to do with this. Stop getting hung up on it, you're clearly not understanding the key elements here.
You need the first rule to masquerade anything from your LAN to 1.203:2222.
Then you need a port forward rule to push anything destined for your WAN IP (note: NOT your WAN interface) to 1.203:2222.

Don't use in-interface, as that breaks it severely in this scenario because packets may be coming from either LAN or WAN.
The address list is used to resolve the WAN hostname (if dynamic) so that dst-address-list can be used to help tighten the rules down; if you have a static WAN IP, use that in dst-address instead.
That was clearly the problem; I missed that part about the destination IP and it's quite logical :) Thank you! Now from the LAN I can resolve with my external IP, BUT now I can't reach it from the external network. I have added the rules in mangle as Sob said, and it gets stuck at phase 2; phase 3 won't appear. It looks like the router makes some kind of loop inside. Step 2 says:
ClientExternalIP:someport -> 192.168.1.203:2222, NAT
ClientExternalIP:someport -> (routerExternalIP:2222->192.168.1.203:2222),len52
If I get it right, in phase 3 when 192.168.1.203 tries to respond, it searches for routerExternalIP:2222 and my rule:
add action=dst-nat chain=dstnat dst-address=routerExternalIP dst-port=2222 \
    protocol=tcp to-addresses=192.168.1.203
says go to 192.168.1.203 and we get looped?
 
Steveocee

Re: Hairpin not working

Tue Sep 17, 2019 7:09 pm


PsYcH wrote:
That was clearly the problem; I missed that part about the destination IP and it's quite logical :) Thank you! Now from the LAN I can resolve with my external IP, BUT now I can't reach it from the external network.
The irony being that the DDNS/Address List part is in reference to directing to the dst-address ?!?!?

Can you provide an export of the NAT rules you have now? Edit out the ones you have disabled, as they make it harder to read through. This is nearly sorted.
 
CZFan
Forum Guru
Posts: 1364
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: Hairpin not working

Wed Sep 18, 2019 12:23 am


Steveocee wrote:
He / I ....
:-)
MTCNA, MTCTCE, MTCRE & MTCINE
 
PsYcH

Re: Hairpin not working

Wed Sep 18, 2019 9:24 am


PsYcH wrote:
That was clearly the problem; I missed that part about the destination IP and it's quite logical :) Thank you! Now from the LAN I can resolve with my external IP, BUT now I can't reach it from the external network.
Steveocee wrote:
The irony being that the DDNS/Address List part is in reference to directing to the dst-address ?!?!?

Can you provide an export of the NAT rules you have now? Edit out the ones you have disabled, as they make it harder to read through. This is nearly sorted.

add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="HAIRPIN NAT" dst-address=192.168.1.0/24 src-address=192.168.1.0/24
add action=dst-nat chain=dstnat comment="ESXI" dst-port=52960,80,443 in-interface=ether1 protocol=tcp src-address=someIP to-addresses=192.168.1.200
add action=dst-nat chain=dstnat dst-address=routerWAN_IP dst-port=2222 protocol=tcp to-addresses=192.168.1.203
add action=dst-nat chain=dstnat comment="RDP" dst-port=3389 protocol=tcp to-addresses=192.168.1.202
add action=dst-nat chain=dstnat comment="2222 from external" dst-port=2222 protocol=tcp to-addresses=192.168.1.203
RDP on 3389 is working.
Last edited by krisjanisj on Wed Sep 18, 2019 9:33 am, edited 1 time in total.
Reason: Leave one line free above and below [code][/code] block for it to properly work
 
Steveocee

Re: Hairpin not working

Wed Sep 18, 2019 11:02 am

You do not need both of these rules.
add action=dst-nat chain=dstnat dst-address=routerWAN_IP dst-port=2222 protocol=tcp to-addresses=192.168.1.203
add action=dst-nat chain=dstnat comment="2222 from external" dst-port=2222 protocol=tcp to-addresses=192.168.1.203
If you are resolving by hostname internally then all traffic will hit this rule.
add action=dst-nat chain=dstnat dst-address=routerWAN_IP dst-port=2222 protocol=tcp to-addresses=192.168.1.203
Unless there is some firewall then this will work.
 
PsYcH

Re: Hairpin not working

Wed Sep 18, 2019 1:20 pm

Steveocee wrote:
You do not need both of these rules.
add action=dst-nat chain=dstnat dst-address=routerWAN_IP dst-port=2222 protocol=tcp to-addresses=192.168.1.203
add action=dst-nat chain=dstnat comment="2222 from external" dst-port=2222 protocol=tcp to-addresses=192.168.1.203
If you are resolving by hostname internally then all traffic will hit this rule.
add action=dst-nat chain=dstnat dst-address=routerWAN_IP dst-port=2222 protocol=tcp to-addresses=192.168.1.203
Unless there is some firewall then this will work.
Tried disabling one rule, then the other, then both; nothing helps. Here is my firewall:
/ip firewall filter
add action=accept chain=input comment="allow L2TP VPN (500,4500,1701/udp)" dst-port=500,1701,4500 in-interface=ether1 protocol=udp
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward dst-address=192.168.1.200 dst-port=52960,80,443 protocol=tcp
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=ether1
add action=drop chain=input comment="WINBOX only from VPN" disabled=yes dst-port=8291 protocol=tcp src-address=!192.168.99.0/24
add action=accept chain=input comment="allow L2TP VPN (ipsec-esp)" in-interface=ether1 protocol=ipsec-esp
add action=accept chain=forward comment=UPTIMEROBOT dst-address=192.168.1.202 dst-port=3389 in-interface=ether1 protocol=tcp src-address-list=UPTIMEROBOT
add action=accept chain=forward dst-address=192.168.1.202 dst-port=3389 in-interface=ether1 protocol=tcp src-address=someIP
add action=accept chain=forward dst-address=192.168.1.202 dst-port=3389 in-interface=ether1 protocol=tcp src-address=someIP
add action=accept chain=forward dst-address=192.168.1.202 dst-port=3389 in-interface=ether1 protocol=tcp src-address=someIP
add action=accept chain=forward dst-address=192.168.1.202 dst-port=3389 in-interface=ether1 protocol=tcp src-address=someIP
add action=accept chain=forward dst-address=192.168.1.202 dst-port=3389 in-interface=ether1 protocol=tcp src-address=someIP
add action=accept chain=forward comment="Eimantas" dst-address=192.168.1.202 dst-port=3389 in-interface=ether1 protocol=tcp src-address=someIP
add action=accept chain=forward dst-address=192.168.1.202 dst-port=3389 in-interface=ether1 protocol=tcp src-address=someIP
add action=accept chain=forward dst-address=192.168.1.202 dst-port=3389 in-interface=ether1 protocol=tcp src-address=someIP
add action=accept chain=forward dst-address=192.168.1.202 dst-port=3389 in-interface=ether1 protocol=tcp src-address=someIP
add action=accept chain=forward dst-address=192.168.1.202 dst-port=3389 in-interface=ether1 protocol=tcp src-address=someIP
add action=accept chain=forward dst-address=192.168.1.202 dst-port=3389 in-interface=ether1 protocol=tcp src-address=someIP
add action=accept chain=forward dst-address=192.168.1.202 dst-port=3389 in-interface=ether1 protocol=tcp src-address=someIP
add action=accept chain=forward dst-address=192.168.1.202 dst-port=3389 in-interface=ether1 protocol=tcp src-address=someIP
add action=accept chain=forward dst-address=192.168.1.202 dst-port=3389 in-interface=ether1 protocol=tcp src-address=someIP
add action=drop chain=forward comment="drop RDP" dst-address=192.168.1.202 dst-port=3389 in-interface=ether1 protocol=tcp
 
Sob

Re: Hairpin not working

Wed Sep 18, 2019 2:31 pm

The public address routerWAN_IP is directly on this router (you'd see it in IP->Addresses), not on some other router, modem or whatever, right?
 
PsYcH

Re: Hairpin not working

Wed Sep 18, 2019 4:05 pm

Sob wrote:
The public address routerWAN_IP is directly on this router (you'd see it in IP->Addresses), not on some other router, modem or whatever, right?
Yes, correct, we get this IP directly from our ISP on the WAN (eth1) port.
 
Sob

Re: Hairpin not working

Wed Sep 18, 2019 6:57 pm

Everything looks like it should work. I'd do some things differently, but that's not the problem now. I skimmed through older posts and if you still have my logging rules and you do see steps 1 and 2, but do not see step 3, it would be a problem with the server not responding. So, a step back: what was the original problem? Did it work from outside and not from inside, or neither? If the latter, it could be a firewall on the server accepting connections only from the local subnet.
 
PsYcH

Re: Hairpin not working

Thu Sep 19, 2019 11:09 am

Sob wrote:
Everything looks like it should work. I'd do some things differently, but that's not the problem now. I skimmed through older posts and if you still have my logging rules and you do see steps 1 and 2, but do not see step 3, it would be a problem with the server not responding. So, a step back: what was the original problem? Did it work from outside and not from inside, or neither? If the latter, it could be a firewall on the server accepting connections only from the local subnet.
Sob, the problem was with hairpin: it was not working from inside using the external IP, but it was working from external. Now it's not working from outside but working from inside. Your logging rules are still enabled and yes, I get to step 2, but steps 3 and 4 won't appear when reaching it from outside, and the service is definitely working and running (testing it from inside the network). BTW, on the server side (192.168.1.203) nothing changed, like firewall, etc.; the server should not be blocking it either.
 
Sob

Re: Hairpin not working

Thu Sep 19, 2019 11:45 am

What if you temporarily add this rule?
/ip firewall nat
add action=masquerade chain=srcnat comment="TEMP" dst-port=2222 protocol=tcp dst-addresses=192.168.1.203
It will change source of all packets going to 192.168.1.203:2222, so that it will be router's internal address, same as it is when connection comes from inside and uses hairpin NAT rule. And yes, it does look like I don't believe you about server config, but for the lack of better ideas...
 
PsYcH

Re: Hairpin not working

Thu Sep 19, 2019 12:29 pm

Sob wrote:
What if you temporarily add this rule?
/ip firewall nat
add action=masquerade chain=srcnat comment="TEMP" dst-port=2222 protocol=tcp dst-addresses=192.168.1.203
It will change source of all packets going to 192.168.1.203:2222, so that it will be router's internal address, same as it is when connection comes from inside and uses hairpin NAT rule. And yes, it does look like I don't believe you about server config, but for the lack of better ideas...
Yes, it worked! Now I can reach it from external and internal networks. The rule is actually as follows:
add action=masquerade chain=srcnat comment=TEMP dst-address=192.168.1.203 dst-port=2222 protocol=tcp
 
Steveocee

Re: Hairpin not working

Thu Sep 19, 2019 1:18 pm

Sob wrote:
What if you temporarily add this rule?
/ip firewall nat
add action=masquerade chain=srcnat comment="TEMP" dst-port=2222 protocol=tcp dst-addresses=192.168.1.203
It will change source of all packets going to 192.168.1.203:2222, so that it will be router's internal address, same as it is when connection comes from inside and uses hairpin NAT rule. And yes, it does look like I don't believe you about server config, but for the lack of better ideas...
PsYcH wrote:
Yes, it worked! Now I can reach it from external and internal networks. The rule is actually as follows:
add action=masquerade chain=srcnat comment=TEMP dst-address=192.168.1.203 dst-port=2222 protocol=tcp
Glad to hear you got it sorted. Yes it appears I had a mistype in the initial rule I gave you. (addresses rather than address).
 
Sob

Re: Hairpin not working

Thu Sep 19, 2019 6:22 pm

Actually, it means something different.

If there was already this:
add action=masquerade chain=srcnat comment="HAIRPIN NAT" dst-address=192.168.1.0/24 src-address=192.168.1.0/24
and it made connections from inside work (it should, because it's a correct hairpin NAT rule), but connections from outside did not work, and this:
add action=masquerade chain=srcnat comment=TEMP dst-address=192.168.1.203 dst-port=2222 protocol=tcp
made them work too, then it suggests that server really allows only connections from LAN subnet. So check server's firewall again, because this rule should not be necessary.
 
PsYcH

Re: Hairpin not working

Fri Sep 20, 2019 5:09 pm

Sob wrote:
Actually, it means something different.

If there was already this:
add action=masquerade chain=srcnat comment="HAIRPIN NAT" dst-address=192.168.1.0/24 src-address=192.168.1.0/24
and it made connections from inside work (it should, because it's a correct hairpin NAT rule), but connections from outside did not work, and this:
add action=masquerade chain=srcnat comment=TEMP dst-address=192.168.1.203 dst-port=2222 protocol=tcp
made them work too, then it suggests that server really allows only connections from LAN subnet. So check server's firewall again, because this rule should not be necessary.
Ohh, so that was tricky :) Ok, I'll check and let you know.
