Hairpin not working

Posted: Thu Sep 12, 2019 11:43 am
by PsYcH
Hello, so I'm trying to make hairpin work in my network for port 2222, which runs on IP 192.168.1.203, but I just can't make it work. Here are my rules:
add action=dst-nat chain=dstnat comment="testinis 2222" disabled=yes dst-port=\
    2222 in-interface=bridge1 protocol=tcp src-address=192.168.1.0/24 \
    to-addresses=192.168.1.203 to-ports=2222
add action=masquerade chain=srcnat dst-address=192.168.1.203 dst-port=2222 \
    out-interface=bridge1 protocol=tcp src-address=192.168.1.0/24
add action=dst-nat chain=dstnat comment="Allow ESXI " dst-port=\
    52960,80,443 in-interface=ether1 protocol=tcp src-address=some public IP \
    to-addresses=192.168.1.200
add action=dst-nat chain=dstnat comment="ESMC" disabled=yes dst-port=\
    2222,2223,3128 in-interface=ether1 protocol=tcp to-addresses=192.168.1.203
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat comment="RDP" dst-port=3389 \
    protocol=tcp to-addresses=192.168.1.202
add action=dst-nat chain=dstnat comment="RDP" disabled=yes \
    dst-address=88.119.49.142 dst-port=3389 protocol=tcp src-address=\
    192.168.1.0/24 to-addresses=192.168.1.202
add action=add-dst-to-address-list address-list="" address-list-timeout=\
    none-dynamic chain=srcnat disabled=yes dst-address=Some public IP dst-port=\
    3389 log=yes protocol=tcp src-address=192.168.1.12 to-ports=3389
  

Re: Hairpin not working

Posted: Thu Sep 12, 2019 12:13 pm
by Steveocee
Modify this to work as you need it:
https://www.youtube.com/watch?v=_kw_bQyX-3U

(Shameless plug but it DOES work)

Re: Hairpin not working

Posted: Fri Sep 13, 2019 5:08 pm
by PsYcH
Modify this to work as you need it:
https://www.youtube.com/watch?v=_kw_bQyX-3U

(Shameless plug but it DOES work)
OK, so I have added the rule to the top of my NAT rules:
add action=masquerade chain=srcnat comment="Hairpin" dst-address=\
192.168.1.0/24 src-address=192.168.1.0/24
and it's not working

Re: Hairpin not working

Posted: Fri Sep 13, 2019 5:30 pm
by Sob
Even your original config should work (if you enable first rule). So make sure that packets are really passing through router (you can add logging rules in prerouting and postrouting) and if not, see where they are blocked.

Re: Hairpin not working

Posted: Fri Sep 13, 2019 6:15 pm
by Steveocee
OK, so I have added the rule to the top of my NAT rules:
add action=masquerade chain=srcnat comment="Hairpin" dst-address=\
192.168.1.0/24 src-address=192.168.1.0/24
and it's not working
You clearly haven't done everything it says to, then. There is more than just 1 line of srcnat.

Re: Hairpin not working

Posted: Sat Sep 14, 2019 12:23 pm
by PsYcH
OK, so I have added the rule to the top of my NAT rules:
add action=masquerade chain=srcnat comment="Hairpin" dst-address=\
192.168.1.0/24 src-address=192.168.1.0/24
and it's not working
You clearly haven't done everything it says to, then. There is more than just 1 line of srcnat.
If I heard right, he says that I'm finished if I do have a static public IP.

Re: Hairpin not working

Posted: Sun Sep 15, 2019 1:36 pm
by Steveocee
If I heard right, he says that I'm finished if I do have a static public IP.
Try watching the entire video further; it needs the port forward rules created PROPERLY to work.

He / I am quite sure if done properly it will work.

Re: Hairpin not working

Posted: Tue Sep 17, 2019 12:31 pm
by PsYcH
If I heard right, he says that I'm finished if I do have a static public IP.
Try watching the entire video further; it needs the port forward rules created PROPERLY to work.

He / I am quite sure if done properly it will work.
I don't get how the address list can help with hairpin. I have done as he shows with the address list, but it won't work. As an example, I try to telnet 192.168.1.201 --> 192.168.1.203:2222 and it works, then if I try 192.168.1.201 ---> 88.x.x.142 (public IP):2222 it won't work, so I think that DNS stuff has nothing to do with this :)

Re: Hairpin not working

Posted: Tue Sep 17, 2019 12:50 pm
by Sob
Trace the packets, you need to see what exactly happens. Add something like (at the top):
/ip firewall mangle
add chain=prerouting protocol=tcp dst-port=2222 action=log log-prefix=step1
add chain=postrouting protocol=tcp dst-port=2222 action=log log-prefix=step2
add chain=prerouting protocol=tcp src-port=2222 action=log log-prefix=step3
add chain=postrouting protocol=tcp src-port=2222 action=log log-prefix=step4
Step1 is incoming request, step2 means that it passed through router (dstnat works and forward filter does not block it), step3 is response from server, finally step4 is response going back to client. In your case, something will be missing and it will tell you where to look for problem.
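The four log prefixes above amount to a checklist, and reading them by hand gets tedious once several clients are connecting. The script below is an added example written for this page (not Sob's rules, and not RouterOS code): it parses constructed log lines in the shape those mangle rules emit, groups them per client connection, and names what the first missing step means. The public addresses are documentation ranges standing in for the thread's redacted IPs (198.51.100.7 plays routerWAN_IP), and the line format is assumed from the step 2 excerpt PsYcH posts later in the thread.

```python
import re
from collections import defaultdict

# Constructed log excerpt (not from the thread) in the shape RouterOS firewall
# log rules emit, using Sob's step1..step4 prefixes. Documentation addresses
# stand in for the redacted public IPs; 198.51.100.7 plays routerWAN_IP.
SAMPLE_LOG = """\
12:00:01 firewall,info step1 prerouting: in:ether1 out:(unknown 0), proto TCP (SYN), 203.0.113.5:51234->198.51.100.7:2222, len 52
12:00:01 firewall,info step2 postrouting: in:ether1 out:bridge1, proto TCP (SYN), 203.0.113.5:51234->192.168.1.203:2222, NAT 203.0.113.5:51234->(198.51.100.7:2222->192.168.1.203:2222), len 52
12:00:05 firewall,info step1 prerouting: in:ether1 out:(unknown 0), proto TCP (SYN), 203.0.113.9:60001->198.51.100.7:2222, len 52
12:00:05 firewall,info step2 postrouting: in:ether1 out:bridge1, proto TCP (SYN), 203.0.113.9:60001->192.168.1.203:2222, NAT 203.0.113.9:60001->(198.51.100.7:2222->192.168.1.203:2222), len 52
12:00:05 firewall,info step3 prerouting: in:bridge1 out:(unknown 0), proto TCP (SYN,ACK), 192.168.1.203:2222->203.0.113.9:60001, len 52
12:00:05 firewall,info step4 postrouting: in:bridge1 out:ether1, proto TCP (SYN,ACK), 192.168.1.203:2222->203.0.113.9:60001, len 52
12:00:09 firewall,info step1 prerouting: in:ether1 out:(unknown 0), proto TCP (SYN), 203.0.113.20:4444->198.51.100.7:2222, len 52
"""

STEP_RE = re.compile(r"\b(step[1-4])\s+(?:pre|post)routing:")
# First "a.b.c.d:port->a.b.c.d:port" pair on the line is the packet as logged;
# the "NAT ..." annotation that may follow is ignored.
SOCKET_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)->(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")

REQUEST_STEPS = {"step1", "step2"}   # client -> server; step3/step4 are the replies

# What each combination of observed steps means, following Sob's reading of them.
VERDICTS = {
    ("step1",): "request entered the router but never left it: dst-nat did not match, or the forward filter dropped it",
    ("step1", "step2"): "request was handed to the server but no reply came back: check the server's firewall, the service, and its default gateway",
    ("step1", "step2", "step3"): "server replied but the reply never left the router: check the forward filter and srcnat",
    ("step1", "step2", "step3", "step4"): "full round trip seen: NAT and filtering on the router are fine",
}


def parse_line(line):
    """Return (step, client_socket) for one of the step1..step4 log lines, else None."""
    m = STEP_RE.search(line)
    s = SOCKET_RE.search(line)
    if not m or not s:
        return None
    step = m.group(1)
    src = (s.group(1), int(s.group(2)))
    dst = (s.group(3), int(s.group(4)))
    # The client socket is the source of a request and the destination of a reply.
    # Caveat: for a hairpinned LAN client the reply is addressed to the router's own
    # LAN address (the hairpin masquerade rewrote the source), so step3 lands under that.
    return step, (src if step in REQUEST_STEPS else dst)


def trace(log_text):
    """Group the logged steps per client socket and explain what the missing step means."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            step, client = parsed
            seen[client].add(step)
    report = {}
    for client, steps in seen.items():
        key = tuple(sorted(steps))
        report[client] = (key, VERDICTS.get(key, "unexpected combination, trace this one by hand"))
    return report


if __name__ == "__main__":
    for client, (steps, verdict) in trace(SAMPLE_LOG).items():
        print(f"{client[0]}:{client[1]:<6} {'/'.join(steps):<28} {verdict}")
```

On the constructed sample, the first client stops after step 2, which is exactly the symptom PsYcH reports later in the thread (the server got the packet and never answered), the second completes all four steps, and the third never makes it past prerouting. Remove the logging rules once the problem is found; they log every packet on that port, which is noisy and, on a busy service, a cheap way to fill the log.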

Re: Hairpin not working

Posted: Tue Sep 17, 2019 1:47 pm
by Steveocee
If I heard right, he says that I'm finished if I do have a static public IP.
Try watching the entire video further; it needs the port forward rules created PROPERLY to work.

He / I am quite sure if done properly it will work.
I don't get how the address list can help with hairpin. I have done as he shows with the address list, but it won't work. As an example, I try to telnet 192.168.1.201 --> 192.168.1.203:2222 and it works, then if I try 192.168.1.201 ---> 88.x.x.142 (public IP):2222 it won't work, so I think that DNS stuff has nothing to do with this :)

DNS has nothing to do with this. Stop getting hung up on it, you're clearly not understanding the key elements here.
You need the first rule to masquerade anything from your LAN to 1.203:2222
Then you need a port forward rule to push anything destined for your WAN IP (note NOT your WAN interface) to 1.203:2222

Don't use in-interface as that breaks it severely in this scenario as packets may be coming from either LAN or WAN
Address list is used to resolve the WAN hostname (if dynamic) so that dst-address-list can be used to help tighten the rules down; if you have a static WAN IP, use that in dst-address instead.

Re: Hairpin not working

Posted: Tue Sep 17, 2019 6:45 pm
by PsYcH
If I heard right, he says that I'm finished if I do have a static public IP.
Try watching the entire video further; it needs the port forward rules created PROPERLY to work.

He / I am quite sure if done properly it will work.
I don't get how the address list can help with hairpin. I have done as he shows with the address list, but it won't work. As an example, I try to telnet 192.168.1.201 --> 192.168.1.203:2222 and it works, then if I try 192.168.1.201 ---> 88.x.x.142 (public IP):2222 it won't work, so I think that DNS stuff has nothing to do with this :)

DNS has nothing to do with this. Stop getting hung up on it, you're clearly not understanding the key elements here.
You need the first rule to masquerade anything from your LAN to 1.203:2222
Then you need a port forward rule to push anything destined for your WAN IP (note NOT your WAN interface) to 1.203:2222

Don't use in-interface as that breaks it severely in this scenario as packets may be coming from either LAN or WAN
Address list is used to resolve the WAN hostname (if dynamic) so that dst-address-list can be used to help tighten the rules down; if you have a static WAN IP, use that in dst-address instead.
That was clearly the problem; I missed that part about the destination IP and it's quite logical :) Thank you! Now from the LAN I can resolve it with my external IP, BUT now I can't reach it from the external network. I have added the rules in mangle as Sob said, and it gets stuck at step 2; step 3 won't appear, it looks like the router makes some kind of loop inside. Step 2 says:
ClientExternalIP:someport -> 192.168.1.203:2222, NAT
ClientExternalIP:someport -> (routerExternalIP:2222->192.168.1.203:2222),len52
If I get it right, in step 3 when 192.168.1.203 tries to respond, it searches for routerExternalIP:2222 and my rule:
add action=dst-nat chain=dstnat dst-address=routerExternalIP dst-port=2222 \
    protocol=tcp to-addresses=192.168.1.203
says go to 192.168.1.203 and we get looped?

Re: Hairpin not working

Posted: Tue Sep 17, 2019 7:09 pm
by Steveocee

That was clearly the problem; I missed that part about the destination IP and it's quite logical :) Thank you! Now from the LAN I can resolve it with my external IP, BUT now I can't reach it from the external network.
The irony being that the DDNS/Address List part is in reference to directing to the dst-address?!?!?

Can you provide an export of the NAT rules you have now? Edit out the ones you have disabled, as they make it harder to read through. This is nearly sorted.

Re: Hairpin not working

Posted: Wed Sep 18, 2019 12:23 am
by CZFan

He / I ....
:-)

Re: Hairpin not working

Posted: Wed Sep 18, 2019 9:24 am
by PsYcH

That was clearly the problem; I missed that part about the destination IP and it's quite logical :) Thank you! Now from the LAN I can resolve it with my external IP, BUT now I can't reach it from the external network.
The irony being that the DDNS/Address List part is in reference to directing to the dst-address?!?!?

Can you provide an export of the NAT rules you have now? Edit out the ones you have disabled, as they make it harder to read through. This is nearly sorted.

add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="HAIRPIN NAT" dst-address=192.168.1.0/24 src-address=192.168.1.0/24
add action=dst-nat chain=dstnat comment="ESXI" dst-port=52960,80,443 in-interface=ether1 protocol=tcp src-address=someIP to-addresses=192.168.1.200
add action=dst-nat chain=dstnat dst-address=routerWAN_IP dst-port=2222 protocol=tcp to-addresses=192.168.1.203
add action=dst-nat chain=dstnat comment="RDP" dst-port=3389 protocol=tcp to-addresses=192.168.1.202
add action=dst-nat chain=dstnat comment="2222 from external" dst-port=2222 protocol=tcp to-addresses=192.168.1.203
RDP on 3389 is working.

Re: Hairpin not working

Posted: Wed Sep 18, 2019 11:02 am
by Steveocee
You do not need both of these rules.
add action=dst-nat chain=dstnat dst-address=routerWAN_IP dst-port=2222 protocol=tcp to-addresses=192.168.1.203
add action=dst-nat chain=dstnat comment="2222 from external" dst-port=2222 protocol=tcp to-addresses=192.168.1.203
If you are resolving by hostname internally then all traffic will hit this rule.
add action=dst-nat chain=dstnat dst-address=routerWAN_IP dst-port=2222 protocol=tcp to-addresses=192.168.1.203
Unless there is some firewall, this will work.

Re: Hairpin not working

Posted: Wed Sep 18, 2019 1:20 pm
by PsYcH
You do not need both of these rules.
add action=dst-nat chain=dstnat dst-address=routerWAN_IP dst-port=2222 protocol=tcp to-addresses=192.168.1.203
add action=dst-nat chain=dstnat comment="2222 from external" dst-port=2222 protocol=tcp to-addresses=192.168.1.203
If you are resolving by hostname internally then all traffic will hit this rule.
add action=dst-nat chain=dstnat dst-address=routerWAN_IP dst-port=2222 protocol=tcp to-addresses=192.168.1.203
Unless there is some firewall, this will work.
I tried disabling one rule, then the other, then both; nothing helps. Here is my firewall:
/ip firewall filter
add action=accept chain=input comment="allow L2TP VPN (500,4500,1701/udp)" dst-port=500,1701,4500 in-interface=ether1 protocol=udp
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward dst-address=192.168.1.200 dst-port=52960,80,443 protocol=tcp
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=ether1
add action=drop chain=input comment="WINBOX only from VPN" disabled=yes dst-port=8291 protocol=tcp src-address=!192.168.99.0/24
add action=accept chain=input comment="allow L2TP VPN (ipsec-esp)" in-interface=ether1 protocol=ipsec-esp
add action=accept chain=forward comment=UPTIMEROBOT dst-address=192.168.1.202 dst-port=3389 in-interface=ether1 protocol=tcp src-address-list=UPTIMEROBOT
add action=accept chain=forward dst-address=192.168.1.202 dst-port=3389 in-interface=ether1 protocol=tcp src-address=someIP
add action=accept chain=forward dst-address=192.168.1.202 dst-port=3389 in-interface=ether1 protocol=tcp src-address=someIP
add action=accept chain=forward dst-address=192.168.1.202 dst-port=3389 in-interface=ether1 protocol=tcp src-address=someIP
add action=accept chain=forward dst-address=192.168.1.202 dst-port=3389 in-interface=ether1 protocol=tcp src-address=someIP
add action=accept chain=forward dst-address=192.168.1.202 dst-port=3389 in-interface=ether1 protocol=tcp src-address=someIP
add action=accept chain=forward comment="Eimantas" dst-address=192.168.1.202 dst-port=3389 in-interface=ether1 protocol=tcp src-address=someIP
add action=accept chain=forward dst-address=192.168.1.202 dst-port=3389 in-interface=ether1 protocol=tcp src-address=someIP
add action=accept chain=forward dst-address=192.168.1.202 dst-port=3389 in-interface=ether1 protocol=tcp src-address=someIP
add action=accept chain=forward dst-address=192.168.1.202 dst-port=3389 in-interface=ether1 protocol=tcp src-address=someIP
add action=accept chain=forward dst-address=192.168.1.202 dst-port=3389 in-interface=ether1 protocol=tcp src-address=someIP
add action=accept chain=forward dst-address=192.168.1.202 dst-port=3389 in-interface=ether1 protocol=tcp src-address=someIP
add action=accept chain=forward dst-address=192.168.1.202 dst-port=3389 in-interface=ether1 protocol=tcp src-address=someIP
add action=accept chain=forward dst-address=192.168.1.202 dst-port=3389 in-interface=ether1 protocol=tcp src-address=someIP
add action=accept chain=forward dst-address=192.168.1.202 dst-port=3389 in-interface=ether1 protocol=tcp src-address=someIP
add action=drop chain=forward comment="drop RDP" dst-address=192.168.1.202 dst-port=3389 in-interface=ether1 protocol=tcp

Re: Hairpin not working

Posted: Wed Sep 18, 2019 2:31 pm
by Sob
The public address routerWAN_IP is directly on this router (you'd see it in IP->Addresses), not on some other router, modem or whatever, right?

Re: Hairpin not working

Posted: Wed Sep 18, 2019 4:05 pm
by PsYcH
The public address routerWAN_IP is directly on this router (you'd see it in IP->Addresses), not on some other router, modem or whatever, right?
Yes, correct, we get this IP directly from our ISP on the WAN (eth1) port.

Re: Hairpin not working

Posted: Wed Sep 18, 2019 6:57 pm
by Sob
Everything looks like it should work. I'd do some things differently, but that's not the problem now. I skimmed through older posts and if you still have my logging rules and you do see steps 1 and 2, but do not step 3, it would be problem with server not responding. So a step back, what was the original problem? Did it work from outside and not from inside, or neither? If the latter, it could be firewall on server accepting connections only from local subnet.

Re: Hairpin not working

Posted: Thu Sep 19, 2019 11:09 am
by PsYcH
Everything looks like it should work. I'd do some things differently, but that's not the problem now. I skimmed through older posts and if you still have my logging rules and you do see steps 1 and 2, but do not step 3, it would be problem with server not responding. So a step back, what was the original problem? Did it work from outside and not from inside, or neither? If the latter, it could be firewall on server accepting connections only from local subnet.
Sob, the problem was with hairpin: it was not working from inside using the external IP, but it was working from external; now it's not working from outside but working from inside. Your logging rules are still enabled and yes, I get to step 2, but steps 3 and 4 won't appear when reaching it from outside, and the service is definitely working and running (testing it from the inside network). BTW, on the server side (192.168.1.203) nothing changed, like firewall, etc., so the server should not be blocking it either.

Re: Hairpin not working

Posted: Thu Sep 19, 2019 11:45 am
by Sob
What if you temporarily add this rule?
/ip firewall nat
add action=masquerade chain=srcnat comment="TEMP" dst-port=2222 protocol=tcp dst-addresses=192.168.1.203
It will change source of all packets going to 192.168.1.203:2222, so that it will be router's internal address, same as it is when connection comes from inside and uses hairpin NAT rule. And yes, it does look like I don't believe you about server config, but for the lack of better ideas...

Re: Hairpin not working

Posted: Thu Sep 19, 2019 12:29 pm
by PsYcH
What if you temporarily add this rule?
/ip firewall nat
add action=masquerade chain=srcnat comment="TEMP" dst-port=2222 protocol=tcp dst-addresses=192.168.1.203
It will change source of all packets going to 192.168.1.203:2222, so that it will be router's internal address, same as it is when connection comes from inside and uses hairpin NAT rule. And yes, it does look like I don't believe you about server config, but for the lack of better ideas...
Yes, it worked! Now I can reach it from external and internal networks. The rule is as follows actually:
add action=masquerade chain=srcnat comment=TEMP dst-address=192.168.1.203 dst-port=2222 protocol=tcp

Re: Hairpin not working

Posted: Thu Sep 19, 2019 1:18 pm
by Steveocee
What if you temporarily add this rule?
/ip firewall nat
add action=masquerade chain=srcnat comment="TEMP" dst-port=2222 protocol=tcp dst-addresses=192.168.1.203
It will change source of all packets going to 192.168.1.203:2222, so that it will be router's internal address, same as it is when connection comes from inside and uses hairpin NAT rule. And yes, it does look like I don't believe you about server config, but for the lack of better ideas...
Yes, it worked! Now I can reach it from external and internal networks. The rule is as follows actually:
add action=masquerade chain=srcnat comment=TEMP dst-address=192.168.1.203 dst-port=2222 protocol=tcp
Glad to hear you got it sorted. Yes it appears I had a mistype in the initial rule I gave you. (addresses rather than address).

Re: Hairpin not working

Posted: Thu Sep 19, 2019 6:22 pm
by Sob
Actually, it means something different.

If there was already this:
add action=masquerade chain=srcnat comment="HAIRPIN NAT" dst-address=192.168.1.0/24 src-address=192.168.1.0/24
and it made connections from inside work (it should, because it's correct hairpin NAT rule), but connections from outside did not work, and this:
add action=masquerade chain=srcnat comment=TEMP dst-address=192.168.1.203 dst-port=2222 protocol=tcp
made them work too, then it suggests that server really allows only connections from LAN subnet. So check server's firewall again, because this rule should not be necessary.

Re: Hairpin not working

Posted: Fri Sep 20, 2019 5:09 pm
by PsYcH
Actually, it means something different.

If there was already this:
add action=masquerade chain=srcnat comment="HAIRPIN NAT" dst-address=192.168.1.0/24 src-address=192.168.1.0/24
and it made connections from inside work (it should, because it's correct hairpin NAT rule), but connections from outside did not work, and this:
add action=masquerade chain=srcnat comment=TEMP dst-address=192.168.1.203 dst-port=2222 protocol=tcp
made them work too, then it suggests that server really allows only connections from LAN subnet. So check server's firewall again, because this rule should not be necessary.
Ohh, so that was tricky :) OK, I'll check and let you know.

Re: Hairpin not working

Posted: Wed Sep 25, 2019 10:03 am
by PsYcH
So I've been busy these days; I checked the firewall on the server side. I don't know how much you guys are familiar with Unix systems, but here is my rule for port 2222 on 192.168.1.203:
[two screenshots of the server's firewall rules for port 2222; images not included]

Re: Hairpin not working

Posted: Wed Sep 25, 2019 5:34 pm
by Sob
The first rule looks like it should accept everything. So if it's not firewall, another explanation would be wrong default gateway on server. It needs to be this router.

Re: Hairpin not working

Posted: Wed Sep 25, 2019 6:20 pm
by complex1
@PsYcH

Please try the next rules and check if they help.
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=192.168.1.0/24 src-address=192.168.1.0/24
add action=dst-nat chain=dstnat dst-address=!192.168.1.1 dst-address-type=local dst-port=2222 protocol=tcp to-addresses=192.168.1.203

Re: Hairpin not working

Posted: Wed Sep 25, 2019 6:28 pm
by PsYcH
The first rule looks like it should accept everything. So if it's not firewall, another explanation would be wrong default gateway on server. It needs to be this router.
So you are right, the gateway is set to 0.0.0.0, but the interesting thing is that I have DHCP turned on for the server's network card, and on the MikroTik's DHCP server I have reserved a static IP for the server's MAC address...

Re: Hairpin not working

Posted: Wed Sep 25, 2019 6:34 pm
by Sob
You can have address reservation in DHCP and wrong gateway at the same time, it's two different things. Fix it and there should be happy end.

Re: Hairpin not working

Posted: Wed Oct 02, 2019 4:53 pm
by PsYcH
So yes, you were totally right; I fixed the routes and now everything works like a charm without extra masquerade rules. Thank you!