RazterOfKefrens
just joined
Topic Author
Posts: 15
Joined: Mon Nov 12, 2012 5:40 pm

Really strange problem with Hairpin NAT

Tue Sep 03, 2013 9:46 pm

I've configured hairpin NAT in order to access my SSH server running on an internal LAN server. On my SSH server I've set up some IP blocking rules to safeguard against brute force attacks. I thought I had it all configured correctly until one day I noticed that I could no longer connect to my SSH server. I was a bit puzzled so I took a closer look at it and I was in for a big surprise. ALL SSH requests came from my router's IP address no matter if they were from my internal network or from outside on the internet. Then of course it made sense that I could not connect to my SSH server. If all SSH requests seem to originate from my router IP then it will take about 5 minutes before someone on the outside has triggered the IP blocking rule.

These are my hairpin NAT rules:

Chain=src-nat, Dst. Address=mywanip, Protocol=TCP, Dst.Port=22, action=dst.nat, To Addresses=mylanserverip, To Ports=22
Chain=srcnat, Src. Address=mylanipscope,Dst. Address=mylanserverip, Protocol=TCP, Dst. Port=22, out-interface=lan-bridge, action=masquerade
 
CelticComms
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: Really strange problem with Hairpin NAT

Tue Sep 03, 2013 10:19 pm

Which other NAT rules do you have?
Interlynx | Networking and Information Security Consultants & Trainers | Email: routerlynx@gmail.com
BGP | EIGRP | OSPF | MPLS | Firewall | VPN | IPsec | Multicast | QOS | IPv4/6 | STP | VLAN | PON | AE | M2M | and more!

 
RazterOfKefrens
just joined
Topic Author
Posts: 15
Joined: Mon Nov 12, 2012 5:40 pm

Re: Really strange problem with Hairpin NAT

Wed Sep 04, 2013 11:08 am

Thanks for spending time on my issue and thanks for asking the right question :D Of course I was to blame. I had by error activated a chain=srcnat action=masquerade rule at the very bottom of my NAT rules. It was part of some experiments I did a long time ago. I had simply forgotten all about it and left it active.

Thanks again. The right question is better than a thousand explanations :)
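
An added example, not part of the original posts: a small Python audit of a "/ip firewall nat" export that reports enabled srcnat rules able to rewrite the source address of port-forwarded traffic, which is what made every SSH client look like the router in this thread. The export text, the addresses and the name ether1-wan are constructed; the check goes slightly beyond the thread by also reporting rules pinned to a LAN interface without a source matcher.

```python
import shlex

# Constructed sample shaped like "/ip firewall nat export" output. Addresses and the
# name ether1-wan are made up; lan-bridge is the interface name used in the thread.
SAMPLE_EXPORT = r'''
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=203.0.113.10 dst-port=22 \
    protocol=tcp to-addresses=192.168.88.10 to-ports=22
add action=masquerade chain=srcnat comment="hairpin" dst-address=192.168.88.10 \
    dst-port=22 out-interface=lan-bridge protocol=tcp src-address=192.168.88.0/24
add action=masquerade chain=srcnat out-interface=ether1-wan
add action=masquerade chain=srcnat comment="old experiment"
add action=masquerade chain=srcnat disabled=yes
'''

def parse_nat_rules(export_text):
    """Return one dict of properties per 'add' line of the /ip firewall nat section."""
    joined = export_text.replace("\\\n", " ")  # undo the export's line continuations
    rules, in_nat = [], False
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_nat = line == "/ip firewall nat"
        elif in_nat and line.startswith("add "):
            tokens = shlex.split(line[4:])  # keeps a quoted comment in one token
            rules.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return rules

def rules_hiding_client_ip(rules, lan_interfaces):
    """1-based positions of enabled srcnat rules that can rewrite WAN clients' source IP."""
    # Conservative: only source and out-interface matchers are considered, so a rule
    # narrowed by some other matcher may still be reported for manual review.
    flagged = []
    for pos, rule in enumerate(rules, start=1):
        if rule.get("chain") != "srcnat" or rule.get("disabled") == "yes":
            continue
        if rule.get("action") not in ("masquerade", "src-nat"):
            continue
        if "src-address" in rule or "src-address-list" in rule:
            continue  # limited to known senders, as the hairpin rule is
        if "out-interface-list" in rule:
            continue  # list membership is not visible in this section; not judged
        out_if = rule.get("out-interface")
        if out_if is None or out_if in lan_interfaces:
            flagged.append(pos)  # also hits port-forwarded traffic entering the LAN
    return flagged

if __name__ == "__main__":
    print(rules_hiding_client_ip(parse_nat_rules(SAMPLE_EXPORT), {"lan-bridge"}))
```

On the constructed sample only the fourth rule is reported: the unscoped masquerade left over from an experiment.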
 
CelticComms
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: Really strange problem with Hairpin NAT

Wed Sep 04, 2013 1:39 pm


> Thanks again. The right question is better than a thousand explanations :)
I'm glad it shone a light on the problem. :)
