katit
newbie
Topic Author
Posts: 32
Joined: Wed May 13, 2015 6:01 am

Hairpin NAT - no luck

Thu May 21, 2015 9:29 pm

Hello! New to MT, trying to repeat basic config of port-forwarding to my local web server. After I did that - I quickly learned that it works for everybody except me (from local network). My home router handled this "NAT loop back" without issue.

Ok. I found that I need to do Hairpin NAT and here is what I have now:
add action=dst-nat chain=dstnat comment="WWW on .30:8080" dst-port=8080 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.33.30
add action=masquerade chain=srcnat dst-address=192.168.33.30 dst-port=8080 log=yes out-interface=bridge-local protocol=tcp src-address-list=192.168.33.0/24
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
I don't see any problem with my setup, however I still can't access my web site when inside network. Any pointers?

I followed article here: http://wiki.mikrotik.com/wiki/Hairpin_NAT

I also tried to change NAT rule to be close to article, but without luck:
add action=masquerade chain=srcnat dst-address=192.168.33.30 dst-port=8080 log=yes out-interface=bridge-local protocol=tcp src-address=192.168.33.0/24
The only difference I can see is in "out-interface=bridge-local" - I don't have "LAN" in my defaults and assume bridge-local is what I need. Correct?

ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Hairpin NAT - no luck

Thu May 21, 2015 10:05 pm

> add action=dst-nat chain=dstnat comment="WWW on .30:8080" dst-port=8080 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.33.30
> add action=masquerade chain=srcnat dst-address=192.168.33.30 dst-port=8080 log=yes out-interface=bridge-local protocol=tcp src-address-list=192.168.33.0/24
> add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
Think carefully about what the first rule here says:
Packets coming in ether1-gateway which are TCP and with a destination port of 8080, modify the destination address to become 192.168.33.30

If your computer is on the LAN - will the packets to the public IP on TCP:8080 be arriving on interface ether1-gateway?
No - they're arriving on bridge-local.

I prefer interface-based rules like these, but unfortunately, when doing Hairpin NAT, you need to use different matching criteria. It used to be that you had to match the destination IP = your WAN IP, but this is troublesome if your IP is dynamic....

The best way to match pinhole packets is with the matcher: dst-address-type=local which means "if the destination IP is one of the Mikrotik's own IP addresses"

This will actually cause the pinhole on all interfaces, but port 8080 shouldn't matter. If it does matter, you can limit the rule a little more by adding a criteria dst-address=!192.168.0.0/16 - so the LAN IP won't have the pinhole - just the public IP.

Change rule 1 to this:
/ip firewall nat add action=dst-nat chain=dstnat dst-address-type=local dst-port=8080 protocol=tcp to-addresses=192.168.33.30
(in Winbox, just modify the existing rule by removing the interface and then going to the Extra tab and expand Dst. Address Type, and choose Address Type: Local)
When given a spoon,
you should not cling to your fork.
The soup will get cold.
katit
newbie
Topic Author
Posts: 32
Joined: Wed May 13, 2015 6:01 am

Re: Hairpin NAT - no luck

Thu May 21, 2015 10:34 pm

Makes perfect sense! Works now. I have more of those and seems like they work ok so far after I made change to original port-forward NAT. I do have static IP (5 of them) but prefer NOT to use it anywhere in setup if possible..
katit
newbie
Topic Author
Posts: 32
Joined: Wed May 13, 2015 6:01 am

Re: Hairpin NAT - no luck

Fri May 22, 2015 12:07 am

> This will actually cause the pinhole on all interfaces, but port 8080 shouldn't matter. If it does matter, you can limit the rule a little more by adding a criteria dst-address=!192.168.0.0/16 - so the LAN IP won't have the pinhole - just the public IP.

Can you explain why it would matter, for example? And, do I understand correctly it is possible to create a more universal "loopback NAT"? Right now this is what I have and it is working, but I wonder if it can be nicer. On the external interface this is 8080, 8081, 443 but inside it's 3 different IPs and 2 of them 8080
add action=dst-nat chain=dstnat comment="WWW" dst-address-type=local dst-port=8080 protocol=tcp to-addresses=192.168.33.30
add action=masquerade chain=srcnat dst-address=192.168.33.30 dst-port=8080 out-interface=bridge-local protocol=tcp src-address=192.168.33.0/24
add action=dst-nat chain=dstnat comment="WWW JIRA" dst-address-type=local dst-port=8081 protocol=tcp to-addresses=192.168.33.33 to-ports=8080
add action=masquerade chain=srcnat dst-address=192.168.33.33 dst-port=8080 out-interface=bridge-local protocol=tcp src-address=192.168.33.0/24
add action=dst-nat chain=dstnat comment="SVN" dst-address-type=local dst-port=443 protocol=tcp to-addresses=192.168.33.32
add action=masquerade chain=srcnat dst-address=192.168.33.32 dst-port=443 out-interface=bridge-local protocol=tcp src-address=192.168.33.0/24

ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Hairpin NAT - no luck

Fri May 22, 2015 12:33 am

> Can you explain why it would matter, for example? And, do I understand correctly it is possible to create a more universal "loopback NAT"? Right now this is what I have and it is working, but I wonder if it can be nicer. On the external interface this is 8080, 8081, 443 but inside it's 3 different IPs and 2 of them 8080

Your configuration is fine. Using different external ports to refer to different hosts, but the same internal port number is a normal configuration. (we had hotels with 50 access points all listening on port 80, but mapped to 8001 - 8050 on the outside, for instance)

The only "limitation" of this configuration is that you can't distinguish between multiple public IP addresses. If you have multiple IPs available, and you want x.x.x.11:TCP:80 --> lan host 1, and x.x.x.12:TCP:80 --> lan host 2, then you're going to need to recognize the different IPs. (current config doesn't care what the IP is - all IPs of the Mikrotik are mapped)

As for your question - when might it matter - suppose you wanted to use the http proxy on the Mikrotik - it listens on 8080 by default, so you couldn't hit the proxy because the dst-nat rule would re-map the packets to your other server. If you want public IP:8080 --> nat, but lan IP:8080 --> self, you're going to have to be pickier in your rules' matching criteria.

Also note that 443 is mapped - but the Mikrotik has a local webconfig program that listens on 443 if you enable ssl.... so if you wanted to configure the mikrotik over SSL, you couldn't use the rule as it's written.

So for this, and for the previous multiple IP address scenarios, you're going to need to match dst-address=wan.ip.x instead of dst-address-type=local
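A small model of the two dstnat matchers and the masquerade rule discussed in this thread, added here as an example; it is not code from the posts or from RouterOS. The router's public address 203.0.113.10, the WAN client 198.51.100.7, the LAN client 192.168.33.5 and all function names are constructed; 192.168.33.1 is assumed to be the router's bridge-local address.

```python
import ipaddress

# Constructed addresses: 203.0.113.10 stands in for the router's public IP on
# ether1-gateway and 192.168.33.1 for its address on bridge-local; together they
# are what RouterOS's dst-address-type=local matcher would match.
ROUTER_WAN, ROUTER_LAN = "203.0.113.10", "192.168.33.1"
LOCAL_IPS = {ROUTER_WAN, ROUTER_LAN}
LAN = ipaddress.ip_network("192.168.33.0/24")
WWW = "192.168.33.30"  # the web server from the thread

def packet(src, dst, in_iface, dport=8080):
    return {"src": src, "dst": dst, "in_iface": in_iface, "dport": dport}

def dstnat_in_interface(pkt):
    """katit's original rule: in-interface=ether1-gateway dst-port=8080 -> .30"""
    if pkt["in_iface"] == "ether1-gateway" and pkt["dport"] == 8080:
        return {**pkt, "dst": WWW}
    return pkt

def dstnat_local(pkt, exclude_lan=False):
    """ZeroByte's rule: dst-address-type=local dst-port=8080 -> .30; exclude_lan
    adds dst-address=!192.168.0.0/16 so only the public IP gets the pinhole."""
    if pkt["dport"] != 8080 or pkt["dst"] not in LOCAL_IPS:
        return pkt
    if exclude_lan and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network("192.168.0.0/16"):
        return pkt
    return {**pkt, "dst": WWW}

def srcnat_hairpin(pkt):
    """The masquerade rule: LAN -> .30:8080 leaving via bridge-local is rewritten
    to come from the router's LAN address, so the reply returns via the router."""
    if pkt["dst"] == WWW and pkt["dport"] == 8080 and ipaddress.ip_address(pkt["src"]) in LAN:
        return {**pkt, "src": ROUTER_LAN}
    return pkt

def hairpin(pkt, dstnat_rule, masquerade=True):
    """Run dstnat then srcnat and return (src, dst, ok). ok is True only when the
    packet reached .30 AND the server's reply comes back through the router; a LAN
    client that receives the reply directly from .30 discards it (it sent its SYN
    to the public IP, not to .30) and the connection times out."""
    pkt = dstnat_rule(pkt)
    if masquerade:
        pkt = srcnat_hairpin(pkt)
    src = ipaddress.ip_address(pkt["src"])
    ok = pkt["dst"] == WWW and (src not in LAN or pkt["src"] == ROUTER_LAN)
    return pkt["src"], pkt["dst"], ok
```

Running a LAN client's packet through `dstnat_in_interface` leaves the destination on the router itself, which is the failure from the first post, while `dstnat_local` with `exclude_lan=True` reproduces the stricter rule that keeps 192.168.33.1:8080 (e.g. the web proxy) reachable from the LAN.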