kusmierz
just joined
Topic Author
Posts: 8
Joined: Sun May 09, 2021 9:06 am

Hairpin issue @RB5009 on 7.1

Mon Feb 14, 2022 11:10 am

Hi,

I've spent the whole weekend trying to configure hairpin NAT, which took me like 2 minutes on OpenWRT before. But here it simply doesn't work. The hairpin NAT rule always shows "0 packets". The redirect works correctly from the Internet but not from the LAN. What am I doing wrong?

# feb/13/2022 23:16:41 by RouterOS 7.1.2
# model = RB5009UG+S+
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment="www" dst-address=!192.168.144.1 dst-address-type=local dst-port=80 protocol=tcp to-addresses=192.168.144.22 to-ports=80
add action=masquerade chain=srcnat comment=HairpinNat dst-address=!192.168.144.1 src-address=192.168.144.0/24

/ip firewall filter
add action=accept chain=forward comment="Allow forward traffic for connection already established/related" connection-state=established,related
add action=accept chain=forward comment="Allow forward traffic for connection from LAN" connection-state=!invalid in-interface-list=LAN out-interface-list=WAN src-address=192.168.144.0/24
add action=accept chain=forward comment="Allow forward traffic for port redirections and DMZ" connection-nat-state=dstnat
add action=drop chain=forward comment="Deny rest of forward traffic"
add action=accept chain=output comment="Allow output traffic"
add action=accept chain=input comment="Allow input traffic for connection already established/related" connection-state=established,related
add action=accept chain=input comment="Allow ICMP ping requests" icmp-options=8:0 protocol=icmp
add action=accept chain=input comment="Allow ICMP messages about too big packet size (fragmentation required)" icmp-options=3:4 protocol=icmp
add action=accept chain=input comment="Allow init connection to winbox service on LAN" connection-state=new dst-address=192.168.144.1 dst-port=8291,22,80 in-interface-list=LAN protocol=tcp src-address=192.168.144.0/24
add action=accept chain=input comment="Allow requests to DNS service from LAN" connection-state=new dst-address=192.168.144.1 dst-port=53 in-interface-list=LAN protocol=udp src-address=192.168.144.0/24
add action=drop chain=input comment="Deny rest of input traffic"
 
ivicask
Member
Posts: 422
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: Hairpin issue @RB5009 on 7.1  [SOLVED]

Mon Feb 14, 2022 1:32 pm

Do you have "Use IP firewall" for the bridge ticked ON? That's what broke it for me on v7; the same setup works on v6.
 
kusmierz
just joined
Topic Author
Posts: 8
Joined: Sun May 09, 2021 9:06 am

Re: Hairpin issue @RB5009 on 7.1

Mon Feb 14, 2022 2:18 pm

Yes, I have it ticked ON (Bridge | Settings):
(screenshot: Untitled.jpg)
Should I turn it off? By the way, "Use IP Firewall For PPPoE": should it be turned off (I have a PPPoE connection)?

/interface bridge
add igmp-snooping=yes igmp-version=3 name=br-lan protocol-mode=none
/interface bridge port
add interface=wan1
add bridge=br-lan interface=ether2
add bridge=br-lan interface=ether3
add bridge=br-lan interface=ether4
add bridge=br-lan interface=ether5
add bridge=br-lan interface=ether6
add bridge=br-lan interface=ether7
add bridge=br-lan interface=ether8
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Hairpin issue @RB5009 on 7.1

Mon Feb 14, 2022 2:39 pm

As per my answer in the other post on the same topic...

Not that it may make a difference, but worth a shot... change the order and modify the rule:

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment="www" dst-address=!192.168.144.1 dst-address-type=local dst-port=80 protocol=tcp to-addresses=192.168.144.22 to-ports=80
add action=masquerade chain=srcnat comment=HairpinNat dst-address=!192.168.144.1 src-address=192.168.144.0/24


/ip firewall nat
add action=masquerade chain=srcnat comment=HairpinNat dst-address=192.168.144.0/24 src-address=192.168.144.0/24
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment="www" dst-address=!192.168.144.1 dst-address-type=local dst-port=80 protocol=tcp to-addresses=192.168.144.22 to-ports=80
 
kusmierz
just joined
Topic Author
Posts: 8
Joined: Sun May 09, 2021 9:06 am

Re: Hairpin issue @RB5009 on 7.1

Mon Feb 14, 2022 3:00 pm

> Not that it may make a difference, but worth a shot... change the order and modify the rule...

Tried it already with a bunch of other modifications too, but I reconfigured it as you mentioned, just in case I missed something yesterday. Same story, it doesn't work :(
 
kusmierz
just joined
Topic Author
Posts: 8
Joined: Sun May 09, 2021 9:06 am

Re: Hairpin issue @RB5009 on 7.1

Mon Feb 14, 2022 4:24 pm

I set `use-ip-firewall=no` from `/interface bridge settings` and voila! It's working now! :D
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Hairpin issue @RB5009 on 7.1

Mon Feb 14, 2022 6:03 pm

Good, because that is not a very common functionality people use.
 
kusmierz
just joined
Topic Author
Posts: 8
Joined: Sun May 09, 2021 9:06 am

Re: Hairpin issue @RB5009 on 7.1

Mon Feb 14, 2022 10:20 pm

What do you mean? I thought it would turn off the whole firewall feature (no, obviously it didn't). What does it do exactly?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Hairpin issue @RB5009 on 7.1

Mon Feb 14, 2022 10:48 pm

It takes packets that are bridged (e.g. when you have one LAN spanning multiple ports and there's communication between a device connected to one port and another device connected to a different one), which the IP firewall doesn't normally see, and runs them through the IP firewall as if they were routed. Not something you need often. It's a big change in how things work, and if you enable it without knowing what it does, the results can be unexpected.
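An added example, not from the thread, that pulls the pieces of the fix together: the bridge setting kusmierz changed, the NAT rules in the order anav suggested, and two console commands to confirm the hairpin rule is now matching. Addresses, interface-list names and the bridge name are the thread's. The hairpin rule is narrowed to the forwarded server and port (my change, so that only hairpinned connections are masqueraded rather than every LAN-sourced flow the router happens to route), and the verification lines assume the standard RouterOS `print stats` and `print where` console syntax.

```routeros
# Added example (not from the thread). Assumes the thread's addressing:
# LAN 192.168.144.0/24, router LAN address .1, web server .22,
# interface list WAN for the uplink, bridge br-lan for the LAN ports.

/interface bridge settings
# Keep bridged LAN-to-LAN traffic in the bridge. Pushing it through the IP
# firewall (use-ip-firewall=yes) is what stopped the hairpin rule matching
# on 7.1 in this thread; switch it on only when you need to filter
# port-to-port traffic inside one bridge and know the side effects.
set use-ip-firewall=no use-ip-firewall-for-vlan=no

/ip firewall nat
# 1. Hairpin. srcnat runs after dstnat, so dst-address here is the already
#    translated server address. Masquerade rewrites the client's source to
#    the router's LAN address (.1), so the server's reply goes back via the
#    router and is un-NATed, instead of arriving at the client directly from
#    .22, which the client's connection would not recognise.
add chain=srcnat action=masquerade comment=HairpinNat \
    src-address=192.168.144.0/24 dst-address=192.168.144.22 \
    protocol=tcp dst-port=80
# 2. Normal outbound masquerade for Internet-bound traffic.
add chain=srcnat action=masquerade out-interface-list=WAN
# 3. Port forward. dst-address-type=local matches any address owned by the
#    router (the public WAN address included); excluding .1 keeps the
#    router's own LAN-side services (winbox/ssh/http) out of the forward.
add chain=dstnat action=dst-nat comment=www \
    dst-address-type=local dst-address=!192.168.144.1 \
    protocol=tcp dst-port=80 to-addresses=192.168.144.22 to-ports=80

# Verification, from a LAN client that browses to the router's public
# address: the hairpin rule's packet counter must rise from 0, and the
# connection entry shows the translated server address as destination
# with the router's LAN address as reply destination.
/ip firewall nat print stats where comment=HairpinNat
/ip firewall connection print where dst-address~"192.168.144.22:80"
```

If the HairpinNat counter stays at 0 while the www rule's counter rises, the client's packets are reaching dstnat but not srcnat, which is the symptom the thread traces to `use-ip-firewall=yes`; if neither counter moves, the client is not hitting a router-local address at all and the dstnat match should be checked first.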
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Hairpin issue @RB5009 on 7.1

Mon Feb 14, 2022 11:04 pm

What he said LOL. I just stick to the normal firewall rules section for firewall rules. :-)
