rodrigobenta
just joined
Topic Author
Posts: 23
Joined: Wed Sep 13, 2017 10:55 pm

HAIRPIN HAT not working

Tue Oct 31, 2017 1:01 am

Here is my config. I can access it via the internet, but not from the local LAN! Can someone help me?

add action=dst-nat chain=dstnat comment="OPEN 443 WEB, RULE 25-40 PACKETS PER SECOND" dst-address-type="" dst-limit=25,40,dst-address/1m dst-port=443 \
in-interface=all-ethernet log=yes log-prefix="WEB CONNECTION" protocol=tcp to-addresses=192.168.10.10 to-ports=443
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.10.10 to-ports=80

I added these two last, after 230942 attempts to make it work, but it is still wrong.

add action=masquerade chain=srcnat dst-address=192.168.10.10 dst-address-type="" protocol=tcp src-address=192.168.10.0/24
add action=masquerade chain=srcnat dst-address=192.168.10.1 dst-address-type=local protocol=tcp
 
baragoon
Frequent Visitor
Posts: 91
Joined: Thu Jan 05, 2017 10:38 am
Location: Kyiv, UA

Re: HAIRPIN HAT not working

Tue Oct 31, 2017 8:49 am

try to add this one
/ip firewall nat add action=netmap chain=dstnat dst-address=WAN_IP dst-port=443,80 protocol=tcp to-addresses=192.168.10.10
 
rodrigobenta
just joined
Topic Author
Posts: 23
Joined: Wed Sep 13, 2017 10:55 pm

Re: HAIRPIN HAT not working

Tue Oct 31, 2017 3:45 pm

try to add this one
/ip firewall nat add action=netmap chain=dstnat dst-address=WAN_IP dst-port=443,80 protocol=tcp to-addresses=192.168.10.10
Thanks for your reply, but I still cannot enter from the local LAN. I can from outside the office.
 
BartoszP
Forum Guru
Posts: 1621
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: HAIRPIN HAT not working

Tue Oct 31, 2017 4:16 pm

Read this post and the thread quoted in it: viewtopic.php?f=2&t=126724&p=623599#p623599

or directly this: viewtopic.php?f=2&t=102483&p=508981#p508981
Real admins use real keyboards.
 
Anumrak
Forum Veteran
Posts: 863
Joined: Fri Jul 28, 2017 2:53 pm

Re: HAIRPIN HAT not working

Tue Oct 31, 2017 4:21 pm

after you dst-nat from global to LAN, add these 2 rules:
ip firewall nat
add action=dst-nat chain=dstnat dst-address="your global IP" dst-port=80 in-interface="LAN interface for your web server"
protocol=tcp src-address=192.168.10.0/24 to-addresses=192.168.10.10 to-ports=80
add action=masquerade chain=srcnat dst-address=192.168.10.10 dst-port=80 out-interface="LAN interface for your web server" protocol=tcp src-address=192.168.10.0/24
 
BartoszP
Forum Guru
Posts: 1621
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: HAIRPIN HAT not working

Tue Oct 31, 2017 4:43 pm

It is better to do src-nat with a specified IP instead of masquerade.
 
rodrigobenta
just joined
Topic Author
Posts: 23
Joined: Wed Sep 13, 2017 10:55 pm

Re: HAIRPIN HAT not working

Tue Oct 31, 2017 4:46 pm

after you dst-nat from global to LAN, add these 2 rules:
ip firewall nat
add action=dst-nat chain=dstnat dst-address="your global IP" dst-port=80 in-interface="LAN interface for your web server"
protocol=tcp src-address=192.168.10.0/24 to-addresses=192.168.10.10 to-ports=80
add action=masquerade chain=srcnat dst-address=192.168.10.10 dst-port=80 out-interface="LAN interface for your web server" protocol=tcp src-address=192.168.10.0/24

Still not working :S. Thanks dude.
 
rodrigobenta
just joined
Topic Author
Posts: 23
Joined: Wed Sep 13, 2017 10:55 pm

Re: HAIRPIN HAT not working

Tue Oct 31, 2017 4:49 pm

It is better to do src-nat with specified IP instead of masquarade.
how would you change what he said?

Also I tried this:
add action=masquerade chain=srcnat comment="Hairpin NAT Masq" disabled=yes out-interface=ether1 src-address-list=Local
add action=netmap chain=dstnat disabled=yes dst-address="wanip" dst-port=443,80 protocol=tcp src-address-list=\
Local to-addresses=192.168.10.10

And there, if I look at the packets, they start to flush, but I still cannot reach the site.
 
Anumrak
Forum Veteran
Posts: 863
Joined: Fri Jul 28, 2017 2:53 pm

Re: HAIRPIN HAT not working

Tue Oct 31, 2017 5:01 pm

Set only three rules. Simple dst-nat for connectivity from Internet and my previous 2 rules to hook the global IP from LAN. With this setup I have web access to web resource with global IP from LAN.
First rule is
ip firewall nat
add action=dst-nat chain=dstnat dst-port=80 in-interface="your global interface"
protocol=tcp to-addresses=192.168.10.10 to-ports=80
 
rodrigobenta
just joined
Topic Author
Posts: 23
Joined: Wed Sep 13, 2017 10:55 pm

Re: HAIRPIN HAT not working

Tue Oct 31, 2017 5:49 pm

Set only three rules. Simple dst-nat for connectivity from Internet and my previous 2 rules to hook the global IP from LAN. With this setup I have web access to web resource with global IP from LAN.
First rule is
ip firewall nat
add action=dst-nat chain=dstnat dst-port=80 in-interface="your global interface"
protocol=tcp to-addresses=192.168.10.10 to-ports=80


OK my friend, now I have only these rules enabled.
/ip firewall nat
1 chain=dstnat action=dst-nat to-addresses=192.168.10.10 to-ports=443 protocol=tcp dst-address-type=local in-interface=ether1 dst-port=443
dst-limit=25,40,dst-address/1m log=yes log-prefix="WEB CONNECTION"

9 chain=dstnat action=dst-nat to-addresses=192.168.10.10 to-ports=443 protocol=tcp src-address=192.168.10.0/24 dst-address="GLOBAL IP" in-interface=ether1
dst-port=443

10 chain=srcnat action=masquerade protocol=tcp src-address=192.168.10.0/24 dst-address=192.168.10.10 out-interface=ether1 dst-port=443

Not working, I don't know why.
 
Anumrak
Forum Veteran
Posts: 863
Joined: Fri Jul 28, 2017 2:53 pm

Re: HAIRPIN HAT not working

Tue Oct 31, 2017 5:52 pm

Is ether1 the LAN interface or the WAN?
Your rules 9 and 10 must have the LAN interface: rule 9 as in, rule 10 as out.
 
rodrigobenta
just joined
Topic Author
Posts: 23
Joined: Wed Sep 13, 2017 10:55 pm

Re: HAIRPIN HAT not working

Tue Oct 31, 2017 6:08 pm

Is ether1 the LAN interface or the WAN?
Your rules 9 and 10 must have the LAN interface: rule 9 as in, rule 10 as out.

ether1 is my WAN, but if I put the etherX where I have my server, it doesn't let me finish the rule; an error pops out.
 
Anumrak
Forum Veteran
Posts: 863
Joined: Fri Jul 28, 2017 2:53 pm

Re: HAIRPIN HAT not working

Tue Oct 31, 2017 6:17 pm

Is ether1 the LAN interface or the WAN?
Your rules 9 and 10 must have the LAN interface: rule 9 as in, rule 10 as out.

ether1 is my WAN, but if I put the etherX where I have my server, it doesn't let me finish the rule; an error pops out.
What rule exactly? Maybe your LAN interface belongs to some master port or bridge? Then you need to point to this bridge or master port in rules 9 and 10. Or you have to extract this port from the bridge or slave entity. You have to point to the LAN interface of your web server, otherwise you can't establish the hairpin NAT mechanic.
 
rodrigobenta
just joined
Topic Author
Posts: 23
Joined: Wed Sep 13, 2017 10:55 pm

Re: HAIRPIN HAT not working

Tue Oct 31, 2017 6:31 pm

Is ether1 the LAN interface or the WAN?
Your rules 9 and 10 must have the LAN interface: rule 9 as in, rule 10 as out.

ether1 is my WAN, but if I put the etherX where I have my server, it doesn't let me finish the rule; an error pops out.
What rule exactly? Maybe your LAN interface belongs to some master port or bridge? Then you need to point to this bridge or master port in rules 9 and 10. Or you have to extract this port from the bridge or slave entity. You have to point to the LAN interface of your web server, otherwise you can't establish the hairpin NAT mechanic.

Now you say that, I have this rule, created by MikroTik itself; I never wrote this.
chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""
 
Anumrak
Forum Veteran
Posts: 863
Joined: Fri Jul 28, 2017 2:53 pm

Re: HAIRPIN HAT not working

Tue Oct 31, 2017 6:34 pm

Is ether1 the LAN interface or the WAN?
Your rules 9 and 10 must have the LAN interface: rule 9 as in, rule 10 as out.

ether1 is my WAN, but if I put the etherX where I have my server, it doesn't let me finish the rule; an error pops out.
What rule exactly? Maybe your LAN interface belongs to some master port or bridge? Then you need to point to this bridge or master port in rules 9 and 10. Or you have to extract this port from the bridge or slave entity. You have to point to the LAN interface of your web server, otherwise you can't establish the hairpin NAT mechanic.

Now you say that, I have this rule, created by MikroTik itself; I never wrote this.
chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""
I'm talking about rules 9 and 10 only. Forget about the classic masquerade. Change the interfaces on them.
 
rodrigobenta
just joined
Topic Author
Posts: 23
Joined: Wed Sep 13, 2017 10:55 pm

Re: HAIRPIN HAT not working  [SOLVED]

Tue Oct 31, 2017 7:34 pm

Is ether1 the LAN interface or the WAN?
Your rules 9 and 10 must have the LAN interface: rule 9 as in, rule 10 as out.

ether1 is my WAN, but if I put the etherX where I have my server, it doesn't let me finish the rule; an error pops out.
What rule exactly? Maybe your LAN interface belongs to some master port or bridge? Then you need to point to this bridge or master port in rules 9 and 10. Or you have to extract this port from the bridge or slave entity. You have to point to the LAN interface of your web server, otherwise you can't establish the hairpin NAT mechanic.

Now you say that, I have this rule, created by MikroTik itself; I never wrote this.
chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""
I'm talking about rules 9 and 10 only. Forget about the classic masquerade. Change the interfaces on them.

Man, you are a f********ng GOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOD! If I could, I would go to you and give you a hug, man, haha
 
Anumrak
Forum Veteran
Posts: 863
Joined: Fri Jul 28, 2017 2:53 pm

Re: HAIRPIN HAT not working

Tue Oct 31, 2017 7:48 pm

You're welcome :D
 
emrah
just joined
Posts: 10
Joined: Fri Jan 12, 2018 11:42 am

Re: HAIRPIN HAT not working

Fri Jan 12, 2018 10:06 pm

I have exactly the same problem as @rodrigobenta.
I've tried a lot of solutions from Google search and MikroTik forum search.
Man, you are a f********ng GOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOD! If I could, I would go to you and give you a hug, man, haha
@rodrigobenta, please share all your rules with me. I want to give a hug too :)
I'm talking about rules 9 and 10 only. Forget about the classic masquerade. Change the interfaces on them.
@Anumrak, your solution has not worked for me.

I want to reach the local server (192.168.0.52) in the local network (my local IP: 192.168.0.165) via the external IP (1.1.1.10). (My external IP is static.)
When I try to reach (1.1.1.10) from outside the network (e.g. 2.2.2.2) -> SUCCESS
When I try to reach (192.168.0.52) from inside the network (192.168.0.165) -> SUCCESS
When I try to reach (1.1.1.10) from inside the network (192.168.0.165) -> FAIL : ERR_CONNECTION_REFUSED

RouterOS 6.40.1
RouterBOARD 3011UiAS


/ip firewall nat export
add action=masquerade chain=srcnat dst-address=192.168.0.52 dst-port=629 out-interface=Local protocol=tcp src-address=192.168.0.0/24
add action=dst-nat chain=dstnat dst-address=1.1.1.10 dst-port=629 in-interface=Local protocol=tcp src-address=192.168.0.0/24 to-addresses=192.168.0.52 to-ports=629
add action=masquerade chain=srcnat out-interface=RADIO-LINK src-address=192.168.0.0/24
add action=dst-nat chain=dstnat dst-port=629 in-interface=RADIO-LINK protocol=tcp to-addresses=192.168.0.52 to-ports=629


/interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
 #     NAME          TYPE    ACTUAL-MTU  L2MTU  MAX-L2MTU
 0  R  ;;; [ETH1]-LINK_GIRIS
       RADIO-LINK    ether         1500   1598       8156
 1  R  ;;; [ETH2]-VDSL_GIRIS
       VDSL-ETH      ether         1500   1598       8156
 2  S  ether3        ether         1500   1598       8156
 3  S  ether4        ether         1500   1598       8156
 4  S  ether5        ether         1500   1598       8156
 5  RS ether6        ether         1500   1598       8156
 6  RS ether7        ether         1500   1598       8156
 7  RS ether8        ether         1500   1598       8156
 8  S  ether9        ether         1500   1598       8156
 9  S  ether10       ether         1500   1598       8156
10     sfp1          ether         1500   1600       8158
11  R  ;;; [ETH3-ETH10]-LOCAL_NETWORK_192.168.0.1/24
       Local         bridge        1500   1598

/ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS          NETWORK      INTERFACE
 0   1.1.1.10/30      1.1.1.8      RADIO-LINK
 1   10.1.1.121/24    10.1.1.0     VDSL-ETH
 2   192.168.0.1/24   192.168.0.0  Local

I have 2 internet inputs (load balancing in the local network).
RADIO-LINK connects on port 1 directly.
RADIO-LINK's static IP is 1.1.1.10.
VDSL-ETH connects on port 2 over an ADSL modem.

The MikroTik support team in my country (TR) says this is not possible. But I can see from videos and forum posts that it can be done.

Is it possible? Where am I making mistakes?
 
sindy
Forum Guru
Posts: 2512
Joined: Mon Dec 04, 2017 9:19 pm

Re: HAIRPIN HAT not working

Fri Jan 12, 2018 11:45 pm

In your /ip firewall nat export, I can see you translate the source IP of the TCP requests, coming from your local subnet and forwarded to the server at 192.168.0.52, to Mikrotik's own IP address using the following rule:
add action=masquerade chain=srcnat dst-address=192.168.0.52 dst-port=629 out-interface=Local protocol=tcp src-address=192.168.0.0/24
This forces the server at 192.168.0.52 to send the response to Mikrotik rather than directly to the client (which would normally be the case as the client and the server are in the same subnet).

But even though the response packet is forced through Mikrotik this way, the client in 192.168.0.0/24 still gets the response from 192.168.0.52 while it has sent its request to 1.1.1.10, which may confuse it. Now a srcnat rule implicitly creates, thanks to "connection tracking", an equivalent of a dstnat rule for the opposite direction, so the Mikrotik changes the destination IP in the received response from its own one to that of the real client. However, I'm not sure the same is the case for dstnat rules. So I would manually add another srcnat rule, mirroring the dstnat one which would translate the destination IP of the request from 1.1.1.10 to 192.168.0.52:
add chain=srcnat src-address=192.168.0.52 protocol=tcp src-port=629 out-interface=Local action=srcnat to-addresses=1.1.1.10 to-ports=629
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
emrah
just joined
Posts: 10
Joined: Fri Jan 12, 2018 11:42 am

Re: HAIRPIN HAT not working

Sat Jan 13, 2018 1:04 am

So I would manually add another srcnat rule, mirroring the dstnat one which would translate the destination IP of the request from 1.1.1.10 to 192.168.0.52:
I added this src-nat rule too. Should I remove the dst-nat rule?

All of the rules are like this (the bold line is the newly added one):

add action=masquerade chain=srcnat dst-address=192.168.0.52 dst-port=629 out-interface=Local protocol=tcp src-address=192.168.0.0/24
add action=dst-nat chain=dstnat dst-address=1.1.1.10 dst-port=629 in-interface=Local protocol=tcp src-address=192.168.0.0/24 to-addresses=192.168.0.52 to-ports=629
add action=masquerade chain=srcnat out-interface=RADIO-LINK src-address=192.168.0.0/24
add action=dst-nat chain=dstnat dst-port=629 in-interface=RADIO-LINK protocol=tcp to-addresses=192.168.0.52 to-ports=629
add action=src-nat chain=srcnat out-interface=Local protocol=tcp src-address=192.168.0.52 src-port=629 to-addresses=1.1.1.10 to-ports=629


Unfortunately it is still not working :(

When I check with torch, only 1 packet shows, then connection refused. The red area is RADIO-LINK's external IP (e.g. 1.1.1.10).
[attachment: mikrotik-nat-problem-20180113.PNG]
 
sindy
Forum Guru
Posts: 2512
Joined: Mon Dec 04, 2017 9:19 pm

Re: HAIRPIN HAT not working

Sun Jan 14, 2018 9:54 pm

I've tried to implement a subset of your scenario. My PC is connected to the LAN interface of a RB, and the gateway to the internet is connected to the WAN interface of the same RB. There already was a srcnat masquerade rule on the WAN interface, and I've added a dstnat rule for ssh (protocol=tcp, dst-port 22) for dst-address matching the WAN IP of the RB which redirects the packet to the internet gateway. This rule alone was enough to log in to the internet gateway from a PC in the LAN subnet when indicating RB's WAN IP as destination and, noteworthy, to translate the source address of the TCP response from the internet gateway to RB's WAN IP when forwarding the response to the PC. So the dst-nat rule automatically works as src-nat in the opposite direction for related packets. The nat configuration and the resulting connection look as follows:

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
add action=dst-nat chain=dstnat dst-address=192.168.5.173 dst-port=22 protocol=tcp to-addresses=192.168.5.1

/ip firewall connection print detail where src-address~":22" || dst-address~":22" || reply-src-address~":22" || reply-dst-address~":22" 
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat 
 0  SAC Fsd protocol=tcp src-address=192.168.88.253:54434 dst-address=192.168.5.173:22 reply-src-address=192.168.5.1:22
  reply-dst-address=192.168.5.173:54434 tcp-state=established timeout=23h45m orig-packets=18 orig-bytes=2 356 orig-fasttrack-packets=0
  orig-fasttrack-bytes=0 repl-packets=19 repl-bytes=2 893 repl-fasttrack-packets=9 repl-fasttrack-bytes=1 713 orig-rate=0bps repl-rate=0bps
So "normally", i.e. when the client and server are connected to different subnets and different physical ports, these two rules alone are sufficient to make things work properly - at TCP level, both the server and the client think they talk to the RouterBoard, and connection tracking handles that as a single connection. So the srcnat rule I've suggested before is redundant, and the reason why it does not work in your scenario is different. Can you please paste here the export of your "/ip firewall filter" rules? If they are not responsible, then it must be the hairpinning itself, but it does not seem logical to me.
 
Anumrak
Forum Veteran
Posts: 863
Joined: Fri Jul 28, 2017 2:53 pm

Re: HAIRPIN HAT not working

Mon Jan 15, 2018 10:14 am

add action=src-nat chain=srcnat out-interface=Local protocol=tcp src-address=192.168.0.52 src-port=629 to-addresses=1.1.1.10 to-ports=629
Wrong idea.

You need only 4 NAT rules:
1) Classic masquerade for your local network in order to go to Internet;
2) Destination NAT IN rule for your provider interface in order to get access to your web server from outside;
3) Destination NAT IN rule for your LAN interface in order to translate IP packets from global destination to local destination;
4) Source NAT OUT rule for your LAN interface in order to translate IP packets from local source ip to your router's IP.

And the absence of other firewall rules which can collide with the packet flow.
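The four rules above, and sindy's earlier point that connection tracking reverses a NAT translation for the reply, can be checked in a small model. The following is an added example written for this thread, not code from the forum or from MikroTik; it simulates a RouterOS-style dstnat/srcnat pass with a conntrack table on the topology from emrah's posts (router 192.168.0.1 on bridge "Local", public 1.1.1.10 on RADIO-LINK, server 192.168.0.52:629). The interface names, the client port and the "REFUSED"/"RST" strings are constructed for the model. It reproduces the three outcomes seen in the thread: a client on the internet, a LAN client with all four rules, a LAN client without rule 4 (the server answers the client directly from its real address, so the client resets), and rodrigobenta's original mistake of putting the WAN interface in rule 3.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed topology matching emrah's post (values are assumptions of this model).
WAN_IFACE, LAN_IFACE = "RADIO-LINK", "Local"
WAN_IP, ROUTER_LAN_IP = "1.1.1.10", "192.168.0.1"
SERVER_IP, SERVER_PORT = "192.168.0.52", 629
LAN_PREFIX = "192.168.0."


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # "SYN", "SYN,ACK" or "RST"
    iface: str      # interface the router received it on (or sends it out)


def on_lan(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


class Router:
    """Anumrak's four NAT rules plus connection tracking. Rule 3's in-interface and the
    presence of rule 4 are parameters so the thread's failure modes can be reproduced."""

    def __init__(self, lan_dstnat_iface: str = LAN_IFACE, hairpin_srcnat: bool = True):
        self.lan_dstnat_iface = lan_dstnat_iface
        self.hairpin_srcnat = hairpin_srcnat
        # reply 4-tuple (src, sport, dst, dport) -> ((new src, sport), (new dst, dport))
        self.conntrack: dict[tuple, tuple] = {}

    def forward(self, p: Packet) -> Packet | None:
        entry = self.conntrack.get((p.src, p.sport, p.dst, p.dport))
        if entry is not None:
            # Reply of a tracked connection: conntrack undoes both the dst-nat and the
            # src-nat of the original direction, so no explicit reverse rule is needed.
            (src, sport), (dst, dport) = entry
            return Packet(src, sport, dst, dport, p.flags, LAN_IFACE if on_lan(dst) else WAN_IFACE)

        # dstnat chain: rule 2 (provider interface) and rule 3 (LAN interface, hairpin)
        dst, dport = p.dst, p.dport
        from_wan = p.iface == WAN_IFACE
        hairpin = p.iface == self.lan_dstnat_iface and p.dst == WAN_IP and on_lan(p.src)
        if p.dport == SERVER_PORT and (from_wan or hairpin):
            dst = SERVER_IP
        if dst in (WAN_IP, ROUTER_LAN_IP):
            return None  # nothing translated it: the SYN lands in the router's own input chain

        # srcnat chain: rule 1 (masquerade towards the provider) and rule 4 (hairpin src-nat)
        src, sport = p.src, p.sport
        out_iface = LAN_IFACE if on_lan(dst) else WAN_IFACE
        if out_iface == WAN_IFACE and on_lan(p.src):
            src = WAN_IP
        elif out_iface == LAN_IFACE and self.hairpin_srcnat and dst == SERVER_IP and on_lan(p.src):
            src = ROUTER_LAN_IP

        self.conntrack[(dst, dport, src, sport)] = ((p.dst, p.dport), (p.src, p.sport))
        return Packet(src, sport, dst, dport, p.flags, out_iface)


def deliver(router: Router, p: Packet) -> Packet | None:
    """LAN delivery: a frame for another host in 192.168.0.0/24 goes straight to it and the
    router never sees it; anything else (router IPs, remote hosts) is routed by the router."""
    if on_lan(p.dst) and p.dst != ROUTER_LAN_IP:
        return p
    return router.forward(p)


def attempt(client_ip: str, client_iface: str, lan_dstnat_iface: str = LAN_IFACE,
            hairpin_srcnat: bool = True, client_port: int = 54434) -> str:
    """Open one TCP connection from client_ip to WAN_IP:629 and report what the client sees."""
    router = Router(lan_dstnat_iface, hairpin_srcnat)
    syn = Packet(client_ip, client_port, WAN_IP, SERVER_PORT, "SYN", client_iface)
    at_server = router.forward(syn)
    if at_server is None or at_server.dst != SERVER_IP:
        return "REFUSED: SYN was not dst-natted and hit the router's own input chain"
    # The server answers whatever address the SYN appeared to come from.
    synack = Packet(SERVER_IP, SERVER_PORT, at_server.src, at_server.sport, "SYN,ACK", LAN_IFACE)
    at_client = deliver(router, synack)
    if at_client is None:
        return "DROPPED: the router had no conntrack entry for the reply"
    if (at_client.src, at_client.sport) != (WAN_IP, SERVER_PORT):
        return f"RST: SYN,ACK came from {at_client.src}, client expected {WAN_IP}"
    return "ESTABLISHED"


if __name__ == "__main__":
    print("from internet       :", attempt("2.2.2.2", WAN_IFACE))
    print("hairpin, 4 rules    :", attempt("192.168.0.195", LAN_IFACE))
    print("hairpin, no rule 4  :", attempt("192.168.0.195", LAN_IFACE, hairpin_srcnat=False))
    print("rule 3 on WAN iface :", attempt("192.168.0.195", LAN_IFACE, lan_dstnat_iface=WAN_IFACE))
```

The model deliberately lets a LAN-to-LAN frame bypass the router, because that is the physical reason rule 4 exists: without it the server's SYN,ACK never passes the router, so the conntrack entry created by rule 3 is never consulted and the client sees a reply from an address it never contacted.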
 
emrah
just joined
Posts: 10
Joined: Fri Jan 12, 2018 11:42 am

Re: HAIRPIN HAT not working

Mon Jan 15, 2018 11:38 am

Can you please paste here the export of your "/ip firewall filter" rules?
Here are my firewall filters:
ordinary drop-port rules for each in-interface
;;; PROXY-ATAK-DROP
chain=input action=drop protocol=tcp in-interface=RADIO-LINK dst-port=8080 log=no 
log-prefix="" 

;;; PROXY-ATAK-DROP
chain=input action=drop protocol=tcp in-interface=VDSL-ETH dst-port=8080 log=no 
log-prefix="" 

;;; DNS-ATAK-DROP
chain=input action=drop protocol=tcp in-interface=VDSL-ETH dst-port=53 log=no 
log-prefix="" 

;;; DNS-ATAK-DROP
chain=input action=drop protocol=tcp in-interface=RADIO-LINK dst-port=53 log=no 
log-prefix=""
 
sindy
Forum Guru
Posts: 2512
Joined: Mon Dec 04, 2017 9:19 pm

Re: HAIRPIN HAT not working

Mon Jan 15, 2018 11:50 am

If the firewall were preventing the client on the LAN from connecting to the server, also on the LAN, redirected from the WAN IP of the Mikrotik, rules in the filter chain "forward" would be responsible. So if no such rules exist, the reason must be different. I'll rearrange my test setup a bit to fully match yours and see what happens.
 
emrah
just joined
Posts: 10
Joined: Fri Jan 12, 2018 11:42 am

Re: HAIRPIN HAT not working

Mon Jan 15, 2018 1:08 pm

add action=src-nat chain=srcnat out-interface=Local protocol=tcp src-address=192.168.0.52 src-port=629 to-addresses=1.1.1.10 to-ports=629
Wrong idea.

You need only 4 NAT rules:
1) Classic masquerade for your local network in order to go to Internet;
2) Destination NAT IN rule for your provider interface in order to get access to your web server from outside;
3) Destination NAT IN rule for your LAN interface in order to translate IP packets from global destination to local destination;
4) Source NAT OUT rule for your LAN interface in order to translate IP packets from local source ip to your router's IP.

And absence of different firewall rules which can do collision of packets flow.
Hi Anumrak, for your 4 described rules, I checked my rules again. Now my rules are like this:

1) Classic masquerade for your local network in order to go to Internet;
add action=masquerade chain=srcnat out-interface=RADIO-LINK src-address=192.168.0.0/24

2) Destination NAT IN rule for your provider interface in order to get access to your web server from outside;
add action=dst-nat chain=dstnat dst-port=629 in-interface=RADIO-LINK protocol=tcp to-addresses=192.168.0.52 to-ports=629

3) Destination NAT IN rule for your LAN interface in order to translate IP packets from global destination to local destination;
add action=dst-nat chain=dstnat dst-address=1.1.1.10 dst-port=629 in-interface=Local protocol=tcp src-address=192.168.0.0/24 to-addresses=192.168.0.52 to-ports=629

4) Source NAT OUT rule for your LAN interface in order to translate IP packets from local source ip to your router's IP.
add action=src-nat chain=srcnat out-interface=Local protocol=tcp src-address=192.168.0.52 src-port=629 to-addresses=1.1.1.10 to-ports=629

Still it is not working :(

In the torch tool, only the "Local" interface catches packets. (I guess this is normal.)
[attachment: mikrotik-nat-problem-20180115-2.PNG]
[attachment: mikrotik-nat-problem-20180115-1.PNG]
 
Anumrak
Forum Veteran
Posts: 863
Joined: Fri Jul 28, 2017 2:53 pm

Re: HAIRPIN HAT not working

Mon Jan 15, 2018 1:21 pm

What is the device 192.168.0.52?
 
emrah
just joined
Posts: 10
Joined: Fri Jan 12, 2018 11:42 am

Re: HAIRPIN HAT not working

Mon Jan 15, 2018 2:02 pm

What is the device 192.168.0.52?
This is the server which I want to reach in local network.

I want to reach the local server (192.168.0.52) in the local network (my local IP: 192.168.0.195) via the external IP (1.1.1.10). (My external IP is static.)
When I try to reach (1.1.1.10) from outside the network (e.g. 2.2.2.2) -> SUCCESS
When I try to reach (192.168.0.52) from inside the network (192.168.0.195) -> SUCCESS
When I try to reach (1.1.1.10) from inside the network (192.168.0.195) -> FAIL : ERR_CONNECTION_REFUSED
 
Anumrak
Forum Veteran
Posts: 863
Joined: Fri Jul 28, 2017 2:53 pm

Re: HAIRPIN HAT not working

Mon Jan 15, 2018 2:12 pm

What is the device 192.168.0.52?
This is the server which I want to reach in local network.

I want to reach the local server (192.168.0.52) in the local network (my local IP: 192.168.0.195) via the external IP (1.1.1.10). (My external IP is static.)
When I try to reach (1.1.1.10) from outside the network (e.g. 2.2.2.2) -> SUCCESS
When I try to reach (192.168.0.52) from inside the network (192.168.0.195) -> SUCCESS
When I try to reach (1.1.1.10) from inside the network (192.168.0.195) -> FAIL : ERR_CONNECTION_REFUSED
What exactly is this server? Does it have iptables or something?
 
emrah
just joined
Posts: 10
Joined: Fri Jan 12, 2018 11:42 am

Re: HAIRPIN HAT not working

Mon Jan 15, 2018 4:01 pm

What exactly is this server? Does it have iptables or something?
This is a QNAP NAS server.
OS: QTS 4.3.4.0.4.35

In the web panel, it has no iptables configuration. It has only TCP/IP network configuration.
[attachment: mikrotik-nat-problem-20180115-3.PNG]
 
sindy
Forum Guru
Posts: 2512
Joined: Mon Dec 04, 2017 9:19 pm

Re: HAIRPIN HAT not working

Mon Jan 15, 2018 4:36 pm

Instead of torch, use packet sniffing to file and Wireshark to see what the response from the server was. At this stage we need to know whether the Mikrotik rejects the TCP session establishment or the server does. @Anumrak's question expresses a suspicion that the server may refuse requests coming from Mikrotik's own address (which is the case when the client connects to 1.1.1.10 and Mikrotik does a dst-nat and src-nat while forwarding the request) while it accepts requests coming from another address in the same subnet (which is the case when the client connects to 192.168.0.52 which means that routing and all firewall rules on Mikrotik are bypassed).
 
emrah
just joined
Posts: 10
Joined: Fri Jan 12, 2018 11:42 am

Re: HAIRPIN HAT not working

Mon Jan 15, 2018 6:03 pm

Wireshark result with filter (port 629) from the client (192.168.0.195).
[attachment: mikrotik-nat-problem-20180115-4.PNG]
 
Anumrak
Forum Veteran
Posts: 863
Joined: Fri Jul 28, 2017 2:53 pm

Re: HAIRPIN HAT not working

Tue Jan 16, 2018 11:22 am

You have TCP Reset segments. They are transmitted because of a wrong or non-existing connection. Try hairpinning to something else in your LAN.
 
sindy
Forum Guru
Posts: 2512
Joined: Mon Dec 04, 2017 9:19 pm

Re: HAIRPIN HAT not working

Tue Jan 16, 2018 12:19 pm

What I can see in the capture is that the initial SYN packet from the client goes to the public address, but the response SYN,ACK from the server comes from the real address of the server, which makes the client send a RST as the SYN,ACK comes from an unexpected source. So the src-nat action (not necessarily rule!) in the server->client direction fails.

@emrah, I assume the client and the server are connected directly to RouterBoard's physical ports, or, if some other switching gear is between them and the RouterBoard, that it is possible for you to re-arrange cabling in such a way that the client is connected through one physical port of the RouterBoard and the server through another one. Once you are sure that the physical path between the client and server goes through the RouterBoard, sniff at both ports simultaneously. And set a display filter "tcp.port == 629 or icmp" when taking the screenshot of the result in Wireshark.

Either one of your NAT rules does not work as expected (maybe because connection tracking does not work), or the RouterBoard sends an icmp redirect to the server when it finds out that it should forward a packet to the same subnet from which it has arrived, so the server re-sends the packet directly to the client.
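The reading of the capture above (SYN sent to the public address, SYN,ACK returned from the server's real address, client answers with RST) can be automated so that a capture taken on the client distinguishes the three cases this thread has run into: a reply from the wrong source (hairpin src-nat not applied), an outright RST from the address the client contacted (nothing dst-natted the SYN, or nothing is listening), and a clean handshake. The script below is an added example, not code from the thread or from any MikroTik tool; the packet list is constructed in the shape of a text export of Wireshark's packet list, and the verdict strings and the triage() name are the example's own.

```python
from __future__ import annotations
import re

# Constructed sample, laid out like a Wireshark packet-list text export:
# No.  Time      Source         Destination    Proto Info
CAPTURE = """\
1  0.000000  192.168.0.195  1.1.1.10       TCP  54434 > 629 [SYN] Seq=0
2  0.000412  192.168.0.52   192.168.0.195  TCP  629 > 54434 [SYN, ACK] Seq=0 Ack=1
3  0.000455  192.168.0.195  192.168.0.52   TCP  54434 > 629 [RST] Seq=1
4  1.000000  192.168.0.195  1.1.1.10       TCP  54435 > 629 [SYN] Seq=0
5  1.000390  1.1.1.10       192.168.0.195  TCP  629 > 54435 [RST, ACK] Seq=0 Ack=1
6  2.000000  192.168.0.195  1.1.1.10       TCP  54436 > 629 [SYN] Seq=0
7  2.000300  1.1.1.10       192.168.0.195  TCP  629 > 54436 [SYN, ACK] Seq=0 Ack=1
8  2.000350  192.168.0.195  1.1.1.10       TCP  54436 > 629 [ACK] Seq=1 Ack=1
"""

# No., time, source, destination, "TCP", sport > dport, [flags]
LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+TCP\s+(\d+)\s*>\s*(\d+)\s+\[([^\]]+)\]")


def parse(text: str) -> list[dict]:
    """Turn the packet-list lines into dicts; lines that do not match are ignored."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            no, _time, src, dst, sport, dport, flags = m.groups()
            rows.append({"no": int(no), "src": src, "dst": dst, "sport": int(sport),
                         "dport": int(dport), "flags": {f.strip() for f in flags.split(",")}})
    return rows


def triage(text: str, server_port: int) -> dict[int, str]:
    """For every SYN towards server_port, find the first reply to the client's port and
    classify the handshake by who answered and from which address. Keyed by client port."""
    rows = parse(text)
    findings: dict[int, str] = {}
    for syn in (r for r in rows if r["flags"] == {"SYN"} and r["dport"] == server_port):
        client, cport, target = syn["src"], syn["sport"], syn["dst"]
        reply = next((r for r in rows if r["no"] > syn["no"] and r["dst"] == client
                      and r["dport"] == cport and r["sport"] == server_port), None)
        if reply is None:
            verdict = "no reply: SYN dropped or never forwarded"
        elif "RST" in reply["flags"]:
            verdict = f"refused by {reply['src']} (RST): nothing listening or SYN not dst-natted"
        elif "SYN" in reply["flags"] and reply["src"] != target:
            verdict = (f"hairpin src-nat missing: SYN sent to {target} but SYN,ACK came "
                       f"from {reply['src']}; the client answers with RST")
        else:
            verdict = "handshake ok"
        findings[cport] = verdict
    return findings


if __name__ == "__main__":
    for port, verdict in sorted(triage(CAPTURE, 629).items()):
        print(f"client port {port}: {verdict}")
```

Run against a real export, the only fields the parser relies on are the packet number, the two addresses, the "sport > dport" pair and the bracketed flag list, so a capture taken with sindy's suggested "tcp.port == 629" filter on the client is enough; ICMP redirects, which sindy also mentions as a candidate cause, would show up as non-matching lines and need a separate check.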
