Community discussions

MikroTik App
 
robertEIT
Member Candidate
Member Candidate
Topic Author
Posts: 110
Joined: Tue Sep 08, 2015 6:16 pm

Port forward issue - is this hairpin NAT?

Fri Nov 13, 2015 11:48 pm

Hi,
I'm pulling my hair here.

So I have this config

WAN is ether1 on PPPoE with fixed public IP

LAN is 192.168.1.0/24 with bridge-local, eth2,3,4 and wlan, DHCP, everything OK.

I have a DVR with a fixed IP, 192.168.1.150, port 3333.

I did forward the port 3333 using:
chain - dstnat
protocol - tcp
dst port - 3333
in-interface - pppoe-out1
action - dst-nat
to-address - 192.168.1.150
to ports - 3333

If I try to access my public WAN IP:3333 or my Mikrotik free cloud dns name while connected to a different network providing Internet, it works, the port forwarding is ok and I can get to my DVR, but If I try to access my DVR using my public WAN IP:3333 or mikrotik cloud dns name while I'm connected to my local LAN via ethernet or wifi it fails! I can access the dvr using the internal ip, 192.168.1.150:3333 though.
I want to be able to access the DVR using the public wan IP\cloud dns name even if I'm connected to my local LAN.

Do I need to set up some hairpin nat rules?

I am on 6.25 hAP.
 
skuykend
Member Candidate
Member Candidate
Posts: 270
Joined: Tue Oct 06, 2015 7:28 am

Re: Port forward issue - is this hairpin NAT?

Sat Nov 14, 2015 10:37 am

Yes, that's what hairpin NAT is for.

You need to remove the in-interface filter from your dstnat and put in dst-address-type=local instead. This is because your hairpin traffic won't be actually coming in the PPPoE interface.

Then add a second hairpin rule to fix certain tcp reply's:
/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 \
  dst-address=192.168.1.150 protocol=tcp dst-port=3333 \
  out-interface=bridge-local action=masquerade 
 
robertEIT
Member Candidate
Member Candidate
Topic Author
Posts: 110
Joined: Tue Sep 08, 2015 6:16 pm

Re: Port forward issue - is this hairpin NAT?

Sat Nov 14, 2015 2:01 pm

Yes, that's what hairpin NAT is for.

You need to remove the in-interface filter from your dstnat and put in dst-address-type=local instead. This is because your hairpin traffic won't be actually coming in the PPPoE interface.

Then add a second hairpin rule to fix certain tcp reply's:
/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 \
  dst-address=192.168.1.150 protocol=tcp dst-port=3333 \
  out-interface=bridge-local action=masquerade 
Yep, that seems to work :).

Now, what if I want to portforward multiple ports, do I have to make two rules for each port, or can I specify multiple ports inside one rule?

For example I want, ports 631, 3333 and 37777 to > 192.168.1.150 631, 3333, 37777
 
skuykend
Member Candidate
Member Candidate
Posts: 270
Joined: Tue Oct 06, 2015 7:28 am

Re: Port forward issue - is this hairpin NAT?

Mon Nov 16, 2015 10:37 am

If it's to the same host and protocol (tcp/udp) you can specify multiple port numbers with either a comma or dash for ranges.

Who is online

Users browsing this forum: ivicask, jvanhambelgium, sindy, yapmeo and 85 guests