evince
Member
Topic Author
Posts: 355
Joined: Thu Jul 05, 2012 12:11 pm
Location: Harzé - Belgique

[SOLVED] HAIRPIN NAT not working

Fri Apr 29, 2016 10:53 am

Hi all, I'm facing an issue with hairpin NAT.

I have a basic setup (from scratch).

Local LAN: 192.168.88.0/24
Gateway: 192.168.88.1
WAN via PPPoE (IP 100.100.100.100)
Version: 6.35

I have a NAT rule for direct access to a camera, and it is working from outside. But if I try to reach it from my local LAN via its WAN IP (http://100.100.100.100), it does not work.

As before, I added a NAT rule:

/ip firewall nat
add chain=srcnat src-address=192.168.88.0/24 \
dst-address=192.168.88.238 protocol=tcp dst-port=80 \
out-interface=bridge-local action=masquerade

I do not have a drop rule in the forward chain. I cannot see any packets hitting my rule (it is in first position).

It was working with previous versions of MikroTik.

Any help would be appreciated.

Thank you in advance,

Kind Regards,
Last edited by evince on Fri Apr 29, 2016 3:45 pm, edited 3 times in total.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: HAIRPIN NAT not working

Fri Apr 29, 2016 2:00 pm

Post also your dstnat rule.
 
evince
Member
Topic Author
Posts: 355
Joined: Thu Jul 05, 2012 12:11 pm
Location: Harzé - Belgique

Re: HAIRPIN NAT not working

Fri Apr 29, 2016 2:27 pm

Hello, here it is:

/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.88.129 src-address=192.168.88.0/24
add action=masquerade chain=srcnat out-interface=pppoe-explore src-address=192.168.88.0/24
add action=dst-nat chain=dstnat dst-port=80 in-interface=pppoe-explore protocol=tcp to-addresses=192.168.88.129 to-ports=80

Thank you
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: HAIRPIN NAT not working

Fri Apr 29, 2016 3:09 pm

Your rule has in-interface=pppoe-explore. It won't match connections coming from LAN. Change it to:

dst-address-type=local dst-address=!192.168.88.1
 
evince
Member
Topic Author
Posts: 355
Joined: Thu Jul 05, 2012 12:11 pm
Location: Harzé - Belgique

Re: HAIRPIN NAT not working

Fri Apr 29, 2016 3:16 pm

Hello, this rule is there to access the camera from outside (pppoe-explore).
 
evince
Member
Topic Author
Posts: 355
Joined: Thu Jul 05, 2012 12:11 pm
Location: Harzé - Belgique

Re: HAIRPIN NAT not working

Fri Apr 29, 2016 3:19 pm

> Your rule has in-interface=pppoe-explore. It won't match connections coming from LAN. Change it to:
>
> dst-address-type=local dst-address=!192.168.88.1

OK, I've added a new rule with your settings and it is working now, thank you :)

Can you explain to me why a simple hairpin NAT rule does not work anymore?
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: HAIRPIN NAT not working

Fri Apr 29, 2016 3:29 pm

You need only one port forwarding rule (dstnat); if you now have two, you can remove the old one. The hairpin NAT rule (srcnat) worked fine, but it was not given any chance to do anything if port forwarding was limited to pppoe-explore as the source interface.
 
evince
Member
Topic Author
Posts: 355
Joined: Thu Jul 05, 2012 12:11 pm
Location: Harzé - Belgique

Re: HAIRPIN NAT not working

Fri Apr 29, 2016 3:43 pm

OK, thank you very much for your great help ;)
 
iviyan
just joined
Posts: 7
Joined: Tue Apr 26, 2016 9:44 pm

Re: [SOLVED] HAIRPIN NAT not working

Mon May 02, 2016 10:45 pm

Thanks from me too!!
 
jhgorse
just joined
Posts: 4
Joined: Thu Apr 03, 2014 5:22 pm

Re: [SOLVED] HAIRPIN NAT not working

Thu Jul 14, 2016 12:37 am

FWIW, I had been wrestling with this issue for years and finally got it thanks to this thread. For completeness, here is an actual working hairpin NAT with port forwarding configuration:

The first srcnat rule is the local-to-internet masquerade. The second srcnat rule is the local-to-local masquerade. The dstnat rule forwards local and external traffic to port 1234 of external_ip to 192.168.88.120:1234.
/ip firewall nat export
# jul/13/2016 17:35:49 by RouterOS 6.27
# software id = A7N0-8U7V
#
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="hairpin nat" dst-address=!192.168.88.1 src-address=192.168.88.0/24
...
add action=dst-nat chain=dstnat dst-address=!192.168.88.1 dst-address-type=local dst-port=1234 log-prefix="" protocol=tcp to-addresses=192.168.88.120 to-ports=\
    1234
 
maximino
just joined
Posts: 3
Joined: Sun Sep 11, 2016 8:18 pm

Re: [SOLVED] HAIRPIN NAT not working

Mon Sep 12, 2016 11:20 pm

Thanks jhgorse, your last post saved me lots of time!
 
GoodBoy
just joined
Posts: 5
Joined: Tue Apr 25, 2017 2:52 am

Re: [SOLVED] HAIRPIN NAT not working

Thu Apr 27, 2017 3:58 am

Replaced my 8-year-old D-Link router with a new RouterBoard running v6.38.5. Got it working; the wifi is all set up and secured. The basics are all good to go.
So far I've read the hairpin NAT wiki and a few other various posts.

Added 2 NAT rules as specified in the wiki, but the webserver is still being blocked on port 8080. The webserver is configured to run on both 80 and 8080. Using the local ip:80 it comes right up. The local ip:8080, nothing. It also runs a dynamic DNS service and is configured to point to my public ip:8080, since Cox doesn't allow outbound port 80. Incoming 8080 traffic to my internet IP needs to be routed to the webserver on the 192 network, same port 8080.

Tried this rule first:
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=8080 in-interface=ether1 protocol=tcp to-addresses=192.168.0.200 to-ports=8080

Anyway, this didn't work. Then I read the hairpin NAT wiki. It has 2 rules, the first being very similar to the above, with the addition of
dst-address=(my public ip)
and the removal of
to-ports=8080
for the first rule, and a second rule of
add chain=srcnat out-interface=ether1 action=masquerade
Added the second rule. Still no luck, even on the local ip:8080. I've tried it both with and without the to-ports setting. Doesn't work either way.

So then I found this thread, which looks promising. I am not using PPPoE, so perhaps copying it nearly verbatim is my issue. Here is my current config after updating the NAT rules:

[admin@MikroTik] > ip firewall nat export
# apr/26/2017 19:49:55 by RouterOS 6.38.5
# software id = T5XA-V4CM
#
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
add action=masquerade chain=srcnat comment="Hairpin Nat" dst-address=!192.168.0.1 src-address=\
192.168.0.0/24
add action=dst-nat chain=dstnat comment="8080 Forward to webserver" dst-address=!192.168.0.1 \
dst-address-type=local dst-port=8080 protocol=tcp to-addresses=192.168.0.200 to-ports=8080

The differences I can see are that there is no "in-interface" specified, and the dst-address is a "not equal" entry. Hoping someone can help me get this working :)
 
GoodBoy
just joined
Posts: 5
Joined: Tue Apr 25, 2017 2:52 am

Re: [SOLVED] HAIRPIN NAT not working

Sat Apr 29, 2017 1:58 am

Turns out my rules above were good. The webserver wasn't serving on 8080 for some reason... When it didn't work locally on 8080, I thought the firewall was blocking it between the ethernet ports.

Changed my to-ports to 80, works fine now.
 
User avatar
borr
just joined
Posts: 20
Joined: Wed May 18, 2016 10:23 pm

Re: [SOLVED] HAIRPIN NAT not working

Sun Jun 11, 2017 11:32 pm

Hello, I've got the same problem. I'd like to scan my MikroTik router's public IP. But every time I run nmap it shows the open ports of the LAN interface, not the WAN interface.

Here are my ip firewall nat rules:
chain=srcnat action=masquerade src-address-list=portlane out-interface=portlane 
chain=srcnat action=masquerade out-interface=eth1-gw
out-interface=portlane -- vpn tunnel
out-interface=eth1-gw -- isp port

Reading this https://wiki.mikrotik.com/wiki/Hairpin_NAT I've decided to add:
chain=srcnat action=masquerade src-address=10.2.0.0/22 dst-address=10.2.0.1 out-interface=bridge
10.2.0.0/22 -- LAN
10.2.0.1 -- mikrotik router

But it doesn't work. Could you please point out where I'm mistaken? Thanks in advance.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: [SOLVED] HAIRPIN NAT not working

Mon Jun 12, 2017 1:15 am

You have some internal server with address 10.2.0.X and one or more dstnat rules to forward traffic from the public address to 10.2.0.X, right? If so, you want dst-address=10.2.0.X in your last rule. If it does not help, post more info (exact dstnat rule(s), additional details about what exactly you are trying to do, etc.).
 
borr
just joined
Posts: 20
Joined: Wed May 18, 2016 10:23 pm

Re: [SOLVED] HAIRPIN NAT not working

Mon Jun 12, 2017 11:59 am

> You have some internal server with address 10.2.0.X and one or more dstnat rules to forward traffic from public address to 10.2.0.X, right? If so, you want dst-address=10.2.0.X in your last rule. If it does not help, post more info (exact dstnat rule(s), additional details about what exactly are you trying to do, etc...).

Hello Sob.
There are only two rules, to redirect all DNS requests to the MikroTik:
chain=dstnat action=dst-nat to-addresses=10.2.0.1 to-ports=53 protocol=tcp in-interface=bridge dst-port=53 log=no log-prefix="" 
chain=dstnat action=dst-nat to-addresses=10.2.0.1 to-ports=53 protocol=udp in-interface=bridge dst-port=53 log=no log-prefix=""
The point is, I'd like to be able to scan my MikroTik router's external interface from any LAN client.
Exactly, I'd like to run nmap -sS -Pn -vvv -O external_ip and see the external interface, not the 10.2.0.1 I see now with open tcp/80 and tcp/8291 ports. And pointing at the internal 10.2.0.1 IP I'd like to see all open ports as they should be.
nmap -sS -Pn -vvv -O external_ip
This should allow me to see all ports on the external interface of the MikroTik.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: [SOLVED] HAIRPIN NAT not working

Mon Jun 12, 2017 3:13 pm

I don't think you can do that. If you have some service running on the router (e.g. WinBox on tcp/8291), it's listening on all addresses/interfaces. Even if you limit allowed client addresses in "/ip services", it won't allow you to connect from elsewhere, but the port will still show as open from everywhere. And if you block incoming connections from the internet using the firewall (e.g. /ip firewall filter add chain=input protocol=tcp dst-port=8291 in-interface=WAN), so that no one from the internet will be able to connect, you'll get false results when testing from LAN, because no matter what you do, in-interface will be LAN and the rule won't match. In short, if you want to reliably test what's available from outside, you need to do it from outside.
 
borr
just joined
Posts: 20
Joined: Wed May 18, 2016 10:23 pm

Re: [SOLVED] HAIRPIN NAT not working

Mon Jun 12, 2017 9:15 pm

> I don't think you can do that. If you have some service running on router (e.g. WinBox on tcp/8291), it's listening on all addresses/interfaces. Even if you limit allowed client addresses in "/ip services", it won't allow you to connect from elsewhere, but port will still show as open from everywhere. And if you block incoming connections from internet using firewall (e.g. /ip firewall filter add chain=input protocol=tcp dst-port=8291 in-interface=WAN), so that no one from internet will be able to connect, you'll get false results when testing from LAN, because no matter what you do, in-interface will be LAN and rule won't match. In short, if you want to reliably test what's available from outside, you need to do it from outside.

Thank you Sob, but it's rather strange; I'm sure I could do this even on basic Tomato firmware on a Linksys WRT54GL, for example: one checkbox named "NAT loopback" and it works.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: [SOLVED] HAIRPIN NAT not working

Mon Jun 12, 2017 9:42 pm

A quick Google search gave me this, and that's exactly what you can do with hairpin NAT in RouterOS.

It's when you have some internal service (e.g. a webserver), want it available from the internet (so you forward a port from the public address to the internal one), and you also want to be able to connect to this server using the public address from a client in the same LAN as the server. It doesn't work by default, and the wiki page you found explains why and how to fix it.

But when you don't have any such internal server, this functionality can't do anything useful for you.
 
Dutchman
just joined
Posts: 5
Joined: Fri Oct 19, 2018 4:15 pm

Re: [SOLVED] HAIRPIN NAT not working

Fri Oct 19, 2018 4:48 pm

Good day guys,
Sorry to wake up an old post, but I have a similar problem, except I am running through 2 routers.
My setup is like the following: "I actually have 3 internet routers for fail-over, all on Eth1 - Eth3 of my Office MikroTik, and routes for the fail-over, but I am sure if I can get the main one working the others will be easy and probably work without any additional config"

Mikrotik 1 Internet:
IP -> 192.168.1.1
Internet -> PPPoE with static public address of 169.255.XXX.XXX

Mikrotik 2 Office:
IP -> 192.168.230.1
IP of Eth1 connecting to Mikrotik 1 -> 192.168.1.2
Network 1 -> 192.168.230.0/24 "for all static devices like cameras and servers"
Network 2 -> 192.168.220.0/24 "for all devices like phones and laptops that connect to our wireless"

I have my DNS set up on the IP/Cloud feature pointing to Mikrotik 1, and all my servers and cameras which need to be reached from outside are working like they should with no issues. The only problem I am having is configuring the hairpin NAT rule so that devices inside our office on the 192.168.220.0/24 network, and also the 192.168.230.0/24 servers, can reach our other services and cams using the DNS name and corresponding port.
Can someone maybe guide me in the right direction :)

Thank you
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: [SOLVED] HAIRPIN NAT not working

Sat Oct 20, 2018 8:00 pm

> Can someone maybe guide me in the right direction :)

Someone can, but someone needs to see your current configuration to find and tell you where the small mistake is. Follow the guideline in my automatic signature to stay anonymous if it is important for you.
 
Dutchman
just joined
Posts: 5
Joined: Fri Oct 19, 2018 4:15 pm

Re: [SOLVED] HAIRPIN NAT not working

Mon Oct 22, 2018 8:36 am

Good day, thank you. Here is my config.
/interface ethernet
set [ find default-name=ether1 ] comment="--> CC INTERNET ROUTER" speed=100Mbps
set [ find default-name=ether2 ] comment="--> AXXESS INTERNET ROUTER" speed=100Mbps
set [ find default-name=ether3 ] comment="--> RAIN INTERNET ROUTER" speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=swi-1
set [ find default-name=ether7 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=swi-2
/ip pool
add name=default-dhcp ranges=192.168.230.60-192.168.230.254
add name=office-dhcp ranges=192.168.220.10-192.168.220.254
/ip dhcp-server
add address-pool=office-dhcp disabled=no interface=bridge lease-time=2d name=defconf
/interface bridge port
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7
/ip address
add address=192.168.230.1/24 comment=defconf interface=bridge network=192.168.230.0
add address=192.168.220.1/24 comment=defconf interface=bridge network=192.168.220.0
add address=192.168.1.2/24 interface=ether1 network=192.168.1.0
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=ether3 use-peer-dns=no use-peer-ntp=no
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=ether2 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.220.0/24 comment=defconf dns-server=8.8.4.4,8.8.8.8 gateway=192.168.220.1 ntp-server=196.10.52.57,197.82.150.123
add address=192.168.230.0/24 comment="Static Devices Only" gateway=192.168.230.1 ntp-server=196.10.52.57,197.82.150.123
/ip dns
set allow-remote-requests=yes servers=8.8.4.4,8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" disabled=yes dst-address=192.168.1.1 src-address=192.168.230.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade_CC" out-interface=ether1
add action=masquerade chain=srcnat comment="defconf: masquerade_AXXESS" out-interface=ether2
add action=masquerade chain=srcnat comment="defconf: masquerade_RAIN" out-interface=ether3
add action=dst-nat chain=dstnat comment="Foscam C1 Workshop" dst-address=!192.168.230.1 dst-address-type=local dst-port=15001 protocol=tcp to-addresses=192.168.230.59 to-ports=88
/ip route
add check-gateway=ping comment="INTERNET VIA CC" distance=1 gateway=8.8.4.4
add check-gateway=ping comment="INTERNET VIA AXXESS LTE FAILOVER" distance=2 \
    gateway=208.67.222.222
add check-gateway=ping comment="INTERNET VIA RAIN LTE FAILOVER" distance=3 \
    gateway=8.8.8.8
add comment="FAILOVER ROUTE CC" distance=1 dst-address=8.8.4.4/32 gateway=\
    192.168.1.1 scope=10
add comment="FAILOVER ROUTE RAIN" distance=1 dst-address=8.8.8.8/32 gateway=\
    192.168.8.1 scope=10
add comment="FAILOVER ROUTE AXXESS" distance=1 dst-address=208.67.222.222/32 \
    gateway=192.168.250.1 scope=10
Thank you for the assistance.
 
Dutchman
just joined
Posts: 5
Joined: Fri Oct 19, 2018 4:15 pm

Re: [SOLVED] HAIRPIN NAT not working

Tue Oct 23, 2018 3:09 pm

Hi all,
I have found the solution by following this guide by Steveocee on YouTube.
https://www.youtube.com/watch?v=_kw_bQyX-3U
It works now without any problems from all my connections if they fail over.

Thank you
 
ahmedalshibani
just joined
Posts: 3
Joined: Mon Dec 03, 2018 4:18 am

Re: [SOLVED] HAIRPIN NAT not working

Mon Dec 03, 2018 4:32 am

Hi Dutchman

My whole configuration is like yours; I have two MikroTiks also and I watched the video, but I still can't access my IP camera from outside.

Can you show me your configuration and how you did it?
 
eliasbats
just joined
Posts: 12
Joined: Thu May 11, 2017 6:22 pm

Re: [SOLVED] HAIRPIN NAT not working

Sun Jan 12, 2020 12:46 pm

I preferred Dutchman's solution and it worked fine.
 
Shy
Member Candidate
Member Candidate
Posts: 243
Joined: Sat Jun 13, 2020 8:17 am

Re: [SOLVED] HAIRPIN NAT not working

Thu Jul 16, 2020 9:32 am

> FWIW, I had been wrestling with this issue for years and finally got it thanks to this thread. For completeness, here is an actual working hairpin nat with port forwarding configuration:
>
> The first src-nat is the local-to-internet masquerade. Second src-nat is local-to-local masquerade. The dst-nat forwards local and external traffic to port 1234 of external_ip to 192.168.88.120:1234.
> /ip firewall nat export
> # jul/13/2016 17:35:49 by RouterOS 6.27
> # software id = A7N0-8U7V
> #
> /ip firewall nat
> add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway to-addresses=0.0.0.0
> add action=masquerade chain=srcnat comment="hairpin nat" dst-address=!192.168.88.1 src-address=192.168.88.0/24
> ...
> add action=dst-nat chain=dstnat dst-address=!192.168.88.1 dst-address-type=local dst-port=1234 log-prefix="" protocol=tcp to-addresses=192.168.88.120 to-ports=\
>     1234

Thank you so much, it helped me.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: [SOLVED] HAIRPIN NAT not working

Thu Jul 16, 2020 3:55 pm

The second rule is not exactly correct. It will work, but it will also unnecessarily masquerade connections to other local subnets, remote VPN subnets, etc. In other words, everything from 192.168.88.0/24 to anywhere will be masqueraded. The condition dst-address=!192.168.88.1 is useless, because if it's the router's own address, anything going to this address can never end up in the srcnat chain, so the negative condition will always be true.

What you really want is:
/ip firewall nat
add action=masquerade chain=srcnat comment="hairpin nat" dst-address=192.168.88.0/24 src-address=192.168.88.0/24
So anything going from the local subnet back to the same local subnet.
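To make Sob's two explanations concrete (the earlier one, that a dstnat rule with in-interface=pppoe-explore is never given a chance to match LAN traffic so the hairpin srcnat rule never fires, and this one, that dst-address=!192.168.88.1 in srcnat is always true and the masquerade should be limited to the LAN subnet), here is an added Python model of how RouterOS walks dstnat, routing and srcnat. It is not MikroTik code and not from any post in this thread; the 10.10.0.0/24 VPN subnet, the interface addresses, the 192.168.88.50 and 203.0.113.9 client addresses and the rule evaluation itself are constructed simplifications. It also reproduces Sob's point further up that an input filter keyed on the WAN interface cannot be verified by scanning from the LAN.

```python
# Added example, not MikroTik's code and not from any post in this thread: a toy model of how
# RouterOS walks dstnat -> routing -> srcnat. It shows why an in-interface=pppoe-explore forward
# never sees LAN traffic, why the hairpin masquerade is needed, why dst-address=192.168.88.0/24
# beats dst-address=!192.168.88.1 in that srcnat rule, and why an input filter keyed on the WAN
# interface cannot be tested from the LAN. VPN subnet, interface and client addresses are constructed.
import ipaddress
from dataclasses import dataclass, replace

LAN = ipaddress.ip_network("192.168.88.0/24")
VPN = ipaddress.ip_network("10.10.0.0/24")            # assumed remote VPN subnet (constructed)
IFACE_ADDR = {"bridge-local": "192.168.88.1",          # address masquerade picks per out-interface
              "pppoe-explore": "100.100.100.100",
              "vpn-tunnel": "10.10.0.1"}
ROUTER_ADDRS = set(IFACE_ADDR.values())                # what dst-address-type=local means here

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str
    out_iface: str = ""

def _addr_match(spec, addr):
    """RouterOS-style address/prefix matcher with optional leading '!' negation."""
    negate = spec.startswith("!")
    inside = ipaddress.ip_address(addr) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return inside != negate

def matches(rule, pkt):
    """A rule matches when every matcher it specifies holds; absent matchers match anything."""
    if rule.get("in-interface", pkt.in_iface) != pkt.in_iface:
        return False
    if rule.get("out-interface", pkt.out_iface) != pkt.out_iface:
        return False
    if rule.get("dst-port", pkt.dport) != pkt.dport:
        return False
    if "dst-address-type" in rule and (rule["dst-address-type"] == "local") != (pkt.dst in ROUTER_ADDRS):
        return False
    if "src-address" in rule and not _addr_match(rule["src-address"], pkt.src):
        return False
    if "dst-address" in rule and not _addr_match(rule["dst-address"], pkt.dst):
        return False
    return True

def first_hit(rules, pkt):
    """First matching rule of a chain, or None (chains are evaluated top-down)."""
    return next((r for r in rules if matches(r, pkt)), None)

def route(pkt):
    """Minimal routing table: LAN via the bridge, VPN via the tunnel, everything else via PPPoE."""
    dst = ipaddress.ip_address(pkt.dst)
    out = "bridge-local" if dst in LAN else "vpn-tunnel" if dst in VPN else "pppoe-explore"
    return replace(pkt, out_iface=out)

def nat(dstnat_rules, srcnat_rules, pkt):
    """Return (packet after NAT, dstnat rule hit or None, srcnat rule hit or None)."""
    d = first_hit(dstnat_rules, pkt)
    if d:
        pkt = replace(pkt, dst=d["to-addresses"], dport=d.get("to-ports", pkt.dport))
    pkt = route(pkt)
    s = None
    # Traffic still addressed to the router itself goes to the input chain and never reaches
    # srcnat, so a dst-address=!<router address> condition in srcnat can never be false.
    if pkt.dst not in ROUTER_ADDRS:
        s = first_hit(srcnat_rules, pkt)
        if s:                                          # masquerade: source becomes the out-interface address
            pkt = replace(pkt, src=IFACE_ADDR[pkt.out_iface])
    return pkt, d, s

def reply_bypasses_router(p):
    """True when server and (possibly rewritten) client share the LAN and the client address is not
    the router's: the server answers the client directly, but the client is waiting for an answer
    from 100.100.100.100, so the TCP handshake fails. Hairpin masquerade makes this False."""
    return ipaddress.ip_address(p.src) in LAN and ipaddress.ip_address(p.dst) in LAN \
        and p.src not in ROUTER_ADDRS

def input_filter_blocks(filter_rules, pkt):
    """Would an input-chain drop rule fire for this probe of the router itself?"""
    return first_hit(filter_rules, pkt) is not None

# Rule sets in the thread's own vocabulary (protocol=tcp omitted; the model is TCP-only).
FORWARD_WAN_ONLY = [{"in-interface": "pppoe-explore", "dst-port": 80,
                     "to-addresses": "192.168.88.129", "to-ports": 80}]      # evince's original
FORWARD_ANY_SIDE = [{"dst-address-type": "local", "dst-address": "!192.168.88.1", "dst-port": 80,
                     "to-addresses": "192.168.88.129", "to-ports": 80}]      # Sob's replacement
HAIRPIN_BROAD = [{"src-address": "192.168.88.0/24", "dst-address": "!192.168.88.1"}]
HAIRPIN_NARROW = [{"src-address": "192.168.88.0/24", "dst-address": "192.168.88.0/24"}]
INPUT_DROP_FROM_WAN = [{"in-interface": "pppoe-explore", "dst-port": 8291}]   # filter, chain=input

LAN_TO_PUBLIC = Packet("192.168.88.50", "100.100.100.100", 80, "bridge-local")   # LAN host, own public IP
WAN_TO_PUBLIC = Packet("203.0.113.9", "100.100.100.100", 80, "pppoe-explore")    # visitor from the internet
LAN_TO_VPN = Packet("192.168.88.50", "10.10.0.5", 443, "bridge-local")           # unrelated LAN-to-VPN flow
LAN_PROBE_8291 = Packet("192.168.88.50", "100.100.100.100", 8291, "bridge-local") # LAN host checks public IP

if __name__ == "__main__":
    for name, rules in (("in-interface forward", FORWARD_WAN_ONLY), ("local forward", FORWARD_ANY_SIDE)):
        out, d, _ = nat(rules, HAIRPIN_NARROW, LAN_TO_PUBLIC)
        print(f"{name}: dstnat hit={d is not None}, dst={out.dst}, src={out.src}")
    print("WAN-only input drop fires for LAN probe:", input_filter_blocks(INPUT_DROP_FROM_WAN, LAN_PROBE_8291))
```

Run it directly to print the outcomes. The thing to notice is that without the hairpin masquerade the forwarded packet reaches the camera with the LAN client's own source address, so the camera answers the client directly; the client is waiting for an answer from 100.100.100.100 and drops the connection. With the narrow rule only LAN-to-LAN flows are rewritten, while the broad rule also masquerades the LAN-to-VPN flow, which is what Sob objects to.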
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: [SOLVED] HAIRPIN NAT not working

Thu Jul 16, 2020 6:57 pm

> Second rule is not exactly correct. It will work, but it will also unnecessarily masquerade connections to other local subnets, remote VPN subnets, etc. In other words, everything from 192.168.88.0/24 to anywhere will be masqueraded. Condition dst-address=!192.168.88.1 is useless, because if it's router's own address, anything going to this address can never end up in srcnat chain, so the negative condition will always be true.
>
> What you really want is:
> /ip firewall nat
> add action=masquerade chain=srcnat comment="hairpin nat" dst-address=192.168.88.0/24 src-address=192.168.88.0/24
> So anything going from local subnet back to same local subnet.

Sob, he was already informed of the correct structure and even at least three methods of achieving success (if using a dynamic WAN IP) on his original thread, so you are wasting your precious keyboard (MTBF keyboard strokes LOL).
