Community discussions

 
MikroTikFan
Member Candidate
Member Candidate
Topic Author
Posts: 196
Joined: Sat Aug 02, 2014 1:13 am

Hairpin NAT configuration

Sun May 15, 2016 3:46 pm

net1.png
Please help me to find reason why my router do not goes to external domains locally.
chain=srcnat action=masquerade out-interface=pppoe-out log=no log-prefix="" 
chain=dstnat action=dst-nat to-addresses=192.168.100.210 protocol=tcp dst-address=192.168.111.111 dst-port=80 log=no log-prefix="" 
chain=dstnat action=dst-nat to-addresses=192.168.100.2   protocol=tcp dst-address=192.168.111.111 dst-port=487 log=no log-prefix="" 
chain=srcnat action=masquerade src-address=192.168.100.0/24 dst-address=192.168.20.100.0/24 out-interface=pppoe-out1 log=no log-prefix="" 
My domain www.domain1.com is working fine but from outside of my network.

The problem is why domain www.domain1.com is not working from my local network.
You do not have the required permissions to view the files attached to this post.
 
Sob
Forum Guru
Forum Guru
Posts: 4812
Joined: Mon Apr 20, 2009 9:11 pm

Re: Hairpin NAT configuration

Sun May 15, 2016 4:36 pm

The last rule is obviously wrong:

- dst-address=192.168.20.100.0/24 doesn't really need an explanation :)
- it can't have out-interface=pppoe-out1 if it's supposed to do hairpin NAT, the correct interface would be bridge-local

But if your WAN address is really 192.168.111.111, i.e. non-public one, your problem is elsewhere. Either haipin NAT must be done by the router with public address used by your domain, or you must create another set of dstnat rules on your router with dst-address=<public address>, to catch packets early and don't let them go out.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
MikroTikFan
Member Candidate
Member Candidate
Topic Author
Posts: 196
Joined: Sat Aug 02, 2014 1:13 am

Re: Hairpin NAT configuration

Sun May 15, 2016 5:37 pm

The last rule is obviously wrong:

- dst-address=192.168.20.100.0/24 doesn't really need an explanation :)
- it can't have out-interface=pppoe-out1 if it's supposed to do hairpin NAT, the correct interface would be bridge-local

But if your WAN address is really 192.168.111.111, i.e. non-public one, your problem is elsewhere. Either haipin NAT must be done by the router with public address used by your domain, or you must create another set of dstnat rules on your router with dst-address=<public address>, to catch packets early and don't let them go out.
Sorry for wrong example address 192.168.111.111- this should be any external IP 192.162.150.20
Last rule should be ?
chain=srcnat action=masquerade out-interface=pppoe-out log=no log-prefix="" 
chain=dstnat action=dst-nat to-addresses=192.168.100.210 protocol=tcp dst-address=192.162.150.20 dst-port=80 log=no log-prefix="" 
chain=dstnat action=dst-nat to-addresses=192.168.100.2   protocol=tcp dst-address=192.162.150.20 dst-port=487 log=no log-prefix="" 
chain=srcnat action=masquerade src-address=192.168.100.0/24 out-interface=bridge-local log=no log-prefix="" 
>??

Can you please put correct rule ?
 
Sob
Forum Guru
Forum Guru
Posts: 4812
Joined: Mon Apr 20, 2009 9:11 pm

Re: Hairpin NAT configuration

Sun May 15, 2016 6:16 pm

What you have should work. If it doesn't, make sure you allow packets from bridge-local to bridge-local in forward chain.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
MikroTikFan
Member Candidate
Member Candidate
Topic Author
Posts: 196
Joined: Sat Aug 02, 2014 1:13 am

Re: Hairpin NAT configuration

Sun May 15, 2016 7:50 pm

The problem is that this config doesn't work and I can't open this web page from internal network.

I'm not sure what you mean to allow packets from bridge-local to bridge-local in forward chain
chain=forward action=accept in-interface=bridge-local out-interface=bridge-local log=no log-prefix="" 
This is that rule ?
 
Senux
newbie
Posts: 33
Joined: Wed Jun 30, 2010 6:19 pm

Re: Hairpin NAT configuration

Sun May 15, 2016 8:26 pm

This is DNS problem. You must add DNS static record with server name and IP in router. Network clients must use local DNS server in router as primary.
 
MikroTikFan
Member Candidate
Member Candidate
Topic Author
Posts: 196
Joined: Sat Aug 02, 2014 1:13 am

Re: Hairpin NAT configuration

Sun May 15, 2016 9:14 pm

Can I configure not only DNS local records in ip dns static but also different dns for different URL ?
 
Senux
newbie
Posts: 33
Joined: Wed Jun 30, 2010 6:19 pm

Re: Hairpin NAT configuration

Sun May 15, 2016 9:47 pm

Can I configure not only DNS local records in ip dns static but also different dns for different URL ?
Different dns server for different url? why? Local DNS server will forward dns requests to external if it has not corresponding record.
 
MikroTikFan
Member Candidate
Member Candidate
Topic Author
Posts: 196
Joined: Sat Aug 02, 2014 1:13 am

Re: Hairpin NAT configuration

Sun May 15, 2016 10:11 pm

Different because of using DNS services for using different area restricted services for some web pages ;-)
 
Senux
newbie
Posts: 33
Joined: Wed Jun 30, 2010 6:19 pm

Re: Hairpin NAT configuration

Mon May 16, 2016 12:11 pm

Different because of using DNS services for using different area restricted services for some web pages ;-)
Too complicated, IMHO. How do you react if user will use externall dns, for example google? Simplicity is the power - why do not block by IP address?
 
MikroTikFan
Member Candidate
Member Candidate
Topic Author
Posts: 196
Joined: Sat Aug 02, 2014 1:13 am

Re: Hairpin NAT configuration

Mon May 16, 2016 3:23 pm

I just wondering if in my case the only one solution is to use local DNS services ?
This situation should be quite popular if someone is providing web services.
How do you react if user will use externall dns, for example google
Yes I'm blocking google dns and most other dns services.
 
Sob
Forum Guru
Forum Guru
Posts: 4812
Joined: Mon Apr 20, 2009 9:11 pm

Re: Hairpin NAT configuration

Mon May 16, 2016 4:23 pm

Haipin NAT works too. If it still doesn't (btw, that forward rule was ok), it must be something small, rules in wrong order or something like that.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
MikroTikFan
Member Candidate
Member Candidate
Topic Author
Posts: 196
Joined: Sat Aug 02, 2014 1:13 am

Re: Hairpin NAT configuration

Mon May 16, 2016 5:43 pm

Can you please add info which is right order ?
 
Sob
Forum Guru
Forum Guru
Posts: 4812
Joined: Mon Apr 20, 2009 9:11 pm

Re: Hairpin NAT configuration

Mon May 16, 2016 6:17 pm

Not really, it depends on your firewall setup, I have no idea what you have there. Firewall rules are processed in order, so if you want to allow something, it must happen before other rule explicitly blocks it.

Check wiki and understand what exactly happens with addresses when packets goes through router. Then just watch what happens on your router. RouterOS is great in this regard, every rule has live counters, you can add extra logging rules to prerouting, forward or postrouting, to more easily and reliably see what happens, what goes where, etc.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
Kim
just joined
Posts: 17
Joined: Fri Mar 01, 2013 9:05 pm

Re: Hairpin NAT configuration

Sat May 21, 2016 11:12 am

Check wiki and understand what exactly happens with addresses when packets goes through router. Then just watch what happens on your router. RouterOS is great in this regard, every rule has live counters, you can add extra logging rules to prerouting, forward or postrouting, to more easily and reliably see what happens, what goes where, etc.
I've followed that instruction, and I can make it work from WAN.
I have a setup where my router is behind my ISP router - would I be able to hairpin on my router, or should the ISP make it on their router?

Thanks.
 
Sob
Forum Guru
Forum Guru
Posts: 4812
Joined: Mon Apr 20, 2009 9:11 pm

Re: Hairpin NAT configuration

Sat May 21, 2016 2:40 pm

It can be done on your router, you just need to catch packets going to public address and don't let them go to ISP. So if currently you forward ports using dstnat rule with dst-address=<private address on your router's WAN>, make another one with same settings and only change dst-address=<public address>.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
Kim
just joined
Posts: 17
Joined: Fri Mar 01, 2013 9:05 pm

Re: Hairpin NAT configuration

Sat May 21, 2016 3:29 pm

This is my setup:
Image

A = ISP IP
B = My router external IP
C = My router internal IP
D = My webserver IP

This is my firewall NAT setup:
/ip firewall nat
add chain=dstnat dst-address=B protocol=tcp dst-port=80 \
action=dst-nat to-address=D

What i tried just now is this:
/ip firewall nat
add chain=dstnat dst-address=A protocol=tcp dst-port=80 \
action=dst-nat to-address=D

What am I doing wrong?

Thanks
 
Sob
Forum Guru
Forum Guru
Posts: 4812
Joined: Mon Apr 20, 2009 9:11 pm

Re: Hairpin NAT configuration

Sat May 21, 2016 4:02 pm

Nothing wrong, it should work. First rule is for connections from internet and second one for connections from your LAN. The actual hairpin NAT will be same for both, using srcnat rule from wiki. You do have that too, right? If it still doesn't work, make sure it's not blocked in forward chain. Specifically, connection from LAN to your server (going back to LAN) will have both incoming and outgoing interfaces the same (LAN).
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
Kim
just joined
Posts: 17
Joined: Fri Mar 01, 2013 9:05 pm

Re: Hairpin NAT configuration

Sat May 21, 2016 4:32 pm

Yes I have the source nat setup like this:

/ip firewall nat
add chain=srcnat src-address=192.168.0.0/24 \
dst-address=D protocol=tcp dst-port=80 \
out-interface=bride-local action=masquerade

Still it's not working...
It's the first NAT rules in the NAT table, so I don't think that other rules can be blocking?
 
Sob
Forum Guru
Forum Guru
Posts: 4812
Joined: Mon Apr 20, 2009 9:11 pm

Re: Hairpin NAT configuration

Sat May 21, 2016 5:01 pm

Then try to connect and watch what happens. Every rule has counters, so you'll know how far the packet got. You can also enable logging for each rule. Or add extra logging rules for debugging:

- in prerouting with src-address=E and dst-address=A, to confirm that request came to router
- in forward with src-address=E and dst-address=D, to tell that dstnat rule worked.
- in postrouting with src-address=C and dst-address=D, to see the final packet leaving the router

Verify each step and you'll see what did not happen, even though it should have.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
Kim
just joined
Posts: 17
Joined: Fri Mar 01, 2013 9:05 pm

Re: Hairpin NAT configuration

Sun May 22, 2016 12:27 am

I hit the second dst-nat with the following in the log:

dstnat: in :bridge-local out :bride-local, src-mac E, proto TCP (SYN), E->A:80, len 52
SURFER forward: in :bridge-local out :bridge-local, src-mac E, proto TCP (SYN), E->D:80, NAT E->(A:80->D:80), len 52

Was I supposed to hit the srcnat chain?
 
Sob
Forum Guru
Forum Guru
Posts: 4812
Joined: Mon Apr 20, 2009 9:11 pm

Re: Hairpin NAT configuration

Sun May 22, 2016 3:25 am

Yes, the srcnat rule is important part of this. If you have no hit on that, then it's either something wrong with srcnat rule (both D and E addresses are in 192.168.0.0/24, right?) or packet did not make it through forward chain (you have all its properties, so it should be easy to tell if it should be allowed or not; if you have doubts, post your /ip firewall filter rules).
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
Kim
just joined
Posts: 17
Joined: Fri Mar 01, 2013 9:05 pm

Re: Hairpin NAT configuration

Sun May 22, 2016 9:37 am

Yes both D and E are on the same net.
This is my setup regarding this HTTP traffic

This is hit when I come from WAN
add action=dst-nat chain=dstnat comment="HTTP 1" dst-address=\
B dst-port=80 protocol=tcp to-addresses=\
D to-ports=80

This is hit when I come from LAN
add action=dst-nat chain=dstnat comment="HTTP 2" dst-address=\
A dst-port=80 protocol=tcp \
to-addresses=D to-ports=80
When I hit this, i get the "SURFER forward..." in the log, and then I hit this one, and get the "SURFER forward" again some 6 times.

I never get to this one
add action=masquerade chain=srcnat dst-address=D comment="HTTP 3" dst-port=80 \
out-interface=bridge-local protocol=tcp \
src-address=192.168.0.0/24 to-addresses=B to-ports=80
 
Sob
Forum Guru
Forum Guru
Posts: 4812
Joined: Mon Apr 20, 2009 9:11 pm

Re: Hairpin NAT configuration

Sun May 22, 2016 5:34 pm

As I wrote in my last post, it's either:

1) Problem in forward chain. Is the rule logging "SURFER forward..." an accept rule or just logging rule (action=log)?
1a) Accept rule => packet must pass successfully
1b) Logging rule => make sure that packet is actually accepted (allowed to pass) by some further rule

2) If 1) is correct, you'll have packet with src-address=E and dst-address=D about to leave the router. If E is 192.168.0.x, then it must be matched by your srcnat rule. Unless it's matched by another srcnat rule before this one. Btw, masquerade does not take to-addresses or to-ports.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
Kim
just joined
Posts: 17
Joined: Fri Mar 01, 2013 9:05 pm

Re: Hairpin NAT configuration

Sun May 22, 2016 10:40 pm

THANK YOU SOB!
You made me think... I thought that the SURFER log entry was some native stuff in the RouterOS... I am sorry Sob - your comment made me understand that it was not, so I went through my settings and found a "Filter Rule" I made some years ago, when I set up a guest wireless network. I created some filters to make sure that guests would be separated from the "house net" - if you know what I mean.

I now have specified that those "galvanizing" filters only applies to the guest net, so now I hit the masquerade NAT rule.

There is one thing left though.
When I hit the masquerade rule, it is so slow, that the browser often times out. If I test a simple tiny webpage, I manage to get the site, but a larger site e.g. a Wordpress site, simply dies.

Do you have any idea what can cause that? I've tried to disable all but the 3 NAT rules for HTTP - but it's still slow...
 
Sob
Forum Guru
Forum Guru
Posts: 4812
Joined: Mon Apr 20, 2009 9:11 pm

Re: Hairpin NAT configuration

Sun May 22, 2016 11:56 pm

It shouldn't be slow at all, it only goes from client to router and from router to server, it must take a millisecond or two at most. I think I remember reading about same problem in this forum not long ago, but I don't recall if there was any resolution and I can't find the thread now. Generally "small works but large doesn't" is sign of MTU problems, but I'm not sure how it could happen in this case.

If it was happening to me, I'd fire up packet sniffers on both client and server, use something like curl or wget to send test requests and check what happens. If some packets perhaps get lost on the way, etc.. And I'd hope that something obvious would show up.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
Kim
just joined
Posts: 17
Joined: Fri Mar 01, 2013 9:05 pm

Re: Hairpin NAT configuration

Mon May 23, 2016 5:22 pm

I'll try to look into it.
Thank you so much for your help, Sob - couldn't have done it without you!

Thanks!

/Kim.

Who is online

Users browsing this forum: No registered users and 104 guests