Community discussions

 
baragoon
Member Candidate
Member Candidate
Topic Author
Posts: 125
Joined: Thu Jan 05, 2017 10:38 am
Location: Kyiv, UA

Hairpin nat weirdness

Sun Feb 19, 2017 5:45 pm

Hi all.
I having a strange behavior of hairpin nat. Even if I don't enable masquerade rule in nat section of firewall I can access to my forwarded ports via external ip only from wireless clients. But no access from wired. When I enable masquerade rule I have access both from wired and wireless.
Short config: ether5-master and both wlan interfaces are in one bridge. Hw is hap ac lite. Tried with latest rc and stable. What's wrong? As far as I understand without masquerade rule I can't have access to my forwarded ports from external ip to my lan hosts.
Last edited by baragoon on Mon Feb 20, 2017 8:34 am, edited 1 time in total.
 
Sob
Forum Guru
Forum Guru
Posts: 4786
Joined: Mon Apr 20, 2009 9:11 pm

Re: Hairpin nat weirdness

Mon Feb 20, 2017 4:08 am

It sounds like one big common LAN, so either it should work for all clients or for none. There must be something that's not apparent from your description. Try posting your config and everything should be clear.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
baragoon
Member Candidate
Member Candidate
Topic Author
Posts: 125
Joined: Thu Jan 05, 2017 10:38 am
Location: Kyiv, UA

Re: Hairpin nat weirdness

Mon Feb 20, 2017 8:33 am

Here is my config
[root@MikroTik] > /export hide-sensitive          
# feb/20/2017 08:22:31 by RouterOS 6.38.1
# software id = IW7X-FBCR
#
/interface bridge
add name=br-lan
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan
set [ find default-name=ether5 ] poe-out=off
/ip neighbor discovery
set ether1-wan discover=no
/interface ethernet
set [ find default-name=ether2 ] master-port=ether5 name=ether2-pc
set [ find default-name=ether3 ] master-port=ether5 name=ether3-tv
/interface ethernet switch
set 0 name=switch
/interface wireless security-profiles
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=wpa2 supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode band=2ghz-g/n channel-width=20/40mhz-Ce country=ukraine disabled=no distance=indoors frequency=auto \
    frequency-mode=regulatory-domain hw-protection-mode=rts-cts mode=ap-bridge multicast-helper=full name=wlan2 security-profile=wpa2 ssid=MikroTik-hap wireless-protocol=\
    802.11 wmm-support=enabled wps-mode=disabled
set [ find default-name=wlan2 ] adaptive-noise-immunity=ap-and-client-mode band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee country=ukraine disabled=no distance=indoors \
    frequency=auto frequency-mode=regulatory-domain hw-protection-mode=rts-cts mode=ap-bridge multicast-helper=full name=wlan5 security-profile=wpa2 ssid=MikroTik-hap \
    wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
/interface wireless nstreme
set wlan2 enable-polling=no
set wlan5 enable-polling=no
/ip ipsec policy group
set
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-256-ctr,aes-192-cbc,aes-192-ctr,aes-128-cbc,aes-128-ctr,3des pfs-group=none
/ip pool
add name=pool-1 ranges=172.16.69.2-172.16.69.14
add name=pool-vpn ranges=172.16.69.34-172.16.69.44
/ip dhcp-server
add address-pool=pool-1 disabled=no interface=br-lan lease-time=1w name=dhcp-1
/ppp profile
add change-tcp-mss=yes dns-server=172.16.69.1,8.8.8.8 local-address=172.16.69.33 name=vpn remote-address=pool-vpn
add change-tcp-mss=yes dns-server=8.8.8.8 local-address=pool-vpn name=l2tp remote-address=pool-vpn
/system logging action
set 3 remote=172.16.69.2
/interface bridge port
add bridge=br-lan interface=wlan5
add bridge=br-lan interface=wlan2
add bridge=br-lan interface=ether5
/interface bridge settings
set use-ip-firewall=yes
/ip firewall connection tracking
set enabled=yes
/interface l2tp-server server
set allow-fast-path=yes default-profile=l2tp use-ipsec=yes
/interface ovpn-server server
set certificate=vpn-srv-cert cipher=blowfish128,aes128,aes192,aes256 default-profile=vpn enabled=yes keepalive-timeout=30 port=65535 require-client-certificate=yes
/interface sstp-server server
set certificate=vpn-srv-cert default-profile=vpn enabled=yes
/ip address
add address=xx.xx.xx.xx/27 interface=ether1-wan network=xx.xx.xx.xx
add address=172.16.69.1/27 interface=br-lan network=172.16.69.0
/ip arp
add address=172.16.69.30 interface=br-lan mac-address=FF:FF:FF:FF:FF:FF
/ip dhcp-server lease
add address=172.16.69.2 client-id=1:xx:xx:xx:xx:xx:xx mac-address=xx:xx:xx:xx:xx:xx server=dhcp-1
add address=172.16.69.4 client-id=1:xx:xx:xx:xx:xx:xx mac-address=xx:xx:xx:xx:xx:xx server=dhcp-1
/ip dhcp-server network
add address=172.16.69.0/27 dns-server=172.16.69.1,8.8.8.8 domain=lan gateway=172.16.69.1 netmask=27
/ip dns
set allow-remote-requests=yes servers=172.16.69.1,8.8.8.8
/ip dns static
add address=172.16.69.1 name=mikrotik.lan
add address=172.16.69.2 name=vmunix.lan
add address=172.16.69.3 name=ps3.lan
add address=172.16.69.4 name=tv.lan
/ip firewall filter
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related
add action=accept chain=forward comment=fasttrack connection-state=established,related
add action=accept chain=input comment="allow established connections" connection-state=established
add action=accept chain=input comment="allow new connections" connection-state=new
add action=accept chain=input comment="allow related connections" connection-state=related
add action=accept chain=input comment="allow ICMP ping" protocol=icmp
add action=accept chain=input comment=vpn dst-port=443,65535 in-interface=ether1-wan protocol=tcp
add action=accept chain=input comment=webfig-ssl dst-port=8444 in-interface=ether1-wan protocol=tcp
add action=accept chain=input comment=rossh dst-port=8443 in-interface=ether1-wan protocol=tcp
add action=drop chain=input comment="drop invalid connections" connection-state=invalid
add action=drop chain=input comment="drop everything else" in-interface=ether1-wan
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-wan src-address=172.16.69.0/26
add action=masquerade chain=srcnat disabled=yes dst-address=!172.16.69.1 dst-port=4443,9999 out-interface=br-lan protocol=tcp src-address=172.16.69.0/26
add action=netmap chain=dstnat comment=rossh dst-address=172.16.69.1 dst-port=22 in-interface=br-lan protocol=tcp to-addresses=172.16.69.1 to-ports=8443
add action=netmap chain=dstnat comment=wol dst-address=xx.xx.xx.xx dst-port=9 protocol=udp to-addresses=172.16.69.30 to-ports=9
add action=netmap chain=dstnat dst-address=xx.xx.xx.xx dst-port=6881,6890-6999 protocol=udp to-addresses=172.16.69.2
add action=netmap chain=dstnat dst-address=xx.xx.xx.xx dst-address-type="" dst-port=4443,6890-6999,9999 protocol=tcp to-addresses=172.16.69.2
/ip ipsec peer
add address=0.0.0.0/0 compatibility-options=skip-peer-id-validation enc-algorithm=aes-256,aes-128,3des exchange-mode=main-l2tp generate-policy=port-override passive=yes
/ip proxy
set max-client-connections=1000 max-server-connections=1000 port=3128
/ip route
add distance=1 gateway=xx.xx.xx.xx
/ip service
set telnet address=172.16.69.0/26
set ftp address=172.16.69.0/26
set www address=172.16.69.0/26
set ssh port=8443
set www-ssl certificate=webfig port=8444
set api address=172.16.69.0/26
set winbox address=172.16.69.0/26
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1-wan type=external
add interface=ether2-pc type=internal
add interface=ether3-tv type=internal
add interface=ether4 type=internal
add interface=ether5 type=internal
add interface=br-lan type=internal
/ppp secret
add name=solnote profile=vpn
add name=iphone profile=vpn service=ovpn
/snmp
set trap-version=2
/system clock
set time-zone-name=Europe/Kiev
/system leds
add interface=br-lan leds=user-led type=interface-activity
/system logging
add action=remote topics=dns
/system ntp client
set enabled=yes server-dns-names=0.ua.pool.ntp.org,1.ua.pool.ntp.org,2.ua.pool.ntp.org,3.ua.pool.ntp.org
/system routerboard settings
set init-delay=0s silent-boot=yes
/system watchdog
set automatic-supout=no
/tool e-mail
set address=smtp.gmail.com from=mikrotik@home port=587 start-tls=yes user=sergey.bobrov83@gmail.com
/tool graphing interface
add allow-address=172.16.69.0/27 store-on-disk=no
add allow-address=172.17.0.0/24 store-on-disk=no
/tool graphing resource
add allow-address=172.16.69.0/27 store-on-disk=no
add allow-address=172.17.0.0/24 store-on-disk=no
This is really strange because
add action=masquerade chain=srcnat disabled=yes dst-address=!172.16.69.1 dst-port=4443,9999 out-interface=br-lan protocol=tcp src-address=172.16.69.0/26
is in disabled state and i can reach NAT-ed port outside
from work network to home -
[root@SolCGW1 ~]# telnet XX.XX.XX.XX 9999
Trying XX.XX.XX.XX...
Connected to XX.XX.XX.XX.
Escape character is '^]'.
from laptop connected to mikrtotik via VPN
solnote-c6gk-2 ~ $ telnet XX.XX.XX.XX 9999
Trying XX.XX.XX.XX...
Connected to XX.XX.XX.XX.
Escape character is '^]'.
^]
telnet> Connection closed.
as I mentioned before I can reach this port from wireless device
BUT, I cant from wired connected PC
vmunix ~ $ telnet XX.XX.XX.XX 9999
Trying XX.XX.XX.XX...
^C
What a hell???
 
baragoon
Member Candidate
Member Candidate
Topic Author
Posts: 125
Joined: Thu Jan 05, 2017 10:38 am
Location: Kyiv, UA

Re: Hairpin nat weirdness

Mon Feb 20, 2017 12:20 pm

It's just a single question for Mikrotik experts: how it can be possible that devices in the same network have different access to single resource without any filter rules?
 
baragoon
Member Candidate
Member Candidate
Topic Author
Posts: 125
Joined: Thu Jan 05, 2017 10:38 am
Location: Kyiv, UA

Re: Hairpin nat weirdness

Mon Feb 20, 2017 1:36 pm

2 wired devices - pc & tv
dst-nat to some port to tv - i can't reach port from pc via wan_ip but can from wlan or vpn
dst-nat to some port to pc - i can't reach port from pc via wan_ip but can from wlan or vpn
dst-nat to some port to vpn connected laptop - i can reach port from pc via wan_ip but can't from laptop
dst-nat to some port to wireless device - i can reach port from pc via wan_ip and from laptop
:?:
 
baragoon
Member Candidate
Member Candidate
Topic Author
Posts: 125
Joined: Thu Jan 05, 2017 10:38 am
Location: Kyiv, UA

Re: Hairpin nat weirdness

Tue Feb 21, 2017 8:24 am

No Mikrotik experts on Mikrotik forum?
BTW if I enable masquerade rule all my connections from lan to wan_ip "come" with source-ip of router. How to avoid this?
In Linux it works with a few simple rules. Hairpin nat is like a "duct tape".
 
blackzero
just joined
Posts: 21
Joined: Tue Aug 09, 2011 3:40 pm

Re: Hairpin nat weirdness

Tue Feb 21, 2017 9:45 am

No Mikrotik experts on Mikrotik forum?
BTW if I enable masquerade rule all my connections from lan to wan_ip "come" with source-ip of router. How to avoid this?
In Linux it works with a few simple rules. Hairpin nat is like a "duct tape".
This happens to my case as well. But in my problem it is more for traffic shaping. I can't answer, for the life of me, how to avoid filtering my own traffic speed from my LAN that comes through WAN IP that goes to my own internal server.

It's been years, but nobody can answer me. So yeah, good luck to you. :D
 
baragoon
Member Candidate
Member Candidate
Topic Author
Posts: 125
Joined: Thu Jan 05, 2017 10:38 am
Location: Kyiv, UA

Re: Hairpin nat weirdness

Tue Feb 21, 2017 10:25 am

It's been years, but nobody can answer me.
It's a shame to Mikrotik... 3 years of "v7 beta" with promises of new functionality and fixing current v6 bugs and still nothing. Unusable PIM, openvpn...
I'm really disappointed in Mikrotik. I never saw such problems in *wrt and similar devices like Zyxel or so.
 
baragoon
Member Candidate
Member Candidate
Topic Author
Posts: 125
Joined: Thu Jan 05, 2017 10:38 am
Location: Kyiv, UA

Re: Hairpin nat weirdness

Tue Feb 21, 2017 1:28 pm

This is wonderful that the support shy away from this topic and says nothing
Image
 
User avatar
nickshore
Member
Member
Posts: 472
Joined: Thu Mar 03, 2005 4:14 pm
Location: Suffolk, UK.
Contact:

Re: Hairpin nat weirdness

Tue Feb 21, 2017 6:14 pm

Its very hard to work out what is happening when you hide the IPs with XX.XX.XX.XX

Normally to avoid the need for hairpin NAT you use internal static dns to point at the internal IPs instead.
Nick Shore MTCNA MTCWE MTCRE MTCINE MTCTCE
LinITX.com - MultiThread Consultants
Get your MikroTik RBs and Training: http://linitx.com/brand/mikrotik
Official UK MikroTik Distributor
IRC chan: #routerboard on irc.z.je (IPv4 and IPv6)
 
baragoon
Member Candidate
Member Candidate
Topic Author
Posts: 125
Joined: Thu Jan 05, 2017 10:38 am
Location: Kyiv, UA

Re: Hairpin nat weirdness

Tue Feb 21, 2017 6:26 pm

XX.XX.XX.XX is my wan ip


Отправлено с моего iPhone используя Tapatalk
 
colanderman
newbie
Posts: 44
Joined: Wed Oct 28, 2015 5:21 am

Re: Hairpin nat weirdness

Tue Feb 21, 2017 7:50 pm

But in my problem it is more for traffic shaping. I can't answer, for the life of me, how to avoid filtering my own traffic speed from my LAN that comes through WAN IP that goes to my own internal server.
Queues should be on WAN interface only, not on other interfaces. Since hairpin routed packets don't traverse the WAN interface (dst-nat happens in prerouting), they shouldn't touch queues.

But if you have a more complex setup, you should be able to use a connection mark on hairpinned traffic to avoid the queues.
 
colanderman
newbie
Posts: 44
Joined: Wed Oct 28, 2015 5:21 am

Re: Hairpin nat weirdness

Tue Feb 21, 2017 8:01 pm

/interface bridge settings
set use-ip-firewall=yes
Turn this off unless you have a good reason (off is the default). When this is on, it sends all bridged traffic (i.e., wlan→wired) through IP firewall (thus NAT). So replies to your NATted connections from the wlan pass back through the router and get un-NATted, without a hairpin rule. But wired→wired connections are handled by the switch, and thus NATted replies do not reach the bridge or router unless the hairpin rule is enabled.

Turning this off will treat bridged (wlan→wired) and switched (wired→wired) connections equally, requiring a hairpin rule for both.
 
colanderman
newbie
Posts: 44
Joined: Wed Oct 28, 2015 5:21 am

Re: Hairpin nat weirdness

Tue Feb 21, 2017 8:07 pm

BTW if I enable masquerade rule all my connections from lan to wan_ip "come" with source-ip of router. How to avoid this?
In Linux it works with a few simple rules. Hairpin nat is like a "duct tape".
Yes, this is how hairpinning works. Replies to client which made NATted connection (LAN→WAN→LAN) need to pass back through router, so router can "undo" NAT. Normally the only way to force this is by masquerading source as router IP. Else such replies pass directly through bridge/switch, and the recipient (client) drops them, because they appear to come from "wrong" source (LAN instead of WAN).

The other way to do this is to disable switches (use only bridge) and enable IP firewall (the latter of which you had done). But now all your LAN traffic is flowing through router; even with fasttrack this is not very good.
 
baragoon
Member Candidate
Member Candidate
Topic Author
Posts: 125
Joined: Thu Jan 05, 2017 10:38 am
Location: Kyiv, UA

Re: Hairpin nat weirdness

Thu Feb 23, 2017 8:38 am

Thank you for your replies!
But i still can't understand why I can access nated ports in my wired connected pc from laptop via wifi or from vpn without hairpining?
 
Larsa
Member Candidate
Member Candidate
Posts: 119
Joined: Sat Aug 29, 2015 7:40 pm

Re: Hairpin nat weirdness

Thu Feb 23, 2017 3:42 pm

But i still can't understand why I can access nated ports in my wired connected pc from laptop via wifi or from vpn without hairpining?
Yes, it's possible. See one example down below.

Basically you have two choices which are not specifically related to Mikrotik:

1. Use routing for the internal network and bypass the firewall.
2. Use NAT to hide or consolidate certain internal services that basically will require:
  • a) "hairpin" NAT when used on the same local subnet.
    b) "regular" NAT when used between different subnets.
IMO, in general I'm considering hairpin NAT to be messy, error-prone and insecure (if security matter, that is). :-). NAT is NAT, and when used all traffic must pass through the router regardless of type. Personally I'd divide the network to different subnets. Then it's possible to NAT all internal networks the same way as you would access it from the internet. This also means you only need a single set of NAT rules. (e.g. General NAT access between local networks...)
 
colanderman
newbie
Posts: 44
Joined: Wed Oct 28, 2015 5:21 am

Re: Hairpin nat weirdness

Thu Feb 23, 2017 4:24 pm

Thank you for your replies!
But i still can't understand why I can access nated ports in my wired connected pc from laptop via wifi or from vpn without hairpining?
Because those are forced to flow through the router (and thus NAT) by the bridge with use-ip-firewall=yes. Whereas wired->wired connections use the switch on the return path, bypassing the bridge and NAT, and are dropped by the client due to incorrect source IP.

In short, use-ip-firewall=yes makes bridged traffic behave very differently from switched traffic.
 
Larsa
Member Candidate
Member Candidate
Posts: 119
Joined: Sat Aug 29, 2015 7:40 pm

Re: Hairpin nat weirdness

Thu Feb 23, 2017 5:15 pm

In short, use-ip-firewall=yes makes bridged traffic behave very differently from switched traffic.
Yeah, it's basically like forcing the firewall to manage all ethernet traffic to the bridge. When using "use-ip-firewall=no", all traffic will be transferred directly between the bridge ports in the same way as any other switches.

I still would replace the hairpin nat thot! :-)
 
baragoon
Member Candidate
Member Candidate
Topic Author
Posts: 125
Joined: Thu Jan 05, 2017 10:38 am
Location: Kyiv, UA

Re: Hairpin nat weirdness

Fri Feb 24, 2017 6:20 pm

No. I disabled firewall in bridge settings. Nothing changed. I can believe that is normal when I can access nated ports via vpn without hairpin (yes, vpn have another subnet - 172.16.69.16/27) but i repeat that I can access nated ports (opened ssh from 172.16.69.2 wired connected pc) via my cell phone or laptop connected via wifi and vice versa. wired and wireless clients are in the same subnet (172.16.69.0/27)


Отправлено с моего iPhone используя Tapatalk
 
Larsa
Member Candidate
Member Candidate
Posts: 119
Joined: Sat Aug 29, 2015 7:40 pm

Re: Hairpin nat weirdness

Sat Feb 25, 2017 12:21 am

Just curious, why do you want to NAT the internal traffic?
 
baragoon
Member Candidate
Member Candidate
Topic Author
Posts: 125
Joined: Thu Jan 05, 2017 10:38 am
Location: Kyiv, UA

Re: Hairpin nat weirdness

Sat Feb 25, 2017 3:35 pm

i just want to have access to nated ports via external_ip:port from my lan without masquerading like in any other routers
 
Larsa
Member Candidate
Member Candidate
Posts: 119
Joined: Sat Aug 29, 2015 7:40 pm

Re: Hairpin nat weirdness

Sat Feb 25, 2017 6:07 pm

i just want to have access to nated ports via external_ip:port from my lan without masquerading like in any other routers
Ok. But you still need to masquerade the external wan traffic, right? So, what's the difference to masquerading the internal traffic as well. I mean, all traffic still needs to pass through the router in both directions when doing the harpin-dance and there is no actual performance gain skipping the masquerade (that I know of at least). Just curious to hear why...

And as I suggested before, if you skip hairpin-nat you will only need one set of dst-nat rules.
 
baragoon
Member Candidate
Member Candidate
Topic Author
Posts: 125
Joined: Thu Jan 05, 2017 10:38 am
Location: Kyiv, UA

Re: Hairpin nat weirdness

Mon Feb 27, 2017 9:00 am

Main problem is source ip of hairpined connection, all these connects coming with router ip and i'm unable to understand who is connected.
 
Larsa
Member Candidate
Member Candidate
Posts: 119
Joined: Sat Aug 29, 2015 7:40 pm

Re: Hairpin nat weirdness

Mon Feb 27, 2017 10:37 am

Main problem is source ip of hairpined connection, all these connects coming with router ip and i'm unable to understand who is connected.
This is by design when using hairpin-nat , i.e. source ip is always the router interface. If you try to explain what you are trying to accomplish, it might be easier to understand your needs and possible figure out a solution for your problem.
 
User avatar
icttech
just joined
Posts: 14
Joined: Mon Dec 04, 2017 3:05 am
Location: Canada

Re: Hairpin nat weirdness

Sat Dec 29, 2018 11:04 pm

Main problem is source ip of hairpined connection, all these connects coming with router ip and i'm unable to understand who is connected.
This is by design when using hairpin-nat , i.e. source ip is always the router interface. If you try to explain what you are trying to accomplish, it might be easier to understand your needs and possible figure out a solution for your problem.
Hi Larsa

I see why the need.

We are currently using multiple MX and hosting boxes that traverse emails/services and when trying to source out which MX or service (Internal IP) box had sent or not been able send emails or service comms this makes the task a bit frustrating when trying to locate an IP assigned to a local host running MX or hosted services which need communication to other internal server services which have been hairpin'd. Communicating with Internal NAT'd hosted servers using Hairpin could use some method of statically keeping Bridged/Switched IP traffic by keeping it's original internal IP to the local subnetted networks. This would help me out in many cases. Running hosts files internally with hairpin points reverts to the reverseDNS path of course, so it's kinda pointless with Static DNS if reverseDNS public side is mandatory these days for SSL / MX etc..

Any ideas to further expand on getting internal boxes communicating the originating local host IP while using hairpin would be great.... having a local gateway/router IP for troubleshooting is a bit maddening.
thanks

Who is online

Users browsing this forum: No registered users and 122 guests