squishio
just joined
Topic Author
Posts: 18
Joined: Fri Oct 30, 2009 3:58 pm

'Hairpin NAT' in 6.38.3 - How should it be done?

Sun Feb 26, 2017 7:33 pm

Hi Guys,

I have a couple of 951s with dynamic WAN IPs that I'm trying to get hairpin NAT working on without having to mess around with split DNS etc.
I've tried following various posts detailing how to configure the NAT rules for hairpin to work and it's simply not working.
Almost all recent posts seem to follow this method - https://freek.ws/2016/11/21/mikrotik-ha ... r-dummies/
Which for me does not work.

But I have also come across this thread (see last post) which suggests hairpin is not necessary from ROS v6 onwards; instead you use filter rules, though I can't get this to work either...
viewtopic.php?t=75811

Can anyone advise what is the current method of making this work?

Following the first/most common method, my rules are like this...
0 ;;; WAN NAT
chain=srcnat action=masquerade src-address=10.10.5.0/24 out-interface=Ether1 - WAN log=no log-prefix=""

1 ;;; Hairpin NAT
chain=srcnat action=masquerade protocol=tcp src-address=10.10.5.0/24 dst-address=10.10.5.0/24
out-interface=Ether5 - LAN log=no log-prefix=""

2 ;;; CCTV Hairpin
chain=dstnat action=dst-nat to-addresses=10.10.5.230 to-ports=8000 protocol=tcp
in-interface=Ether1 - WAN dst-port=8000 log=no log-prefix=""

3 ;;; CCTV WAN NAT
chain=dstnat action=dst-nat to-addresses=10.10.5.230 to-ports=8000 protocol=tcp
in-interface=Ether1 - WAN dst-port=8000 log=no log-prefix=""

I'm currently trying to get this to work on 2 different connections, both with dynamic WAN IP addresses; one of them dials the PPPoE to the ISP directly, the other is a double NAT setup behind an ISP router. I can't get either to work.
 
baragoon
Member Candidate
Posts: 294
Joined: Thu Jan 05, 2017 10:38 am
Location: Kyiv, UA

Re: 'Hairpin NAT' in 6.38.3 - How should it be done?

Sun Feb 26, 2017 8:03 pm

Try to remove out interface from rules 1-3


Sent from my iPhone using Tapatalk
 
squishio
just joined
Topic Author
Posts: 18
Joined: Fri Oct 30, 2009 3:58 pm

Re: 'Hairpin NAT' in 6.38.3 - How should it be done?

Sun Feb 26, 2017 10:18 pm

No change.
The counters on these rules are staying at 0 too, so no traffic is even hitting them...
 
squishio
just joined
Topic Author
Posts: 18
Joined: Fri Oct 30, 2009 3:58 pm

Re: 'Hairpin NAT' in 6.38.3 - How should it be done?

Mon Feb 27, 2017 12:37 am

I've got it working!
Thanks to something I read about address lists, I have now got rules for CCTV and RDP set up as below...
 0    ;;; WAN NAT
      chain=srcnat action=masquerade src-address=10.10.5.0/24 
      out-interface=Ether1 - WAN log=no log-prefix="" 

 1    ;;; hairpin NAT
      chain=srcnat action=masquerade src-address=10.10.5.0/24 
      dst-address=10.10.5.0/24 out-interface=Ether5 - LAN log=no log-prefix="" 

 2    ;;; RDP
      chain=dstnat action=dst-nat to-addresses=10.10.5.1 protocol=tcp 
      dst-address-list=Dynamic IP dst-port=3389 log=no log-prefix="" 

 3    chain=dstnat action=dst-nat to-addresses=10.10.5.1 protocol=tcp 
      in-interface=Ether1 - WAN dst-port=3389 log=no log-prefix="" 

 4    ;;; CCTV
      chain=dstnat action=dst-nat to-addresses=10.10.5.230 protocol=tcp 
      dst-address-list=Dynamic IP dst-port=8000 log=no log-prefix="" 

 5    chain=dstnat action=dst-nat to-addresses=10.10.5.230 protocol=tcp 
      in-interface=Ether1 - WAN dst-port=8000 log=no log-prefix="" 

The first entry of CCTV and RDP (#2 + #4) is for the hairpin; the second rules (#3 + #5) are for access from the WAN.

and my address list config...
 #   LIST         ADDRESS                          CREATION-TIME        TIMEOUT             
 0   Dynamic IP   MYROUTER.sn.mynetname.net        feb/26/2017 21:22:06
 1 D ;;; MYROUTER.sn.mynetname.net
     Dynamic IP   X.X.X.X                   feb/26/2017 21:50:20

If I reboot my modem, the ISP gives me a new WAN IP, and so far, after /ip cloud runs a DDNS update (every 60s), the address list at some point updates itself with the new IP, but I don't know how often this is running. If I find it to be a problem, then I will just add a scheduled script with something like...
/ip firewall address-list disable 0
/ip firewall address-list enable 0
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: 'Hairpin NAT' in 6.38.3 - How should it be done?

Mon Feb 27, 2017 1:14 am

You probably don't need two dstnat rules. Just one with dst-address-type=local (instead of in-interface=Ether1 - WAN) should be enough. The trick with the address list should not be required either. You would need that only if this router did not have a public address but was behind another router with one; in that case, your config would be correct.

Hostnames in address list resolve based on TTL, which in case of *.sn.mynetname.net seems to be 1 minute.
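Sob's suggestion written out as a complete rule set (an added example, not config posted in this thread; it reuses squishio's interface names and addresses and assumes the router itself holds the public IP, i.e. the PPPoE case, not the double NAT one):

```routeros
# Added example, not from the thread. Same LAN (10.10.5.0/24), same
# interface names ("Ether1 - WAN", "Ether5 - LAN") and same CCTV host
# (10.10.5.230:8000) as in squishio's posts.
/ip firewall nat

# Normal outbound NAT for the LAN.
add chain=srcnat action=masquerade src-address=10.10.5.0/24 \
    out-interface="Ether1 - WAN" comment="WAN NAT"

# Hairpin: a LAN client whose connection was DNATed to another LAN host
# must also be masqueraded, otherwise the CCTV host answers the client
# directly (it is on the same subnet) and the reply never passes back
# through the router, so the connection never completes. No out-interface
# match is needed here, as baragoon suggested.
add chain=srcnat action=masquerade src-address=10.10.5.0/24 \
    dst-address=10.10.5.0/24 comment="hairpin NAT"

# One dstnat rule serves both WAN and LAN clients: dst-address-type=local
# matches any address configured on the router, including whatever the
# dynamic WAN IP currently is, so neither in-interface nor the
# "Dynamic IP" address list is needed. RDP (3389 -> 10.10.5.1) follows
# the same shape.
add chain=dstnat action=dst-nat dst-address-type=local protocol=tcp \
    dst-port=8000 to-addresses=10.10.5.230 to-ports=8000 comment="CCTV"
```

Because dst-address-type=local also matches the router's LAN-side IP, a LAN client connecting to 10.10.5.1:8000 is redirected to the camera as well; that is the hairpin case, so keep the forward filter chain limited to the ports actually published. On the double NAT router the public IP is not local to this box, which is exactly when the dst-address-list=Dynamic IP form from squishio's working config is still the right tool.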
