Hairpin NAT broken

Posted: Mon Jun 26, 2017 5:54 pm
by dejanb
Hello Guys!

I know there are numerous posts about hairpin NAT problems in version 6 of MikroTik, but I can't find the solution!
I tried many different approaches from the forum and then from the MikroTik Wiki, but it doesn't work at all.

My config is this:

ether1 - WAN
ether3, 4, 5, 6 and wlan in a bridge, with "use ip firewall" enabled; the DHCP server sits on the bridge, and so does the gateway address for the subnet.
I'm getting a static public IP on the WAN interface; in IP routes I only have the default gateway.
In IP firewall there are no filters; in the NAT table I have port forward rules for the various services on the server and masquerade for the entire subnet, so from other networks I can access the servers on the public IP on all ports. From inside, when I hit the public IP, nothing!
I first tried this kind of config:
/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 \
  dst-address=192.168.1.2 protocol=tcp dst-port=80 \
  out-interface=LAN action=masquerade
This is from the MikroTik Wiki; it worked for me earlier in version 5 of MikroTik without problems.
And I tried everything from these posts:

viewtopic.php?t=101094

viewtopic.php?t=75811

Regards!

Re: Hairpin NAT broken

Posted: Mon Jun 26, 2017 6:33 pm
by Sob
... brigdge, use ip firewall enabled ...
Any reason for it? It's for running otherwise bridged packets through IP firewall, and from your description it doesn't seem like you use it for anything.
... in NAT table i have port forward rules for the various services on the server
But you realize that your hairpin NAT rule is only for protocol=tcp dst-port=80, right?

Anyway, I'm not aware of any difference between v6 and previous ones, it should just work. Check counters on rules, watch packets using Tools->Torch, ... And if you don't find anything, try posting more of your config. You know, description is nice, but it doesn't tell us what exactly you actually have there.

Re: Hairpin NAT broken

Posted: Mon Jun 26, 2017 11:37 pm
by Brillo
Hello All,

I am new here, please assist / advise or point me in the right direction.

Hoping ZeroByte can assist / help.

I have a public DDNS hostname; I have a script that binds the hostname to my dynamically assigned WAN IP.

ISSUE: I am able to access port 4003 externally, for example http://MYDDNSHOSTNAME:4003 works perfectly; when I do it internally it also does work, and I can see that the "Hairpin NAT for LOCAL Traffic" rule does accumulate packets.

Is my SharePoint server just dead? Because for some reason it continues to time out.

note: the ADSL router is configured in bridged mode
note: I am aware that the TPOT honeypot service can cause all ports to be used by the TPOT service; I have temporarily turned off the VM.

mikrotik eth1 goes to the ADSL router
mikrotik eth2 goes to the LAN (bridged WLAN+LAN so that one DHCP server serves both LAN and WLAN)

my WAN interface = PPPoE, namely "MWEB"

mikrotik IP 10.0.0.1
network 10.0.0.0/24

/ip firewall nat print

[admin@Franna-RB2011UiAS-2HnD] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic

0 ;;; ZZZ - NAT MWEB Traffic
chain=srcnat action=masquerade out-interface=MWEB log=no log-prefix=""

1 ;;; ZZZ - Hairpin NAT for LOCAL Traffic
chain=srcnat action=masquerade src-address=10.0.0.0/24 dst-address=10.0.0.0/24 dst-address-type="" out-interface=WLAN-LAN Bridge log=no log-prefix=""

2 ;;; ZZZ - HP Aruba WEB GUI
chain=dstnat action=dst-nat to-addresses=10.0.0.5 to-ports=80 protocol=tcp dst-address=!10.0.0.0/24 dst-address-type=local dst-port=4003 log=no log-prefix=""

3 ;;; ZZZ - RDP Port Connection - Francois-PC
chain=dstnat action=dst-nat to-addresses=10.0.0.20 to-ports=3389 protocol=tcp dst-address=!10.0.0.0/24 dst-address-type=local dst-port=4001 log=no log-prefix=""

4 ;;; test multiple hops
chain=dstnat action=dst-nat to-addresses=10.0.0.5 to-ports=80 protocol=tcp dst-address=!10.0.0.0/24 dst-address-type=local dst-port=5555 log=no log-prefix=""

5 ;;; ZZZ - RDP Port Connection - Franna-WS
chain=dstnat action=dst-nat to-addresses=10.0.0.21 to-ports=3389 protocol=tcp dst-address=!10.0.0.0/24 dst-address-type=local dst-port=4002 log=no log-prefix=""

6 ;;; ZZZ - VM - SharePoint - RDP
chain=dstnat action=dst-nat to-addresses=10.0.0.7 to-ports=3389 protocol=tcp dst-address=!10.0.0.0/24 dst-address-type=local dst-port=4004 log=no log-prefix=""

7 ;;; ZZZ - VM - SharePoint WEB
chain=dstnat action=dst-nat to-addresses=10.0.0.17 to-ports=80 protocol=tcp dst-address-type=local dst-port=4005 log=no log-prefix=""

8 ;;; ZZZ - VM - IIS Server
chain=dstnat action=dst-nat to-addresses=10.0.0.16 to-ports=80 protocol=tcp dst-address=!10.0.0.0/24 dst-address-type=local dst-port=4007 log=no log-prefix=""

9 ;;; ZZZ -TeamSpeak - Connection
chain=dstnat action=dst-nat to-addresses=10.0.0.25 to-ports=9987 protocol=udp dst-address=!10.0.0.0/24 dst-address-type=local dst-port=9987 log=no log-prefix=""

10 ;;; ZZZ - TeamSpeak - FileTransfer
chain=dstnat action=dst-nat to-addresses=10.0.0.25 to-ports=30033 protocol=tcp dst-address=!10.0.0.0/24 dst-address-type=local dst-port=30033 log=no log-prefix=""

11 ;;; TPOT - Glastopf - TCP Port 80
chain=dstnat action=dst-nat to-addresses=10.0.0.54 to-ports=80 protocol=tcp dst-address=!10.0.0.0/24 dst-address-type=local dst-port=80 log=no log-prefix=""

12 ;;; TPOT - Dionaea - TCP Port 42
chain=dstnat action=dst-nat to-addresses=10.0.0.54 to-ports=42 protocol=tcp dst-address=!10.0.0.0/24 dst-address-type=local dst-port=42 log=no log-prefix=""

13 ;;; TPOT - Dionaea - TCP Port 135
chain=dstnat action=dst-nat to-addresses=10.0.0.54 to-ports=135 protocol=tcp dst-address=!10.0.0.0/24 dst-address-type=local dst-port=135 log=no log-prefix=""

14 ;;; TPOT - Dionaea - TCP Port 443
chain=dstnat action=dst-nat to-addresses=10.0.0.54 to-ports=443 protocol=tcp dst-address=!10.0.0.0/24 dst-address-type=local dst-port=443



/ip firewall filter print

[admin@Franna-RB2011UiAS-2HnD] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Drop ICMP
chain=input action=drop protocol=icmp log=no log-prefix=""

1 X ;;; Drop ALL Traffic --FROM-- Blacklisted IP's (blacklist)
chain=input action=drop src-address-list=blacklist log=no log-prefix=""

2 X ;;; Drop ALL Traffic --TO-- Blacklisted IP's (blacklist)
chain=forward action=drop dst-address-list=blacklist log=no log-prefix=""

3 ;;; Drop WAN Invalid Connections
chain=input action=drop connection-state=invalid protocol=tcp log=no log-prefix=""

4 ;;; Drop LAN Invalid Connections
chain=forward action=drop connection-state=invalid protocol=tcp log=no log-prefix=""

5 ;;; Accept Established Connection Packets
chain=input action=accept connection-state=established log=no log-prefix=""

6 ;;; Allow Related Connections
chain=forward action=accept connection-state=related log=no log-prefix=""

7 ;;; Deny DNS Request - UDP
chain=imput action=drop connection-state=new protocol=udp in-interface=MWEB dst-port=53 log=no log-prefix=""

8 ;;; Deny DNS Request - TCP
chain=imput action=drop connection-state=new protocol=tcp in-interface=MWEB dst-port=53 log=no log-prefix=""

9 ;;; Net unreachable
chain=icmp action=accept protocol=icmp icmp-options=3:0 log=no log-prefix=""

10 ;;; Host unreachable
chain=icmp action=accept protocol=icmp icmp-options=3:1 log=no log-prefix=""

11 ;;; Host unreachable fragmentation required
chain=icmp action=accept protocol=icmp icmp-options=3:4 log=no log-prefix=""

12 ;;; Detect and drop port scan connections
chain=input action=drop protocol=tcp psd=21,3s,3,1 log=no log-prefix=""

13 ;;; Allow source quench
chain=icmp action=accept protocol=icmp icmp-options=4:0 log=no log-prefix=""

14 ;;; Echo reply
chain=icmp action=accept protocol=icmp icmp-options=0:0 log=no log-prefix=""

15 ;;; Allow echo request
chain=icmp action=accept protocol=icmp icmp-options=8:0 log=no log-prefix=""

16 ;;; Allow time exceed
chain=icmp action=accept protocol=icmp icmp-options=11:0 log=no log-prefix=""

17 ;;; Allow parameter bad
chain=icmp action=accept protocol=icmp icmp-options=12:0 log=no log-prefix=""

18 ;;; Deny all other types
chain=icmp action=drop log=no log-prefix=""

19 ;;; Generic Routing Encapsulation (GRE)
chain=input action=accept protocol=gre log=no log-prefix=""

20 ;;; PPTP
chain=input action=accept protocol=tcp dst-port=1723 log=no log-prefix=""

21 ;;; SSH - Failure logon Stage 1
chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=ssh_stage1 address-list-timeout=1m dst-port=4000 log=no log-prefix=""

22 ;;; SSH - Failure logon Stage 2
chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m dst-port=4000 log=no log-prefix=""

23 ;;; SSH - Failure logon Stage 3
chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=1m dst-port=4000 log=no log-prefix=""

24 ;;; SSH - Added to Blacklist
chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage3 address-list=blacklist address-list-timeout=1w3d dst-port=4000 log=no log-prefix=""

25 ;;; FTP Login Rate 10/Min
chain=output action=accept protocol=tcp content=530 Login incorrect dst-limit=1/1m,9,dst-address/1m log=no log-prefix=""

26 ;;; Deny NFS
chain=udp action=drop protocol=udp dst-port=2049 log=no log-prefix=""

27 ;;; Detect DoS attack
chain=input action=add-src-to-address-list connection-limit=10,32 protocol=tcp address-list=blacklist address-list-timeout=1d log=no log-prefix=""

28 ;;; Deny TFTP
chain=tcp action=drop protocol=tcp dst-port=69 log=no log-prefix=""

29 ;;; Deny RPC portmapper
chain=tcp action=drop protocol=tcp dst-port=111 log=no log-prefix=""

30 ;;; Deny NBT
chain=tcp action=drop protocol=tcp dst-port=137-139 log=no log-prefix=""

31 ;;; Deny CIFS
chain=tcp action=drop protocol=tcp dst-port=445 log=no log-prefix=""

32 ;;; Deny NFS
chain=tcp action=drop protocol=tcp dst-port=2049 log=no log-prefix=""

33 ;;; Deny NetBus
chain=tcp action=drop protocol=tcp dst-port=12345-12346 log=no log-prefix=""

34 ;;; Deny NetBus
chain=tcp action=drop protocol=tcp dst-port=20034 log=no log-prefix=""

35 ;;; Deny Back Oriffice
chain=tcp action=drop protocol=tcp dst-port=3133 log=no log-prefix=""

36 ;;; Deny DHCP
chain=tcp action=drop protocol=tcp dst-port=67-68 log=no log-prefix=""

37 ;;; Deny RPC portmapper
chain=tcp action=drop protocol=tcp dst-port=135 log=no log-prefix=""

38 ;;; Deny TFTP
chain=udp action=drop protocol=udp dst-port=69 log=no log-prefix=""

39 ;;; Deny PRC portmapper
chain=udp action=drop protocol=udp dst-port=111 log=no log-prefix=""

40 ;;; Deny PRC portmapper
chain=udp action=drop protocol=udp dst-port=135 log=no log-prefix=""

41 ;;; Deny NBT
chain=udp action=drop protocol=udp dst-port=137-139 log=no log-prefix=""

42 ;;; Deny Back Oriffice
chain=udp action=drop protocol=udp dst-port=3133 log=no log-prefix=""

43 X ;;; Block Facebook
chain=forward action=drop layer7-protocol=Block Facebook log=no log-prefix=""

44 X ;;; Block Youtube
chain=forward action=drop layer7-protocol=Block Youtube log=no log-prefix=""

Please advise if this is correct or not; this might be completely off!
Please let me know which filter rules don't make sense / are unnecessary.

Thanks in advance, wonderful people; please explain nicely because I feel like a retard, I just don't get why some of my services work and others don't.

Regards,
Brillo

Re: Hairpin NAT broken

Posted: Tue Jun 27, 2017 12:23 am
by dejanb
... brigdge, use ip firewall enabled ...
Any reason for it? It's for running otherwise bridged packets through IP firewall, and from your description it doesn't seem like you use it for anything.

No reason, I tried both with "use ip firewall" enabled and disabled...
... in NAT table i have port forward rules for the various services on the server
But you realize that your hairpin NAT rule is only for protocol=tcp dst-port=80, right?

Yes I know that, that is just an example rule; it doesn't work either...

Anyway, I'm not aware of any difference between v6 and previous ones, it should just work. Check counters on rules, watch packets using Tools->Torch, ... And if you don't find anything, try posting more of your config. You know, description is nice, but it doesn't tell us what exactly you actually have there.
I don't know the differences either, but it simply works on version 5, and there are a ton of posts like mine here on the forum that have the same problem, referring to version 6.

When I watch the counters I only see that the masquerade rule counters are increasing; a hairpin NAT rule like the one I posted above is always at zero bytes and packets.
This is the config right now:
/ip firewall nat
add action=masquerade chain=srcnat comment=nat out-interface=ether1
add action=dst-nat chain=dstnat comment=rdp dst-port=3389 in-interface=ether1 \
    protocol=tcp to-addresses=192.168.1.7 to-ports=3389
add action=masquerade chain=srcnat comment=hairpin-rdp dst-address=192.168.1.7 \
    dst-port=80 out-interface=bridge-lan protocol=tcp src-address=\
    192.168.1.0/24
RDP is working from the outside on the public IP.

Regards!

Re: Hairpin NAT broken

Posted: Tue Jun 27, 2017 3:08 am
by Sob
When dstnat rule has in-interface=ether1 (which seems to be your WAN), it will only work from there. When you connect from LAN, it can't apply, because in-interface is bridge-lan. So remove in-interface and instead add dst-address=<your public address>.

And as I already wrote, you have hairpin rule only for port 80, so it can't work for RDP's 3389.

Re: Hairpin NAT broken

Posted: Tue Jun 27, 2017 4:25 am
by Sob
I am new here, please assist / advise or point me in the right direction.
Advice #1: Don't hijack threads, make your own. The obvious advantage is that all focus will be on your problem only. The less obvious advantage is that it won't create confusion in the other thread. People don't expect different problems in the same thread, they mix them together and it doesn't work. So really, just don't do it.

About the problem:

- You have a dstnat rule that takes anything coming to a local address, as long as it's not in 10.0.0.0/24 and is tcp port 4003, and forwards it to 10.0.0.5:80 -> good.
- You have srcnat rule that masquerades connections from 10.0.0.0/24 to 10.0.0.0/24 when outgoing interface is "WLAN-LAN Bridge" -> from your description it also seems correct.

If http://MYDDNSHOSTNAME:4003 works from outside and http://10.0.0.5 works from inside, then http://MYDDNSHOSTNAME:4003 from inside should work too, I don't see anything in your config that could block it. It's definitely not your firewall filter, that looks like one big mess.

You have several chains, but no jump to them, so everything in chain=tcp, chain=udp, chain=icmp and chain=imput (typo) is useless.

In chain=input (traffic to router) you unconditionally block all icmp (not a good idea, because it's even before accepting related packets), source addresses in the "blacklist" list, some port scans (but I wouldn't count much on it, even the manual says that the psd= option "Attempts to detect TCP and UDP scans."), then you limit ssh connections to port 4000 (ok, if you changed ssh's port to that), and then the rest (e.g. WinBox and anything else running on the router) is open to the whole world.

Finally chain=forward (traffic through router) is not any better. It blocks packets to addresses in "blacklist" list created by ssh limiter, blocks invalid tcp packets, and allows everything else.

I can't find MikroTik's default firewall right now, to use as inspiration. And I'm too tired to write something from scratch (it's very late here), maybe tomorrow. You definitely want to fix what you have now. But if you want to debug the hairpin problem, use Tools->Torch on the "WLAN-LAN Bridge" interface, connect to http://MYDDNSHOSTNAME:4003 from a machine in the LAN and you should see outgoing packets to 10.0.0.5:80 from 10.0.0.1:<random port>. If you do, the router config is fine (the NAT part). If you also see packets in the other direction (on the same line), it's communicating both ways and it must be something strange if it doesn't work. If you don't, then it's something on the server preventing it from replying.

Re: Hairpin NAT broken

Posted: Tue Jun 27, 2017 9:02 am
by Brillo
Good Morning,

My sincerest apologies for "hijacking" a thread, it was not my intention, i was so anxious to post that i accidentally posted as a reply to someone else's thread.

I have cleaned up the mess of the Firewall Filter Rules:

[admin@Franna-RB2011UiAS-2HnD] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic

0 ;;; Accept Established Connection Packets
chain=input action=accept connection-state=established log=no log-prefix=""

1 ;;; Allow Related Connections
chain=forward action=accept connection-state=related log=no log-prefix=""

2 ;;; Drop WAN Invalid Connections
chain=input action=drop connection-state=invalid protocol=tcp log=no log-prefix=""

3 ;;; Drop ICMP
chain=input action=drop protocol=icmp log=no log-prefix=""

4 ;;; Drop LAN Invalid Connections
chain=forward action=drop connection-state=invalid protocol=tcp log=no log-prefix=""

5 X ;;; Block Facebook
chain=forward action=drop layer7-protocol=Block Facebook log=no log-prefix=""

6 X ;;; Block Youtube
chain=forward action=drop layer7-protocol=Block Youtube log=no log-prefix=""

should I use !10.0.0.1/24 or not?

[admin@Franna-RB2011UiAS-2HnD] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; ZZZ - NAT MWEB Traffic
chain=srcnat action=masquerade out-interface=MWEB log=no log-prefix=""

1 ;;; ZZZ - Hairpin NAT for LOCAL Traffic
chain=srcnat action=masquerade src-address=10.0.0.0/24 dst-address=10.0.0.0/24 dst-address-type="" out-interface=WLAN-LAN Bridge log=no log-prefix=""

2 ;;; ZZZ - HP Aruba WEB GUI
chain=dstnat action=dst-nat to-addresses=10.0.0.5 to-ports=80 protocol=tcp dst-address=!10.0.0.0/24 dst-address-type=local dst-port=4003 log=no log-prefix=""

3 ;;; ZZZ - RDP Port Connection - Francois-PC
chain=dstnat action=dst-nat to-addresses=10.0.0.20 to-ports=3389 protocol=tcp dst-address=!10.0.0.0/24 dst-address-type=local dst-port=4001 log=no log-prefix=""

4 ;;; test multiple hops
chain=dstnat action=dst-nat to-addresses=10.0.0.5 to-ports=80 protocol=tcp dst-address=!10.0.0.0/24 dst-address-type=local dst-port=5555 log=no log-prefix=""

5 ;;; ZZZ - RDP Port Connection - Franna-WS
chain=dstnat action=dst-nat to-addresses=10.0.0.21 to-ports=3389 protocol=tcp dst-address=!10.0.0.0/24 dst-address-type=local dst-port=4002 log=no log-prefix=""

6 ;;; ZZZ - VM - SharePoint - RDP
chain=dstnat action=dst-nat to-addresses=10.0.0.7 to-ports=3389 protocol=tcp dst-address=!10.0.0.0/24 dst-address-type=local dst-port=4004 log=no log-prefix=""

7 ;;; ZZZ - VM - SharePoint WEB
chain=dstnat action=dst-nat to-addresses=10.0.0.17 to-ports=80 protocol=tcp dst-address=!10.0.0.0/24 dst-address-type=local dst-port=4005 log=no log-prefix=""

8 ;;; ZZZ - VM - SharePoint WEB Administration
chain=dstnat action=dst-nat to-addresses=10.0.0.17 to-ports=8888 protocol=tcp dst-address=!10.0.0.0/24 dst-address-type=local dst-port=4006 log=no log-prefix=""

9 ;;; ZZZ - VM - IIS Server
chain=dstnat action=dst-nat to-addresses=10.0.0.16 to-ports=80 protocol=tcp dst-address=!10.0.0.0/24 dst-address-type=local dst-port=4007 log=no log-prefix=""

10 ;;; ZZZ -TeamSpeak - Connection
chain=dstnat action=dst-nat to-addresses=10.0.0.25 to-ports=9987 protocol=udp dst-address=!10.0.0.0/24 dst-address-type=local dst-port=9987 log=no log-prefix=""

11 ;;; ZZZ - TeamSpeak - FileTransfer
chain=dstnat action=dst-nat to-addresses=10.0.0.25 to-ports=30033 protocol=tcp dst-address=!10.0.0.0/24 dst-address-type=local dst-port=30033 log=no log-prefix=""


As you can see:

0 ;;; ZZZ - NAT MWEB Traffic
chain=srcnat action=masquerade out-interface=MWEB log=no log-prefix=""

1 ;;; ZZZ - Hairpin NAT for LOCAL Traffic
chain=srcnat action=masquerade src-address=10.0.0.0/24 dst-address=10.0.0.0/24 dst-address-type="" out-interface=WLAN-LAN Bridge log=no log-prefix=""

rule 0: masquerades traffic coming into the PPPoE interface "MWEB" - is this correct?
rule 1: masquerades traffic from the local network to the local network - is this correct?

dst-nat rules: should I use !10.0.0.1/24 or not? My belief is that if I use !10.0.0.1/24 it will masquerade traffic from the static source address "NOT COMING FROM 10.0.0.1/24 NETWORK".


Regards,
Brillo

Re: Hairpin NAT broken

Posted: Tue Jun 27, 2017 6:00 pm
by Sob
Srcnat rules are ok. Rule #1 doesn't need dst-address-type="", but it shouldn't break anything.

Dstnat rules are ok too. Condition dst-address=!10.0.0.0/24 is not strictly necessary, I understand it as attempt to exempt non-WAN addresses, which is generally correct, but does not really matter for non-standard ports and it doesn't need to include whole subnet. In more detail, if you had only dst-address-type=local, rules would work for any target address owned by router. If you forwarded some standard port (e.g. 80 for http) and you'd also want to use WebFig on 10.0.0.1:80, it would not work, because even this connection would be forwarded to internal server. That can be fixed by adding dst-address=!10.0.0.1. You have 10.0.0.0/24, which works, because it includes 10.0.0.1. And while it's unnecessary to include whole subnet, it doesn't break anything, because packets to any other 10.0.0.x won't be sent to router anyway. So either change it to dst-address=!10.0.0.1 or get rid of it, in this case it's not important.

Now why it doesn't work, because it should... Try to add these rules, then connect from inside to http://myddnshostname:4003/ and see if they catch anything:
/ip firewall mangle
add action=log chain=postrouting dst-address=10.0.0.5 dst-port=80 protocol=tcp src-address=10.0.0.0/24
add action=log chain=prerouting dst-address=10.0.0.0/24 protocol=tcp src-address=10.0.0.5 src-port=80
And about firewall filters, you're still open for almost everything (e.g. you're an open resolver if you have the DNS service enabled on the router). Think about something like this, it allows only selected stuff and blocks everything else:
/ip firewall filter
add action=accept chain=forward connection-state=established,related comment="allow established and related connection"
add action=drop chain=forward connection-state=invalid comment="drop invalid packets"
add action=accept chain=forward in-interface="WLAN-LAN Bridge" comment="allow access from LAN"
add action=accept chain=forward connection-nat-state=dstnat comment="allow forwarded ports"
add action=reject chain=forward reject-with=icmp-admin-prohibited comment="disallow everything else"
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input in-interface="WLAN-LAN Bridge" comment="allow access from LAN"
add action=accept chain=input protocol=icmp comment="(recommended) allow icmp; may be limited to selected types"
add action=accept chain=input src-address-list=Trusted comment="(optional) allow access from selected remote addresses"
add action=drop chain=input comment="disallow everything else"
Understand it before you try it, to avoid accidents like locking yourself out.

Re: Hairpin NAT broken

Posted: Tue Jun 27, 2017 6:24 pm
by Brillo
Good evening,

I would just like to thank you for your input, I really appreciate all the assistance. I'll test now and give feedback.

I knew the filter rules were a mess, especially the order they were in.

Thanks again - will test now.

Re: Hairpin NAT broken

Posted: Tue Jun 27, 2017 6:54 pm
by Brillo
Hey Sob,

I think you managed to point me in the right direction & fix my issue.

So I tested again now, and everything is working; however, the SharePoint server, which is port forwarded like the example below:

WAN IP / HOSTNAME : 4003 --> 10.0.0.17:80 = Times out / Not working

if changed to

WAN IP / HOSTNAME : 80 --> 10.0.0.17:80 it works...beautifully
WAN IP / HOSTNAME : 8088 --> 10.0.0.17:80 it works...beautifully

Can someone explain this to me?

Is port 4005 unsafe or blocked in any manner?

My Initial concern was also this:

the MikroTik external HTTP access (/ip services) was set to 8888, which is the same as my internal SharePoint web administration console

the firewall rule for port 80 was port forwarded to Glastopf on the honeypot, so I thought it might get confused in some manner: after masquerading, it would try to connect to port 80, which is a different device (10.0.0.17:80)

The resolution to my problem was to understand what is going on here: I have a service running on port 8888 internally, but the MikroTik HTTP port was also 8888.

My new config for the NAT part is simple:

SharePoint 2016 OnPrem
Web http://myhostname:80 -> 10.0.0.17:80
Web Administration http://myhostname -> 10.0.0.17:8888
- changed the mikrotik http under /ip services

Thank you very much for assisting; still, please try to explain why port 4005 was not working, because this confuses me.

Regards

Re: Hairpin NAT broken

Posted: Tue Jun 27, 2017 7:30 pm
by Sob
There was a little mixup with port numbers, 4003 vs. 4005. Too bad I didn't pay much attention to rule comments, I could have noticed it earlier. But it doesn't matter if you were testing the right one.

As far as I know, there's nothing special about port 4005. Even if someone somewhere decided to block it, it can't affect you when you do everything locally. Possible explanation is that web server doesn't like it when it listens on port 80 and gets header "Host: myhostname:4005" with seemingly wrong port. But I'd expect an error message rather than timeout.

Same port 8888 on both RB and server doesn't matter. With "to-addresses=10.0.0.17 to-ports=8888" it's completely independent, because it's same port, but somewhere else. If it was "dst-port=8888", then it would be what I described in previous post (the long paragraph). And to make it short, port forwarding would win over local service.

Re: Hairpin NAT broken

Posted: Tue Jun 27, 2017 9:00 pm
by Brillo
Hi Sob,

So what you are saying is that port forwarding dst-nat rules have a higher priority or value than /ip services?

Thanks friend, you really saved me so much trouble.

I have been struggling with this for months; everybody has a different hairpin NAT config due to the fact that some people use eth1 as the WAN port, others use PPPoE, some use PTP, and some have separate DHCP servers serving LAN and WLAN.

I'm glad that you solved my issue and ensured that I understand what was going on, rather than just fixing it without mentioning.


Regards.

Re: Hairpin NAT broken

Posted: Tue Jun 27, 2017 9:29 pm
by Sob
It's not exactly higher priority, it's just that when packet comes to router, it first goes through prerouting and dstnat chains. After that it's decided where it will go next, either to router (input chain, when destination address is local) or somewhere else (forward chain, when destination address is not local). So when you rewrite destination address in dstnat, you can make it go elsewhere (routing decision will use the new rewritten destination address) and service on router will never know, because you simply "steal" the packet from it.

Hairpin NAT is simple. Did you see that nice step by step explanation in wiki?

It's good that it works now. But I have to say that I'm not really satisfied with my previous explanation. If web server didn't like Host header, it couldn't work from outside either, because those request would have exactly the same header. So in fact I still don't know what was wrong.
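A toy model of the packet path Sob describes (dstnat, then the routing decision, then srcnat), run over dejanb's posted NAT rules and over the dst-address=!10.0.0.1 point from Sob's earlier reply. This is added example code, not from the thread or from MikroTik: PUBLIC_IP is a constructed placeholder for dejanb's public address, the router addresses and subnets come from the posts, and the matcher only understands the rule options used in this thread.

```python
from ipaddress import ip_address, ip_network

PUBLIC_IP = "203.0.113.10"  # constructed placeholder for dejanb's static WAN address
# Router-owned address per interface and LAN subnets, as given in the posts
# (dejanb: ether1 / bridge-lan; Brillo: "WLAN-LAN Bridge" at 10.0.0.1).
ROUTER_ADDRS = {"ether1": PUBLIC_IP, "bridge-lan": "192.168.1.1", "WLAN-LAN Bridge": "10.0.0.1"}
LAN_NETS = {"bridge-lan": "192.168.1.0/24", "WLAN-LAN Bridge": "10.0.0.0/24"}

def in_net(addr, spec):
    """RouterOS-style address matcher: plain IP or CIDR, a leading '!' negates."""
    neg = spec.startswith("!")
    return (ip_address(addr) in ip_network(spec.lstrip("!"), strict=False)) != neg

def matches(rule, pkt):
    """Check only the matchers this thread uses; chain/action/to-* are not matchers."""
    checks = {
        "in-interface": lambda v: pkt["in"] == v,
        "out-interface": lambda v: pkt.get("out") == v,
        "protocol": lambda v: pkt["proto"] == v,
        "dst-port": lambda v: pkt["dport"] == v,
        "src-address": lambda v: in_net(pkt["src"], v),
        "dst-address": lambda v: in_net(pkt["dst"], v),
        "dst-address-type": lambda v: v != "local" or pkt["dst"] in ROUTER_ADDRS.values(),
    }
    return all(checks[k](v) for k, v in rule.items() if k in checks)

def route(dst):
    """Routing decision: router-owned address -> input chain; else forward via the LAN holding it, or the WAN."""
    if dst in ROUTER_ADDRS.values():
        return "input", None
    for iface, net in LAN_NETS.items():
        if ip_address(dst) in ip_network(net):
            return "forward", iface
    return "forward", "ether1"

def process(rules, pkt):
    """dstnat -> routing decision -> srcnat (forwarded packets only); first match wins."""
    pkt = dict(pkt)
    for r in rules:
        if r["chain"] == "dstnat" and matches(r, pkt):
            pkt["dst"], pkt["dport"] = r["to-addresses"], r.get("to-ports", pkt["dport"])
            break
    chain, pkt["out"] = route(pkt["dst"])  # decided on the (possibly rewritten) destination
    if chain == "forward":
        for r in rules:
            if r["chain"] == "srcnat" and matches(r, pkt):
                pkt["src"] = ROUTER_ADDRS[pkt["out"]]  # masquerade: router's address on out-interface
                break
    return chain, pkt

# dejanb's posted rules: dstnat tied to in-interface=ether1, hairpin masquerade only for port 80.
WAN_MASQ = {"chain": "srcnat", "action": "masquerade", "out-interface": "ether1"}
DEJANB_DSTNAT = {"chain": "dstnat", "action": "dst-nat", "in-interface": "ether1", "protocol": "tcp",
                 "dst-port": 3389, "to-addresses": "192.168.1.7", "to-ports": 3389}
DEJANB_HAIRPIN = {"chain": "srcnat", "action": "masquerade", "out-interface": "bridge-lan",
                  "protocol": "tcp", "dst-port": 80, "src-address": "192.168.1.0/24",
                  "dst-address": "192.168.1.7"}
# Sob's fix: match the public address instead of the WAN interface, and hairpin every port.
FIXED_DSTNAT = {"chain": "dstnat", "action": "dst-nat", "dst-address": PUBLIC_IP, "protocol": "tcp",
                "dst-port": 3389, "to-addresses": "192.168.1.7", "to-ports": 3389}
FIXED_HAIRPIN = {"chain": "srcnat", "action": "masquerade", "out-interface": "bridge-lan",
                 "src-address": "192.168.1.0/24", "dst-address": "192.168.1.0/24"}

def hairpin_rdp(dstnat, hairpin):
    """A LAN host opens RDP to the public address; returns (chain, src, dst) after NAT."""
    lan_client = {"src": "192.168.1.50", "dst": PUBLIC_IP, "dport": 3389, "in": "bridge-lan", "proto": "tcp"}
    chain, p = process([WAN_MASQ, dstnat, hairpin], lan_client)
    return chain, p["src"], p["dst"]

def webfig_from_lan(exempt_router):
    """Brillo's port-80 forward with dst-address-type=local: is 10.0.0.1:80 still the router's own
    service, or is the packet 'stolen' by dstnat before the routing decision?"""
    rule = {"chain": "dstnat", "action": "dst-nat", "protocol": "tcp", "dst-port": 80,
            "dst-address-type": "local", "to-addresses": "10.0.0.54", "to-ports": 80}
    if exempt_router:
        rule["dst-address"] = "!10.0.0.1"
    client = {"src": "10.0.0.20", "dst": "10.0.0.1", "dport": 80, "in": "WLAN-LAN Bridge", "proto": "tcp"}
    chain, p = process([rule], client)
    return chain, p["dst"]

if __name__ == "__main__":
    print(hairpin_rdp(DEJANB_DSTNAT, DEJANB_HAIRPIN))  # ('input', '192.168.1.50', '203.0.113.10')
    print(hairpin_rdp(FIXED_DSTNAT, DEJANB_HAIRPIN))   # ('forward', '192.168.1.50', '192.168.1.7')
    print(hairpin_rdp(FIXED_DSTNAT, FIXED_HAIRPIN))    # ('forward', '192.168.1.1', '192.168.1.7')
    print(webfig_from_lan(False), webfig_from_lan(True))
```

The second case shows why the port-80-only hairpin rule is not enough: the RDP packet is forwarded with the LAN client's own source address, so the server answers the client directly and the connection never completes through the router.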

Re: Hairpin NAT broken

Posted: Wed Jun 28, 2017 7:05 am
by Brillo
Good morning Sob,

I shall test tonight and see if it is indeed the case.

My conclusion yesterday was that if I change the port from 4003 to 80 / 8080 it seems to work.


I shall test with both services:

SharePoint web : 80 <- when set to 4005 it timed out.
SharePoint web admin: 8080 <- when set to 4006 it timed out.


I shall test and investigate tonight and give feedback; I know that this should not be the case since there is now NO filter rule whatsoever.

I shall bind port 4005 to a different web service and see if that is working. This way we should be able to determine whether the issue is router-sided or server-sided.

Thanks for the consistent responses.

Have a wonderful day

Re: Hairpin NAT broken

Posted: Wed Jun 28, 2017 3:31 pm
by nichky
dejanb,

can we see your topology, exactly how it looks?