Fires
newbie
Topic Author
Posts: 28
Joined: Thu Aug 18, 2016 11:12 am

My Universal Hairpin

Mon Aug 28, 2017 7:46 pm

Hi, I was looking for a solution for how to make an easy hairpin without the need to make a rule for every NAT or to specify the public IP in every NAT. It looks like it works. Could someone please check it? Do you see any problem with this config?

1) I make a mangle rule to mark hairpin packets (193.165.xxx.xxx is my public IP, 192.168.50.0/24 is my private bridge segment): first I mark all traffic from local to public, second I mark what came from WAN to the public IP
 3    chain=prerouting action=mark-packet new-packet-mark=hairpin passthrough=yes src-address=192.168.50.0/24 dst-address=193.165.154.250 log=no log-prefix=""
 4    chain=prerouting action=mark-packet new-packet-mark=hairpin passthrough=yes dst-address=193.165.xxx.xxx in-interface=eth1-wan log=no log-prefix=""
2) I update my NATs to use the mangle mark
 1    ;;; Hairpin loopback
      chain=srcnat action=masquerade out-interface=bridge_private packet-mark=hairpin log=no log-prefix=""
 4    ;;; DSTNAT - Synology Steinovi
      chain=dstnat action=dst-nat to-addresses=192.168.50.5 to-ports=5000 protocol=tcp packet-mark=hairpin dst-port=5000 log=no log-prefix=""

Could somebody please check this setup for any problems? It looks fine to me... :)
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: My Universal Hairpin

Mon Aug 28, 2017 10:58 pm

"Hairpin NAT" is the part where you srcnat traffic going from LAN to the public address on WAN and then back to LAN. But in your rules you masquerade not only this, but also normal forwarded ports from outside, so you're hiding the original addresses of remote clients. Also, marking packets is not very effective, because NAT works with connections, so only the first packet matters and you're marking the rest for nothing.

I'm not exactly sure what your starting point was that you wanted to simplify, but you can use a hairpin NAT rule like this:
/ip firewall nat
add chain=srcnat src-address=192.168.50.0/24 dst-address=192.168.50.0/24 \
    out-interface=bridge_private action=masquerade
And that's it. It's possible to fine tune it a little if you want, e.g. this:
/ip firewall nat
add chain=srcnat src-address=192.168.50.0/24 dst-address=192.168.50.0/24 \
    out-interface=bridge_private src-address-type=!local action=src-nat to-addresses=193.165.x.x
will make connections from internal clients look like they come from the public address (in fact, you can put any artificial address there) and you'll be able to tell them from connections made by the router itself.

If you wanted to make dstnat rules simpler, chains can help with that (you need to enter the address only once):
/ip firewall nat
add action=jump chain=dstnat dst-address=193.165.x.x jump-target=port-forward
add action=dst-nat chain=port-forward dst-port=5000 protocol=tcp to-addresses=192.168.50.5
add action=dst-nat chain=port-forward dst-port=80,443 protocol=tcp to-addresses=192.168.50.x
add action=dst-nat chain=port-forward dst-port=53 protocol=udp to-addresses=192.168.50.x
add action=dst-nat chain=port-forward dst-port=53 protocol=tcp to-addresses=192.168.50.x
...
Or if you had a dynamic address, the initial jump rule would be (I assume the router has 192.168.50.1):
/ip firewall nat
add action=jump chain=dstnat dst-address=!192.168.50.1 dst-address-type=local jump-target=port-forward
And finally, if you had a restrictive "block everything by default" firewall, you can allow all forwarded ports using this single magic rule:
/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat
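To see concretely why the hairpin srcnat rule is needed at all, and why the mangle-based masquerade from the first post hides the real addresses of remote clients (Sob's first point), here is a small Python simulation of the router's dstnat -> routing -> srcnat -> conntrack pipeline for both rule sets. This is an added example, not code from this thread or from MikroTik. The topology is constructed: 203.0.113.10 and 198.51.100.7 are documentation addresses standing in for the 193.165.x.x public IP and an internet client, the rule-set names "none", "op" and "sob" are labels invented for the example, and ports and the TCP state machine are simplified away (one conntrack entry per flow, keyed on addresses only).

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed topology for this example (placeholders, not the poster's real addresses).
LAN = ipaddress.ip_network("192.168.50.0/24")
ROUTER_LAN_IP = "192.168.50.1"   # router's address on bridge_private
ROUTER_WAN_IP = "203.0.113.10"   # public address, stands in for 193.165.x.x
SERVER = "192.168.50.5"          # dst-nat target for tcp/5000
CLIENT_LAN = "192.168.50.20"     # internal client connecting to the public address
CLIENT_WAN = "198.51.100.7"      # remote client on the internet


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def in_lan(ip: str) -> bool:
    return ipaddress.ip_address(ip) in LAN


class Router:
    """Toy model of dstnat, routing, srcnat and conntrack for a single flow."""

    def __init__(self, hairpin_rule: str):
        # "none": only the dst-nat rule; "op": mangle mark + masquerade on bridge_private;
        # "sob": srcnat src-address=LAN dst-address=LAN out-interface=bridge_private
        self.hairpin_rule = hairpin_rule
        self.conntrack = {}  # (post-NAT src, post-NAT dst) -> (original src, original dst)

    def forward(self, pkt: Packet, in_iface: str):
        orig_src, orig_dst = pkt.src, pkt.dst
        # The first post's mangle rules: LAN -> public IP, or arrived on eth1-wan for the public IP.
        marked = orig_dst == ROUTER_WAN_IP and (in_lan(orig_src) or in_iface == "eth1-wan")
        # chain=dstnat dst-address=<public> protocol=tcp dst-port=5000 to-addresses=192.168.50.5
        if orig_dst == ROUTER_WAN_IP and pkt.dport == 5000:
            pkt = replace(pkt, dst=SERVER)
        # Routing decision happens after dstnat, so it sees the translated destination.
        out_iface = "bridge_private" if in_lan(pkt.dst) else "eth1-wan"
        if self.hairpin_rule == "op":
            # chain=srcnat action=masquerade out-interface=bridge_private packet-mark=hairpin
            if out_iface == "bridge_private" and marked:
                pkt = replace(pkt, src=ROUTER_LAN_IP)
        elif self.hairpin_rule == "sob":
            # chain=srcnat src-address=LAN dst-address=LAN out-interface=bridge_private action=masquerade
            if in_lan(orig_src) and in_lan(pkt.dst) and out_iface == "bridge_private":
                pkt = replace(pkt, src=ROUTER_LAN_IP)
        self.conntrack[(pkt.src, pkt.dst)] = (orig_src, orig_dst)
        return pkt, out_iface

    def reply(self, pkt: Packet) -> Packet:
        """Undo both translations for a reply that actually reaches the router."""
        orig_src, orig_dst = self.conntrack[(pkt.dst, pkt.src)]
        return Packet(src=orig_dst, dst=orig_src, dport=pkt.dport)


def run_scenario(hairpin_rule: str, client_ip: str, in_iface: str):
    """SYN from client_ip to ROUTER_WAN_IP:5000, then the server's SYN-ACK.
    Returns (address the server logs as the client, address the client sees the reply from)."""
    router = Router(hairpin_rule)
    syn = Packet(src=client_ip, dst=ROUTER_WAN_IP, dport=5000)
    fwd, _ = router.forward(syn, in_iface)
    synack = Packet(src=SERVER, dst=fwd.src, dport=5000)
    if in_lan(synack.dst) and synack.dst != ROUTER_LAN_IP:
        # Same L2 segment: the server answers the client directly over the bridge, the
        # router's NAT never sees the reply, so nothing gets un-translated.
        return fwd.src, synack.src
    return fwd.src, router.reply(synack).src


def hairpin_works(hairpin_rule: str) -> bool:
    """The internal client only accepts a SYN-ACK from the address it connected to."""
    _, reply_from = run_scenario(hairpin_rule, CLIENT_LAN, "bridge_private")
    return reply_from == ROUTER_WAN_IP


def remote_client_visible(hairpin_rule: str) -> bool:
    """Does the server still see the real address of an internet client?"""
    server_sees, _ = run_scenario(hairpin_rule, CLIENT_WAN, "eth1-wan")
    return server_sees == CLIENT_WAN


if __name__ == "__main__":
    for rule in ("none", "op", "sob"):
        print(f"{rule:4}: hairpin works={hairpin_works(rule)}, "
              f"remote client visible={remote_client_visible(rule)}")
```

With no hairpin rule the internal client's SYN-ACK comes straight from 192.168.50.5 instead of the public address, so the client's TCP stack discards it; the mangle-based rule set fixes that but masquerades internet clients too, so the server logs every external connection as coming from 192.168.50.1; the src-address/dst-address rule masquerades only LAN-to-LAN traffic and leaves remote addresses intact.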
 
Fires
newbie
Topic Author
Posts: 28
Joined: Thu Aug 18, 2016 11:12 am

Re: My Universal Hairpin

Tue Aug 29, 2017 8:55 am

Thanks a lot. I have so much to learn. Your solution is much cleaner.
