lapsio
Member
Topic Author
Posts: 472
Joined: Wed Feb 24, 2016 5:19 pm

force push local address to gateway? (to avoid Hairpin NAT)

Tue Aug 14, 2018 9:08 pm

Let's say I have the public IP 66.66.66.66. I want to allow users from the LAN to access services exposed via the public IP. Unfortunately there's a quadrillion of zone-like firewall rules, PBR, QoS and tons of other crap. Adding exceptions everywhere for such traffic would be a complete clusterf*ck and I'm trying to avoid it like fire. Also, seeing a LAN IP address as the source in server logs would be at best confusing and uncomfortable, because direct access from LAN to DMZ is obviously strictly forbidden. I can probably perform src-nat to the external IP, but quite serious firewall reworking would still be necessary.

I tried to use action=route in the mangle table, but it doesn't seem to work for packets that land in the "input" chain.

Our old ISP router could perform such routing (so that packets incoming to the MikroTik had our external IP as source-address), but since we replaced it with a pure modem, we now need to accomplish a similar thing with the MikroTik. Though it didn't really have any meaningful firewall for LAN traffic, so it probably had an easier task...
MTCNA, MTCRE, MTCINE
BartoszP
Forum Guru
Posts: 1715
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: force push local address to gateway? (to avoid Hairpin NAT)

Tue Aug 14, 2018 9:13 pm

What is wrong with Hairpin NAT? It is just the name of a technology which "other" routers do behind the scenes.
One line for NAT. That is all.
Real admins use real keyboards.
lapsio
Member
Topic Author
Posts: 472
Joined: Wed Feb 24, 2016 5:19 pm

Re: force push local address to gateway? (to avoid Hairpin NAT)

Tue Aug 14, 2018 10:46 pm

> What is wrong with Hairpin NAT? It is just the name of a technology which "other" routers do behind the scenes.
> One line for NAT. That is all.
I just noticed that if I do what I just described, MikroTik accepts all dst-nated packets, bypassing all firewall rules whatsoever ._. That's the first thing. So basically when I add the second line here:
/ip firewall nat add chain=dstnat action=dst-nat to-address=192.168.2.4 in-interface=gw-isp
/ip firewall nat add chain=dstnat action=dst-nat to-address=192.168.2.4 in-interface=gw-core
it doesn't matter whether I do src-nat or not. It just accepts dst-nat'ed packets that are looped back to the same interface.

And now from the LAN I can access all servers on all ports (I mean the packets are dropped by the core router, not by the edge MikroTik). What's interesting is that it doesn't happen for actually forwarded packets (ones that go out of a different interface than they came in, so e.g. I can't access anything from the Internet, only from the LAN). It's terrifying... HOW COULD ANYONE ACCEPT SUCH BEHAVIOR???
MTCNA, MTCRE, MTCINE
BartoszP
Forum Guru
Posts: 1715
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: force push local address to gateway? (to avoid Hairpin NAT)

Fri Aug 17, 2018 11:29 am

Real admins use real keyboards.
lapsio
Member
Topic Author
Posts: 472
Joined: Wed Feb 24, 2016 5:19 pm

Re: force push local address to gateway? (to avoid Hairpin NAT)

Fri Aug 17, 2018 4:59 pm

In the end I used src-nat to the router's external IP, so basically hairpin NAT, just with the public IP, not a private one. It works. Servers see my external public IP in their logs and packets are "properly" forwarded. Except for 2 issues:
1. I don't have a static IP, but I made a script that updates this rule alongside sending the update to dyndns via the API.
2. viewtopic.php?f=2&t=138032
MTCNA, MTCRE, MTCINE
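Putting the approach from the last post together as one RouterOS configuration, as an added example that is not the thread author's configuration: dst-nat of the published port from both sides, src-nat of LAN clients to the public IP (the hairpin), forward rules that limit the looped-back path to that one service, and a refresh script for the dynamic public IP. The interface names gw-isp/gw-core, the DMZ host 192.168.2.4 and the public IP 66.66.66.66 are from the thread; the LAN range, TCP/443 as the published service, the rule comments and the script are assumptions.

```routeros
# Added example (not the thread author's config). From the thread: interfaces
# gw-isp / gw-core, DMZ host 192.168.2.4, public IP 66.66.66.66. Assumed: the
# LAN range, TCP/443 as the published service, rule comments, and that an
# accept rule for connection-state=established,related already sits earlier
# in the forward chain.
/ip firewall address-list
add list=lan address=10.0.0.0/8 comment="assumed LAN range behind the core router"

/ip firewall nat
# Publish the service on whatever address the router itself holds, both from
# the ISP side and from the LAN side. dst-address-type=local keeps matching
# after the dynamic public IP changes; the port limits what is exposed.
add chain=dstnat dst-address-type=local in-interface=gw-isp protocol=tcp \
    dst-port=443 action=dst-nat to-addresses=192.168.2.4 comment="publish-wan"
add chain=dstnat dst-address-type=local in-interface=gw-core protocol=tcp \
    dst-port=443 action=dst-nat to-addresses=192.168.2.4 comment="publish-hairpin"
# Hairpin: LAN clients hitting the published service are re-sourced to the
# public IP, so the DMZ server logs the same address it sees for Internet
# clients. Only LAN sources match; Internet traffic keeps its real source.
add chain=srcnat src-address-list=lan dst-address=192.168.2.4 protocol=tcp \
    dst-port=443 action=src-nat to-addresses=66.66.66.66 comment="hairpin-srcnat"

/ip firewall filter
# Looped-back path (in and out on gw-core): accept only connections the
# dstnat rule created, drop any other new LAN->gw-core->DMZ attempt so the
# hairpin does not become a side door to unpublished ports.
add chain=forward in-interface=gw-core out-interface=gw-core \
    connection-nat-state=dstnat connection-state=new dst-address=192.168.2.4 \
    protocol=tcp dst-port=443 action=accept comment="hairpin-allow"
add chain=forward in-interface=gw-core out-interface=gw-core \
    connection-state=new action=drop comment="hairpin-drop-rest"

# Dynamic public IP: rewrite the src-nat target when the gw-isp address
# changes (assumes a single address on gw-isp). Scheduled next to the dyndns update.
/system script
add name=hairpin-refresh source={
    :local addr [/ip address get [/ip address find interface="gw-isp"] address]
    :local ip [:pick $addr 0 [:find $addr "/"]]
    :local rule [/ip firewall nat find comment="hairpin-srcnat"]
    :if ([/ip firewall nat get $rule to-addresses] != $ip) do={
        /ip firewall nat set $rule to-addresses=$ip
        :log info "hairpin src-nat target updated to $ip"
    }
}
/system scheduler
add name=hairpin-refresh interval=1m on-event=hairpin-refresh
```

dst-address-type=local also covers the router's own gw-core address, so if the router itself serves TCP/443 to the LAN, narrow the publish-hairpin rule with dst-address instead.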
