Jotne
Forum Guru
Topic Author
Posts: 1309
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Why (not) use Hairpin NAT

Mon Dec 31, 2018 10:33 am

I have always used a local DNS server to reach my servers that are behind NAT from the Internet.
It's simple and works very well.
So if my webserver is video.myserver.com with local IP 192.168.100.50, it will have a public DNS record for external users pointing to 82.xx.xx.xx and a local DNS entry pointing to 192.168.100.50.
One line (DNS) to add for each service, no change in any NAT rules.

When you set up Hairpin NAT and have a dynamic IP on the outside, you do need to use the Cloud function (or another dyndns system) and change all your NAT setup to get it to work.
Example video:
https://www.youtube.com/watch?v=_kw_bQyX-3U

Also found this good comment by thirdstreetzero on reddit:
It breaks all kinds of fundamental standards and norms, not to mention statistics, security, things like fasttrack, etc. It makes transitions away from your current configuration more difficult. It's impossible for future people to interpret, as it shouldn't be done and without adequate explanation can often require a confusing mess of other work, especially if you've got any queues or packet mangling.

Imagine wanting to go into your living room, but to do so you need to go out the back door, around the block, and in through your front door. If that seems too much of an exaggeration, draw out what you are planning on doing using networking nomenclature. It's equally silly. Your problem, if you state it properly, is that you are not addressing the resource in a way that allows you the shortest path to it. So the problem is how you address it, not how you access it. Once you have accepted that, you can move to the next problem, which is ubiquitous access methods. You don't want to think about where you are, or what network you're on, in order to access the resource. Clearly using the local IP won't work, since that won't work outside the network. Luckily, we have a solution in DNS. Now all that's left is to configure a local DNS server to handle requests from within and around the local network, and configure your external DNS to do the same.

Edit:
People use meth to escape their shitty lives. People speed in their cars because they can't manage their time well. People don't pick their dogs shit up because they're lazy. This is similar - people that have no idea what they're doing have created a solution to a problem they don't understand. This was made worse for a long time by shitty router manufacturers that included (and still do include) options to implement this specifically, because it quickly satisfies, as you said, a common problem. That does not mean it's correct. It isn't. You have literally everything you need on any ROS device to handle this problem correctly, without ever using hairpin NAT.
Does anyone have a comment on this?
Any good reason for using Hairpin NAT other than not having a local DNS server?
Last edited by Jotne on Mon Dec 31, 2018 8:33 pm, edited 2 times in total.
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
ivicask
Member Candidate
Posts: 238
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: Why not use Hairpin NAT

Mon Dec 31, 2018 11:55 am

Not sure what your post means? Why not use it? Anyway, with DNS you can only do a single internal host; if you need multiple IPs to work with a DNS name inside your network you simply must use hairpin.

For example, how would you access 3 different IPs via a DNS name? If you add a static entry for, say, mydomain.dyndns.org to 192.168.1.50 (some server), what if I need access to 192.168.1.51 also but on another port? If I hit mydomain.dyndns.org it will again point me to the first one, 192.168.1.50.

With hairpin you can do this, for example different ports go to different internal IPs and ports.

mydomain.dyndns.org:5000 -> 192.168.1.50:3389
mydomain.dyndns.org:6000 -> 192.168.1.60:3389
mydomain.dyndns.org:8080 -> 192.168.1.60:80

It also works regardless of what DNS server local users use.

Sorry if I didn't explain well.
 
Jotne
Forum Guru
Topic Author
Posts: 1309
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Why (not) use Hairpin NAT

Mon Dec 31, 2018 12:10 pm

I do use HAProxy to handle all my servers/web servers. This way I only need to point ports 80/443 from outside to one IP. On the inside, I point all DNS to the HAProxy server. It then sends it to the correct server.
The meaning of this post was to get a discussion about Hairpin NAT: why, why not use it.

I can see that with only the MT router you get a problem with
mydomain.dyndns.org:80 points to 192.168.1.50:80
mydomain.dyndns.org:22 points to 192.168.1.51:22
 
 
 
mkx
Forum Guru
Posts: 3180
Joined: Thu Mar 03, 2016 10:23 pm

Re: Why (not) use Hairpin NAT

Mon Dec 31, 2018 6:29 pm

I agree with quoted comment by thirdstreetzero.

Just think about going IPv6 ... no NAT there. So HairpinNAT really is an obscure solution to a specific problem ... and the use case of @ivicask is just further exaggerated misuse.

Quite a few times people have requested a full-featured DNS server for ROS ... and the excuse is that they've got a super-duper CCR1072 sitting in the comms closet and that it should be fit to perform those duties as well. I guess those people use their super-size wheel loaders for drift racing and container loading as well? People should use the proper tool for a particular job, that's all.
BR,
Metod
 
ivicask
Member Candidate
Posts: 238
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: Why (not) use Hairpin NAT

Mon Dec 31, 2018 8:50 pm

Now I'm confused, so please tell me: how do I reach my various internal IP addresses via the same DNS host name from both outside and inside the network, if not via hairpin?
 
Jotne
Forum Guru
Topic Author
Posts: 1309
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Why (not) use Hairpin NAT

Mon Dec 31, 2018 9:02 pm

Use internal DNS.


When someone on the internet asks for your server web.myserver.com on internal IP 192.168.10.50, he asks a public DNS and gets the public IP 85.12.134.20 (sample IP) that you have registered on a public DNS server.

Then when you are on the internal net, you will use the DNS server you get from your DHCP server. That should not be Google or another public DNS server, but your own DNS server. There you will get the local IP 192.168.10.50. So you access your internal server directly without passing through your router.
 
 
 
ivicask
Member Candidate
Posts: 238
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: Why (not) use Hairpin NAT

Mon Dec 31, 2018 9:06 pm

It doesn't work like that at all. I can add a single static DNS entry and point it to my server; yes, it works for a single internal IP, but I need 10, for example.

Tell me how you can do that via DNS, which is the whole point of hairpin?
 
Jotne
Forum Guru
Topic Author
Posts: 1309
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Why (not) use Hairpin NAT

Mon Dec 31, 2018 9:17 pm

server0.home.com 192.168.10.50
server1.home.com 192.168.10.51
server2.home.com 192.168.10.52
server3.home.com 192.168.10.53
server4.home.com 192.168.10.54
server5.home.com 192.168.10.55
server6.home.com 192.168.10.56
server7.home.com 192.168.10.57
server8.home.com 192.168.10.58
server9.home.com 192.168.10.59
If you buy a DNS name ($10 a year) you can register as many public names as you like.
No need to use ports other than the default.

Could you give a full example of where Hairpin NAT is the only solution?
DNS name, ports, local/public IP etc.
 
 
 
ivicask
Member Candidate
Posts: 238
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: Why (not) use Hairpin NAT

Mon Dec 31, 2018 9:30 pm

What you're suggesting is a nightmare. I have a single public DNS name and I can access everything in my and other companies while I'm in the local network or outside.

Example? I need access to 3 servers via RDC.
192.168.50.50 external port 3000 internal 3389
192.168.50.60 external port 4000 internal 3389
192.168.50.70 external port 5000 internal 3389
Then I have a video recorder
192.168.50.80, 2-3 various ports for it to work.

Now I have set in my RDC connection file the public DNS name with ports matching which server I want to access
blablab.dyndns.org:3000
blablab.dyndns.org:4000
blablab.dyndns.org:5000

Or I have in my phone in the video surveillance app blablab.dyndns.org (it automatically uses the ports it needs).

And all works: single DNS name, I can access various internal IPs and ports from outside or inside the network.

What you're suggesting is an unnecessary complication (and cost); I would need to have different DNS names for everything I want to access on the network. In some companies I have over 30 internal IPs, which would mean 30 domains instead of one...

Besides, my question: what's actually wrong with Hairpin NAT? It doesn't lower security as far as I see it, and doesn't affect router performance (at least in my scenarios).
 
Jotne
Forum Guru
Topic Author
Posts: 1309
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Why (not) use Hairpin NAT

Mon Dec 31, 2018 10:00 pm

Now I have set in my RDC connection file the public DNS name with ports matching which server I want to access
blablab.dyndns.org:3000
blablab.dyndns.org:4000
blablab.dyndns.org:5000
I see that could be a problem.
But I would not have done it this way. For what you need to pay dyndns.org each year to avoid renewing it all the time, you can get your own domain for around $10. Then you do:
blablab1.myserver.com:3000
blablab2.myserver.com:4000
blablab3.myserver.com:5000

But I would never open many RDP sessions to the internet.
Open only one RDP server and from that server connect to all the others.
The less the better.

And since you do not use 3389, this is just for your admin use and not a generic solution, so you can handle many DNS names as easily as you would handle different ports.
 
 
 
ivicask
Member Candidate
Posts: 238
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: Why (not) use Hairpin NAT

Mon Dec 31, 2018 10:09 pm

It's a mix; users often use it also: RDC, VPN, video recorders etc.

For RDC I mostly use whitelisted IPs or SSTP VPN so it's very secure.

And as it usually goes I must go for simplest and cheapest solutions which hairpin in most cases is.
 
Paternot
Long time Member
Posts: 607
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: Why (not) use Hairpin NAT

Mon Dec 31, 2018 11:10 pm

Edit:
People use meth to escape their shitty lives. People speed in their cars because they can't manage their time well. People don't pick their dogs shit up because they're lazy. This is similar - people that have no idea what they're doing have created a solution to a problem they don't understand. This was made worse for a long time by shitty router manufacturers that included (and still do include) options to implement this specifically, because it quickly satisfies, as you said, a common problem. That does not mean it's correct. It isn't. You have literally everything you need on any ROS device to handle this problem correctly, without ever using hairpin NAT.
Does anyone have a comment on this?
Any good reason for using Hairpin NAT other than not having a local DNS server?

I have.

I use hairpin NAT out of necessity. Don't get me wrong: I hate all things NAT with a passion. One of the best things about IPv6 is the possibility of killing NAT. One can always dream.

Anyway.

I host several game servers, on my home connection. When someone joins the match, it does so by browsing the Steam list of available games. I have to do it too - it's just how it works. So, I join a game on my external IP - coming from my intranet. Without hairpin NAT it doesn't work for me. Simple as this.

So, no. Just because it doesn't fit your use case it doesn't mean that it is wrong to use.
 
Jotne
Forum Guru
Topic Author
Posts: 1309
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Why (not) use Hairpin NAT

Tue Jan 01, 2019 2:21 am

So, no. Just because it doesn't fit Your use case it doesn't mean that it is wrong to use.
Do not get me wrong, sometimes it's the only way to do it.
I do use DNS and HAProxy to handle all my servers and it works perfectly.
 
 
 
nostromog
Member Candidate
Posts: 161
Joined: Wed Jul 18, 2018 3:39 pm

Re: Why (not) use Hairpin NAT

Tue Jan 01, 2019 1:42 pm

It is a balance between requirements.

Even for a small company dealing with around 30 identities it is tricky and sometimes impossible to force all people to use our internal DNS, as there are different use cases:
  • cloud servers connecting to server through VPN need stable addressing
  • road warriors
  • teleworking
  • VPN accesses
Also, as Paternot commented, sometimes addresses are coming from different sources than DNS.

Hairpin NAT is complicated and brings its own problems, but sometimes it is the only way to have a smooth user experience when you arrive at the office with your laptop for half an hour, and then go to a café to keep working using VPN...

I agree that IPv6 is greatly simplifying all of this, while forcing us to tighten our security requirements on computers and people re: password strength and service exposure...
 
Jotne
Forum Guru
Topic Author
Posts: 1309
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Why (not) use Hairpin NAT

Tue Jan 01, 2019 2:16 pm

Looking forward to IPv6 becoming the default protocol. With today's speed, maybe 2050 ;)

You can force clients to use your DNS like this:
/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=192.168.88.1 to-ports=53 protocol=udp dst-port=53 
or like this:
/ip firewall nat
add chain=dstnat action=redirect dst-address-type=!local dst-port=53 protocol=udp to-ports=53
 
 
 
PatricF
just joined
Posts: 15
Joined: Tue May 17, 2011 10:59 am

Re: Why (not) use Hairpin NAT

Tue Mar 12, 2019 3:51 pm

...
Also found this good comment by thirdstreetzero on reddit:
It breaks all kinds of fundamental standards and norms, not to mention statistics, security, things like fasttrack, etc. It makes transitions away from your current configuration more difficult. It's impossible for future people to interpret, as it shouldn't be done and without adequate explanation can often require a confusing mess of other work, especially if you've got any queues or packet mangling.

Imagine wanting to go into your living room, but to do so you need to go out the back door, around the block, and in through your front door. If that seems too much of an exaggeration, draw out what you are planning on doing using networking nomenclature. It's equally silly. Your problem, if you state it properly, is that you are not addressing the resource in a way that allows you the shortest path to it. So the problem is how you address it, not how you access it. Once you have accepted that, you can move to the next problem, which is ubiquitous access methods. You don't want to think about where you are, or what network you're on, in order to access the resource. Clearly using the local IP won't work, since that won't work outside the network. Luckily, we have a solution in DNS. Now all that's left is to configure a local DNS server to handle requests from within and around the local network, and configure your external DNS to do the same.

Edit:
People use meth to escape their shitty lives. People speed in their cars because they can't manage their time well. People don't pick their dogs shit up because they're lazy. This is similar - people that have no idea what they're doing have created a solution to a problem they don't understand. This was made worse for a long time by shitty router manufacturers that included (and still do include) options to implement this specifically, because it quickly satisfies, as you said, a common problem. That does not mean it's correct. It isn't. You have literally everything you need on any ROS device to handle this problem correctly, without ever using hairpin NAT.
...
Thank you for this post. I did exactly this; I was overthinking it and I really have no idea why.
I have an internal DNS server at home (Pi-Hole) that I use so I just added the entries for my domains in there and it worked.
No need for crappy HairpinNAT so thank you!
 
Steveocee
Forum Guru
Posts: 1110
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Why (not) use Hairpin NAT

Tue Mar 12, 2019 5:25 pm

Firstly, thank you for linking my video 8)
I use home.mydomain.com for getting into certain things remotely and from home. These are differentiated by port number. I can't do that with internal DNS so it suits me quite well. I shared what I found as I initially had a lot of problems getting a hairpin NAT to work.

The post by thirdstreetzero is another prime example of why I love MikroTik so much. There are multiple ways of doing the same task, there is nothing to say who is correct or who is not or even who is more correct. Take a look at the comments in my video, there are a lot of people who have identified the need for a solution for the niche problem and have been very successful following my advice.

The bit about going round the block I don't fully agree with; ultimately the client needs to get somewhere, so it queries the router where to go, and the router either says go down this cable, it's on my LAN, or it says go down this cable, it's on my LAN. I understand where the comment is coming from and why, and can vouch for it never having caused me any queuing problems, mangling problems, security issues or even fasttrack problems.

Each to their own but if it triggers people so much that their solution is better because mine is not needed then maybe they should help others with that knowledge, make a YT video, title it MikroTik Hairpin NAT and then supersede me at the top of the search list? (That comment isn't intended as being arrogant although it may read that way).
ytnat.jpg
Steve "Steveocee" Carter
PC Gamer, Airsofter, MikroTik Nerd
My Website - My MikroTik Tutorials
 
Sob
Forum Guru
Posts: 4796
Joined: Mon Apr 20, 2009 9:11 pm

Re: Why (not) use Hairpin NAT

Wed Mar 13, 2019 6:12 am

So I missed this thread when it was new, but it's not too late to disagree now - hairpin NAT is awesome! ;)

Ok, that was just to even things out a little. Reality is that hairpin NAT should be unnecessary, a long-obsolete hack from the old IPv4 + NAT times that were supposed to end years ago. Unfortunately, since the world is clearly not as excited by IPv6 as I've been for the last ~18 years (well, I'm not sure if I'm still excited, but that's another matter), we're still living in IPv4 + NAT times and things only got worse.

Hairpin NAT, even though it's still a hack, is a simple, foolproof and elegant way to solve many problems. It's one single srcnat rule. You set it once and you can forget about it. It will transparently work with anything, any hostname, even without DNS, no future changes necessary. How can anyone not like it?

There's one downside: packets from the LAN to the public address on the router, from which ports are forwarded to an internal server in the same LAN, will take an unnecessary trip there and back to the LAN. So if you expect heavy traffic, you'd better go with internal DNS. But that's it.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
CZFan
Forum Guru
Posts: 1435
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: Why (not) use Hairpin NAT

Wed Mar 13, 2019 6:57 am


100% in agreement with above
MTCNA, MTCTCE, MTCRE & MTCINE
 
Jotne
Forum Guru
Topic Author
Posts: 1309
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Why (not) use Hairpin NAT

Wed Mar 13, 2019 8:43 am

There's one downside, packets from LAN to public address on router, from which ports are forwarded to internal server in same LAN, will take unnecessary trip there and back to LAN. So if you expect heavy traffic, you better go with internal DNS. But that's it.
I do agree Hairpin NAT is a good thing.
But if you do have an internal DNS server (separate or on your MT router), it's just one line to add to the DNS so it goes to the internal IP instead of the external IP.

So it's one line to configure Hairpin NAT and one line to configure DNS. Select what works best for you :)
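As an added example (not configuration from any post in this thread), here are the two approaches side by side in RouterOS syntax, for the setup described earlier in the thread (web.myserver.com on 192.168.10.50, public address 85.12.134.20); the LAN 192.168.10.0/24, the router LAN address 192.168.10.1 and an interface list named WAN are assumptions.

```routeros
# Added example, not from any post in this thread. Assumed: LAN 192.168.10.0/24,
# router LAN address 192.168.10.1, interface list "WAN"; the rest comes from the thread.

# --- Common to both approaches: the port forward for Internet users ---
/ip firewall nat
add chain=dstnat dst-address=85.12.134.20 protocol=tcp dst-port=80,443 \
    action=dst-nat to-addresses=192.168.10.50 comment="web.myserver.com"
# With a dynamic public IP, replace dst-address=85.12.134.20 by
# dst-address-type=local dst-address=!192.168.10.1, otherwise the rule would
# also capture connections to the router's own LAN address on 80/443.

# --- Option A: hairpin NAT ("one srcnat rule") ---
# A LAN client connecting to 85.12.134.20 is dst-nat'ed to .50 by the rule above.
# Without the rule below, the server would answer the client directly from .50;
# the client expects an answer from 85.12.134.20 and drops it. Masquerading
# LAN-to-LAN forwarded traffic makes the server reply via the router, which
# un-NATs it. Side effect: the server sees 192.168.10.1 as source, not the client.
add chain=srcnat src-address=192.168.10.0/24 dst-address=192.168.10.0/24 \
    action=masquerade comment="hairpin NAT"

# --- Option B: split-horizon DNS ("one line in DNS") ---
/ip dns static
add name=web.myserver.com address=192.168.10.50
# Clients must actually use the router as resolver for the override to apply.
/ip dns set allow-remote-requests=yes
/ip dhcp-server network set [find address=192.168.10.0/24] dns-server=192.168.10.1
# allow-remote-requests answers on every interface, so block resolver access
# from the Internet (place these before any rule that accepts WAN input).
/ip firewall filter
add chain=input in-interface-list=WAN protocol=udp dst-port=53 action=drop \
    comment="no open resolver"
add chain=input in-interface-list=WAN protocol=tcp dst-port=53 action=drop
```

Option A makes LAN traffic to the public name traverse the router twice (the trip Sob describes); option B keeps it on the LAN but only works for clients that use the router's resolver.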
 
 
 
Sob
Forum Guru
Posts: 4796
Joined: Mon Apr 20, 2009 9:11 pm

Re: Why (not) use Hairpin NAT

Wed Mar 13, 2019 2:18 pm

There are few more differences...

Why hairpin NAT is the best thing in the world (only slightly biased comparison with local DNS override :D)

Initial config:
  • common: nothing
  • dns: nothing
  • hairpin: add one srcnat rule
Oops, hairpin is losing right from the start. Well...

Put company webserver behind router (www.company.tld and company.tld):
  • common: add one dstnat rule to forward ports 80 and 443 to internal server; in public dns, point two hostnames to router's public address
  • dns: add two hostnames in local dns
  • hairpin: nothing to do, everything works
Add another virtual host (eshop.company.tld):
  • common: in public dns, point one hostname to router's public address
  • dns: add one hostname in local dns (it won't work for local users until you do)
  • hairpin: nothing to do, everything works
Move eshop to different external server:
  • common: in public dns, point eshop hostname to different public address
  • dns: remove eshop hostname from local dns (if you don't, local users will keep connecting to local server, which either doesn't run the virtual host anymore or in worse case it has stale version, so it seemingly works, but has old data, e.g. new orders don't show up)
  • hairpin: nothing to do, everything works
Move virtual hosts to different internal server:
  • common: change to-addresses in dstnat rule
  • dns: in local dns, change all hostnames to new address
  • hairpin: nothing to do, everything works
Mail server (behind same router) uses common mail.company.tld for everything (smtp, imap, ...). For some reason, you need to split the server in two, with smtp port going to one and others to another. You'd like to keep mail.company.tld, because too many people have it configured in all their devices:
  • common: split dstnat rule for port 25 from the rest and set its to-addresses to another server
  • dns: "Houston, we have a problem..."
  • hairpin: nothing to do, everything works
Someone scares CEO with DNS-hijacking and recommends to run DNSSEC validating resolver on his own notebook; CEO believes that it's the only way and refuses to consider any other solution:
  • common: nothing
  • dns: "oh no, not again..."
  • hairpin: nothing to do, everything works
CEO has bookmarked company FTP server, which is behind same router, the bookmark is for public numeric address (no hostname) and he insists that it must work even from same LAN (and encryption is required, so there's no chance for any conntrack magic):
  • common: add one dstnat rule to forward control and passive data ports to internal server
  • dns: "that's it, I quit!"
  • hairpin: nothing to do, everything works
Ok, I know I'm stretching it, but it's all true.
 
Deantwo
Member
Posts: 308
Joined: Tue Sep 30, 2014 4:07 pm

Re: Why (not) use Hairpin NAT

Tue Oct 08, 2019 2:29 pm

One reason not to use hairpin NAT that I haven't seen anyone mention here is that you lose some of your ability to log what people on the LAN are doing to your servers. Not so much a difference in how difficult it is to set up, but keep in mind that some other things are lost when you just source NAT everything with a hairpin NAT rule.

For example in hairpin NAT'ed network, all connections from your LAN that access the company's FTP server's external IP-address will look like they are coming from the router rather than from the internal computers. Only way to track this is to log it on the NAT'ing router, which might have more than enough things being logged already.

Another issue I have with hairpin NAT'ing is when you have many different LANs. Either you have to make a very wide hairpin NAT rule, or keep adding a new hairpin NAT rule every time a new LAN is created. This is further complicated if your servers are also not all on one dedicated server LAN/DMZ, having to again make a wide hairpin NAT rule that covers all of them or keep adding new hairpin NAT rules as servers get setup on new LANs/DMZs. Mix those two and you need a lot of hairpin NAT rules or one very wide hairpin NAT rule that covers everything from your whole network to your whole network.

I agree that making internal DNS is a good idea for some things, but it all depends on how complex your network is. But you might also have some issues with troubleshooting when you use internal DNS, since you aren't technically pinging the same device as external people.
Not that I normally hear anyone suggesting that ICMP should be destination NAT'ed to the servers you are port-forwarding to. So in most cases you are just pinging the router and not the actual server when you ping a domain name. But at least you would be pinging the same device as the external people.

I have yet to actually work with IPv6, but the idea of not having NAT at all and just using simple stateful firewalls seems like a very nice and clean solution.
I wish my FTP was FTL.
 
Sob
Forum Guru
Posts: 4796
Joined: Mon Apr 20, 2009 9:11 pm

Re: Why (not) use Hairpin NAT

Tue Oct 08, 2019 3:09 pm

If you have a publicly accessible service and a thousand remote computers connect to it, it's possible that you will see just one source address, if they happen to be behind the same remote NAT. If you can live with this, why should you be bothered when accesses from your LAN are hidden behind one common address too?

Personally I don't like to see the router's internal address as source, because that really looks confusing. But it doesn't have to be that; you can use action=src-nat instead of the usual masquerade and set any address you like. I usually use the router's public address, that looks right to me. Or you can use any random address you like and it will work too.

If you really can't live without telling one internal client from another, you can netmap real source addresses to some virtual subnet. But I still don't understand why. Hairpin NAT is a hack, it's a convenient way to let internal clients use the public entrance. It's less efficient, because traffic has to unnecessarily travel to the router and back. But it's great, because things will still work instead of breaking completely. If not being able to tell one internal client from another is a problem for you, I'd say you're trying to see hairpin NAT as something more than it actually is.

Many rules for large LANs with many subnets, well, that may be unfortunate, but it's to be expected that the configuration for a large network will be more complex than for a small one.

Btw, one fresh point for hairpin NAT: When browsers enable DNS over HTTPS, everything will still work great and admin won't have to move the finger. Internal DNS overrides on the other hand, ...
 
Steveocee
Forum Guru
Posts: 1110
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Why (not) use Hairpin NAT

Tue Oct 08, 2019 6:03 pm

Another issue I have with hairpin NAT'ing is when you have many different LANs. Either you have to make a very wide hairpin NAT rule, or keep adding a new hairpin NAT rule every time a new LAN is created. This is further complicated if your servers are also not all on one dedicated server LAN/DMZ, having to again make a wide hairpin NAT rule that covers all of them or keep adding new hairpin NAT rules as servers get setup on new LANs/DMZs. Mix those two and you need a lot of hairpin NAT rules or one very wide hairpin NAT rule that covers everything from your whole network to your whole network.
Nope.
Simply use address lists. One rule for hairpin, then add a range to the address list when needed.
Steve "Steveocee" Carter
PC Gamer, Airsofter, MikroTik Nerd
My Website - My MikroTik Tutorials
 
Sob
Forum Guru
Forum Guru
Posts: 4796
Joined: Mon Apr 20, 2009 9:11 pm

Re: Why (not) use Hairpin NAT

Tue Oct 08, 2019 10:05 pm

That will unnecessarily apply srcnat also to connections between different subnets where it could work without it.

And one more point for hairpin NAT (edit: actually, this is not exactly hairpin NAT itself, because srcnat would not be required; but it's related):

Let's say you do have a larger LAN with multiple subnets and different access rules. For example, four different LANs for servers, admins, employees and guests. Admins can access everything, others only the internet and nothing else, i.e. there's no direct access to servers from employees or guests. Your website is on a server in the servers' LAN and it should be accessible to anyone. If you use a DNS override, you have to add new firewall filter rule(s) for that, to allow access from the employees' and guests' LANs to the given server, and it's another thing you need to keep in sync. With hairpin NAT, you again don't need to do anything (it's starting to get boring ;)), because everything will be allowed automatically by the probably already existing:
/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
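The points made in Sob's two posts above (src-nat with an explicit public address instead of masquerade, netmap onto a virtual subnet if clients must stay distinguishable, and the connection-nat-state=dstnat filter rule that makes per-subnet accept rules unnecessary) together with Steveocee's address-list suggestion, put into one RouterOS configuration. This is an added example, not configuration posted by anyone in this thread. The interface name ether1, the placeholder public address 203.0.113.10, the server 192.168.100.50 and the four subnets are assumptions chosen to match the scenario described.

```routeros
# Added example, not from any post in this thread. Assumed layout: WAN on
# ether1 with placeholder public address 203.0.113.10; web server at
# 192.168.100.50 in the server LAN 192.168.100.0/24; client LANs
# 192.168.10.0/24 (admins), 192.168.20.0/24 (employees), 192.168.30.0/24 (guests).

/ip firewall address-list
add list=lan-subnets address=192.168.10.0/24 comment="admins"
add list=lan-subnets address=192.168.20.0/24 comment="employees"
add list=lan-subnets address=192.168.30.0/24 comment="guests (a new LAN is one more list entry, no new NAT rule)"
add list=servers address=192.168.100.0/24 comment="server LAN / DMZ"

/ip firewall nat
# 1. Publish the service. Deliberately no in-interface= match, so the rule also
#    catches LAN clients that resolved the public name to 203.0.113.10.
#    With a dynamic WAN address use dst-address-type=local instead of dst-address=.
add chain=dstnat dst-address=203.0.113.10 protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.100.50 comment="publish web server"

# 2. Hairpin. In the srcnat chain the destination has already been rewritten to
#    the internal server, so match on the server list, not on the public address.
#    Without this rule the server would answer the client directly from
#    192.168.100.50; the client expects a reply from 203.0.113.10 and drops it.
#    action=src-nat with an explicit address rather than masquerade, so the
#    server log shows the public address instead of the router's LAN address
#    (with a dynamic WAN address, fall back to action=masquerade here).
add chain=srcnat src-address-list=lan-subnets dst-address-list=servers \
    action=src-nat to-addresses=203.0.113.10 comment="hairpin NAT"

# 3. Ordinary internet masquerade. Hairpin traffic leaves via a LAN interface,
#    so it never matches this rule.
add chain=srcnat out-interface=ether1 action=masquerade comment="WAN masquerade"

# Alternative to rule 2 when internal clients must stay distinguishable in the
# server logs: map each client subnet 1:1 onto a private "virtual" prefix
# instead of collapsing everyone onto one address. This costs one rule per subnet.
# add chain=srcnat src-address=192.168.20.0/24 dst-address-list=servers \
#     action=netmap to-addresses=10.20.20.0/24 comment="hairpin, employees, 1:1"

/ip firewall filter
add chain=forward connection-state=established,related action=accept
# Anything that passed through dst-nat is accepted whatever its source subnet.
# This single rule is why the hairpin path needs no per-subnet filter rule;
# it must sit above the drop rule below.
add chain=forward connection-nat-state=dstnat connection-state=new action=accept \
    comment="allow dst-natted connections"
add chain=forward src-address-list=lan-subnets src-address=!192.168.10.0/24 \
    dst-address-list=servers action=drop comment="only admins reach servers directly"

# For comparison, the DNS-override approach needs no NAT involvement at all,
# but the connection is then never dst-natted, so employees and guests would
# hit the drop above unless an explicit accept for 192.168.100.50 tcp/443 is
# added as well (the rule Sob describes having to keep in sync).
# /ip dns static add name=www.example.net address=192.168.100.50
```

The order of the filter rules matters: if the connection-nat-state=dstnat accept is placed after the drop, hairpinned connections from the employee and guest LANs are dropped even though the NAT rules are correct, which is the usual reason "hairpin works from the admin LAN but not from guests".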
 
Zacharias
Forum Veteran
Forum Veteran
Posts: 749
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Why (not) use Hairpin NAT

Tue Oct 08, 2019 11:37 pm

Personally i use Hair pin nat in the following cases (just an example)
I have a DNS name which, with the help of a script, I update with my public IP address, and at the same time there is a static DNS entry in my router with the same DNS name which points to my router's IP...

This way I can access from a public place any device I wish in my LAN with the appropriate port forward... And at the same time, when I am inside my LAN, I can still do the same...

For example, I can see my DVR cameras from outside and inside the LAN by using the exact same DNS name with no changes at all... So when I am outside the LAN it resolves to my public IP, but when I am inside the LAN it resolves to the router's IP, and with the help of hairpin NAT (masquerade and dst-nat) I can access my DVR...
 
User avatar
xvo
Long time Member
Long time Member
Posts: 586
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Why (not) use Hairpin NAT

Tue Oct 08, 2019 11:45 pm

Personally i use Hair pin nat in the following cases (just an example)
I have a DNS name which, with the help of a script, I update with my public IP address, and at the same time there is a static DNS entry in my router with the same DNS name which points to my router's IP...

This way I can access from a public place any device I wish in my LAN with the appropriate port forward... And at the same time, when I am inside my LAN, I can still do the same...

For example, I can see my DVR cameras from outside and inside the LAN by using the exact same DNS name with no changes at all... So when I am outside the LAN it resolves to my public IP, but when I am inside the LAN it resolves to the router's IP, and with the help of hairpin NAT (masquerade and dst-nat) I can access my DVR...
And what is the role of hairpin nat in this scheme? Why can't you just point the inside DNS directly to the resource?!
 
Zacharias
Forum Veteran
Forum Veteran
Posts: 749
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Why (not) use Hairpin NAT

Tue Oct 08, 2019 11:52 pm

And what is the role of hairpin nat in this scheme? Why can't you just point the inside DNS directly to the resource?!
Because I don't want my DNS to point at a specific device... so simple...
 
User avatar
xvo
Long time Member
Long time Member
Posts: 586
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Why (not) use Hairpin NAT

Wed Oct 09, 2019 1:34 am

Ok, I get it.
Some people in this thread are from ip:port + hairpin nat camp.
Others from dns + reverse proxy camp.
You are somewhere in the middle :lol:
