nobody123
newbie
Topic Author
Posts: 27
Joined: Mon Oct 02, 2017 7:38 pm

Hairpin NAT between two VLANs

Mon Mar 11, 2019 11:08 pm

Hi,

I have a webserver in IP Range 192.168.100.0/24 and I have a client in 192.168.0.0/24.

I can't connect to my webserver via my domain address from inside my network, which is why I would like to set up hairpin NAT. I tried to do it following this tutorial: https://www.youtube.com/watch?v=_kw_bQy ... e=youtu.be but it doesn't work. I entered 192.168.100.0/24 as Src. Address and 192.168.0.0/24 as Dst. Address.

I have a filter rule that drops all traffic between both nets (and I would like to keep it that way: block all traffic between these two networks). I would like it to work this way: PC <--> Internet <--> Webserver. This worked before, but now I have a static IP and it doesn't work anymore...

What can I do?
 
Van9018
Long time Member
Posts: 558
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: Hairpin NAT between two VLANs

Mon Mar 11, 2019 11:21 pm

You need 4 rules per hairpin. This tutorial worked for me: https://wiki.mikrotik.com/wiki/Hairpin_NAT

Or you can override DNS in the Mikrotik to repoint your website url to the LAN IP of your webserver.
 
nobody123
newbie
Topic Author
Posts: 27
Joined: Mon Oct 02, 2017 7:38 pm

Re: Hairpin NAT between two VLANs

Mon Mar 11, 2019 11:42 pm

4 rules? Which ones do I need? The wiki only mentions one, and the tutorial as well.

DNS: I'm using Pi-hole as the DNS for my client, and 1.1.1.1 for my webserver. Should I modify my Pi-hole?
Will this work even if I block all traffic between 192.168.100.0 and 192.168.0.0 with a firewall rule?
 
gotsprings
Forum Guru
Posts: 2122
Joined: Mon May 14, 2012 9:30 pm

Re: Hairpin NAT between two VLANs

Mon Mar 11, 2019 11:45 pm

Export your
/IP firewall nat
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Hairpin NAT between two VLANs

Tue Mar 12, 2019 12:16 am

Or just add that domain address to the DNS cache of the MikroTik, pointing to the internal IP -> no need for NAT.
 
Van9018
Long time Member
Posts: 558
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: Hairpin NAT between two VLANs

Tue Mar 12, 2019 1:05 am

Overriding www.yoursite.com would be less complicated. Do it in Pi-hole if possible. If not, you can catch DNS requests in the MikroTik, repoint the domains to your MikroTik's DNS and override there. You'd have to override yoursite.com and www.yoursite.com. You will need to allow port 80/443 to your webserver in your firewall between the two LANs.

For hairpin, I had to read that article a few times, and in the end I implemented it in a few places, then rolled it back as using DNS was so much easier. By the 4 rules, I meant 4 steps. You may have to follow it closely a few times to understand the 4 steps.
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Hairpin NAT between two VLANs

Tue Mar 12, 2019 1:09 am

When adding the static DNS cache entry to the Tik, only the relevant address needs to be added; no need for parent domains.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Hairpin NAT between two VLANs

Tue Mar 12, 2019 3:29 am

Hairpin NAT is only required when both client and server are in the same subnet. You have two subnets => you don't need hairpin NAT. You do not need to override the hostname either; that's useful instead of hairpin NAT to save the packets a trip to the router and back. But if they are going through (I assume) the same router anyway, it won't make things easier.

No matter what you do, you will have to allow this traffic in the firewall filter... in some way. What you need is (example for web):
/ip firewall nat
add chain=dstnat dst-address=<public IP> protocol=tcp dst-port=80,443 action=dst-nat to-addresses=192.168.100.x
/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat
The second rule must be before the one used to block traffic between the two subnets. It allows previously dstnatted packets, so a connection from 192.168.0.x to <public IP> forwarded to server 192.168.100.x will succeed, but direct connections from 192.168.0.x to 192.168.100.x will still be blocked by your original rule.
 
gotsprings
Forum Guru
Posts: 2122
Joined: Mon May 14, 2012 9:30 pm

Re: Hairpin NAT between two VLANs

Tue Mar 12, 2019 5:17 am

If you go lazy and do the DNS thing... You can only port forward to one IP. Not good if you have different services on different devices.

Sob left out the subnet-back-on-subnet-on-interface rule.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Hairpin NAT between two VLANs

Tue Mar 12, 2019 6:23 am

If you mean the srcnat rule with the same src/dst-address=<LAN subnet>/<mask> used with hairpin NAT, that's not needed here. It's needed when the client thinks that it communicates with some external address, but the server would see the client's real address from the same subnet, would reply directly, and that would not work, because the client expects the reply from that external address. But in this case, even if the server sees the client's real address, the reply will still be sent to the router, because the address is in another subnet. And it will work.
 
gotsprings
Forum Guru
Posts: 2122
Joined: Mon May 14, 2012 9:30 pm

Re: Hairpin NAT between two VLANs

Tue Mar 12, 2019 1:35 pm

If you mean the srcnat rule with same src/dst-address=<LAN subnet>/<mask> used with hairpin NAT, that's not needed here. It's needed when client thinks that it communicates with some external address, but server would see client's real address from same subnet, would reply directly and that would not work, because client expects reply from that external address. But in this case, even if server sees client's real address, the reply will still be sent to router, because the address is in another subnet. And it will work.

He stated in his initial post that it doesn't work on his network.

Seems he would need to see that rule to get a concept for why it works.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Hairpin NAT between two VLANs

Tue Mar 12, 2019 1:47 pm

My guess is that it's because of the firewall filter. We didn't see the config, but if it unconditionally blocks traffic between the two LANs, it can't work no matter what's done with NAT.
 
nobody123
newbie
Topic Author
Posts: 27
Joined: Mon Oct 02, 2017 7:38 pm

Re: Hairpin NAT between two VLANs

Tue Mar 12, 2019 3:22 pm

Thanks so far, guys!
I added a static DNS entry to my MikroTik and made a forward dstnat accept filter rule. But it still won't work.

Here is my export:
export hide-sensitive 
# mar/12/2019 13:48:21 by RouterOS 6.44
# software id = XXX
#
# model = RB760iGS
# serial number = XXX
/interface ethernet
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=ether3 name=vlan10 vlan-id=10
add interface=ether3 name=vlan20 vlan-id=20
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.0.10-192.168.0.40
add name=dhcp_pool6 ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool10 ranges=192.168.10.2-192.168.10.254
add name=DMZ ranges=192.168.100.2-192.168.100.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether5 lease-time=2h name=server1
add address-pool=dhcp_pool6 disabled=no interface=vlan20 name=dhcp2
add address-pool=DMZ disabled=no interface=ether4 name=dhcp3
add address-pool=dhcp_pool10 disabled=no interface=vlan10 name=dhcp4
/dude
set enabled=yes
/interface list member
add interface=ether1 list=WAN
add interface=ether5 list=LAN
/ip address
add address=192.168.0.1/24 interface=ether5 network=192.168.0.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
add address=192.168.100.1/24 interface=ether4 network=192.168.100.0
add address=XXX/30 interface=ether1 network=YYY
/ip dhcp-server lease
add address=192.168.0.136 allow-dual-stack-queue=no disabled=yes mac-address=00:00:00:00:00:00 server=server1
add address=192.168.0.113 allow-dual-stack-queue=no mac-address=00:00:00:00:00:00 server=server1
add address=192.168.0.26 client-id=00:00:00:00:00:00 mac-address=00:00:00:00:00:00 server=server1
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.113,192.168.0.3 gateway=192.168.0.1 netmask=24
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1 netmask=24
add address=192.168.100.0/24 dns-server=192.168.100.1 gateway=192.168.100.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.100.110 name=test.com
/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat
add action=accept chain=forward dst-address=192.168.0.0/24 dst-port=80,443 protocol=tcp src-address=192.168.100.110 src-port=80,443
add action=accept chain=forward dst-address=192.168.100.110 dst-port=80,443 protocol=tcp src-address=192.168.0.0/24 src-port=80,443
add action=drop chain=forward dst-address=192.168.100.0/24 src-address=192.168.0.0/24
add action=drop chain=forward dst-address=192.168.20.0/24 src-address=192.168.0.0/24
add action=drop chain=forward dst-address=192.168.0.0/24 src-address=192.168.100.0/24
add action=drop chain=forward dst-address=192.168.0.0/24 src-address=192.168.20.0/24
add action=drop chain=input comment="drop ssh from wan" connection-state=related dst-port=22 log=yes protocol=tcp
add action=drop chain=input comment="drop winbox from wan" dst-port=8291 in-interface-list=WAN log=yes protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment="HTTPS an reverse proxy" dst-address=XXX dst-port=80,443 in-interface=ether1 \
    protocol=tcp to-addresses=192.168.100.110 to-ports=443
add action=dst-nat chain=dstnat dst-address=XXX dst-port=8444 in-interface=ether1 protocol=tcp to-addresses=192.168.100.110 \
    to-ports=443
add action=dst-nat chain=dstnat comment="HTTP an reverse proxy" disabled=yes dst-address=XXX dst-port=80 in-interface=ether1 \
    protocol=tcp to-addresses=192.168.100.110 to-ports=80
add action=dst-nat chain=dstnat dst-address=XXX dst-port=50000 in-interface=ether1 protocol=tcp to-addresses=192.168.100.52 \
    to-ports=50000
add action=dst-nat chain=dstnat dst-address=XXX dst-port=1194 in-interface=ether1 protocol=udp to-addresses=192.168.0.113 \
    to-ports=1194
add action=dst-nat chain=dstnat dst-address=XXX dst-port=1195 in-interface=ether1 protocol=udp to-addresses=192.168.0.250 \
    to-ports=1195
add action=dst-nat chain=dstnat disabled=yes dst-address=192.168.0.11 dst-port=32400 in-interface=ether1 protocol=tcp to-addresses=\
    192.168.0.117 to-ports=26065
add action=dst-nat chain=dstnat comment="192.168.0.117: Plex Media Server" dst-address=XXX dst-port=26065 in-interface=ether1 \
    protocol=tcp to-addresses=192.168.0.117 to-ports=32400
add action=dst-nat chain=dstnat comment="192.168.0.117: Plex Media Server" dst-address=XXX dst-port=26070 in-interface=ether1 \
    protocol=tcp to-addresses=192.168.0.136 to-ports=32400
add action=masquerade chain=srcnat disabled=yes dst-address=XXX dst-port=443 out-interface=ether4 protocol=tcp src-address=\
    192.168.0.0/24
/ip firewall service-port
set ftp disabled=yes
/ip ipsec policy
set 0 disabled=yes
/ip route
add distance=1 gateway=YYY
/ip service
set telnet address=192.168.0.0/24 disabled=yes
set ftp address=192.168.0.0/24 disabled=yes
set www address=192.168.0.0/24
set ssh address=192.168.0.0/24
set api address=192.168.0.0/24 disabled=yes
set winbox address=192.168.0.0/24
set api-ssl address=192.168.0.0/24 disabled=yes
/ip ssh
set allow-none-crypto=yes
/ip upnp
set allow-disable-external-interface=yes
/ip upnp interfaces
add type=internal
add interface=ether1 type=external
/snmp
set enabled=yes trap-generators=""
/system clock
set time-zone-name=Europe/Berlin
/tool bandwidth-server
set enabled=no
/tool graphing interface
add interface=ether1
add interface=ether5
add interface=ether2
add interface=ether3
add interface=ether4
add interface=vlan20
add interface=vlan10
/tool mac-server ping
set enabled=no
Last edited by nobody123 on Tue Mar 12, 2019 11:14 pm, edited 2 times in total.
 
nobody123
newbie
Topic Author
Posts: 27
Joined: Mon Oct 02, 2017 7:38 pm

Re: Hairpin NAT between two VLANs

Tue Mar 12, 2019 5:43 pm

I tried disabling the filter rule which blocks the traffic between both networks, but this didn't change anything. Still no access to my domain.

Edit: If I add my domain and the IP of my reverse proxy to the /etc/hosts file of my Win 10 computer AND if I disable the filter rules, THEN it will work.
Now I know two things:
1. the static DNS entry in RouterOS doesn't work
2. the accept forward rule doesn't work either
 
gotsprings
Forum Guru
Posts: 2122
Joined: Mon May 14, 2012 9:30 pm

Re: Hairpin NAT between two VLANs

Tue Mar 12, 2019 8:56 pm

Gotta use the EXTERNAL IP... interface won't do it.

Like Sob put it...
/ip firewall nat
add chain=dstnat dst-address=<public IP> protocol=tcp dst-port=80,443 action=dst-nat to-addresses=192.168.100.x

PUBLIC IP.
 
anav
Forum Guru
Posts: 19372
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Hairpin NAT between two VLANs

Tue Mar 12, 2019 9:10 pm

Gotta use the EXTERNAL IP... interface won't do it.

Like Sob put it...
/ip firewall nat
add chain=dstnat dst-address=<public IP> protocol=tcp dst-port=80,443 action=dst-nat to-addresses=192.168.100.x

PUBLIC IP.

Okay, so if this is all true, and not some sad sob story LOL, then shouldn't the rule include a source address list for added security??
add chain=dstnat dst-address=<public IP> protocol=tcp dst-port=80,443 action=dst-nat to-addresses=192.168.100.x \
src-address-list=Internal_Access
 
nobody123
newbie
Topic Author
Posts: 27
Joined: Mon Oct 02, 2017 7:38 pm

Re: Hairpin NAT between two VLANs

Tue Mar 12, 2019 10:03 pm

This dst-nat rule is already running, otherwise I wouldn't have access from outside.
Here:
add action=dst-nat chain=dstnat comment="HTTPS an reverse proxy" dst-address=XXX dst-port=80,443 in-interface=ether1 \
protocol=tcp to-addresses=192.168.100.110 to-ports=443

XXX is my external IP.
 
gotsprings
Forum Guru
Posts: 2122
Joined: Mon May 14, 2012 9:30 pm

Re: Hairpin NAT between two VLANs

Wed Mar 13, 2019 3:50 am

No in-interface.

The external IP is what you need.
A separate rule deals with local-address list to local-address list on the local interface.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Hairpin NAT between two VLANs

Wed Mar 13, 2019 4:54 am

You can drop these; no real-world connection will ever have both source and destination ports 80/443:
/ip firewall filter
add action=accept chain=forward dst-address=192.168.0.0/24 dst-port=80,443 protocol=tcp src-address=192.168.100.110 src-port=80,443
add action=accept chain=forward dst-address=192.168.100.110 dst-port=80,443 protocol=tcp src-address=192.168.0.0/24 src-port=80,443
This rule is enough to allow any forwarded ports from anywhere to anywhere:
/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat
And you should probably read some more about setting up a useful firewall, because right now you only block selected traffic between local subnets, but everything else is wide open. If someone in your ISP's network decided to connect to any of your 192.168.x.x devices, your router would happily let them.

Next, I don't think you want dst-port=80,443 and to-ports=443 in the same dstnat rule, because it will send both port 80 and 443 to port 443. If you don't forward an outside port to a different inside port, just leave to-ports blank.

And as was already pointed out, use only dst-address=XXX, not in-interface=ether1. I don't know why people always use in-interface for port forwarding; it will bite them sooner or later. :)
 
nobody123
newbie
Topic Author
Posts: 27
Joined: Mon Oct 02, 2017 7:38 pm

Re: Hairpin NAT between two VLANs

Wed Mar 13, 2019 10:35 am

I removed the In-Port but still no connection.
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.0.10-192.168.0.40
add name=dhcp_pool6 ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool10 ranges=192.168.10.2-192.168.10.254
add name=DMZ ranges=192.168.100.2-192.168.100.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether5 lease-time=2h name=server1
add address-pool=dhcp_pool6 disabled=no interface=vlan20 name=dhcp2
add address-pool=DMZ disabled=no interface=ether4 name=dhcp3
add address-pool=dhcp_pool10 disabled=no interface=vlan10 name=dhcp4
/interface list member
add interface=ether1 list=WAN
add interface=ether5 list=LAN
/ip address
add address=192.168.0.1/24 interface=ether5 network=192.168.0.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
add address=192.168.100.1/24 interface=ether4 network=192.168.100.0
add address=EXTERNAL IP/30 interface=ether1 network=AAA
/ip dhcp-server lease
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.100.110 name=domainA
add address=192.168.100.110 name=domainB
add address=192.168.100.110 name=domainC
/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=forward dst-address=192.168.100.0/24 src-address=192.168.0.0/24
add action=drop chain=forward dst-address=192.168.0.0/24 src-address=192.168.100.0/24
add action=drop chain=forward dst-address=192.168.20.0/24 src-address=192.168.0.0/24
add action=drop chain=forward dst-address=192.168.0.0/24 src-address=192.168.20.0/24
add action=drop chain=input comment="drop ssh from wan" connection-state=related dst-port=22 log=yes protocol=tcp
add action=drop chain=input comment="drop winbox from wan" dst-port=8291 in-interface-list=WAN log=yes protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment="HTTPS an reverse proxy" dst-address=EXTERNAL IP dst-port=80,443 protocol=tcp to-addresses=\
    192.168.100.110
add action=dst-nat chain=dstnat dst-address=EXTERNAL IP dst-port=1194 in-interface=ether1 protocol=udp to-addresses=192.168.0.113 \
    to-ports=1194
add action=dst-nat chain=dstnat comment="192.168.0.117: Plex Media Server" dst-address=EXTERNAL IP dst-port=26070 in-interface=ether1 \
    protocol=tcp to-addresses=192.168.0.136 to-ports=32400
/ip ipsec policy
set 0 disabled=yes
/ip route
add distance=1 gateway=YYY
Where is the problem?
And as I understand my firewall, it will block everything except 1194, 26070, 443 and 80, which will be forwarded to the specific servers?

And what does this one do exactly:
"add action=accept chain=forward connection-nat-state=dstnat" ?
 
nobody123
newbie
Topic Author
Posts: 27
Joined: Mon Oct 02, 2017 7:38 pm

Re: Hairpin NAT between two VLANs

Wed Mar 13, 2019 12:36 pm

I got it running now.

I forwarded the ports between my PC and server.

How can I harden my firewall?
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Hairpin NAT between two VLANs

Wed Mar 13, 2019 3:18 pm

And what exactly did you do? The last config already looks OK. Except maybe those hostnames in "/ip dns static"; if you were connecting to those, it couldn't work. You could either remove them, or you'd need to specifically allow connections to 192.168.100.110:80/443 from anywhere.

The "add action=accept chain=forward connection-nat-state=dstnat" rule allows packets that belong to connections redirected by dstnat.

To make the firewall more secure, you can start with the default firewall, which is something like this (plus your blocking rules):
/ip firewall filter
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat in-interface-list=WAN
add action=drop chain=forward dst-address=192.168.100.0/24 src-address=192.168.0.0/24
add action=drop chain=forward dst-address=192.168.0.0/24 src-address=192.168.100.0/24
add action=drop chain=forward dst-address=192.168.20.0/24 src-address=192.168.0.0/24
add action=drop chain=forward dst-address=192.168.0.0/24 src-address=192.168.20.0/24
It's a simple solution that still allows everything by default, but blocks new connections from the internet, except forwarded ports.

Another approach is to drop everything by default and only specifically allow what you need. Based on the above config:
/ip firewall filter
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward connection-nat-state=dstnat comment="allow forwarded ports"

add action=accept chain=forward in-interface-list=!WAN out-interface-list=WAN comment="all LANs can access internet"
add action=accept chain=forward src-address=192.168.0.0/24 dst-address=192.168.10.0/24
add action=accept chain=forward src-address=192.168.20.0/24 dst-address=!192.168.0.0/24
add action=accept chain=forward src-address=192.168.10.0/24
add action=accept chain=forward src-address=192.168.100.0/24 dst-address=!192.168.0.0/24

add action=log chain=forward log-prefix="BLOCK" comment="log what will be blocked"
add action=reject chain=forward reject-with=icmp-admin-prohibited disabled=yes comment="block it for real; only enable when you're sure that you allowed everything you need"
The middle block can be done in different ways; you can define additional interface lists or address lists to group things together. Or you can be even more specific, e.g.:
add action=accept chain=forward in-interface=ether5 src-address=192.168.0.0/24 out-interface-list=WAN
add action=accept chain=forward in-interface=vlan20 src-address=192.168.20.0/24 out-interface-list=WAN
...
would also make sure that no one in the LANs can try to send spoofed packets to the internet. There are endless possibilities. And the same way as forward (traffic through the router), you can secure input (traffic to the router).
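The rule logic in Sob's replies above (dstnat keyed on the public address rather than in-interface, the forward-chain accept for connection-nat-state=dstnat placed ahead of the subnet drops, the to-ports=443 side effect, and the connection-nat-state=!dstnat drop for new connections from WAN), as an added Python model that is not code from this thread or from MikroTik. It models only the matchers the thread's rules use; the public address 203.0.113.10, the interface lists and the sample packets are constructed assumptions.

```python
"""Toy model of how RouterOS evaluates the first packet of a new connection:
dstnat chain first, then the forward filter chain.  Added example, not code
from this thread or from MikroTik.  Only the matchers the thread uses are
modelled (dst-address, src-address, protocol, dst-port, in-interface,
in-interface-list, connection-nat-state, disabled); all data is constructed."""
import ipaddress
import shlex

PUBLIC_IP = "203.0.113.10"   # constructed stand-in for the thread's redacted "XXX"
ROUTER_ADDRS = {PUBLIC_IP, "192.168.0.1", "192.168.100.1"}
IFACE_LISTS = {"WAN": {"ether1"}, "LAN": {"ether5", "ether4"}}


def parse_rule(line):
    """'add chain=dstnat dst-port=80,443 ...' -> {'chain': 'dstnat', ...}.
    shlex keeps quoted values such as comment="HTTPS an reverse proxy" intact."""
    tokens = shlex.split(line)
    if not tokens or tokens[0] != "add":
        raise ValueError("expected an 'add ...' rule line: %r" % line)
    return dict(tok.split("=", 1) for tok in tokens[1:])


def _negatable(spec, test):
    """RouterOS matchers accept '!value' for negation; apply that uniformly."""
    return test(spec.lstrip("!")) != spec.startswith("!")


def _addr_match(ip, spec):
    # spec is a single address or a CIDR prefix
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def matches(rule, pkt, nat_state):
    """True if every matcher present in the rule matches the packet."""
    checks = {
        "dst-address": lambda v: _negatable(v, lambda s: _addr_match(pkt["dst"], s)),
        "src-address": lambda v: _negatable(v, lambda s: _addr_match(pkt["src"], s)),
        "protocol": lambda v: pkt["proto"] == v,
        "dst-port": lambda v: str(pkt["dport"]) in v.split(","),
        "in-interface": lambda v: _negatable(v, lambda s: pkt["in_iface"] == s),
        "in-interface-list": lambda v: _negatable(
            v, lambda s: pkt["in_iface"] in IFACE_LISTS.get(s, set())),
        "connection-nat-state": lambda v: _negatable(v, lambda s: nat_state == s),
    }
    return all(check(rule[key]) for key, check in checks.items() if key in rule)


def evaluate(pkt, nat_lines, filter_lines):
    """Return (nat_state, final_dst, final_dport, verdict) for a new connection.
    verdict is 'input' when the packet is still addressed to the router itself
    (it never enters the forward chain), else the action of the first matching
    forward rule, or 'accept' (RouterOS default) when nothing matches."""
    pkt, nat_state = dict(pkt), None
    for rule in map(parse_rule, nat_lines):
        if rule.get("disabled") == "yes" or rule["chain"] != "dstnat":
            continue
        if matches(rule, pkt, nat_state):
            pkt["dst"] = rule["to-addresses"]
            if "to-ports" in rule:       # to-ports=443 sends every matched port to 443
                pkt["dport"] = int(rule["to-ports"])
            nat_state = "dstnat"
            break
    if pkt["dst"] in ROUTER_ADDRS:
        return nat_state, pkt["dst"], pkt["dport"], "input"
    for rule in map(parse_rule, filter_lines):
        if rule.get("disabled") == "yes" or rule["chain"] != "forward":
            continue
        if matches(rule, pkt, nat_state):
            return nat_state, pkt["dst"], pkt["dport"], rule["action"]
    return nat_state, pkt["dst"], pkt["dport"], "accept"


# Constructed rule sets mirroring the thread's discussion.
NAT_BY_ADDRESS = [   # Sob's recommendation: match only the public address
    f"add chain=dstnat dst-address={PUBLIC_IP} protocol=tcp dst-port=80,443 "
    f"action=dst-nat to-addresses=192.168.100.110",
]
NAT_BY_INTERFACE = [  # the original rule: in-interface=ether1 plus to-ports=443
    f'add action=dst-nat chain=dstnat comment="HTTPS an reverse proxy" dst-address={PUBLIC_IP} '
    f"dst-port=80,443 in-interface=ether1 protocol=tcp to-addresses=192.168.100.110 to-ports=443",
]
FILTER_GOOD = [      # dstnat accept first, then the WAN drop, then the subnet drops
    "add action=accept chain=forward connection-nat-state=dstnat",
    "add action=drop chain=forward connection-nat-state=!dstnat in-interface-list=WAN",
    "add action=drop chain=forward dst-address=192.168.100.0/24 src-address=192.168.0.0/24",
    "add action=drop chain=forward dst-address=192.168.0.0/24 src-address=192.168.100.0/24",
]
FILTER_WRONG_ORDER = FILTER_GOOD[2:] + FILTER_GOOD[:2]   # subnet drops before the dstnat accept

# Constructed packets: first packet of a new TCP connection.
LAN_TO_PUBLIC = {"src": "192.168.0.33", "dst": PUBLIC_IP, "proto": "tcp", "dport": 443, "in_iface": "ether5"}
LAN_DIRECT = {"src": "192.168.0.33", "dst": "192.168.100.110", "proto": "tcp", "dport": 443, "in_iface": "ether5"}
WAN_TO_PUBLIC = {"src": "198.51.100.7", "dst": PUBLIC_IP, "proto": "tcp", "dport": 80, "in_iface": "ether1"}
WAN_TO_LAN = {"src": "198.51.100.7", "dst": "192.168.0.5", "proto": "tcp", "dport": 22, "in_iface": "ether1"}

if __name__ == "__main__":
    cases = [
        ("LAN client -> public IP, dst-address rule", LAN_TO_PUBLIC, NAT_BY_ADDRESS, FILTER_GOOD),
        ("LAN client -> public IP, in-interface=ether1 rule", LAN_TO_PUBLIC, NAT_BY_INTERFACE, FILTER_GOOD),
        ("LAN client -> server directly", LAN_DIRECT, NAT_BY_ADDRESS, FILTER_GOOD),
        ("LAN client -> public IP, drops before dstnat accept", LAN_TO_PUBLIC, NAT_BY_ADDRESS, FILTER_WRONG_ORDER),
        ("internet -> public IP:80 with to-ports=443", WAN_TO_PUBLIC, NAT_BY_INTERFACE, FILTER_GOOD),
        ("internet -> 192.168.0.5:22, not forwarded", WAN_TO_LAN, NAT_BY_ADDRESS, FILTER_GOOD),
    ]
    for name, pkt, nat, flt in cases:
        print(f"{name:55s} {evaluate(pkt, nat, flt)}")
```

Run it directly to print each scenario's (nat_state, final destination, final port, verdict); the in-interface=ether1 variant shows the LAN client's packet ending at the router itself, never reaching the web server.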
 
nobody123
newbie
Topic Author
Posts: 27
Joined: Mon Oct 02, 2017 7:38 pm

Re: Hairpin NAT between two VLANs

Wed Mar 13, 2019 3:30 pm

I had to allow ports 443 and 80 between my client and the reverse proxy.

This is what my filter looks like now:
/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="Allow Established connections" connection-state=established
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid protocol=tcp
add action=accept chain=forward comment="allow already established connections" connection-state=established
add action=accept chain=forward comment="allow related connections" connection-state=related
add action=accept chain=forward comment="Allow traffic between Workstation and Webserver" dst-address=192.168.100.110 dst-port=443,80 \
    protocol=tcp src-address=192.168.0.33
add action=accept chain=forward comment="Allow traffic between Workstation and Webserver" dst-address=192.168.0.33 protocol=tcp \
    src-address=192.168.100.110 src-port=443,80
add action=drop chain=forward comment="Block traffic between these subnets" dst-address=192.168.100.0/24 src-address=192.168.0.0/24
add action=drop chain=forward comment="Block traffic between these subnets" dst-address=192.168.0.0/24 src-address=192.168.100.0/24
add action=drop chain=forward comment="Block traffic between these subnets" dst-address=192.168.20.0/24 src-address=192.168.0.0/24
add action=drop chain=forward comment="Block traffic between these subnets" dst-address=192.168.0.0/24 src-address=192.168.20.0/24
add action=drop chain=input comment="drop ssh from wan" connection-state=related in-interface-list=WAN log=yes
add action=drop chain=input comment="drop winbox from wan" dst-port=8291 in-interface-list=WAN log=yes protocol=tcp
add action=drop chain=forward comment="Block Fressebuch" layer7-protocol="Block Site" src-address=192.168.0.0/24
add action=drop chain=forward in-interface=ether4 src-address-list=192.168.100.0/24
add action=drop chain=input comment="Block Russian, Chinese and Vietnam IPs" log=yes src-address-list=CountryIPBlocks
add action=drop chain=forward src-address=0.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=224.0.0.0/3
add action=drop chain=forward dst-address=224.0.0.0/3
add action=jump chain=forward jump-target=tcp protocol=tcp
add action=jump chain=forward jump-target=udp protocol=udp
add action=jump chain=forward jump-target=icmp protocol=icmp
add action=accept chain=input dst-port=161 protocol=udp
add action=drop chain=input comment="Block everything else"
Anything wrong or improvable?
 
mkx
Forum Guru
Posts: 11627
Joined: Thu Mar 03, 2016 10:23 pm

Re: Hairpin NAT between two VLANs

Wed Mar 13, 2019 5:12 pm

I don't know why people always use in-interface for port forwarding, it will bite them sooner or later. :)

Because they saw it in some YouTube tutorial, which was made on the basis of having a dynamic WAN address (e.g. PPPoE or DHCP)... and if that's so, one cannot really use dst-address as a dst-nat criterion.
 
gotsprings
Forum Guru
Posts: 2122
Joined: Mon May 14, 2012 9:30 pm

Re: Hairpin NAT between two VLANs

Thu Mar 14, 2019 2:38 am

I don't know why people always use in-interface for port forwarding, it will bite them sooner or later. :)

Because they saw it in some youtube tutorial, which was made on basis of having dynamic WAN address (e.g. PPPoE or DHCP) ... and if that's so, one can not really use dst-address as dst-nat criteria.

They could make an address list entry using the IP Cloud address.
 
nobody123
newbie
Topic Author
Posts: 27
Joined: Mon Oct 02, 2017 7:38 pm

Re: Hairpin NAT between two VLANs

Thu Mar 14, 2019 12:57 pm

I have the problem that this rule:
add action=drop chain=input comment="Block everything else"
does what it says: it blocks everything else. I'm not able to connect to the internet from my server on eth4. How can I solve this?
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Hairpin NAT between two VLANs

Thu Mar 14, 2019 4:07 pm

I had to allow ports 443 and 80 between my client and the reverse proxy.

See the first paragraph of my previous reply.

You can improve the order of rules in your firewall. In the forward chain, packets for established connections will be the most frequent, so it's best to have that rule as the first one. You can also put related in the same rule. If you drop invalid next, then everything else after that is new connections. If you don't like to drop everything by default and add exceptions for allowed stuff, but rather allow everything and block what you don't want (why not, there's nothing wrong with that), then you want this rule:
/ip firewall filter
add action=drop chain=forward connection-nat-state=!dstnat in-interface-list=WAN
Because as it is now, new connections from WAN are allowed.
You probably don't want your "Block Fressebuch" rule looking at all packets, regardless of protocol and port. Plus if it were for tcp, it wouldn't do anything after you accept established connections.
And I don't know if I even want to know what those tcp, udp and icmp chains do.

For the input chain (traffic to the router itself), if you drop everything at the end, you don't need those three drop rules on WAN (ssh, ...). But you need to allow something. If the server is not able to connect to the internet, and the last drop rule causes it (input rules don't affect traffic through the router), it's probably because the server uses the router as DNS resolver and you don't allow access to it. You could use e.g.:
/ip firewall filter
add chain=input protocol=udp dst-port=53 in-interface-list=!WAN
add chain=input protocol=tcp dst-port=53 in-interface-list=!WAN
You probably want to limit access to the SNMP port too and not allow the whole world to connect to it.
And if you're connected to the router with this config, don't close your WinBox, because right now you don't allow new WinBox connections from anywhere.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Hairpin NAT between two VLANs

Thu Mar 14, 2019 4:15 pm

They could make an address list entry using the IP Cloud address.

There's also "dst-address-type=local dst-address=!<router's LAN address>". It's not perfect, because it can match other addresses where it's not desired (e.g. an address that a VPN client gets from the server). And even if it can be solved using other rules, it would no longer be an elegant solution. But the main evil here is the dynamic address for the server.
 
anav
Forum Guru
Posts: 19372
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Hairpin NAT between two VLANs

Thu Mar 14, 2019 4:32 pm

Okay, I got lost trying to follow this thread.
You are saying that hairpin NAT is required when people want to use their router's external WANIP address, or a dyndns-type name that points to the WANIP address, to reach an internal LAN server ON THE SAME SUBNET.

You are saying that hairpin NAT is NOT required if the server behind a router is on a different subnet (like server on a LAN on a bridge and a client PC on a LAN off the bridge, or two different VLANs (server on one, PC client on another, etc.)...

So if hairpin NAT is not required, how the heck is an internal user going to use a destination NAT rule to get to the server?
I thought the destination NAT rule was primarily for unsolicited requests ORIGINATING from the WAN side of the universe??

My thinking was simply to access the server via its LANIP address or VLANIP address (and make appropriate firewall rules).
However, people seem to love to complicate their networking lives LOL.

I understand Sebastia's concept of forcing a LAN user's request for his OWN WANIP destination address to be DNS resolved, I think, to the correct internal server?
Not quite sure how to do that, but it sounds plausible LOL.
What I don't understand is your suggestion.
 
nobody123
newbie
Topic Author
Posts: 27
Joined: Mon Oct 02, 2017 7:38 pm

Re: Hairpin NAT between two VLANs

Thu Mar 14, 2019 4:40 pm

Ah OK, now I added some rules.

But why don't I allow any WinBox connections anymore? I reopened it a few times in the last hours?
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Hairpin NAT between two VLANs

Thu Mar 14, 2019 5:32 pm

@anav: You know https://wiki.mikrotik.com/wiki/Hairpin_NAT, right? It has a very nice explanation of what happens when client and server are in the same LAN and what fixes it. And don't overthink dstnat. It just changes the destination address. It's not limited to just one use; you can do anything with it. Anything your imagination lets you. If you do:
/ip firewall nat
add chain=dstnat dst-address=1.2.3.4 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.88.10
it just takes anything going to 1.2.3.4:80 and changes the destination address to 192.168.88.10. And if the rule is like this, it doesn't matter where those packets came from. It doesn't even matter if 1.2.3.4 is your public address or some random address you made up. Add this exact rule (literally keep "1.2.3.4") to your router, and it will work too (how useful it can be, that's another matter).

But why don't I allow any winbox connection anymore? I reopened it a few times in the last hours?

In the config you posted, the input chain was this:
/ip firewall filter
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="Allow Established connections" connection-state=established
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=drop chain=input comment="drop ssh from wan" connection-state=related in-interface-list=WAN log=yes
add action=drop chain=input comment="drop winbox from wan" dst-port=8291 in-interface-list=WAN log=yes protocol=tcp
add action=drop chain=input comment="Block Russian, Chinese and Vietnam IPs" log=yes src-address-list=CountryIPBlocks
add action=accept chain=input dst-port=161 protocol=udp
add action=drop chain=input comment="Block everything else"
And it doesn't allow any new connection except to udp port 161. If you could open a new WinBox connection (except via MAC address) to the router with this config, something would be really wrong.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19372
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Harpin NAT between two VLANs

Thu Mar 14, 2019 5:50 pm

@sob, okay coolio, love that use of dstnat, and yes concur the rules are generic and can be manipulated in many ways...

The only logic question I have is:
User on an internal subnet trips the dstnat rule and the router says hey, the destination is the wanip of the router and the to-address is a server on a different internal subnet with port xx.
According to what you're saying, the router will look at the forwarded traffic from the PC, see that its destination was the WANIP but its to-address is also on the router, and you're saying it simply sends the data to the to-address (like a redirect, as the traffic never exits the router). (As explained, the router identifies ........hmmm the traffic is headed to this wanip on this port, with the rules I have I am supposed to forward the traffic to this IP etc........)


I think that's the gist of it anyway.
So the obvious question, WHY NOT FOR THE SERVER AND PC ON THE SAME SUBNET??????????????????????????????????????????????????????
(I am wild ass guessing it may have to do with the return traffic from the server???)
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Harpin NAT between two VLANs

Thu Mar 14, 2019 6:26 pm

All the effort that MikroTik put into writing the hairpin NAT article, explaining things in detail, ...

Ok, I'll copy the important part for you:
  1. the client sends a packet with a source IP address of 192.168.1.10 to a destination IP address of 1.1.1.1 on port tcp/80 to request some web resource.
  2. the router destination NATs the packet to 192.168.1.2 and replaces the destination IP address in the packet accordingly. The source IP address stays the same: 192.168.1.10.
  3. the server replies to the client's request. However, the source IP address of the request is on the same subnet as the web server. The web server does not send the reply back to the router, but sends it back directly to 192.168.1.10 with a source IP address in the reply of 192.168.1.2.
The client receives the reply packet, but it discards it because it expects a packet back from 1.1.1.1, and not from 192.168.1.2. As far as the client is concerned the packet is invalid and not related to any connection the client previously attempted to establish.
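The three steps quoted above can be traced in code. The following model is an added example written for this thread, not code from the MikroTik article or from any poster; it reuses the article's addresses (client 192.168.1.10, server 192.168.1.2, public 1.1.1.1), assumes 192.168.1.1 as the router's own address in the server LAN and 192.168.0.10 as a client on another subnet, mirrors the dstnat rule quoted earlier in the thread, and adds a hairpin srcnat rule of the kind the article describes. It ignores filter rules and only models where the server's reply goes and whether the client accepts it.

```python
"""Trace the hairpin NAT problem: a LAN client talks to the router's
public IP, the router dst-nats to the server, and the server's reply
either goes back through the router (reverse NAT applied) or straight
to the client (reverse NAT skipped, client discards the reply)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PUBLIC_IP = "1.1.1.1"           # router WAN address (MikroTik article example)
SERVER_IP = "192.168.1.2"       # web server (MikroTik article example)
SERVER_LAN = ip_network("192.168.1.0/24")
ROUTER_LAN_IP = "192.168.1.1"   # assumption: router's address in the server LAN


@dataclass
class Packet:
    src: str
    dst: str
    dport: int = 80


def router_dstnat(pkt: Packet) -> Packet:
    """Mirrors the rule quoted in the thread:
    chain=dstnat dst-address=1.1.1.1 protocol=tcp dst-port=80
    action=dst-nat to-addresses=192.168.1.2 (public IP swapped for article's)."""
    if pkt.dst == PUBLIC_IP and pkt.dport == 80:
        return Packet(pkt.src, SERVER_IP, pkt.dport)
    return pkt


def router_hairpin_srcnat(pkt: Packet) -> Packet:
    """Hairpin rule of the kind the MikroTik article adds:
    chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.2
    protocol=tcp dst-port=80 action=masquerade.
    Masquerade rewrites the source to the router's own LAN address."""
    if ip_address(pkt.src) in SERVER_LAN and pkt.dst == SERVER_IP:
        return Packet(ROUTER_LAN_IP, pkt.dst, pkt.dport)
    return pkt


def simulate(client_ip: str, hairpin: bool) -> dict:
    """Run one request/reply round trip and report what the client sees."""
    # Connection tracking: translated (src, dst) -> original (src, dst),
    # so the router can undo both NATs on the reply.
    conntrack: dict[tuple[str, str], tuple[str, str]] = {}

    # 1. client sends to the public address; router applies dstnat
    #    (and the hairpin srcnat, if configured) on the way in.
    req = Packet(client_ip, PUBLIC_IP)
    translated = router_dstnat(req)
    if hairpin:
        translated = router_hairpin_srcnat(translated)
    conntrack[(translated.src, translated.dst)] = (req.src, req.dst)

    # 2. server replies by swapping the addresses it saw.
    reply = Packet(translated.dst, translated.src)

    # 3. routing decision on the server: a destination inside its own
    #    subnet is reached directly (ARP), so the router never sees the
    #    reply and cannot undo the NAT.
    if ip_address(reply.dst) in SERVER_LAN and reply.dst != ROUTER_LAN_IP:
        seen_by_client = reply
        path = ["server", "client"]
    else:
        orig_src, orig_dst = conntrack[(reply.dst, reply.src)]
        seen_by_client = Packet(orig_dst, orig_src)   # reverse NAT
        path = ["server", "router", "client"]

    # The client only accepts a reply that comes from 1.1.1.1, the
    # address it originally connected to.
    accepted = seen_by_client.src == PUBLIC_IP and seen_by_client.dst == client_ip
    return {"accepted": accepted, "reply_src": seen_by_client.src, "path": path}


if __name__ == "__main__":
    for client, hp in [("192.168.0.10", False), ("192.168.1.10", False),
                       ("192.168.1.10", True)]:
        print(client, "hairpin" if hp else "no hairpin", simulate(client, hp))
```

The three runs show the distinction the thread is circling: a client on another subnet (192.168.0.10) works with the plain dstnat rule because its reply must pass the router anyway; a client on the server's own subnet (192.168.1.10) gets a reply sourced from 192.168.1.2 and drops it; with the hairpin srcnat in place the server sees the router as the requester, the reply goes through the router, and the reverse NAT restores 1.1.1.1 as the source.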
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19372
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Harpin NAT between two VLANs

Thu Mar 14, 2019 10:25 pm

All the effort that MikroTik put into writing the hairpin NAT article, explaining things in detail, ...

Ok, I'll copy the important part for you:
  1. the client sends a packet with a source IP address of 192.168.1.10 to a destination IP address of 1.1.1.1 on port tcp/80 to request some web resource.
  2. the router destination NATs the packet to 192.168.1.2 and replaces the destination IP address in the packet accordingly. The source IP address stays the same: 192.168.1.10.
  3. the server replies to the client's request. However, the source IP address of the request is on the same subnet as the web server. The web server does not send the reply back to the router, but sends it back directly to 192.168.1.10 with a source IP address in the reply of 192.168.1.2.
The client receives the reply packet, but it discards it because it expects a packet back from 1.1.1.1, and not from 192.168.1.2. As far as the client is concerned the packet is invalid and not related to any connection the client previously attempted to establish.
Aha Eureka LOL!!
So the reason the server sends it directly back to the originator is because it uses layer 2 connectivity first???
If the source is in a different subnet there is no layer2 window of opportunity!!
(ps waiting for your response on simplest route possible thread!!)
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11627
Joined: Thu Mar 03, 2016 10:23 pm

Re: Harpin NAT between two VLANs

Thu Mar 14, 2019 10:38 pm

So the reason the server sends it directly back to the originator is because it uses layer 2 connectivity first???
If the source is in a different subnet there is no layer2 window of opportunity!!

99.9% correct ... more precisely: server sends reply directly because it was made to believe it's got L2 connectivity to originator due to its L3 settings (subnet mask). That L2 connectivity might be supported by some box performing proxy-ARP (so server doesn't really send ethernet frames to originator's MAC address but rather to the MAC address of a proxy-ARP-performing box) ... but this is not the most common scenario I must admit.
