wolfram
just joined
Topic Author
Posts: 7
Joined: Wed May 24, 2017 7:50 pm
Location: Czech Republic

ROS Hairpin NAT - preserving origin IP for log purpose

Tue Mar 19, 2019 11:05 pm

Just say that's not possible because of design, but maybe there is some workaround here...

1, I have a hairpin NAT for LAN connections on the local bridge - fully functional, no problems.
2, If someone from the LAN connects to another LAN machine (server) with a public IP - it works, but in the server log is the IP of the local bridge (yes, it's normal behaviour).
3, The question is: can I somehow FORCE it to keep the original source IP?

Please, I just need to log the real source IP on the server. Is there any mangle, postrouting or prerouting magic?
 
Sob
Forum Guru
Posts: 4358
Joined: Mon Apr 20, 2009 9:11 pm

Re: ROS Hairpin NAT - preserving origin IP for log purpose  [SOLVED]

Wed Mar 20, 2019 1:07 am

You can't have real source address, that's impossible. It's what you have without hairpin and it doesn't work. Hairpin makes it work, but you lose the real source address. It's a tradeoff, you can have one or another...

... or something in between. You can map original subnet to some virtual subnet, e.g. if you have hairpin rule:
/ip firewall nat
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.0/24 action=masquerade
You can change it to:
/ip firewall nat
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.0/24 action=netmap to-addresses=10.168.88.0/24
And server will see 10.168.88.x, which is not real address, but you'll know that it means 192.168.88.x. It's not perfect, but better than nothing.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
wolfram

Re: ROS Hairpin NAT - preserving origin IP for log purpose

Wed Mar 20, 2019 4:59 pm

Your workaround with netmap looks interesting.
It seems that the last octet in the netmapped address is always the real octet from the LAN network.
I am happy; if I can rely on that behaviour, I am able to identify the real source IP.

Thank you for your magic advice :-)
 
Sob

Re: ROS Hairpin NAT - preserving origin IP for log purpose

Wed Mar 20, 2019 7:31 pm

Manual says yes:
netmap - creates a static 1:1 mapping of one set of IP addresses to another one. Often used to distribute public IP addresses to hosts on private networks
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
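
Added example, not part of any post in this thread: because netmap is a static 1:1 mapping, the real client address can be recovered from the server log by copying the host bits from the virtual subnet into the real one. The subnets are the ones from the rule quoted above; the helper names and log lines are constructed for illustration, and the mapping is generalised to any pair of equal-length prefixes, not only /24.

```python
import ipaddress
import re

# Assumed values, taken from the netmap rule quoted in the thread.
REAL_NET = ipaddress.ip_network("192.168.88.0/24")
VIRTUAL_NET = ipaddress.ip_network("10.168.88.0/24")

# Dotted quads that are not part of a longer run of digits and dots.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def unmap(addr, virtual=VIRTUAL_NET, real=REAL_NET):
    """Return the real LAN address for a netmapped one, or None if addr
    is not a valid IPv4 address inside the virtual subnet."""
    if virtual.prefixlen != real.prefixlen:
        raise ValueError("netmap is 1:1, both subnets need the same prefix length")
    try:
        ip = ipaddress.IPv4Address(addr)
    except ipaddress.AddressValueError:
        return None
    if ip not in virtual:
        return None
    # Keep the host part, swap the network part.
    host_bits = int(ip) & int(virtual.hostmask)
    return str(ipaddress.IPv4Address(int(real.network_address) | host_bits))


def annotate(line):
    """Append the real address after every netmapped address in a log line."""
    def repl(match):
        real = unmap(match.group(0))
        return match.group(0) if real is None else f"{match.group(0)}[{real}]"
    return IPV4_RE.sub(repl, line)


# Constructed sample lines in a common access-log shape (not from the thread).
SAMPLE_LOG = [
    '10.168.88.57 - - [20/Mar/2019:17:02:11 +0100] "GET / HTTP/1.1" 200 512',
    '203.0.113.9 - - [20/Mar/2019:17:02:15 +0100] "GET / HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(annotate(entry))
```

Addresses outside the virtual subnet, such as real external clients, are left untouched, so the annotated log still distinguishes hairpinned LAN traffic from everything else.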
