The picture shows the hairpin NAT I tried to setup, the action is masquerade, it does not work from inside the network, even when I insert the dst nat port and src nat port, please assist.
Sent from my VTR-L09 using Tapatalk
-
-
caswell1000
just joined
- Posts: 12
- Joined:
Hairpin NAT not working as expected
Hi,
The picture shows the hairpin NAT I tried to setup, the action is masquerade, it does not work from inside the network, even when I insert the dst nat port and src nat port, please assist.
Sent from my VTR-L09 using Tapatalk
The picture shows the hairpin NAT I tried to setup, the action is masquerade, it does not work from inside the network, even when I insert the dst nat port and src nat port, please assist.
Sent from my VTR-L09 using Tapatalk
Re: Hairpin NAT not working as expected
For hairpin NAT you need 3 rules, not just one.
Common rule for Internet interface with destiantion nat from public to private for inbound interface
Destination nat from public to private with your source for inbound local interface
Masquerade nat from your source to private destination for outbound local interface
More control!
Common rule for Internet interface with destiantion nat from public to private for inbound interface
Destination nat from public to private with your source for inbound local interface
Masquerade nat from your source to private destination for outbound local interface
More control!
Re: Hairpin NAT not working as expected
@Anumrak,
I also need Hairpin NAT. Could you be more specific in the setup? Give example CLI commands to setup?
I do have a Dynamic WAN IP and NOT a static WAN IP
Thanx
Karel
I also need Hairpin NAT. Could you be more specific in the setup? Give example CLI commands to setup?
I do have a Dynamic WAN IP and NOT a static WAN IP
Thanx
Karel
Re: Hairpin NAT not working as expected
for dstnat you can specify input interface instead ip + you need public ip at the wan and dyndns
Re: Hairpin NAT not working as expected
No, you can't specify in-interface for dstnat rule, because then it won't match packets coming from LAN.
It's really simple. If router has static public address (best case), do e.g.:
(192.168.88.10 is internal server, 192.168.88.0/24 is local network, change it to what you have)
If public address is dynamic, then use this dstnat rule instead (srcnat rule stays the same):
(192.168.88.1 is router's LAN address and it's there to exclude connections to services on router from LAN side, in this case it could be WebFig on port 80)
It's really simple. If router has static public address (best case), do e.g.:
Code: Select all
/ip firewall nat
add chain=dstnat dst-address=<public address> protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.88.10
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.0/24 action=masqueradeIf public address is dynamic, then use this dstnat rule instead (srcnat rule stays the same):
Code: Select all
/ip firewall nat
add chain=dstnat dst-address-type=local dst-address=!192.168.88.1 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.88.10-
-
caswell1000
just joined
- Posts: 12
- Joined:
Re: Hairpin NAT not working as expected
Thanks @Sob, it works.
Sent from my VTR-L09 using Tapatalk
Sent from my VTR-L09 using Tapatalk