Community discussions

 
glmnet
just joined
Topic Author
Posts: 6
Joined: Wed Jul 17, 2019 6:01 pm

hair pin when out interface has different address

Wed Jul 17, 2019 6:10 pm

I have this scenario:
an ISP-provided router facing the internet doing NAT; its LAN address is 192.168.1.1
a MikroTik connected to it with fixed IP 192.168.1.252, also doing NAT; its LAN address is 10.0.1.1
There is a long-range wifi link between the routers, but that works without adding route hops, so it can be ignored.

Now I have a web server at 10.0.1.206.
I was looking at hairpin NAT, but the router facing the internet seems unable to do it.

Also, the public internet IP is not a fixed IP.

I guess hairpin NAT would only work as the manual says if my out-interface address were the public IP address, which in this case it is not. Also, I wouldn't like this traffic to bounce off the 192.168.1.1 router, as it sits behind the wifi link.

I guess the router could do some kind of NAT so I can reach my web server from within the 10.0.1.0/24 LAN using the public IP, but I am clueless.
The port forwarding already works; I can reach my web server from the internet with no problems.

Thanks
Last edited by glmnet on Fri Jul 19, 2019 5:18 am, edited 1 time in total.
 
2frogs
Long time Member
Posts: 540
Joined: Fri Dec 03, 2010 1:38 am

Re: hair pin when out interface has different address

Wed Jul 17, 2019 8:18 pm

On your 10.0.1.1, enable the built-in DDNS. Now add your DDNS URL to an address-list with a name like My_IP. You then use dst-address-list in place of dst-address in the hairpin NAT tutorials.

You can also use the DDNS URL to access your server without having to know your current IP.
 
glmnet
just joined
Topic Author
Posts: 6
Joined: Wed Jul 17, 2019 6:01 pm

Re: hair pin when out interface has different address

Thu Jul 18, 2019 8:02 pm

I already have a DNS name: xxx.duckdns.org. Can I skip enabling the built-in DDNS, add this name to an address-list and follow the steps from there?
The DNS updates are already working.
 
2frogs
Long time Member
Posts: 540
Joined: Fri Dec 03, 2010 1:38 am

Re: hair pin when out interface has different address

Thu Jul 18, 2019 8:13 pm

Yes, you can use the DDNS you already have set up.
 
glmnet
just joined
Topic Author
Posts: 6
Joined: Wed Jul 17, 2019 6:01 pm

Re: hair pin when out interface has different address

Fri Jul 19, 2019 2:36 am

It's not working for some reason: external access works, but when I put the name in a browser it takes me to my in-between router's admin web page.
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none
 1    chain=dstnat action=dst-nat to-addresses=10.0.1.206 protocol=tcp in-interface=ether1-cpe dst-port=443 log=no log-prefix=""
 2    chain=srcnat action=masquerade protocol=tcp src-address=10.0.1.0/24 dst-address-list=my_duckdns out-interface=bridge dst-port=443 log=no log-prefix=""
The my_duckdns list seems to work OK; I see a dynamic entry created by MikroTik with my public IP address.
 #   LIST        ADDRESS                       CREATION-TIME        TIMEOUT
 0   my_duckdns  ****.duckdns.org              jul/18/2019 19:44:27
 1 D ;;; ****.duckdns.org
     my_duckdns  <my public ip shows up here>  jul/18/2019 19:51:12
 
2frogs
Long time Member
Posts: 540
Joined: Fri Dec 03, 2010 1:38 am

Re: hair pin when out interface has different address

Fri Jul 19, 2019 4:13 am

I am sorry, I either misread your original setup or confused it with another. You don't even need the DDNS hack. Use dst-address=192.168.1.252.
/ip firewall nat
add chain=srcnat action=src-nat protocol=tcp src-address=10.0.1.0/24 dst-address=192.168.1.252 to-addresses=10.0.1.1 out-interface=bridge dst-port=443
 
glmnet
just joined
Topic Author
Posts: 6
Joined: Wed Jul 17, 2019 6:01 pm

Re: hair pin when out interface has different address

Fri Jul 19, 2019 5:16 am

I've got it working in the end.

Thank you very much for your help.

I ended up with two dst-nat rules; if I disable the first I cannot access from outside, and if I disable either of the last two I cannot access from inside.
I don't know if I can simplify the rules, as both have the same action.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address-type=local dst-port=443 in-interface=ether1-cpe protocol=tcp to-addresses=10.0.1.206
add action=dst-nat chain=dstnat dst-address-list=my_duckdns dst-port=443 protocol=tcp to-addresses=10.0.1.206
add action=masquerade chain=srcnat dst-address=10.0.1.206 dst-port=443 out-interface=bridge protocol=tcp src-address=10.0.1.0/24
 
Sob
Forum Guru
Posts: 4812
Joined: Mon Apr 20, 2009 9:11 pm

Re: hair pin when out interface has different address

Fri Jul 19, 2019 5:31 am

You can:
/ip firewall address-list
add address=192.168.1.252 list=wan_ips
add address=****.duckdns.org list=wan_ips
/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=10.0.1.206 protocol=tcp dst-address-list=wan_ips dst-port=443
add chain=srcnat action=masquerade src-address=10.0.1.0/24 dst-address=10.0.1.0/24
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
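To show why Sob's second (srcnat masquerade) rule is needed on top of the dst-nat rule, here is an added Python model of the two NAT chains on the MikroTik; it is my own illustration, not RouterOS code or anything posted in the thread. The public IP 203.0.113.10, the LAN client 10.0.1.50 and the external client 198.51.100.7 are constructed placeholders; the other addresses are the thread's.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Addresses from the thread; 203.0.113.10 stands in for the unknown public IP.
LAN = ip_network("10.0.1.0/24")
ROUTER_LAN_IP = ip_address("10.0.1.1")
SERVER = ip_address("10.0.1.206")
WAN_IPS = {ip_address("192.168.1.252"), ip_address("203.0.113.10")}  # "wan_ips" list


@dataclass(frozen=True)
class Pkt:
    src: object
    sport: int
    dst: object
    dport: int


def router_forward(pkt, hairpin_rule):
    """Apply dstnat then srcnat as the router would; return (translated, conntrack)."""
    out = pkt
    if out.dst in WAN_IPS and out.dport == 443:            # dst-nat to-addresses=10.0.1.206
        out = Pkt(out.src, out.sport, SERVER, out.dport)
    if hairpin_rule and out.src in LAN and out.dst in LAN:  # masquerade LAN -> LAN
        out = Pkt(ROUTER_LAN_IP, out.sport, out.dst, out.dport)
    # Conntrack maps the server-side reply tuple back to the client's original packet.
    conntrack = {(out.dst, out.dport, out.src, out.sport): pkt}
    return out, conntrack


def hairpin_reply_source(client, wan_ip, hairpin_rule):
    """Source address the client sees on the server's SYN-ACK."""
    req = Pkt(client, 40000, wan_ip, 443)
    fwd, conntrack = router_forward(req, hairpin_rule)
    reply = Pkt(fwd.dst, fwd.dport, fwd.src, fwd.sport)    # server answers whoever it saw
    if reply.dst in LAN and reply.dst != ROUTER_LAN_IP:
        # Same subnet: the server hands the reply straight to the client over the
        # bridge, the router never un-NATs it, and the client sees 10.0.1.206 instead
        # of the address it connected to, so the TCP handshake fails.
        return reply.src
    # Reply comes back through the router, which reverses both translations.
    return conntrack[(reply.src, reply.sport, reply.dst, reply.dport)].dst
```

With the masquerade rule the LAN client sees the reply from the address it dialled; without it the reply arrives from 10.0.1.206, while external clients are unaffected either way.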
 
glmnet
just joined
Topic Author
Posts: 6
Joined: Wed Jul 17, 2019 6:01 pm

Re: hair pin when out interface has different address

Fri Jul 19, 2019 5:44 am

Ah yes, that looks better and works OK. Thanks!
