yacsap
Member Candidate
Topic Author
Posts: 110
Joined: Wed Dec 17, 2014 11:44 am
Location: Auckland, New Zealand

Questions regarding Hairpinning

Mon Oct 07, 2019 4:20 am

Hi fellow MikroTikers,

I have a couple of questions regarding NAT Hairpinning.

Reading this WikiTik: https://wiki.mikrotik.com/wiki/Hairpin_NAT

My questions are:

1. If we already created the rule below:
/ip firewall nat
add chain=dstnat dst-address=1.1.1.1 protocol=tcp dst-port=80 \
  action=dst-nat to-address=192.168.1.2
add chain=srcnat out-interface=WAN action=masquerade
Do we need to add the following rule:
/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 \
  dst-address=192.168.1.2 protocol=tcp dst-port=80 \
  out-interface=LAN action=masquerade
2. If the devices that are going to access the server are also on the LAN, for uniformity (i.e. to access the server, just type the external address) can we just have the NAT hairpinning rule above instead of the port forwarding rule?

Any help would be appreciated.

Cheers 🍻
 
yacsap

Re: Questions regarding Hairpinning

Mon Oct 07, 2019 4:28 am

Update: I created the second rule, but both bytes and packets show 0.
Does that mean I don't need the second rule? Is it safe to remove it?

 
Sob
Forum Guru
Posts: 5586
Joined: Mon Apr 20, 2009 9:11 pm

Re: Questions regarding Hairpinning

Mon Oct 07, 2019 4:46 am

If connections from LAN to public address work, but hairpin rule does not have any hits, it means that you already have another rule with the same effect higher in srcnat chain.

And no, hairpin rule (srcnat) does not replace port forwarding rule (dstnat), you need both.

Edit: And you don't need multiple hairpin rules for each forwarded port, just one common rule for all is enough:
/ip firewall nat
add chain=srcnat src-address=<LAN subnet> dst-address=<LAN subnet> action=masquerade
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
yacsap

Re: Questions regarding Hairpinning

Mon Oct 07, 2019 5:01 am

If connections from LAN to public address work, but hairpin rule does not have any hits, it means that you already have another rule with the same effect higher in srcnat chain.

And no, hairpin rule (srcnat) does not replace port forwarding rule (dstnat), you need both. <-- My port forwarding rule is not getting any hit since I created the hairpin rule above, any thoughts?

Edit: And you don't need multiple hairpin rules for each forwarded port, just one common for all is enough: <-- so the second rule on my post is actually the hairpin?
/ip firewall nat
add chain=srcnat src-address=<LAN subnet> dst-address=<LAN subnet> action=masquerade
 
Sob

Re: Questions regarding Hairpinning

Mon Oct 07, 2019 5:22 am

It would be best to export and post what you actually have (whole firewall). In first post you just copied rules from wiki, second shows only part of your NAT rules, and nobody can know what other rules you have.
 
yacsap

Re: Questions regarding Hairpinning

Mon Oct 07, 2019 5:49 am

Sure, why not. Here's my firewall export:
/ip firewall nat
add action=dst-nat chain=dstnat comment="http hairpin" dst-address=1.1.1.1 dst-port=80 protocol=tcp to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment="https hairpin" dst-address=1.1.1.1 dst-port=443 protocol=tcp to-addresses=192.168.1.2
add action=masquerade chain=srcnat comment="http intra" dst-address=192.168.1.2 dst-port=80 out-interface=bridge1-DIST protocol=tcp src-address=10.0.0.0/26
add action=masquerade chain=srcnat comment="https intra" dst-address=192.168.1.2 dst-port=443 out-interface=bridge1-DIST protocol=tcp src-address=10.0.0.0/26
add action=dst-nat chain=dstnat comment="http port fwd" dst-port=80 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.2 to-ports=80
add action=dst-nat chain=dstnat comment="https port fwd" dst-port=443 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.2 to-ports=443
add action=masquerade chain=srcnat out-interface=pppoe-out1
 
yacsap

Re: Questions regarding Hairpinning

Mon Oct 07, 2019 6:00 am

Update:
Only the first and second rules got hits; the remaining four rules didn't get any. Can I safely remove them? And will both port forwarding and hairpin NAT work using just the first two rules?

My goals are:
  • From the LAN, I should be able to visit 1.1.1.1 and get to port 80 of 10.0.17.2
  • From the WAN, I should also be able to visit 1.1.1.1 and get to port 80 of 10.0.17.2
 
Sob

Re: Questions regarding Hairpinning

Mon Oct 07, 2019 3:12 pm

1) It would be good to decide what addresses you have. You know, if you want traffic forwarded to 10.0.17.2, dstnat rules with to-addresses=192.168.1.2 won't do it.

2) You don't need duplicate rules. These two do the same thing:
/ip firewall nat
add action=dst-nat chain=dstnat comment="http hairpin" dst-address=1.1.1.1 dst-port=80 protocol=tcp to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment="http port fwd" dst-port=80 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.2 to-ports=80
Only the second one is a limited version that will work only for connections from the internet. You can get rid of it and the first one will work for connections from both the internet and the LAN. Same for the other set (for https). And unless you require separate counters, if the destination address is the same you can have both ports in one rule (dst-port=80,443), so in the end just one rule instead of the current four.

3) You do need some srcnat rule (in addition to main masquerade). Probably this one (but possibly something else, depends on result of point 1):
/ip firewall nat
add chain=srcnat src-address=10.0.0.0/26 dst-address=10.0.0.0/26 action=masquerade
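To make the two points in the replies above concrete (why the dstnat rule on its own is not enough for clients on the LAN, and why the in-interface=pppoe-out1 variant of the dstnat rule can never serve hairpin traffic), here is an added example that is not part of the thread and not RouterOS code: a small Python model of first-match processing in the dstnat (prerouting) and srcnat (postrouting) chains, followed by the server's reply path. 1.1.1.1 and 192.168.1.2 are the thread's own placeholders; the router's LAN address 192.168.1.1, the LAN client 192.168.1.50, the internet client 203.0.113.5 and the interface names "LAN"/"WAN" (standing in for bridge1-DIST and pppoe-out1) are assumptions made for the model.

```python
"""Toy model of RouterOS NAT chains for the hairpin case discussed in the thread.

Added example, not RouterOS code. Addresses follow the thread's placeholders
(1.1.1.1 as the public WAN address, 192.168.1.2 as the server). The router's
LAN address 192.168.1.1 and the clients 192.168.1.50 (LAN) and 203.0.113.5
(internet) are constructed for the model.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple, Union

LAN_NET = ip_network("192.168.1.0/24")
ROUTER_LAN = ip_address("192.168.1.1")   # assumed router address on the LAN bridge
ROUTER_WAN = ip_address("1.1.1.1")       # public address placeholder from the thread
SERVER = ip_address("192.168.1.2")


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int
    in_iface: str                         # "LAN" or "WAN"


@dataclass(frozen=True)
class Rule:
    chain: str                            # "dstnat" (prerouting) or "srcnat" (postrouting)
    action: str                           # "dst-nat" or "masquerade"
    src_address: Optional[IPv4Network] = None
    dst_address: Union[IPv4Address, IPv4Network, None] = None
    dst_port: Optional[int] = None
    in_interface: Optional[str] = None
    out_interface: Optional[str] = None
    to_addresses: Optional[IPv4Address] = None


def _addr_match(addr: IPv4Address, spec) -> bool:
    if spec is None:
        return True
    return addr in spec if isinstance(spec, IPv4Network) else addr == spec


def matches(rule: Rule, pkt: Packet, out_iface: Optional[str]) -> bool:
    """Every matcher that is set must match; unset matchers match anything."""
    return (_addr_match(pkt.src, rule.src_address)
            and _addr_match(pkt.dst, rule.dst_address)
            and rule.dst_port in (None, pkt.dport)
            and rule.in_interface in (None, pkt.in_iface)
            and rule.out_interface in (None, out_iface))


def route(dst: IPv4Address) -> str:
    """Routing decision taken after dstnat; the router's own addresses go to input, not forward."""
    if dst in (ROUTER_LAN, ROUTER_WAN):
        return "local"
    return "LAN" if dst in LAN_NET else "WAN"


def forward(rules: List[Rule], pkt: Packet) -> Tuple[Packet, str]:
    """First packet of a new connection: dstnat -> routing -> srcnat.
    The first matching rule in each chain wins, so later duplicates never count packets."""
    for r in rules:
        if r.chain == "dstnat" and matches(r, pkt, None):
            pkt = replace(pkt, dst=r.to_addresses)
            break
    out = route(pkt.dst)
    if out != "local":
        for r in rules:
            if r.chain == "srcnat" and matches(r, pkt, out):
                pkt = replace(pkt, src=ROUTER_LAN if out == "LAN" else ROUTER_WAN)
                break
    return pkt, out


def reply_ok(rules: List[Rule], client_pkt: Packet) -> Tuple[bool, str]:
    """Does the client get its reply from the address it connected to?
    A server that sees a source on its own subnet answers it directly (ARP), so the
    router never reverses the dst-nat and the client sees a reply from 192.168.1.2
    instead of 1.1.1.1 and drops it. Masquerading the hairpinned connection makes the
    reply go back through the router, which reverses both translations."""
    delivered, out = forward(rules, client_pkt)
    if out != "LAN" or delivered.dst != SERVER:
        return False, "not forwarded to the server"
    if delivered.src in LAN_NET and delivered.src != ROUTER_LAN:
        return False, f"reply comes directly from {SERVER}, client expected {client_pkt.dst}"
    return True, f"reply returns via the router, client sees {client_pkt.dst}"


# Rule sets mirroring the thread: plain port forward, the WAN-only variant, hairpin, main masquerade.
PORT_FORWARD = Rule("dstnat", "dst-nat", dst_address=ROUTER_WAN, dst_port=80, to_addresses=SERVER)
PORT_FORWARD_WAN_ONLY = Rule("dstnat", "dst-nat", dst_port=80, in_interface="WAN", to_addresses=SERVER)
HAIRPIN = Rule("srcnat", "masquerade", src_address=LAN_NET, dst_address=LAN_NET)
MASQ_WAN = Rule("srcnat", "masquerade", out_interface="WAN")

WITHOUT_HAIRPIN = [PORT_FORWARD, MASQ_WAN]
WITH_HAIRPIN = [PORT_FORWARD, HAIRPIN, MASQ_WAN]
WAN_ONLY_DSTNAT = [PORT_FORWARD_WAN_ONLY, HAIRPIN, MASQ_WAN]

FROM_INTERNET = Packet(ip_address("203.0.113.5"), ROUTER_WAN, 80, "WAN")   # constructed client
FROM_LAN = Packet(ip_address("192.168.1.50"), ROUTER_WAN, 80, "LAN")       # constructed client

if __name__ == "__main__":
    for name, rules in [("no hairpin", WITHOUT_HAIRPIN), ("hairpin", WITH_HAIRPIN),
                        ("WAN-only dstnat", WAN_ONLY_DSTNAT)]:
        for who, pkt in [("internet", FROM_INTERNET), ("LAN", FROM_LAN)]:
            ok, why = reply_ok(rules, pkt)
            print(f"{name:16} client on {who:8}: {'OK ' if ok else 'FAIL'} {why}")
```

Two caveats a practitioner should keep in mind when applying the resulting three-rule set. First, the hairpin masquerade replaces every LAN client's source with the router's LAN address, so the server's access logs and any per-client rate limiting on it see 192.168.1.1 rather than the real client; if that matters, use the split-DNS approach the wiki mentions instead. Second, matching on dst-address=1.1.1.1 only works while the public address is static; with a dynamic PPPoE address the usual RouterOS alternative (outside what the thread covers) is to match dst-address-type=local in the dstnat rule rather than in-interface=pppoe-out1, because the in-interface form cannot see LAN-originated hairpin traffic, as the model's WAN_ONLY_DSTNAT case shows.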
