alexsec
just joined
Topic Author
Posts: 8
Joined: Wed Jul 03, 2019 9:38 am

Implementation of Hairpin NAT question

Thu Nov 19, 2020 10:44 am

Hi people,

I have an RB3011UiAS device running ROS 6.45.9. My setup has 2 WAN connections, each one connected to a different ISP with static public IP addresses (one serves as backup and is active if the first one fails). I also have multiple VLAN networks. My rule: chain=srcnat action=masquerade log=no log-prefix="". Everything works, but now as I publish web servers and so on (doing port forwarding), the router is forwarding its IP address as the source instead of the public client IP address, which is required for some of my services. How is it best to configure this? Do I need to create multiple masquerade rules for WAN interfaces and VLAN networks? I have read many topics and I am confused now.

Thanks,

Alex
 
mkx
Forum Guru
Posts: 5015
Joined: Thu Mar 03, 2016 10:23 pm

Re: Implementation of Hairpin NAT question

Thu Nov 19, 2020 10:55 am

For hair-pin NAT (i.e. LAN clients connecting to WAN address which is NATed to server in same LAN subnet as clients) mapping source address (i.e. client's address) to router's own address is inevitable. When clients from other subnets (either other LAN subnets or internet) connect to LAN server this should not be necessary.

If you observe something else, then describe the case in detail ... and you might need to post full router config so that we can see what exactly is configured and how it might interfere with what you actually want to happen.
BR,
Metod
 
Sob
Forum Guru
Posts: 6260
Joined: Mon Apr 20, 2009 9:11 pm

Re: Implementation of Hairpin NAT question

Thu Nov 19, 2020 12:54 pm

If you have unconditional masquerade like this:
/ip firewall nat
add chain=srcnat action=masquerade
then it's wrong, because it affects everything. Hairpin NAT is for traffic from LAN back to same LAN, so you want something like:
/ip firewall nat
add chain=srcnat src-address=<LAN subnet 1> dst-address=<LAN subnet 1> action=masquerade
add chain=srcnat src-address=<LAN subnet 2> dst-address=<LAN subnet 2> action=masquerade
...
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
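
An auditing sketch for the point made in the reply above, as an added example that is not part of the original thread: it parses a NAT export and labels each srcnat masquerade rule as unconditional, hairpin, or otherwise scoped. The sample export, its addresses and interface names, and the list of matchers treated as scoping are assumptions of the example.

```python
import shlex

# Matchers that restrict which packets a srcnat rule applies to. The list is
# an assumption of this example and covers the common scoping options only.
SCOPING_KEYS = {
    "src-address", "dst-address", "src-address-list", "dst-address-list",
    "out-interface", "out-interface-list",
}

# Constructed sample in the style of a NAT export; the addresses and
# interface names are made up for the example.
SAMPLE_EXPORT = """\
/ip firewall nat
add chain=dstnat action=dst-nat in-interface=ether1 protocol=tcp dst-port=443 to-addresses=192.168.10.5
add chain=srcnat action=masquerade log=no log-prefix=""
add chain=srcnat action=masquerade out-interface=ether1
add chain=srcnat action=masquerade src-address=192.168.10.0/24 \\
    dst-address=192.168.10.0/24 comment="hairpin vlan10"
"""

def parse_nat_rules(export_text):
    """Return one dict of key=value properties per 'add' line in the NAT section."""
    joined = export_text.replace("\\\n", " ")  # undo export line continuations
    rules, in_nat = [], False
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_nat = line == "/ip firewall nat"
        elif in_nat and line.startswith("add "):
            tokens = shlex.split(line[4:])
            rules.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return rules

def classify(rule):
    """Return 'unconditional', 'hairpin' or 'scoped'; None if not srcnat masquerade."""
    if rule.get("chain") != "srcnat" or rule.get("action") != "masquerade":
        return None
    if not SCOPING_KEYS & rule.keys():
        return "unconditional"  # rewrites the source of every forwarded connection
    src, dst = rule.get("src-address"), rule.get("dst-address")
    if src is not None and src == dst:
        return "hairpin"  # LAN back to the same LAN, as in the reply above
    return "scoped"

def audit(export_text):
    """Return (label, rule) pairs for every srcnat masquerade rule found."""
    return [(classify(r), r) for r in parse_nat_rules(export_text) if classify(r)]

if __name__ == "__main__":
    for label, rule in audit(SAMPLE_EXPORT):
        print(f"{label:13} {rule}")
```

A rule labelled unconditional is the one that replaces the public client address with the router's address on port-forwarded connections, so server logs and address-based access controls behind it only ever see the router.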