thompsontech
just joined
Topic Author
Posts: 15
Joined: Sat Nov 10, 2018 3:45 am

NAT HAIRPIN

Wed Jul 28, 2021 1:58 pm

I'm having trouble accessing my internal FTP with my public IP. When accessing from outside the internal network, it works correctly.

The MikroTik is configured as follows:

ether-1 - PPPoE >> Public IP >> 127.104.81.xyz
ether-2 - LAN >> 10.10.1.0/24
IP Server FTP: 10.10.1.15

Rules dstnat:
Chain: dstnat
Dst. Address: 127.104.81.xyz
Protocol: tcp
Dst. Port: 1024
In. Interface: pppoe
Action: dst-nat
To Addresses: 10.10.1.15
To Ports: 1024

Rules hairpin:
Chain: srcnat
Src. Address: 10.10.1.0/24
Dst. Address: 10.10.1.15
Protocol: tcp
Dst. Port: 1024
Out. Interface: bridge
Action: masquerade

I created some NAT rules but I don't trust this procedure. My RB is RB951Ui v6.48
Last edited by thompsontech on Wed Jul 28, 2021 6:17 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NAT HAIRPIN

Wed Jul 28, 2021 2:04 pm

post your config
/export hide-sensitive file=anynameyouwish
 
thompsontech
just joined
Topic Author
Posts: 15
Joined: Sat Nov 10, 2018 3:45 am

Re: NAT HAIRPIN

Wed Jul 28, 2021 2:16 pm

my settings are like this:


/ip firewall nat
add action=dst-nat chain=dstnat dst-port=1024 in-interface="Vero - Internet" \
protocol=tcp to-addresses=10.10.1.15 to-ports=1024
add action=masquerade chain=srcnat comment="# Masquarade" out-interface=\
"Vero - Internet"
add action=dst-nat chain=dstnat dst-address-type=local dst-port=1024 \
protocol=tcp to-addresses=10.10.1.15 to-ports=1024
add action=masquerade chain=srcnat dst-address=10.10.1.15 dst-port=1024 \
out-interface=bridge protocol=tcp src-address=10.10.1.0/24
add action=dst-nat chain=dstnat comment="FTP " dst-port=1024 in-interface=\
"Vero - Internet" protocol=tcp to-addresses=10.10.1.15 to-ports=1024
add action=masquerade chain=srcnat dst-address=10.10.1.15 dst-port=1024 \
out-interface=bridge protocol=tcp src-address=10.10.1.0/24
add action=dst-nat chain=dstnat comment="FTP Passiva" dst-port=5000-5200 \
in-interface="Vero - Internet" protocol=tcp to-addresses=10.10.1.15 \
to-ports=5000-5200
add action=masquerade chain=srcnat dst-address=10.10.1.15 dst-port=5000-5200 \
out-interface=bridge protocol=tcp src-address=10.10.1.0/24
 
DarkNate
Forum Veteran
Posts: 997
Joined: Fri Jun 26, 2020 4:37 pm

Re: NAT HAIRPIN

Wed Jul 28, 2021 4:32 pm

The answer is right here: viewtopic.php?t=172380#p869439
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NAT HAIRPIN

Wed Jul 28, 2021 4:40 pm

Since you refuse to post the config, others can help sufficiently.
One comes looking for help not knowing what their problem is but arrogantly thinks they know what they should provide to help.
Don't feel bad, seems to be a common problem.

I also detest others that attempt to help without the complete picture. ;-P
As if firewall rules don't have anything to do with port forwarding.

Besides I could always post this link..... but that would be lazy on my part.
viewtopic.php?f=13&t=175064&p=856786&hi ... at#p856786
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: NAT HAIRPIN

Wed Jul 28, 2021 4:49 pm

>...<
Last edited by rextended on Wed Jul 28, 2021 7:16 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NAT HAIRPIN

Wed Jul 28, 2021 6:02 pm

hi rextended I hope using your Cray computer you hacked the password and have added in better security for the chap ;-)
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: NAT HAIRPIN

Wed Jul 28, 2021 6:07 pm

Can't do that without bill... :))
 
thompsontech
just joined
Topic Author
Posts: 15
Joined: Sat Nov 10, 2018 3:45 am

Re: NAT HAIRPIN

Wed Jul 28, 2021 7:45 pm

Thank you all for your help. I used the procedure cited by "darknate" in the link

https://help.mikrotik.com/docs/display/ ... HairpinNAT

The procedure was performed on a client on the network cable. The tests I was doing were over wi-fi. I believe the IP of the Access Point device was interfering with the tests I was running on the notebook.
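
An added example, not part of any post in this thread and not MikroTik's own code: a small Python model of the NAT decisions discussed above, showing why a LAN client fails to reach the server through the public address unless both a dstnat rule that matches LAN-originated traffic and the hairpin masquerade are present. The public IP (an RFC 5737 documentation address, since the thread masks the real one), the router LAN IP, the client IP and the dict rule format are all assumptions.

```python
import ipaddress

# Constructed values: the thread masks the public IP, so an RFC 5737
# documentation address stands in; router LAN IP and client IP are assumed.
PUBLIC_IP, ROUTER_LAN_IP, CLIENT = "203.0.113.10", "10.10.1.1", "10.10.1.50"
SERVER, LAN = "10.10.1.15", ipaddress.ip_network("10.10.1.0/24")

# dstnat rules modelled on the posted export (hypothetical dict form).
WAN_ONLY = [{"in_interface": "Vero - Internet", "dport": 1024, "to": SERVER}]
WITH_LOCAL = WAN_ONLY + [{"dst_local": True, "dport": 1024, "to": SERVER}]

def dstnat(pkt, rules):
    """First matching rule rewrites the destination, as in the dstnat chain."""
    for r in rules:
        if "in_interface" in r and r["in_interface"] != pkt["in_if"]:
            continue  # packet did not arrive on the WAN interface
        if r.get("dst_local") and pkt["dst"] not in (PUBLIC_IP, ROUTER_LAN_IP):
            continue  # dst-address-type=local: only the router's own addresses
        if r["dport"] == pkt["dport"]:
            return dict(pkt, dst=r["to"])
    return pkt

def srcnat(pkt, hairpin):
    """Hairpin masquerade: LAN source to the LAN server leaves as the router."""
    if hairpin and ipaddress.ip_address(pkt["src"]) in LAN and pkt["dst"] == SERVER:
        return dict(pkt, src=ROUTER_LAN_IP)
    return pkt

def lan_client_connects(dst_rules, hairpin):
    """Outcome of a LAN client opening TCP 1024 to the public address."""
    syn = {"src": CLIENT, "dst": PUBLIC_IP, "dport": 1024, "in_if": "bridge"}
    fwd = srcnat(dstnat(syn, dst_rules), hairpin)
    if fwd["dst"] != SERVER:
        return "no-dstnat"         # only the WAN-bound rule exists; nothing matched
    if fwd["src"] == CLIENT:
        # Server answers CLIENT directly on the LAN, bypassing the router, so
        # the reply comes from 10.10.1.15 instead of the address CLIENT dialled.
        return "asymmetric-reply"
    return "ok"                    # reply returns via the router and is un-NATed

if __name__ == "__main__":
    for name, rules, hp in [("WAN-only dstnat", WAN_ONLY, True),
                            ("local dstnat, no hairpin", WITH_LOCAL, False),
                            ("local dstnat + hairpin", WITH_LOCAL, True)]:
        print(f"{name}: {lan_client_connects(rules, hp)}")
```

With the hairpin masquerade in place, the FTP server sees the router's LAN address as the source of hairpinned connections, so its access logs no longer identify the individual internal client.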
