danieltnc1981
newbie
Topic Author
Posts: 32
Joined: Sun Jul 16, 2017 1:27 pm

Hairpin Nat

Sat Sep 11, 2021 1:03 pm

Good morning.
I have a MikroTik set up in the following way:

Wan: 10.10.10.11
Lan 1: 192.168.1.X
Lan 2: 192.168.2.X

On Lan 2 I have a DVR device on port 443 on IP 192.168.2.200.

I reach it with a public address from outside with the following DNS name:

mynames.dns:443

But not from the inside. I have configured a hairpin NAT but it doesn't work.

192.168.1.200:443 works internally.

Where am I wrong?

Could somebody help me out?

My configuration is in the attachments.

Thanks
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Hairpin Nat

Sat Sep 11, 2021 3:11 pm

If the internal network is under your control, use the router as DNS on DHCP and put a static DNS entry that resolves mynames.dns to the internal IP instead of the external one;
then you do not need the hairpin (and no NAT rules at all for this).
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Hairpin Nat

Sat Sep 11, 2021 3:49 pm

For future issues, a single jpeg or snippet is rarely enough information.
Ideally, one provides
a. network diagram
b. full set of use case requirements (what users/devices should be able and should not be able to do, without noting any networking equipment or configuration words).
and finally, if nothing else, the bare minimum you should post is...
c. /export hide-sensitive file=anynameyouwish

As for loopback or hairpin, whatever...
The easiest solution is to put your server(s) on a different subnet.
The issue of hairpin ONLY occurs if the users are:
a. on the same LAN subnet as the server
b. using the external DynDNS name to access the server

Thus in terms of solutions, from my viewpoint the recommendations start with...
1. put server(s) on a different subnet or VLAN
2. get users to use the actual LAN IP of the server, which is more direct anyway.
3. the solution that rextended noted... which uses DNS and avoids NAT
4. other methods of doing hairpin NAT...
viewtopic.php?f=13&t=175064&p=856786&hi ... at#p856786

Now let's take a closer look at what rextended is proposing.
To put it in terms I can understand (guru by volume, not by knowledge :-) )
He basically INTERCEPTS any request by someone ON THE LAN SUBNETS heading towards the public IP via the DOMAIN NAME and redirects that to the server.
This is done by the following IP DNS STATIC rule:
Using the secret code name (NSA approved) of regexp or something. It's a funky word that no one has actually explained what it stands for, means or does, but now would be a good time for somebody to do so!!
Let's look at the example. LANSUBNET=88.1 server=88.68 dyndns domain name=www.vattelapesca.rex
/ip dns static
add address=192.168.88.68 regexp="(^|www\\.)vattelappesca\\.rex\$" ttl=5m
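A worked RouterOS configuration covering both approaches discussed in this thread (rextended's static-DNS answer and a conventional hairpin NAT), added here as an example; it is not the topic author's attached configuration. Values taken from the thread: WAN 10.10.10.11, DVR 192.168.2.200:443, name mynames.dns. Assumed: WAN interface ether1, router LAN addresses 192.168.1.1 and 192.168.2.1.

```routeros
# Added example (not the poster's attachment). From the thread: WAN 10.10.10.11,
# DVR 192.168.2.200:443, public name mynames.dns. Assumed: WAN interface ether1,
# router LAN addresses 192.168.1.1 (LAN 1) and 192.168.2.1 (LAN 2).

# --- Option A (rextended): split-horizon DNS, no hairpin rules at all ---
# Clients that ask the router for mynames.dns get the LAN address directly.
/ip dns
set allow-remote-requests=yes
/ip dns static
add name=mynames.dns address=192.168.2.200 ttl=5m
# Hand out the router as the only DNS server; a client still using a public
# resolver keeps getting 10.10.10.11 and sees the original problem.
/ip dhcp-server network
set [find address=192.168.1.0/24] dns-server=192.168.1.1
set [find address=192.168.2.0/24] dns-server=192.168.2.1
# allow-remote-requests=yes makes the router answer DNS on every interface,
# so refuse it from the WAN or the router becomes an open resolver.
/ip firewall filter
add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop place-before=0
add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop place-before=0

# --- Option B: keep using the public name, with hairpin NAT ---
/ip firewall nat
# Port forward. Do not add in-interface=ether1 here: the same rule must also
# match LAN clients that connect to 10.10.10.11. If the WAN address is
# dynamic, use dst-address-type=local instead of dst-address.
add chain=dstnat dst-address=10.10.10.11 protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.2.200 to-ports=443
# Hairpin rule, needed only for clients on the server's own subnet: without
# it the DVR replies to 192.168.2.x directly, the client sees an answer from
# 192.168.2.200 instead of 10.10.10.11 and discards it.
add chain=srcnat src-address=192.168.2.0/24 dst-address=192.168.2.200 \
    protocol=tcp dst-port=443 action=masquerade
# Clients on 192.168.1.0/24 already route through the router, so the dstnat
# rule alone serves them (anav's point that hairpin is a same-subnet issue).
```

The counters shown by /ip firewall nat print stats tell you whether the dstnat rule is matching LAN-originated connections at all, which is the first thing to check when a hairpin setup "doesn't work".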