vaughnfisher
just joined
Topic Author
Posts: 11
Joined: Thu Sep 20, 2012 1:39 pm

Hairpin NAT with bonded ADSL lines

Thu Sep 20, 2012 1:50 pm

I'm looking for some assistance if there is any available. I have followed the online tutorial, but still come up short when trying to get it to work. I've attached my support file if somebody can help me. I'm trying to get my internal network to be able to browse public addresses from within my LAN.

Please help, I have been struggling for some time with this issue.

Not sure how to send my configuration; I tried to attach the rif file but it won't allow me.
 
Caci99
Forum Guru
Posts: 1069
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: Hairpin NAT with bonded ADSL lines

Thu Sep 20, 2012 4:44 pm

Post the following in here:
/ip firewall nat print
/ip firewall mangle print
/ip route print
-Toni-
Don't crash the ambulance, whatever you do
 
vaughnfisher
just joined
Topic Author
Posts: 11
Joined: Thu Sep 20, 2012 1:39 pm

Re: Hairpin NAT with bonded ADSL lines

Thu Sep 20, 2012 5:12 pm

/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Internal NAT for Seagate 8002
chain=dstnat action=log protocol=tcp in-interface=ether2-master-local dst-port=8002 log-prefix="vtest"

1 chain=srcnat action=masquerade out-interface=ADSLLine2

2 chain=srcnat action=masquerade out-interface=ADSLLine1

3 ;;; NAT For Port 8002 - Seagate Drive
chain=dstnat action=dst-nat to-addresses=192.168.0.12 to-ports=8002 protocol=tcp in-interface=ADSLLine2 dst-port=8002

4 ;;; NAT For Port 51005 - Drive Cam
chain=dstnat action=dst-nat to-addresses=192.168.0.131 to-ports=51005 protocol=tcp in-interface=ADSLLine2 dst-port=51005

5 ;;; NAT For Port 8097 - Prodigy
chain=dstnat action=dst-nat to-addresses=192.168.0.27 to-ports=8097 protocol=tcp in-interface=ADSLLine2 dst-port=8097

6 ;;; NAT For Port 4125 - Home Serv
chain=dstnat action=dst-nat to-addresses=192.168.0.11 to-ports=4125 protocol=tcp in-interface=ADSLLine2 dst-port=4125

And so on and so forth - all working from outside my LAN

/ip firewall mangle print

Flags: X - disabled, I - invalid, D - dynamic
0 X chain=prerouting action=mark-connection new-connection-mark=pppoe1 passthrough=yes in-interface=(unknown) connection-mark=no-mark

1 X chain=prerouting action=mark-connection new-connection-mark=pppoe2 passthrough=yes in-interface=(unknown) connection-mark=no-mark

2 X chain=prerouting action=mark-connection new-connection-mark=pppoe1 passthrough=yes dst-address-type=local in-interface=ether2-master-local connection-mark=no-mark per-connection-classifier=both-addresses:2/0

3 X chain=prerouting action=mark-connection new-connection-mark=pppoe2 passthrough=yes dst-address-type=local in-interface=ether2-master-local connection-mark=no-mark per-connection-classifier=both-addresses:2/1

4 X chain=prerouting action=mark-connection new-connection-mark=to_pppoe1 passthrough=yes in-interface=ether2-master-local connection-mark=pppoe1

5 X chain=prerouting action=mark-connection new-connection-mark=to_pppoe2 passthrough=yes in-interface=ether2-master-local connection-mark=pppoe2

6 X chain=output action=mark-routing new-routing-mark=to_pppoe1 passthrough=yes connection-mark=pppoe1

7 X chain=output action=mark-routing new-routing-mark=to_pppoe2 passthrough=yes connection-mark=pppoe2

8 chain=prerouting action=mark-connection new-connection-mark=odd passthrough=yes connection-state=new in-interface=ether2-master-local nth=2,1

9 chain=prerouting action=mark-connection new-connection-mark=even passthrough=yes connection-state=new in-interface=ether2-master-local nth=2,2

10 chain=prerouting action=mark-routing new-routing-mark=odd passthrough=yes in-interface=ether2-master-local connection-mark=odd

11 chain=prerouting action=mark-routing new-routing-mark=even passthrough=yes in-interface=ether2-master-local connection-mark=even

12 X chain=prerouting action=mark-connection new-connection-mark=to_pppoe1 passthrough=yes in-interface=MAIN-PPP2

13 ;;; New
chain=prerouting action=mark-connection new-connection-mark=odd passthrough=yes in-interface=ADSLLine1 connection-mark=no-mark

14 ;;; New
chain=prerouting action=mark-connection new-connection-mark=even passthrough=yes in-interface=ADSLLine2 connection-mark=no-mark

15 ;;; Mikrotik SA
chain=output action=mark-routing new-routing-mark=even passthrough=yes dst-address=!192.168.0.0/16 connection-mark=even

16 ;;; Mikrotik SA
chain=output action=mark-routing new-routing-mark=odd passthrough=yes dst-address=!192.168.0.0/16 connection-mark=odd

/ip route print

Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 X S 0.0.0.0/0 (unknown) 1
1 X S 0.0.0.0/0 (unknown) 1
2 A S 0.0.0.0/0 ADSLLine1 1
3 A S 0.0.0.0/0 ADSLLine2 1
4 ADS 0.0.0.0/0 196.215.207.1 1
5 DS 0.0.0.0/0 196.215.207.1 1
6 X S 0.0.0.0/0 (unknown) 1
7 X S 0.0.0.0/0 (unknown) 2
8 ADC 192.168.0.0/24 192.168.0.1 ether2-master-l... 0
9 ADC 196.215.207.1/32 196.215.207.106 ADSLLine1 0
ADSLLine2
 
vaughnfisher
just joined
Topic Author
Posts: 11
Joined: Thu Sep 20, 2012 1:39 pm

Re: Hairpin NAT with bonded ADSL lines

Fri Sep 21, 2012 9:02 am

Hi, bonding of 2 x ADSL lines works 100%.
NAT from the internet to inside LAN devices works 100%.
Public address calls from inside the LAN don't work.

/ip firewall nat print

Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Internal NAT for Seagate 8002
chain=dstnat action=log protocol=tcp in-interface=ether2-master-local dst-port=8002 log-prefix="vtest"

1 chain=srcnat action=masquerade out-interface=ADSLLine2

2 chain=srcnat action=masquerade out-interface=ADSLLine1

3 ;;; NAT For Port 8002 - Seagate Drive
chain=dstnat action=dst-nat to-addresses=192.168.0.12 to-ports=8002 protocol=tcp in-interface=ADSLLine2 dst-port=8002

4 ;;; NAT For Port 51005 - Drive Cam
chain=dstnat action=dst-nat to-addresses=192.168.0.131 to-ports=51005 protocol=tcp in-interface=ADSLLine2 dst-port=51005

5 ;;; NAT For Port 8097 - Prodigy
chain=dstnat action=dst-nat to-addresses=192.168.0.27 to-ports=8097 protocol=tcp in-interface=ADSLLine2 dst-port=8097

6 ;;; NAT For Port 4125 - Home Serv
chain=dstnat action=dst-nat to-addresses=192.168.0.11 to-ports=4125 protocol=tcp in-interface=ADSLLine2 dst-port=4125

7 ;;; NAT For Port 443 - Home Serv
chain=dstnat action=dst-nat to-addresses=192.168.0.11 to-ports=443 protocol=tcp in-interface=ADSLLine2 dst-port=443

8 ;;; NAT For Port 80 - Home Serv
chain=dstnat action=dst-nat to-addresses=192.168.0.11 to-ports=80 protocol=tcp in-interface=ADSLLine2 dst-port=80

9 X ;;; NAT For Port 20817 - Home Serv Remote 2
chain=dstnat action=dst-nat to-addresses=192.168.0.11 to-ports=20817 protocol=tcp in-interface=ADSLLine2 dst-port=20817

10 ;;; NAT For Port 65515 - Home Serv Remote
chain=dstnat action=dst-nat to-addresses=192.168.0.11 to-ports=65515 protocol=tcp in-interface=ADSLLine2 dst-port=65515

11 ;;; NAT For Port 82 - Home Serv HSManage
chain=dstnat action=dst-nat to-addresses=192.168.0.11 to-ports=82 protocol=tcp in-interface=ADSLLine2 dst-port=82

12 ;;; NAT For Port 1433 - Home Serv SQL
chain=dstnat action=dst-nat to-addresses=192.168.0.11 to-ports=1433 protocol=tcp in-interface=ADSLLine2 dst-port=1433

13 ;;; NAT For Port 3389 - Home Serv RD Connect
chain=dstnat action=dst-nat to-addresses=192.168.0.11 to-ports=3389 protocol=tcp in-interface=ADSLLine2 dst-port=3389

14 ;;; NAT For Port 56123 - Vulcano UDP
chain=dstnat action=dst-nat to-addresses=192.168.0.22 to-ports=56123 protocol=udp in-interface=ADSLLine2 dst-port=56123

15 ;;; NAT For Port 56123 - Vulcano TCP
chain=dstnat action=dst-nat to-addresses=192.168.0.22 to-ports=56123 protocol=tcp in-interface=ADSLLine2 dst-port=56123

16 ;;; NAT For Port 49177 - Vulcano TCP
chain=dstnat action=dst-nat to-addresses=192.168.0.22 to-ports=49177 protocol=tcp in-interface=ADSLLine2 dst-port=49177

17 ;;; NAT For Port 8004 - Boxee
chain=dstnat action=dst-nat to-addresses=192.168.0.7 to-ports=8004 protocol=tcp in-interface=ADSLLine2 dst-port=8004

18 ;;; NAT For Port 8067 - XBMC
chain=dstnat action=dst-nat to-addresses=192.168.0.7 to-ports=8067 protocol=tcp in-interface=ADSLLine2 dst-port=8067

19 ;;; NAT For Port 8007 - Xtreamer
chain=dstnat action=dst-nat to-addresses=192.168.0.31 to-ports=8007 protocol=tcp in-interface=ADSLLine2 dst-port=8007

20 ;;; NAT For Port 51009 - Gym Cam
chain=dstnat action=dst-nat to-addresses=192.168.0.132 to-ports=51009 protocol=tcp in-interface=ADSLLine2 dst-port=51009

/ip firewall mangle print


Flags: X - disabled, I - invalid, D - dynamic
0 X chain=prerouting action=mark-connection new-connection-mark=pppoe1 passthrough=yes in-interface=(unknown) connection-mark=no-mark

1 X chain=prerouting action=mark-connection new-connection-mark=pppoe2 passthrough=yes in-interface=(unknown) connection-mark=no-mark

2 X chain=prerouting action=mark-connection new-connection-mark=pppoe1 passthrough=yes dst-address-type=local in-interface=ether2-master-local connection-mark=no-mark per-connection-classifier=both-addresses:2/0

3 X chain=prerouting action=mark-connection new-connection-mark=pppoe2 passthrough=yes dst-address-type=local in-interface=ether2-master-local connection-mark=no-mark per-connection-classifier=both-addresses:2/1

4 X chain=prerouting action=mark-connection new-connection-mark=to_pppoe1 passthrough=yes in-interface=ether2-master-local connection-mark=pppoe1

5 X chain=prerouting action=mark-connection new-connection-mark=to_pppoe2 passthrough=yes in-interface=ether2-master-local connection-mark=pppoe2

6 X chain=output action=mark-routing new-routing-mark=to_pppoe1 passthrough=yes connection-mark=pppoe1

7 X chain=output action=mark-routing new-routing-mark=to_pppoe2 passthrough=yes connection-mark=pppoe2

8 chain=prerouting action=mark-connection new-connection-mark=odd passthrough=yes connection-state=new in-interface=ether2-master-local nth=2,1

9 chain=prerouting action=mark-connection new-connection-mark=even passthrough=yes connection-state=new in-interface=ether2-master-local nth=2,2

10 chain=prerouting action=mark-routing new-routing-mark=odd passthrough=yes in-interface=ether2-master-local connection-mark=odd

11 chain=prerouting action=mark-routing new-routing-mark=even passthrough=yes in-interface=ether2-master-local connection-mark=even

12 X chain=prerouting action=mark-connection new-connection-mark=to_pppoe1 passthrough=yes in-interface=MAIN-PPP2

13 ;;; New
chain=prerouting action=mark-connection new-connection-mark=odd passthrough=yes in-interface=ADSLLine1 connection-mark=no-mark

14 ;;; New
chain=prerouting action=mark-connection new-connection-mark=even passthrough=yes in-interface=ADSLLine2 connection-mark=no-mark

15 ;;; Mikrotik SA
chain=output action=mark-routing new-routing-mark=even passthrough=yes dst-address=!192.168.0.0/16 connection-mark=even

16 ;;; Mikrotik SA
chain=output action=mark-routing new-routing-mark=odd passthrough=yes dst-address=!192.168.0.0/16 connection-mark=odd

/ip route print

Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 X S 0.0.0.0/0 (unknown) 1
1 X S 0.0.0.0/0 (unknown) 1
2 A S 0.0.0.0/0 ADSLLine1 1
3 A S 0.0.0.0/0 ADSLLine2 1
4 ADS 0.0.0.0/0 196.215.207.1 1
5 DS 0.0.0.0/0 196.215.207.1 1
6 X S 0.0.0.0/0 (unknown) 1
7 X S 0.0.0.0/0 (unknown) 2
8 ADC 192.168.0.0/24 192.168.0.1 ether2-master-l... 0
9 ADC 196.215.207.1/32 196.215.207.106 ADSLLine1 0
ADSLLine2
 
Caci99
Forum Guru
Posts: 1069
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: Hairpin NAT with bonded ADSL lines

Tue Sep 25, 2012 2:31 pm

In the configuration you have posted, I don't see a hairpin nat rule implemented.
Have you done according to this webpage:
http://wiki.mikrotik.com/wiki/Hairpin_NAT
-Toni-
Don't crash the ambulance, whatever you do
 
vaughnfisher
just joined
Topic Author
Posts: 11
Joined: Thu Sep 20, 2012 1:39 pm

Re: Hairpin NAT with bonded ADSL lines

Tue Sep 25, 2012 4:43 pm

I did try that originally, and I have done it again but to no avail - it doesn't even register traffic on that specific NAT rule.

See below for the new /ip firewall nat print; the rest remains the same.

[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Internal NAT for Seagate 8002
chain=srcnat action=masquerade protocol=tcp src-address=192.168.0.0/24
dst-address=192.168.0.12 out-interface=ether2-master-local dst-port=8002


1 chain=srcnat action=masquerade out-interface=ADSLLine2

2 chain=srcnat action=masquerade out-interface=ADSLLine1

3 ;;; NAT For Port 8002 - Seagate Drive
chain=dstnat action=dst-nat to-addresses=192.168.0.12 to-ports=8002
protocol=tcp in-interface=ADSLLine2 dst-port=8002

4 ;;; NAT For Port 51005 - Drive Cam
chain=dstnat action=dst-nat to-addresses=192.168.0.131 to-ports=51005
protocol=tcp in-interface=ADSLLine2 dst-port=51005

5 ;;; NAT For Port 8097 - Prodigy
chain=dstnat action=dst-nat to-addresses=192.168.0.27 to-ports=8097
protocol=tcp in-interface=ADSLLine2 dst-port=8097

6 ;;; NAT For Port 4125 - Home Serv
chain=dstnat action=dst-nat to-addresses=192.168.0.11 to-ports=4125
protocol=tcp in-interface=ADSLLine2 dst-port=4125
 
Caci99
Forum Guru
Posts: 1069
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: Hairpin NAT with bonded ADSL lines

Tue Sep 25, 2012 8:30 pm

If it does not work again, then one of the rules that you are using in mangle for the route policy (load balance) is interfering with this rule.
My guess is that you should add a rule to bypass the mangle rules (and put it above the others):
/ip firewall mangle
add chain=prerouting src-address=192.168.0.0/24 dst-address=192.168.0.12 dst-port=8002 action=accept
In your mangle rules, there are these below which make sure that connections destined to the router, leave by the same interface:
/ip firewall mangle
13   ;;; New
     chain=prerouting action=mark-connection new-connection-mark=odd passthrough=yes in-interface=ADSLLine1 connection-mark=no-mark

14   ;;; New
     chain=prerouting action=mark-connection new-connection-mark=even passthrough=yes in-interface=ADSLLine2 connection-mark=no-mark

15   ;;; Mikrotik SA
     chain=output action=mark-routing new-routing-mark=even passthrough=yes dst-address=!192.168.0.0/16 connection-mark=even

16   ;;; Mikrotik SA
     chain=output action=mark-routing new-routing-mark=odd passthrough=yes dst-address=!192.168.0.0/16 connection-mark=odd 
Since these connections are intended for the router itself, in the first two you should use chain=input, so that they capture only the traffic for the router and not the rest. A hairpin NAT is a connection that travels through the router from LAN to WAN and back. So this connection is captured by the rules above and forced to be routed to ADSL1 or ADSL2 and not to the LAN, where it should go.
-Toni-
Don't crash the ambulance, whatever you do
 
Zebble
newbie
Posts: 45
Joined: Mon Oct 17, 2011 4:07 am

Re: Hairpin NAT with bonded ADSL lines

Wed Sep 26, 2012 5:39 am

Unless I'm missing something, this isn't really bonding, but load balancing, right?

Not that it matters, just doing a sanity check for my own benefit.
 
vaughnfisher
just joined
Topic Author
Posts: 11
Joined: Thu Sep 20, 2012 1:39 pm

Re: Hairpin NAT with bonded ADSL lines

Wed Sep 26, 2012 10:03 am

Hi guys

Yes, it is load balancing - ADSL ISPs call it bonding, sorry about the confusion.

Thanks again for the help. I did what you said, but the rules are not even indicating traffic.

Maybe I should mention that the web call I'm using looks like this -> fishers.dyndns.biz:8002
 
vaughnfisher
just joined
Topic Author
Posts: 11
Joined: Thu Sep 20, 2012 1:39 pm

Re: Hairpin NAT with bonded ADSL lines

Wed Sep 26, 2012 10:07 am

If I add a log entry, this is the info I get; maybe it helps in identifying the issue:

07:05:14 firewall,info testing prerouting: in:ether2-master-lo o TCP (SYN), 192.168.0.11:51401->196.215.207.99:8002, len 52
07:05:14 firewall,info testing prerouting: in:ether2-master-lo o TCP (SYN), 192.168.0.11:51402->196.215.207.99:8002, len 52
07:05:14 firewall,info testing prerouting: in:ether2-master-lo o TCP (SYN), 192.168.0.11:51403->196.215.207.99:8002, len 52
07:05:14 firewall,info testing prerouting: in:ether2-master-lo o TCP (SYN), 192.168.0.11:51401->196.215.207.99:8002, len 52
07:05:14 firewall,info testing prerouting: in:ether2-master-lo o TCP (SYN), 192.168.0.11:51402->196.215.207.99:8002, len 52
07:05:14 firewall,info testing prerouting: in:ether2-master-lo o TCP (SYN), 192.168.0.11:51403->196.215.207.99:8002, len 52
07:05:15 firewall,info testing prerouting: in:ether2-master-lo o TCP (SYN), 192.168.0.11:51401->196.215.207.99:8002, len 48
07:05:15 firewall,info testing prerouting: in:ether2-master-lo o TCP (SYN), 192.168.0.11:51402->196.215.207.99:8002, len 48
07:05:15 firewall,info testing prerouting: in:ether2-master-lo o TCP (SYN), 192.168.0.11:51403->196.215.207.99:8002, len 48
07:05:54 system,info,account user admin logged in from 41.151
 
Caci99
Forum Guru
Posts: 1069
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: Hairpin NAT with bonded ADSL lines

Wed Sep 26, 2012 11:56 am

Reading the log of your firewall, it is clear that the connection starts from PC1 and reaches the public interface
of your router (IP 196.215.207.99) on port 8002; then the router should NAT this request to the internal IP
of PC2, and this is the step where hairpin NAT does its job. PC2 should answer again to the router, which would then forward
it to PC1.
My guess is that the connection breaks when PC2 answers back: those mangle rules which do load balancing would
route the packets randomly, once to ADSL1 and once to ADSL2.
As a solution, I would suggest that PCC (http://wiki.mikrotik.com/wiki/PCC) is a better approach to the
load balancing because it tries to keep the connections on the same interfaces all the time. The one that you have used
would instead divide the packets exactly in two streams, sending one packet to one gateway and the other to the other
gateway, both these packets from the same device. This kind of fragmentation is not good for what you want to achieve.
-Toni-
Don't crash the ambulance, whatever you do
 
vaughnfisher
just joined
Topic Author
Posts: 11
Joined: Thu Sep 20, 2012 1:39 pm

Re: Hairpin NAT with bonded ADSL lines

Wed Sep 26, 2012 12:19 pm

Is there not another way around it? I would hate to reconfigure my device again, even if it's not pretty.
 
Caci99
Forum Guru
Posts: 1069
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: Hairpin NAT with bonded ADSL lines

Wed Sep 26, 2012 12:33 pm

Can you see if the hairpin NAT rule is doing its job correctly? Does it mark any traffic?
With the packet sniffer maybe you can capture and see what happens to the connection.
As your configuration is, I think that if hairpin NAT is ok, then it remains to solve the problem
from the server to the router. This connection is captured by the mangle rules of the load balancing.
We don't want that. So maybe adding a rule which would accept connections from the server to the
router may help (this should be placed above the others):
/ip firewall mangle
add chain=prerouting src-address=192.168.0.12 dst-address=your WAN dst-port=8002 action=accept
-Toni-
Don't crash the ambulance, whatever you do
 
vaughnfisher
just joined
Topic Author
Posts: 11
Joined: Thu Sep 20, 2012 1:39 pm

Re: Hairpin NAT with bonded ADSL lines

Wed Sep 26, 2012 1:58 pm

Added the rules in ip -> mangle. These rules show that the data counters are moving.
In ip -> NAT, the hairpin rule has no data traffic.
 
vaughnfisher
just joined
Topic Author
Posts: 11
Joined: Thu Sep 20, 2012 1:39 pm

Re: Hairpin NAT with bonded ADSL lines

Wed Sep 26, 2012 3:01 pm

Another problem is that my ISP does not give me a static IP address; it's dynamic.
 
Caci99
Forum Guru
Posts: 1069
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: Hairpin NAT with bonded ADSL lines

Thu Sep 27, 2012 4:09 pm

Another problem is that my ISP does not give me a static ip address its dynamic.
PCC is a better approach for load balancing. As a matter of fact it was introduced because of the connections issues
with the other methods. You can make a backup of the current configuration and then try PCC.
-Toni-
Don't crash the ambulance, whatever you do
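A complete configuration for the setup the thread converges on, added here as an example; it is not configuration from any post above nor from the MikroTik wiki pages linked in the thread. It combines the PCC load balancing Caci99 recommends with the hairpin NAT rules and the mangle bypass he describes two posts earlier, for the one service the thread tests (192.168.0.12 tcp/8002). Interface, address and port names come from the thread; the connection-mark and routing-mark names, the route distances and the comments are assumptions. The detail worth noticing in the posted configuration is that every dst-nat rule matches in-interface=ADSLLine2, so a SYN arriving from the LAN towards the public address is never translated, and the srcnat hairpin rule that depends on the translated destination never sees a packet either.

```routeros
# Added example (not configuration from the thread or from the MikroTik wiki):
# dual-WAN PCC load balancing plus hairpin NAT for one forwarded service.
# Taken from the thread: LAN ether2-master-local (192.168.0.0/24, router
# 192.168.0.1), WAN ADSLLine1/ADSLLine2 (PPPoE, dynamic addresses), service
# 192.168.0.12 tcp/8002. Assumed: the mark names, routing-mark names, route
# distances and comments.

/ip firewall mangle
# Connections that arrive on a WAN line (port forwards, replies to the router)
# are tied to that line so their return traffic leaves the way it came in.
add chain=prerouting in-interface=ADSLLine1 connection-mark=no-mark \
    action=mark-connection new-connection-mark=ADSL1_conn passthrough=no
add chain=prerouting in-interface=ADSLLine2 connection-mark=no-mark \
    action=mark-connection new-connection-mark=ADSL2_conn passthrough=no
# New connections from the LAN are split by a hash of (src,dst) address, so
# every packet of one connection uses one line. dst-address-type=!local is the
# match that matters for hairpin: a LAN client talking to the router's own
# public address is left unmarked and is never forced out of a WAN interface.
add chain=prerouting in-interface=ether2-master-local dst-address-type=!local \
    connection-mark=no-mark per-connection-classifier=both-addresses:2/0 \
    action=mark-connection new-connection-mark=ADSL1_conn passthrough=yes
add chain=prerouting in-interface=ether2-master-local dst-address-type=!local \
    connection-mark=no-mark per-connection-classifier=both-addresses:2/1 \
    action=mark-connection new-connection-mark=ADSL2_conn passthrough=yes
# Routing marks: forwarded traffic in prerouting, the router's own replies in output.
add chain=prerouting in-interface=ether2-master-local connection-mark=ADSL1_conn \
    action=mark-routing new-routing-mark=to_ADSL1 passthrough=yes
add chain=prerouting in-interface=ether2-master-local connection-mark=ADSL2_conn \
    action=mark-routing new-routing-mark=to_ADSL2 passthrough=yes
add chain=output connection-mark=ADSL1_conn \
    action=mark-routing new-routing-mark=to_ADSL1 passthrough=yes
add chain=output connection-mark=ADSL2_conn \
    action=mark-routing new-routing-mark=to_ADSL2 passthrough=yes

/ip route
# One default route per routing mark, plus the main-table defaults used by
# unmarked traffic (the PPPoE client may add these dynamically as well).
add dst-address=0.0.0.0/0 gateway=ADSLLine1 routing-mark=to_ADSL1
add dst-address=0.0.0.0/0 gateway=ADSLLine2 routing-mark=to_ADSL2
add dst-address=0.0.0.0/0 gateway=ADSLLine1 distance=1
add dst-address=0.0.0.0/0 gateway=ADSLLine2 distance=2

/ip firewall nat
add chain=srcnat out-interface=ADSLLine1 action=masquerade
add chain=srcnat out-interface=ADSLLine2 action=masquerade
# Port forward from the internet, accepted on either line.
add chain=dstnat in-interface=ADSLLine1 protocol=tcp dst-port=8002 \
    action=dst-nat to-addresses=192.168.0.12 to-ports=8002
add chain=dstnat in-interface=ADSLLine2 protocol=tcp dst-port=8002 \
    action=dst-nat to-addresses=192.168.0.12 to-ports=8002
# Hairpin step 1: the same forward for a SYN that arrives from the LAN. The
# public address is matched by type because it is dynamic; the router's LAN
# address is excluded so that 192.168.0.1:8002 is not forwarded as well.
add chain=dstnat in-interface=ether2-master-local dst-address-type=local \
    dst-address=!192.168.0.0/24 protocol=tcp dst-port=8002 \
    action=dst-nat to-addresses=192.168.0.12 to-ports=8002 comment="hairpin dst-nat"
# Hairpin step 2: hide the client behind the router's LAN address so the
# server answers the router, which de-NATs the reply. Without this the server
# answers the client directly from 192.168.0.12, and the client, expecting the
# public address, resets the connection. The match is kept to this one service.
add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.12 \
    protocol=tcp dst-port=8002 out-interface=ether2-master-local \
    action=masquerade comment="hairpin src-nat"

# Check from a LAN host against http://<public name>:8002/ and watch the counters:
/ip firewall nat print stats where comment~"hairpin"
/ip firewall connection print where dst-address~":8002"
```

Both hairpin counters should move on the first request from the LAN, and the connection entry should show the public address as destination and 192.168.0.12 as reply source. If the nth-based rules from the thread (rules 8 to 11) are kept instead of PCC, they carry no dst-address-type match, so Caci99's accept rule for the hairpin flow has to sit above them; with the PCC rules above, the !local match already leaves that flow unmarked. The hairpin rules do not change what the internet can reach: the forwards listed in the thread (3389, 1433, 82 and 80 among them) stay open to any source, and a practitioner would normally restrict such services with a src-address-list or put them behind a VPN rather than a bare port forward.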
