Mordraug
just joined
Topic Author
Posts: 5
Joined: Thu Oct 20, 2016 4:38 am

Port forwarding with hairpin NAT and dynamic IP combo

Sat Jul 13, 2024 4:16 pm

I'm trying to figure out the best way to deal with NAT in my situation, since recently my ISP was taken over by a different company that refuses to assign me a static IP.
I used to have all the dstnat rules set up with Dst Address set to my WAN's IP. Because it is no longer static, I tried changing it so that the rule applies to the WAN interface (ether1). This works but unfortunately breaks the hairpin NAT, because when sent from the LAN, even though packets are sent to my external IP, they don't go through the ether1 interface.
My current idea is to go back to the old setup with the Dst Address set in the NAT rules, and write a DHCP Client script to update all the rules whenever my IP changes, but maybe there is a better way?
 
TheCat12
Member
Posts: 384
Joined: Fri Dec 31, 2021 9:13 pm

Re: Port forwarding with hairpin NAT and dynamic IP combo

Sat Jul 13, 2024 5:23 pm

One way would be to use a DNS record - for example the one from IP/Cloud, which you could add to an address list and use dst-address-list instead of a dst-address. Another way is the one you mentioned - create a DHCP lease script. There is no better or worse way.
 
Mordraug
just joined
Topic Author
Posts: 5
Joined: Thu Oct 20, 2016 4:38 am

Re: Port forwarding with hairpin NAT and dynamic IP combo

Sat Jul 13, 2024 5:53 pm

That's the solution I was looking for! I wasn't aware that you can put a DNS address in the address list, especially since you can't do that directly in dst address. I'm already using a DDNS so that was a plug-and-play solution, thanks!
 
llamajaja
Member Candidate
Posts: 275
Joined: Sat Sep 30, 2023 3:11 pm

Re: Port forwarding with hairpin NAT and dynamic IP combo

Tue Jul 16, 2024 5:44 pm

Three things, generally speaking.

a. Use the same format as with a static IP, but with dst-address-list=MyWAN (vice dst-address=),
where, as noted above, one can use a dyndns URL as an address; it could even be your IP Cloud net.name.

b. Ensure your hairpin NAT rule is in the proper format:
add chain=srcnat action=masquerade src-address=Serversubnet dst-address=Serversubnet

Note: you only need hairpin NAT for users in the same subnet as the server who require access to it by the dyndns name.

c. Don't use the default rule:
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN

Instead, break it down like so:

add chain=forward action=accept comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add chain=forward action=accept comment="port forwarding" connection-nat-state=dstnat
add chain=forward action=drop comment="drop all else"
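
Added example, not part of any poster's message: the pieces discussed in this thread combined into one RouterOS configuration. The DDNS name, LAN subnet, server address and forwarded port are constructed placeholders, and the established/related accept rule is assumed to already sit at the top of the forward chain.

```routeros
# Constructed values (replace with your own):
#   example.sn.mynetname.net  DDNS / IP Cloud name pointing at the WAN address
#   192.168.88.0/24           LAN subnet shared by clients and the server
#   192.168.88.10, tcp/443    internal server and forwarded port

/ip firewall address-list
# An entry given as a DNS name is resolved by the router; the resulting
# dynamic address entry is refreshed according to the record's TTL.
add list=MyWAN address=example.sn.mynetname.net comment="current WAN IP via DDNS"

/ip firewall nat
# Matches on the destination address instead of in-interface=ether1, so
# LAN clients connecting to the public IP hit the same rule as WAN clients.
add chain=dstnat action=dst-nat dst-address-list=MyWAN protocol=tcp \
    dst-port=443 to-addresses=192.168.88.10 to-ports=443 comment="port forward"
# Hairpin: rewrite the source of LAN-to-LAN forwarded traffic so the server
# replies through the router rather than directly to the client.
# Side effect: the server logs the router's LAN address as the client for
# these connections, so per-client audit trails are lost for hairpinned traffic.
add chain=srcnat action=masquerade src-address=192.168.88.0/24 \
    dst-address=192.168.88.0/24 comment="hairpin NAT"

/ip firewall filter
# Assumed to exist already; without it, reply packets reach "drop all else".
add chain=forward action=accept connection-state=established,related \
    comment="return traffic"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="internet traffic"
# Only connections that matched a dstnat rule are let in from outside.
add chain=forward action=accept connection-nat-state=dstnat \
    comment="port forwarding"
add chain=forward action=drop comment="drop all else"
```

After a WAN address change the port forward keeps matching the old address until the DDNS record is updated and the address-list entry is re-resolved, so a short TTL on the record shortens that window.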
 
rextended
Forum Guru
Posts: 12379
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Port forwarding with hairpin NAT and dynamic IP combo

Tue Jul 16, 2024 6:41 pm

The best is to seriously use IPv6: no form of NAT is needed.
 
llamajaja
Member Candidate
Posts: 275
Joined: Sat Sep 30, 2023 3:11 pm

Re: Port forwarding with hairpin NAT and dynamic IP combo

Tue Jul 16, 2024 7:09 pm

Sorry, none of MT's routers have the capacity to deal with the number of IPv6 numbers that one would get.
At least that's what a birdy told me, but I probably misinterpreted what I was being told.
 
rextended
Forum Guru
Posts: 12379
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Port forwarding with hairpin NAT and dynamic IP combo

Tue Jul 16, 2024 7:16 pm

Seriously?

I have one hEX S at my house and all is working well...

If you get one /64 or one /56 at home, that does not mean that you have 18446744073709551616 or 4722366482869645213696 addresses on the router...
 
spippan
Member
Posts: 430
Joined: Wed Nov 12, 2014 1:00 pm

Re: Port forwarding with hairpin NAT and dynamic IP combo

Tue Jul 16, 2024 7:57 pm

"The best is to seriously use IPv6: no form of NAT is needed."
But OP asked for help with port forwarding with hairpin NAT and dynamic IP combo 🤷‍♂️
 
rextended
Forum Guru
Posts: 12379
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Port forwarding with hairpin NAT and dynamic IP combo

Tue Jul 16, 2024 10:19 pm

In fact, and I didn't change the subject, I proposed a better solution...
Last edited by rextended on Tue Jul 16, 2024 10:22 pm, edited 2 times in total.
 
anav
Forum Guru
Posts: 20915
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding with hairpin NAT and dynamic IP combo

Tue Jul 16, 2024 10:21 pm

You made assumptions that the OP:
a. gets IPV6 from the ISP
b. knows how to set it up

It would be prudent to ask first. Facts are your friend. :-)
 
rextended
Forum Guru
Posts: 12379
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Port forwarding with hairpin NAT and dynamic IP combo

Tue Jul 16, 2024 10:23 pm

(Before IPv6) I have been an ISP since October 18, 2007 and there has never been a need to do a NAT hairpin...
Just organize things well, and the need for a hairpin disappears...

As the user is asking for help with NAT, he can ask for help with IPv6.
Then whether his ISP actually provides it or not, you are right, I take it for granted these days, like the MTU at 1500 when using PPPoE...
 
anav
Forum Guru
Posts: 20915
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding with hairpin NAT and dynamic IP combo

Wed Jul 17, 2024 12:12 am

Yes of course, why have servers in same subnet as users, ridonkulous
 
rextended
Forum Guru
Posts: 12379
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Port forwarding with hairpin NAT and dynamic IP combo

Wed Jul 17, 2024 1:15 am

Thank goodness the OP seems to have solved it,
however a detailed network diagram would have helped to suggest something probably better than NAT...
