Community discussions

 
pragmat
just joined
Topic Author
Posts: 4
Joined: Tue Nov 10, 2009 6:56 am

WAN services not available to local users, please help!

Tue Nov 10, 2009 7:12 am

I need your help with some very basic setup which I couldn't figure out on my own...
My router maps services for WAN ports to a LAN IP server as dstnat chains while my LAN users within the LAN subnet use one srcnat chain to NAT out. The problem is that while the rest of the world gains access to my WAN services the LAN users do not. The thing is even more confusing as some WAN TCP service ports such as 21 are scannable from the LAN while others such as 80 are not. Any ideas what is going on and what should be done?

Much appreciated!
 
fewi
Forum Guru
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: WAN services not available to local users, please help!

Tue Nov 10, 2009 7:59 am

Search the forums for "hairpin NAT" and "split horizon DNS".
 
pragmat
just joined
Topic Author
Posts: 4
Joined: Tue Nov 10, 2009 6:56 am

Re: WAN services not available to local users, please help!

Wed Nov 11, 2009 3:51 am

Search the forums for "hairpin NAT" and "split horizon DNS".
Fewi, thanks for the advice, mate, but there is very little reference to hairpin NAT and split horizon DNS in the forums.
I found though this one:
http://forum.mikrotik.com/viewtopic.php ... in#p170070
and tried to work out the solution with no luck.

I also tried the solution explained here:
http://forum.mikrotik.com/viewtopic.php ... 5&p=167859
1) Masquerade internal-to external
2) Port forwarding
3) Masquerade local to local using this rule:
/ip firewall nat add chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-port=80 protocol=tcp

An interesting thing I forgot to mention is that VPN clients in the subnet don't have this problem; it is possible that VPN traffic uses a route not through the VPN when the web server is at the same IP address as the VPN server. I will have to check that next time I get the chance.

Hence, my problem still remains. Could anybody please help?
 
fewi
Forum Guru
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: WAN services not available to local users, please help!

Wed Nov 11, 2009 5:01 am

I am currently only on a smartphone and can't easily do searches but I promise you there are threads with successful hairpin NAT configurations. I prefer split horizon DNS where you serve inside and outside clients different IP addresses for the host names. A simple way to do that is to configure the DNS proxy on the router and make static entries for your servers with their inside IPs, and configure the inside clients to use the router as their DNS server.
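The split horizon setup fewi describes (router as DNS proxy, static entries with inside addresses, LAN clients pointed at the router), written out as a pasteable RouterOS fragment. This is an added example, not fewi's or anyone else's posted config. The LAN 192.168.10.0/24, router LAN address 192.168.10.1, server 192.168.10.10, the host names, the upstream resolvers and the interface name WAN are all assumed values; substitute your own.

```routeros
# Added example: split-horizon DNS on RouterOS. All addresses, names and the
# interface name "WAN" below are assumptions, not values from the thread.

# 1. Let the router answer DNS queries (it becomes a caching proxy for the LAN).
/ip dns
set allow-remote-requests=yes servers=9.9.9.9,1.1.1.1

# 2. Static overrides: a LAN client asking this router gets the INSIDE address.
#    Outside clients never query this router, so they keep getting the public IP
#    from the public zone. Static entries match exact names, one line per name.
/ip dns static
add name=www.example.com address=192.168.10.10 comment="split horizon: inside view"
add name=ftp.example.com address=192.168.10.10 comment="split horizon: inside view"

# 3. allow-remote-requests=yes answers anyone who can reach the router, including
#    the Internet side, which turns the box into an open resolver usable for
#    reflection/amplification. Drop port 53 on the WAN interface. These rules must
#    sit before any general "accept" rule in the input chain.
/ip firewall filter
add chain=input in-interface=WAN protocol=udp dst-port=53 action=drop comment="no open resolver"
add chain=input in-interface=WAN protocol=tcp dst-port=53 action=drop comment="no open resolver"

# 4. Hand the router out as DNS server to LAN clients via DHCP, so the inside
#    view is what every LAN host actually uses.
/ip dhcp-server network
set [find address=192.168.10.0/24] dns-server=192.168.10.1
```

To check the result, resolve the name from a LAN host against the router (for example `nslookup www.example.com 192.168.10.1`) and confirm it returns 192.168.10.10, then resolve it against a public resolver and confirm the public address still comes back. Confirm the WAN lockdown by querying the router's public address for DNS from outside; the query should time out. The trade-off fewi mentions later in the thread still holds: every extra public name needs its own static entry.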
 
pragmat
just joined
Topic Author
Posts: 4
Joined: Tue Nov 10, 2009 6:56 am

Re: WAN services not available to local users, please help!

Thu Nov 12, 2009 7:18 am

I prefer split horizon DNS where you serve inside and outside clients different IP addresses for the host names. A simple way to do that is to configure the DNS proxy on the router and make static entries for your servers with their inside IPs, and configure the inside clients to use the router as their DNS server.
The split DNS method sounds like a good workaround which I was thinking to approach in case I could not figure out a solution for the router problem. The thing with the workaround is that it will be high maintenance and a source of other future problems as there will always be two sets of IPs, one internal and one external, for all services.
I have now been using my RB router for more than two years with this problem, but I am now feeling compelled to get to the bottom of it.
The more I think about it, two things keep bothering me the most:
1. Any cheap commercial router will never show this problem; therefore the MikroTik router takes everyone by surprise by exposing this.
2. Since this is such a common problem and I could see on this forum that there has been so much asking around for a solution to it, why have the MikroTik folks never documented it in their user manual? They could mention it as another NAT rule forwarding local traffic for the WAN port to the existing services in the same subnet. I would have expected this rule to be provided together with the srcnat masquerade for outgoing traffic and the dstnat rule for port forwarding of the incoming traffic.

Just my two cents...
 
pragmat
just joined
Topic Author
Posts: 4
Joined: Tue Nov 10, 2009 6:56 am

Re: WAN services not available to local users, please help!

Thu Nov 12, 2009 11:09 am

I solved the problem. 8) Fewi, thanks for your hints mate!

/ip firewall nat
# 1. Services hairpin to .10
add chain=dstnat action=dst-nat to-addresses=192.168.10.10 protocol=tcp \
    dst-address=!192.168.10.0/24 dst-address-type=local dst-port=80,21
# 2. NAT all traffic from local to internet
add chain=srcnat action=masquerade src-address=192.168.10.0/24 out-interface=WAN
# 3. NAT all traffic from local to local
add chain=srcnat action=masquerade protocol=tcp src-address=192.168.10.0/24 dst-port=80,21

192.168.10.0/24 is the local network segment.
192.168.10.10 is the local IP of the WEB/FTP server.
There are TWO rules to be added, 1. and 3. above. Rule 2 is also necessary and is the well known rule which provides NAT for the local clients to the internet.
Rule 1, hairpinning, helps the client's packet reach the server. Rule 3 is for the server's response to reach back to the local client.

I hope this will be helpful to others and I also hope in the near future this is documented in the wiki or in the user manual to become common knowledge to the user. :-|
 
spotts78
newbie
Posts: 31
Joined: Thu Dec 03, 2009 5:59 pm
Location: Greensboro, NC - USA

Re: WAN services not available to local users, please help!

Thu Dec 03, 2009 6:12 pm

I have the same issue... We host our own web/FTP site (set up & works fine with NAT, port forwarding, etc...) and clients on the LAN cannot access it by public IP.
Unfortunately I do not have write access to our router :( , only our ISP does :(

They seem to think that employing the below solution will 1. not work and 2. open a security hole that makes us vulnerable to IP spoofing, hacking, etc...

Are they correct? What are the security risks?

I solved the problem. 8) Fewi, thanks for your hints mate!

/ip firewall nat
# 1. Services hairpin to .10
add chain=dstnat action=dst-nat to-addresses=192.168.10.10 protocol=tcp \
    dst-address=!192.168.10.0/24 dst-address-type=local dst-port=80,21
# 2. NAT all traffic from local to internet
add chain=srcnat action=masquerade src-address=192.168.10.0/24 out-interface=WAN
# 3. NAT all traffic from local to local
add chain=srcnat action=masquerade protocol=tcp src-address=192.168.10.0/24 dst-port=80,21

192.168.10.0/24 is the local network segment.
192.168.10.10 is the local IP of the WEB/FTP server.
There are TWO rules to be added, 1. and 3. above. Rule 2 is also necessary and is the well known rule which provides NAT for the local clients to the internet.
Rule 1, hairpinning, helps the client's packet reach the server. Rule 3 is for the server's response to reach back to the local client.

I hope this will be helpful to others and I also hope in the near future this is documented in the wiki or in the user manual to become common knowledge to the user. :-|
 
fewi
Forum Guru
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: WAN services not available to local users, please help!

Thu Dec 03, 2009 6:31 pm

1. it will work
2. as long as you don't accept your internal IP address on the outside interface there's no increased danger of IP spoofing from outside. It does decrease security in that the web server will no longer be able to record accurately which internal client accessed resources since they will all appear to be the router itself. I really don't like the hairpin NAT solution for that reason, and strongly prefer split horizon DNS. It's not that much maintenance overhead unless you have a very large number of hosts.

I do wish RouterOS's DNS resolver was able to dynamically inspect NAT rules to check whether DNS responses should be rewritten based on NAT, much like Cisco's ASAs and other vendors' solutions do.
 
TheMG
just joined
Posts: 15
Joined: Mon Mar 15, 2010 4:59 am

Re: WAN services not available to local users, please help!

Fri Apr 09, 2010 7:07 am

I've used pragmat's solution with success.

However there's an issue, I have multiple WANs (2 to be precise), how can I restrict the port forward to a specific WAN? If I specify an interface for any of those NAT rules I'm back to square one with not being able to access WAN services locally.
 
Pada
Member Candidate
Member Candidate
Posts: 150
Joined: Tue Dec 08, 2009 11:37 pm
Location: South Africa, Stellenbosch

Re: WAN services not available to local users, please help!

Wed Jun 30, 2010 1:34 am

I've had this kind of issue with other routers too, which caused lots of issues with hosting Warcraft III games on our local PvPGN server. Eventually I wrote a patch for the PvPGN server where the people hosting the game can set their LAN IP address so that no masquerading has to be done when players from the same LAN join. Of course the patch only worked if the players used the same WAN interface to connect to the server.

Here's my version of pragmat's hairpin NAT solution, with a few added advantages:
/ip firewall mangle
0 ;;; Mark new hairpin connections
     chain=prerouting action=mark-connection new-connection-mark=hairpin
     passthrough=no connection-state=new src-address=192.168.10.0/24
     dst-address=!192.168.10.0/24 dst-address-type=local

/ip firewall nat
0 ;;; NAT - WAN 1
     chain=srcnat action=masquerade src-address=192.168.10.0/24
     out-interface=WAN-1

1 ;;; NAT - WAN 2
     chain=srcnat action=masquerade src-address=192.168.10.0/24
     out-interface=WAN-2

2 ;;; NAT - Hairpin
     chain=srcnat action=masquerade connection-mark=hairpin

3 ;;; Jump to Port-forward chain with incoming connections from WAN 1
     chain=dstnat action=jump jump-target=Port-forward
     in-interface=WAN-1

4 ;;; Jump to Port-forward chain with incoming connections from WAN 2
     chain=dstnat action=jump jump-target=Port-forward
     in-interface=WAN-2

5 ;;; Jump to Port-forward chain with hairpin connections
     chain=dstnat action=jump jump-target=Port-forward
     connection-mark=hairpin

6 ;;; Port Forward - FTP, HTTP & HTTPS Server
     chain=Port-forward action=dst-nat to-addresses=192.168.10.10
     protocol=tcp dst-port=21,80,443

7 ;;; Port Forward - PvPGN Server
     chain=Port-forward action=dst-nat to-addresses=192.168.10.11
     protocol=tcp dst-port=6112
The major differences between mine and pragmat's solution are:
1) Mine won't NAT local to local traffic, unless the destination address isn't a local address
2) Mine requires only 1 port forward entry, and not 1 for the hairpin port forwarding and 1 for the WAN -> internal network port forwarding
3) I've added 2 WAN interfaces, and both port forward using common dst-nat entries.

* Notes:
1) I'm not sure if my connection marking would work for UDP connections too. I would appreciate it if someone could tell me if it would work or not!
2) Like fewi mentioned earlier: masquerading local IP addresses to a local server could mess up your tracking of local users.
The preferred solution is to use DNS, where your internal DNS server replies to local clients with the local IP address, but in some cases (like above, with the PvPGN server) where it's not working with DNS entries then you have to use a hairpin NAT solution OR patch the application.

----

@TheMG, could you perhaps say why you want to restrict the port forward to a specific WAN port? Also, are you talking about restricting the hairpin port forward to a specific WAN port or port forwarding from the Internet to a specific WAN port?
If you simply want to restrict the port forwarding to 1 WAN port from the Internet and you're using my solution, then simply remove rule #3 or #4 in my example :)
It would be quite complicated to restrict hairpin port forwarding to a certain WAN interface if the WAN interface has a dynamic IP! Then you'll probably have to write a script to update the rules, like the scripts used for updating DynDNS.
 
tarslana
just joined
Posts: 4
Joined: Mon Jul 18, 2011 11:45 am

Re: WAN services not available to local users, please help!

Tue Dec 11, 2012 4:16 pm

@Pada

I have implemented your solution to a slightly different problem of mine but it does not work quite the way it should. More precisely, I do not know how to tweak it to fix my problem.

The problem is as follows:

I have an ADSL modem/router set up as an Internet gateway.
Behind it, there is a RB1100AH as the main router.
There are two separate LAN subnets connected to the RB1100AH.
LAN A is a routed network of a couple of IP cameras and routers.
LAN B is my office computer network. 192.168.1.0/24
I have a website hosted on an off-site server.

Since the ADSL modem/router gets a new public IP address every time it restarts or every 12h, I have set up a DynDNS account and an address updater on the RB1100AH.
As I want to stream the IP cameras on the website, I have set up NAT rules on the ADSL modem/router and the RB1100AH and it works like a charm.
Except for one thing. I cannot view the camera streams on the website when I access it from LAN B.


As I said before, I have implemented your solution for one of the IP cameras (192.168.5.206) and all I get is that every address I want to open, gives me the IP camera website.

If you need more information in order to help me, I will post it.

Thank you.


Settings on the RB1100AH:

/ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic 
 0 X ;;; New hairpin connections
     chain=prerouting action=mark-connection new-connection-mark=hairpin passthrough=no connection-state=new 
     src-address=192.168.1.0/24 dst-address=!192.168.1.0/24 dst-address-type=local 


/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; NAT WAN
     chain=srcnat action=masquerade src-address=192.168.1.0/24 out-interface=ether5_INTERNET 

 1   ;;; NAT - Hairpin
     chain=srcnat action=masquerade connection-mark=hairpin 

 2 I ;;; Jump to Port-forward for WAN
     chain=dstnat action=jump jump-target=Port-forward in-interface=ether5_INTERNET 

 3 I ;;; Jump to Port-forward for Hairpin
     chain=dstnat action=jump jump-target=Port-forward connection-mark=hairpin 

 4 X ;;; Port forward
     chain=Port-forward action=dst-nat to-addresses=192.168.5.206 to-ports=80 protocol=tcp 

 5   ;;; DstNAT Camera
     chain=dstnat action=dst-nat to-addresses=192.168.5.206 to-ports=80 protocol=tcp 
     in-interface=ether5_INTERNET dst-port=8081 




Settings on the ADSL modem/router:

External port: 8080
Protocol: TCP
Internal port: 8081
Server IP address: 192.168.1.73 <- RB1100AH address in LAN B

 
Pada
Member Candidate
Member Candidate
Posts: 150
Joined: Tue Dec 08, 2009 11:37 pm
Location: South Africa, Stellenbosch

Re: WAN services not available to local users, please help!

Tue Dec 11, 2012 9:38 pm

Hi tarslana,
I would suggest that you use an Address List to contain all the local subnets of yours, because the mangle rule was supposed to only mark Internet connections.
The "hairpin" connection-mark that I used should've been renamed to "internet-connection" or something along those lines.
So add your 192.168.1.0/24 and 192.168.5.0/24 (or whatever subnets you have) to the same Address List, and then replace the "dst-address=!192.168.1.0/24" with "dst-address-list=!<your address list name here>"

Secondly, your NAT rule #4 (that is currently disabled) should remain disabled, because it will dst-nat ALL TCP connections, and not just ones on specific ports or traffic going to specific hosts.

Lastly, remove the in-interface=ether5_INTERNET from the NAT rule #5, otherwise the "hairpin" NAT won't work. When you leave it in that rule, the connections made from inside your network to your public IP:8080 won't be forwarded to your camera again.
I may be wrong here, because your ADSL modem would perhaps NAT it in any case, in which case you won't even need to bother with the whole hairpin NAT setup in the MikroTik!

I hope this fixes your issue.
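The three changes Pada lists (an address list holding every local subnet, the mangle rule matching `dst-address-list=!LAN` instead of a single negated subnet, and no `in-interface` on the forward rule), combined with pragmat's original rule set, as one complete pasteable configuration. This is an added example, not Pada's or tarslana's posted config. The subnets 192.168.1.0/24 and 192.168.5.0/24, the camera 192.168.5.206, the interface name ether5_INTERNET, the address-list name LAN and the public port 8081 are taken from tarslana's post or assumed; adjust them. One assumption matters for whether it works at all: the public address that outside users connect to must be configured on this router, because `dst-address-type=local` only matches the router's own addresses. Behind a second NAT device that holds the public IP (an ADSL modem in bridge-less mode), that match never fires on this router; the hairpin then belongs on that device, or the rule needs the dynamic public address kept current by a script, as Pada notes above for the multi-WAN case.

```routeros
# Added example: address-list variant of the hairpin NAT from this thread.
# Values below are from tarslana's post or assumed; the public IP is assumed to
# live on THIS router (single NAT), otherwise dst-address-type=local never matches.

# Every local subnet goes in one list. The router's own LAN addresses are inside
# these subnets, so traffic to them is never treated as a hairpin.
/ip firewall address-list
add list=LAN address=192.168.1.0/24
add list=LAN address=192.168.5.0/24

# Mark only NEW connections from a local subnet to one of the router's own
# addresses that is NOT a local address, i.e. the public IP. Plain LAN-to-LAN
# traffic, and traffic to the router's LAN IPs, stays unmarked and unmasqueraded.
/ip firewall mangle
add chain=prerouting connection-state=new src-address-list=LAN \
    dst-address-list=!LAN dst-address-type=local \
    action=mark-connection new-connection-mark=hairpin passthrough=no

/ip firewall nat
# Outbound NAT for all local subnets towards the Internet.
add chain=srcnat out-interface=ether5_INTERNET src-address-list=LAN action=masquerade
# Source NAT only for marked hairpin flows: the camera then replies to the router
# instead of straight to the LAN client, so the router can undo the dst-nat.
add chain=srcnat connection-mark=hairpin action=masquerade
# One port-forward chain, entered both from the outside and from hairpin flows.
# No in-interface on the hairpin jump, and none on the forward rule itself.
add chain=dstnat in-interface=ether5_INTERNET action=jump jump-target=Port-forward
add chain=dstnat connection-mark=hairpin action=jump jump-target=Port-forward
# The forward itself: always a specific protocol AND port. A dst-nat rule with no
# dst-port (like the disabled rule #4 above) would redirect every TCP connection
# to the camera, which is exactly the "every address opens the camera" symptom.
add chain=Port-forward protocol=tcp dst-port=8081 \
    action=dst-nat to-addresses=192.168.5.206 to-ports=80
```

To verify, open the public address on port 8081 from a host in 192.168.1.0/24, then run `/ip firewall mangle print stats` and `/ip firewall nat print stats`: the mark rule, the hairpin masquerade and the hairpin jump should all show non-zero packet counters, and `/ip firewall connection print detail` should show the flow with `connection-mark=hairpin`, its destination rewritten to 192.168.5.206:80 and its reply destination pointing at the router's 192.168.5.x address. As fewi noted, the camera's own logs will show that router address, not the client, for every hairpinned request.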
