kohral
just joined
Topic Author
Posts: 3
Joined: Mon May 25, 2020 1:33 pm

Nat Hairpin in Router OS 7.1.1

Sat Dec 25, 2021 8:42 pm

After upgrading a CCR1009-7G-1C-1S+ from 6.49.2 to 7.1.1, NAT hairpin stopped working (downgrading to 6.49.2 makes it work again). All firewall rules and other settings are the same in 7.1.1. What is wrong with the configuration? Thanks.
firewall.rsc
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Nat Hairpin in Router OS 7.1.1

Sat Dec 25, 2021 9:03 pm

You have an unconditional masquerade rule that affects any connection through the router, and that covers what hairpin NAT needs, so there's no reason why it wouldn't work.

As for what's otherwise wrong with your configuration, if this is your whole firewall, it's completely useless, because it allows pretty much everything, all connections through the router and to the router itself.
 
Jotne
Forum Guru
Posts: 3292
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Nat Hairpin in Router OS 7.1.1

Sat Dec 25, 2021 9:24 pm

In NAT, you do not need to specify to-ports when it's equal to dst-port:
add action=dst-nat chain=dstnat dst-address=217.72.x.xxx dst-port=80  protocol=tcp to-addresses=192.168.29.174 to-ports=80
could be written:
add action=dst-nat chain=dstnat dst-address=217.72.x.xxx dst-port=80  protocol=tcp to-addresses=192.168.29.174

The last firewall rule should be "Drop all that is not allowed above".
My last rule:
add action=drop chain=input comment="Drop packets that has not been allowed or dropped before." \
    in-interface=ether1 log=yes log-prefix=FI_D_port-test
Do you need to have port 22 open? I would have used a random high port and mapped it to 22, so SSH to e.g. 45022 points to 22.
That prevents all SSH scanners from seeing the SSH port (used as one of many security measures).

You should also remove the serial number and public IP from your post.
Last edited by Jotne on Tue Jan 18, 2022 8:23 am, edited 1 time in total.
 
jurek1g
just joined
Posts: 1
Joined: Tue Dec 28, 2021 7:22 pm

Re: Nat Hairpin in Router OS 7.1.1

Tue Dec 28, 2021 7:28 pm

My NAT
add action=masquerade chain=srcnat
after upgrading to 7.1.1 also did not work, even if I turn off the whole firewall. After downgrading to 6.49.2 everything works.
 
chuk87
just joined
Posts: 2
Joined: Sat Jan 08, 2022 3:31 pm

Re: Nat Hairpin in Router OS 7.1.1

Sat Jan 08, 2022 3:45 pm

My NAT
add action=masquerade chain=srcnat
after upgrading to 7.1.1 also did not work, even if I turn off the whole firewall. After downgrading to 6.49.2 everything works.
+
Last edited by chuk87 on Mon Jan 10, 2022 9:38 am, edited 1 time in total.
 
chuk87
just joined
Posts: 2
Joined: Sat Jan 08, 2022 3:31 pm

Re: Nat Hairpin in Router OS 7.1.1

Sat Jan 08, 2022 10:47 pm

exactly the same situation
 
johnpaul24
just joined
Posts: 4
Joined: Mon Jan 17, 2022 2:37 am

Re: Nat Hairpin in Router OS 7.1.1

Mon Jan 17, 2022 2:40 am

exactly the same situation
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Nat Hairpin in Router OS 7.1.1

Mon Jan 17, 2022 6:00 pm

As noted by Sob,
add action=masquerade chain=srcnat is NOT correct!

It is unconditional.
You need
add action=masquerade chain=srcnat out-interface=ether1 or out-interface-list=WAN (for dynamic WAN IP)

By the way, if your WAN IP is static/fixed, the proper format is not masquerade but:
add action=src-nat chain=srcnat to-addresses=fixedWANIP out-interface=ether1
 
johnpaul24
just joined
Posts: 4
Joined: Mon Jan 17, 2022 2:37 am

Re: Nat Hairpin in Router OS 7.1.1

Tue Jan 18, 2022 5:26 am

This is my configuration running on 6.49.2:
action=masquerade chain=srcnat comment="hairpin nat" dst-address=!192.xxx.xxx.1 log-prefix=hairping src-address=192.xxx.xxx.0/24
As noted by Sob,
add action=masquerade chain=srcnat is NOT correct!

It is unconditional.
You need
add action=masquerade chain=srcnat out-interface=ether1 or out-interface-list=WAN (for dynamic WAN IP)
Following your suggestion, I modified it to this:
action=masquerade chain=srcnat comment="hairpin nat" dst-address=!192.xxx.xxx.1 log-prefix=hairping out-interface=ether1 src-address=192.xxx.xxx.0/24

but it still doesn't work for me in 7.1.
 
johnpaul24
just joined
Posts: 4
Joined: Mon Jan 17, 2022 2:37 am

Re: Nat Hairpin in Router OS 7.1.1

Tue Jan 18, 2022 5:39 am

I have these records in the log:

harping srcnat: in:(unknown 0) out:bridge, proto UDP, 192.xxx.xxx.xxx:1900->192.xxx.xxx.xxx:23xx, len 275
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Nat Hairpin in Router OS 7.1.1

Tue Jan 18, 2022 5:43 am

Let me guess, the first xxx is 168 and the second xxx is between 0 and 255. ;) Seriously, it's a private subnet, not unique, millions of people have the same one, there's no point masking it.

As for NATs, out-interface=WAN is obviously nonsense for hairpin NAT, because there the outgoing interface is LAN. The out-interface=WAN is for the main NAT, for connections from LAN to the internet. Hairpin NAT is usually src-address=<LAN subnet> dst-address=<LAN subnet>. But yours works too. In fact, without out-interface it can be a dual-use rule for both LAN->internet and hairpin LAN->LAN. And there's no reason why it shouldn't work in v7. Post the whole config, there should be some explanation for it.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Nat Hairpin in Router OS 7.1.1

Tue Jan 18, 2022 5:26 pm

Well, your hairpin attempt is wrong.
This is my configuration running on 6.49.2:
action=masquerade chain=srcnat comment="hairpin nat" dst-address=!192.xxx.xxx.1 log-prefix=hairping src-address=192.xxx.xxx.0/24

(Remove that stupid symbol/syntax.) Both source and destination addresses are identical (aka the one the server and users are both on).

And yes, protecting a private IP is rather amusing.
 
VarTok
just joined
Posts: 1
Joined: Fri Jan 21, 2022 9:46 pm

Re: Nat Hairpin in Router OS 7.1.1

Fri Jan 21, 2022 9:52 pm

It looks like something has changed in OS version 7 that makes srcnat masquerade fail for several people.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Nat Hairpin in Router OS 7.1.1

Mon Jan 24, 2022 12:06 am

While not completely impossible, it's very, very unlikely. It's basic srcnat, almost everyone uses that. If there was something wrong with it, it wouldn't be just a few people who would notice.
 
kusmierz
just joined
Posts: 8
Joined: Sun May 09, 2021 9:06 am

Re: Nat Hairpin in Router OS 7.1.1

Mon Feb 14, 2022 12:02 am

It seems there are more of us, me for example. I'm 99% sure it's not my fault (but unfortunately I can't test it on 6.x, as there is no such version for the RB5009).
# feb/13/2022 23:16:41 by RouterOS 7.1.2
# model = RB5009UG+S+
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment="www" dst-address=!192.168.144.1 dst-address-type=local dst-port=80 protocol=tcp to-addresses=192.168.144.22 to-ports=80
add action=masquerade chain=srcnat comment=HairpinNat dst-address=!192.168.144.1 src-address=192.168.144.0/24

/ip firewall filter
add action=accept chain=forward comment="Allow forward traffic for connection already established/related" connection-state=established,related
add action=accept chain=forward comment="Allow forward traffic for connection from LAN" connection-state=!invalid in-interface-list=LAN out-interface-list=WAN src-address=192.168.144.0/24
add action=accept chain=forward comment="Allow forward traffic for port redirections and DMZ" connection-nat-state=dstnat
add action=drop chain=forward comment="Deny rest of forward traffic"
add action=accept chain=output comment="Allow output traffic"
add action=accept chain=input comment="Allow input traffic for connection already established/related" connection-state=established,related
add action=accept chain=input comment="Allow ICMP ping requests" icmp-options=8:0 protocol=icmp
add action=accept chain=input comment="Allow ICMP messages about too big packet size (fragmentation required)" icmp-options=3:4 protocol=icmp
add action=accept chain=input comment="Allow init connection to winbox service on LAN" connection-state=new dst-address=192.168.144.1 dst-port=8291,22,80 in-interface-list=LAN protocol=tcp src-address=192.168.144.0/24
add action=accept chain=input comment="Allow requests to DNS service from LAN" connection-state=new dst-address=192.168.144.1 dst-port=53 in-interface-list=LAN protocol=udp src-address=192.168.144.0/24
add action=drop chain=input comment="Deny rest of input traffic"
Last edited by kusmierz on Mon Feb 14, 2022 12:19 am, edited 3 times in total.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Nat Hairpin in Router OS 7.1.1

Mon Feb 14, 2022 2:24 pm

Not that it may make a difference, but worth a shot: change the order and modify the rule.

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment="www" dst-address=!192.168.144.1 dst-address-type=local dst-port=80 protocol=tcp to-addresses=192.168.144.22 to-ports=80
add action=masquerade chain=srcnat comment=HairpinNat dst-address=!192.168.144.1 src-address=192.168.144.0/24


/ip firewall nat
add action=masquerade chain=srcnat comment=HairpinNat dst-address=192.168.144.0/24 src-address=192.168.144.0/24
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment="www" dst-address=!192.168.144.1 dst-address-type=local dst-port=80 protocol=tcp to-addresses=192.168.144.22 to-ports=80
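Sob's explanation earlier in the thread (dstnat runs first, then routing, then a srcnat that has to hide the LAN client's own address, with src-address=<LAN> dst-address=<LAN> being the usual form) and anav's reordered rule set above can be checked in a small model. The Python below is an added illustration written for this thread; it is not RouterOS code and not anything the posters ran. It walks a packet through the thread's own /ip firewall nat lines and reports what the LAN server would see. Assumptions: 203.0.113.10 stands in for the router's public address, interface list WAN contains ether1 and LAN contains bridge, only the matchers that appear in the posted rules are implemented, and a minimal packet type replaces connection tracking. It also reflects Jotne's point that to-ports may be left out when it equals dst-port.

```python
import shlex
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Topology taken from the thread's posted export; the public address is a
# constructed placeholder from the 203.0.113.0/24 documentation range.
LAN = ip_network("192.168.144.0/24")
ROUTER_LAN_IP = ip_address("192.168.144.1")
SERVER_IP = ip_address("192.168.144.22")
PUBLIC_IP = ip_address("203.0.113.10")
ROUTER_ADDRESSES = {ROUTER_LAN_IP, PUBLIC_IP}            # what dst-address-type=local matches
INTERFACE_LISTS = {"WAN": {"ether1"}, "LAN": {"bridge"}}  # assumed list membership

# NAT rules exactly as posted by kusmierz (RouterOS 7.1.2 export).
THREAD_RULES = [
    "add action=masquerade chain=srcnat out-interface-list=WAN",
    'add action=dst-nat chain=dstnat comment="www" dst-address=!192.168.144.1 '
    "dst-address-type=local dst-port=80 protocol=tcp to-addresses=192.168.144.22 to-ports=80",
    "add action=masquerade chain=srcnat comment=HairpinNat dst-address=!192.168.144.1 "
    "src-address=192.168.144.0/24",
]
NO_HAIRPIN_RULES = THREAD_RULES[:2]   # same export with the hairpin rule removed

@dataclass(frozen=True)
class Packet:
    src: object        # ipaddress.IPv4Address
    dst: object
    dst_port: int
    proto: str = "tcp"

def parse_rule(line):
    """Split 'add k=v k=v ...' into a dict; shlex strips the quotes around comments."""
    tokens = shlex.split(line)
    if tokens[0] != "add":
        raise ValueError("only 'add' lines are modelled")
    return dict(tok.split("=", 1) for tok in tokens[1:])

def address_matches(spec, addr):
    """RouterOS address matcher: host or prefix, optionally negated with a leading '!'."""
    negate = spec.startswith("!")
    return (addr in ip_network(spec.lstrip("!"), strict=False)) != negate

def rule_matches(rule, pkt, out_iface):
    """Only the matchers used by the thread's rules are modelled; other keys are ignored."""
    checks = {
        "protocol": lambda v: pkt.proto == v,
        "dst-port": lambda v: str(pkt.dst_port) in v.split(","),
        "src-address": lambda v: address_matches(v, pkt.src),
        "dst-address": lambda v: address_matches(v, pkt.dst),
        "dst-address-type": lambda v: v == "local" and pkt.dst in ROUTER_ADDRESSES,
        "out-interface": lambda v: out_iface == v,
        "out-interface-list": lambda v: out_iface in INTERFACE_LISTS[v],
    }
    return all(checks[key](value) for key, value in rule.items() if key in checks)

def route(pkt):
    """Routing decision taken after dstnat: LAN destinations leave via the bridge."""
    return "bridge" if pkt.dst in LAN else "ether1"

def apply_nat(rules, pkt):
    """dstnat (pre-routing) -> route -> srcnat (post-routing); first match wins per chain."""
    for rule in (r for r in rules if r["chain"] == "dstnat"):
        if rule_matches(rule, pkt, out_iface=None):
            if rule["action"] == "dst-nat":   # to-ports is optional: default keeps dst-port
                pkt = replace(pkt, dst=ip_address(rule["to-addresses"]),
                              dst_port=int(rule.get("to-ports", pkt.dst_port)))
            break
    out_iface = route(pkt)
    for rule in (r for r in rules if r["chain"] == "srcnat"):
        if rule_matches(rule, pkt, out_iface):
            if rule["action"] == "masquerade":   # source becomes the egress interface address
                pkt = replace(pkt, src=ROUTER_LAN_IP if out_iface == "bridge" else PUBLIC_IP)
            elif rule["action"] == "src-nat":
                pkt = replace(pkt, src=ip_address(rule["to-addresses"]))
            break
    return pkt, out_iface

def trace(rule_lines, src, dst, dst_port=80, proto="tcp"):
    """Rules and addresses in as strings; translated (src, dst, port, out-interface) out."""
    pkt = Packet(ip_address(src), ip_address(dst), dst_port, proto)
    nat_pkt, out_iface = apply_nat([parse_rule(line) for line in rule_lines], pkt)
    return str(nat_pkt.src), str(nat_pkt.dst), nat_pkt.dst_port, out_iface

def hairpin_works(rule_lines, client="192.168.144.50"):
    """A LAN client reaching the public IP needs the dst-nat to land on the server
    AND a srcnat that hides the client's own LAN address. Without the latter the
    server answers the client directly, the client sees a SYN-ACK from
    192.168.144.22 instead of the public IP it connected to, and drops it."""
    src, dst, _, _ = trace(rule_lines, client, str(PUBLIC_IP))
    return dst == str(SERVER_IP) and src != client
```

Running hairpin_works over the posted export returns True, and over the same rules minus the HairpinNat line returns False, which is the classic symptom: the dst-nat lands on the server, but the server replies straight to the client, and the client drops a SYN-ACK from 192.168.144.22 when it connected to the public address. The model has no version-specific behaviour, which is Sob's point: nothing in these rules changes between 6.49 and 7.1, so a difference must come from somewhere else in the config.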
 
kusmierz
just joined
Posts: 8
Joined: Sun May 09, 2021 9:06 am

Re: Nat Hairpin in Router OS 7.1.1

Mon Feb 14, 2022 3:00 pm

I've moved my problem here: viewtopic.php?p=912939, to be 100% sure it's not a configuration issue.
