tnt25
just joined
Topic Author
Posts: 2
Joined: Tue Apr 12, 2022 9:41 am

Hairpin NAT issues

Wed May 25, 2022 9:26 pm

Hello everyone!

I read all available posts about hairpin DNS but I'm still not able to connect to my web server from LAN using WAN IP address.
Here's my configuration. The configuration is rather simple, no VLANs, no scripts. It should work flawlessly but it doesn't. Please, help!
# may/25/2022 20:20:22 by RouterOS 6.49.6
# software id = NC7Z-YYDY
#
# model = RB952Ui-5ac2nD
# serial number = CC3E0CE0494D
/interface bridge
add admin-mac=48:8F:5A:29:BA:2C arp=proxy-arp auto-mac=no comment=defconf \
    name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.1.2-192.168.1.250
add name=l2tp-vpn ranges=192.168.10.2-192.168.10.10
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
add bridge=bridge dns-server=8.8.8.8 local-address=l2tp-vpn name=l2tp-profile \
    remote-address=l2tp-vpn
/system logging action
add email-to=daper@daper.pl name=email target=email
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=WAN lan-interface-list=LAN
/interface l2tp-server server
set authentication=mschap2 default-profile=l2tp-profile enabled=yes \
    use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-WAN list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
add address=1.2.3.4/30 interface=ether1-WAN network=83.3.240.96
/ip arp
add address=192.168.1.254 interface=bridge mac-address=D8:5D:4C:C5:80:3A
add address=192.168.1.251 interface=bridge mac-address=D0:67:E5:EB:C2:B8
add address=192.168.1.104 interface=bridge mac-address=\
    B0:83:FE:B3:CB:8A
add address=192.168.1.240 interface=bridge mac-address=24:5E:BE:13:AB:17
/ip dhcp-client
add comment=defconf interface=ether1-WAN
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=\
    192.168.1.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.1.1 comment=defconf disabled=yes name=router.lan
/ip firewall address-list
add address=216.218.206.0/24 list=blacklist
add address=45.83.0.0/16 list=blacklist
add address=65.49.20.0/24 list=blacklist
add address=45.79.82.0/24 list=blacklist
add address=184.105.0.0/16 list=blacklist
add address=45.128.110.122 list=allow_vpn
add address=91.240.107.209 list=allow_vpn
add address=74.82.0.0/16 list=blacklist
add address=27.115.0.0/16 list=blacklist
add address=64.62.0.0/16 list=blacklist
add address=1.2.3.4 list=WAN-IP
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment="Drop blacklist" src-address-list=\
    blacklist
add action=accept chain=input comment="Allow coming from LAN" \
    in-interface-list=LAN
add action=accept chain=input comment="Accept VPN" dst-port=500,1701,4500 \
    in-interface-list=WAN protocol=udp
add action=drop chain=input comment="Drop other inputs"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward connection-state=new in-interface-list=LAN \
    out-interface-list=WAN
add action=accept chain=forward comment="Allow DSTNATED from WAN" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="Allow l2tp user acces WAN" \
    in-interface=all-ppp in-interface-list=!WAN out-interface-list=WAN
add action=accept chain=forward comment="Allow l2tp users access LAN" \
    in-interface=all-ppp in-interface-list=!WAN out-interface=bridge
add action=drop chain=forward comment="Drop other forwards" connection-state=\
    ""
/ip firewall nat
add action=masquerade chain=srcnat comment=HairpinNAT dst-address=\
    192.168.1.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment=NAT out-interface=ether1-WAN
add action=src-nat chain=srcnat dst-address=192.168.1.0/24 src-address=\
    192.168.1.0/24 to-addresses=1.2.3.4
add action=dst-nat chain=dstnat comment="ALTI From WAN" dst-address=\
    1.2.3.4 dst-port=2222 in-interface=ether1-WAN protocol=tcp \
    to-addresses=192.168.1.252 to-ports=22
add action=dst-nat chain=dstnat dst-address=1.2.3.4 dst-address-type=\
    local dst-port=80,443,3050,81 protocol=tcp to-addresses=192.168.1.252
/ip route
add distance=1 gateway=1.2.3.5
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes port=88
set ssh disabled=yes port=2200
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ppp secret
add name=tnt25 profile=l2tp-profile service=l2tp
add name=mtomaszewska profile=l2tp-profile service=l2tp
/system clock
set time-zone-name=Europe/Warsaw
/system logging
add action=email topics=error
/system ntp client
set enabled=yes primary-ntp=194.146.251.100 secondary-ntp=194.146.251.101
/tool bandwidth-server
set enabled=no
/tool graphing interface
add allow-address=192.168.1.251/32
/tool graphing queue
add allow-address=192.168.1.251/32
/tool graphing resource
add allow-address=192.168.1.251/32
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
 
anav
Forum Guru
Posts: 19109
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Hairpin NAT issues  [SOLVED]

Fri May 27, 2022 9:30 pm

(1) Set this to none, at least during troubleshooting.
/interface detect-internet
set detect-interface-list=WAN lan-interface-list=LAN


(2) Redundant rule not required.
add action=drop chain=input comment="Drop blacklist" src-address-list=\
blacklist

Reason: Shortly thereafter you have this rule which DOES THE SAME THING!!
add action=drop chain=input comment="Drop other inputs"

You may have an argument if you are stating what you want is for them not to attempt access to your VPN since you leave that wide open and don't limit it to known WANIPs.
Which in my view is a mistake as every person needing access either has a STATIC/fixed wanip or has access to FREE DYNDNS services and thus both could be added to an authorized firewall address list. In other words, better to limit access when it should be doable. If not, don't waste input chain cycles; drop those IPs in IP firewall RAW.

(3) The use of NEW is not required, aka your lan to wan (internet access) forward chain rule and other rules.......

(4) Ding Ding -- Winner Winner Turkey Dinner

This rule is the cause of your issues most likely
FROM: add action=accept chain=forward comment="Allow DSTNATED from WAN" \
connection-nat-state=dstnat connection-state=new in-interface-list=WAN

TO: add action=accept chain=forward comment="Allow DSTNATED" connection-nat-state=dstnat


(5) I understand the concept of wanting to let external users coming in on your router via L2TP, but not convinced these are the correct settings. Forward chain is correct but not the config...
add action=accept chain=forward comment="Allow l2tp user acces WAN" \
in-interface=all-ppp in-interface-list=!WAN out-interface-list=WAN
add action=accept chain=forward comment="Allow l2tp users access LAN" \
in-interface=all-ppp in-interface-list=!WAN out-interface=bridge
?????

First, I have no idea what PPP is, but as far as I know you cannot add it to the bridge ???
Maybe you can make a separate bridge here but you've used the same name as the other existing bridge ????

Why not
add action=accept chain=forward comment="Allow l2tp user acces WAN" \
src-address=192.168.10.0/24 out-interface-list=WAN
add action=accept chain=forward comment="Allow l2tp users access LAN" \
src-address=192.168.10.0/24 out-interface=bridge

Since bridge is in question here, safer to use
src-address=192.168.10.0/24 dst-address=192.168.1.0/24

(6) DING DING, another problem with your hairpin nat rules is duplication.
GET RID OF THIS SECOND ONE!
add action=src-nat chain=srcnat dst-address=192.168.1.0/24 src-address=\
192.168.1.0/24 to-addresses=1.2.3.4


(7) Your DESTINATION NAT RULES ARE ILL-CONFIGURED. If indeed you have a STATIC/fixed WANIP, keep the dst-address= and REMOVE the in-interface..........
ex: add action=dst-nat chain=dstnat comment="ALTI From WAN" dst-address=\
1.2.3.4 dst-port=2222 in-interface=ether1-WAN protocol=tcp \
to-addresses=192.168.1.252 to-ports=22


Should look like: add action=dst-nat chain=dstnat comment="ALTI From WAN" dst-address=\
1.2.3.4 dst-port=2222 protocol=tcp to-addresses=192.168.1.252 to-ports=22

IF your WANIP is actually dynamic then you need to choose how to approach that in your setup.
Many make the WANIP a firewall address name, using an existing free dyndns provider or the built-in mynetname in MT, where
then the dst-address=mynetname etc...........

(8) I don't see a vpn route but assuming there is one selected during ppp or vpn settings??
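To illustrate point (4), here is a small first-match model of the forward chain from the export above (an added example, not part of the thread and not RouterOS code). Interface names and the 1.2.3.4 WAN address are those from the thread; the three packets are constructed, and the `matches`/`forward_chain` helpers are a simplification of the real RouterOS matcher.

```python
# Added example (not from the thread or RouterOS): first-match model of the export's
# forward chain; hairpin fails on the in-interface-list=WAN dst-nat rule, passes without it.
def matches(rule, pkt):
    """True if every condition holds; a set means any-of, a leading '!' negates."""
    for key, want in rule.items():
        if key == "action":
            continue
        have = pkt.get(key)
        if isinstance(want, set):
            if have not in want:
                return False
        elif want.startswith("!"):
            if have == want[1:]:
                return False
        elif have != want:
            return False
    return True

def forward_chain(rules, pkt):
    """First terminating match wins; fasttrack-connection is non-terminating in RouterOS."""
    for rule in rules:
        if matches(rule, pkt) and rule["action"] != "fasttrack-connection":
            return rule["action"]
    return "accept"  # default policy when no rule matches

ORIGINAL = [  # mirrors the /ip firewall filter forward rules in the export
    {"action": "fasttrack-connection", "conn_state": {"established", "related"}},
    {"action": "accept", "conn_state": {"established", "related"}},
    {"action": "drop", "conn_state": "invalid"},
    {"action": "accept", "conn_state": "new", "in_list": "LAN", "out_list": "WAN"},
    # anav's point (4): hairpinned traffic enters on the bridge, so in_list is LAN
    {"action": "accept", "nat_state": "dstnat", "conn_state": "new", "in_list": "WAN"},
    {"action": "accept", "in_iface": "all-ppp", "in_list": "!WAN", "out_list": "WAN"},
    {"action": "accept", "in_iface": "all-ppp", "in_list": "!WAN", "out_iface": "bridge"},
    {"action": "drop"},  # "Drop other forwards"
]
# The suggested fix: accept on connection-nat-state=dstnat alone.
FIXED = [{"action": "accept", "nat_state": "dstnat"} if r.get("nat_state") else r for r in ORIGINAL]
# Constructed first packets, as the forward chain sees them after dst-nat has rewritten them.
PACKETS = {
    "hairpin":  {"conn_state": "new", "nat_state": "dstnat", "in_iface": "bridge",
                 "in_list": "LAN", "out_iface": "bridge", "out_list": "LAN"},
    "from_wan": {"conn_state": "new", "nat_state": "dstnat", "in_iface": "ether1-WAN",
                 "in_list": "WAN", "out_iface": "bridge", "out_list": "LAN"},
    "lan_out":  {"conn_state": "new", "nat_state": None, "in_iface": "bridge",
                 "in_list": "LAN", "out_iface": "ether1-WAN", "out_list": "WAN"},
}

def verdicts(rules):
    return {name: forward_chain(rules, pkt) for name, pkt in PACKETS.items()}
```

`verdicts(ORIGINAL)` drops the hairpin connection while accepting the other two; `verdicts(FIXED)` accepts all three, which is the behaviour the fix restores.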
 
tnt25
just joined
Topic Author
Posts: 2
Joined: Tue Apr 12, 2022 9:41 am

Re: Hairpin NAT issues

Sat May 28, 2022 7:45 pm

Sir, you are amazing!
This
(4) Ding Ding -- Winner Winner Turkey Dinner

This rule is the cause of your issues most likely
FROM: add action=accept chain=forward comment="Allow DSTNATED from WAN" \
connection-nat-state=dstnat connection-state=new in-interface-list=WAN

TO: add action=accept chain=forward comment="Allow DSTNATED" connection-nat-state=dstnat
solved my problem! It works like a charm now.

Regarding other comments:
(2) I wanted to blacklist IPs that tried to vpn to my network. I quit after a while as there are countless attempts. So you are right, this rule is pointless.
(3) Did you mean this rule?
add action=accept chain=forward connection-state=new in-interface-list=LAN out-interface-list=WAN
Without it browsing the internet doesn't work. Or am I wrong?
(5) Noted, some changes will be made in my config.
(6) Got rid of this rule.
(7) Changed.
(8) I didn't export my ppp settings as I assumed that they work good enough.

I've spent so much time trying to solve these problems. I appreciate your help and the time you spent checking my config. Thanks bro!
 
anav
Forum Guru
Posts: 19109
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Hairpin NAT issues

Sat May 28, 2022 10:28 pm

Regarding (3): The rule is required; just the use of the word 'NEW' is not required.

Have a read of Para 6 here - Halfway down the para roughly........ viewtopic.php?t=180838
