Could someone please help me find a solution to the non-working Hairpin nat. When I add LAN network to Connected address list, then port forwarding doesn't work from WAN1. My default OUT interface is WAN2(pppoe).
Code: Select all
/interface bridge
add fast-forward=no name=LAN
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN1
set [ find default-name=ether2 ] name=ether2-WAN2
/interface pppoe-client
add disabled=no interface=ether2-WAN2 name=pppoe-out1 password="secret" user=pppoe_user
/interface list
add name=WAN
/ip pool
add name=LAN-pool ranges=192.168.1.101-192.168.1.199
add name=l2tp_pool ranges=172.10.0.101-172.10.0.199
/ip dhcp-server
add address-pool=LAN-pool disabled=no interface=LAN lease-time=4h name=LAN
/ppp profile
add bridge=LAN local-address=192.168.1.1 name=l2tp remote-address=l2tp_pool
/interface bridge port
add bridge=LAN interface=ether3
add bridge=LAN interface=ether4
add bridge=LAN interface=ether5
add bridge=LAN interface=ether6
add bridge=LAN interface=ether7
add bridge=LAN interface=ether8
add bridge=LAN interface=ether9
add bridge=LAN interface=ether10
/interface l2tp-server server
set allow-fast-path=yes default-profile=l2tp enabled=yes ipsec-secret="secret" use-ipsec=yes
/interface list member
add interface=ether1-WAN1 list=WAN
add interface=ether2-WAN2 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.1.1/24 interface=LAN network=192.168.1.0
add address=46.170.57.30/30 interface=ether1-WAN1 network=xxx.xxx.xxx.xxx
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1,8.8.8.8 gateway=192.168.1.1 ntp-server=213.222.200.99
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,194.204.15.34,1.1.1.1
/ip firewall address-list
add address=xxx.xxx.xxx.xxx/30 list=Connected
add address=yyy.yyy.yyy.yyy list=Connected
add address=10.0.0.1 list=Connected [color=#FF0000][i]- gateway of pppoe connection[/i][/color]
add address=192.168.1.0/24 list=LAN
add address=172.10.0.0/24 list=Connected
add address=192.168.1.0/24 disabled=yes list=Connected
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked disabled=yes
add action=accept chain=input comment="Winbox Access" dst-port=8391 in-interface-list=all protocol=tcp
add action=accept chain=input comment="Ssh Access" dst-port=4322 protocol=tcp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input dst-port=500,1701,4500 protocol=udp
add action=drop chain=input connection-state="" dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=input connection-state="" dst-port=53 in-interface-list=WAN protocol=udp
/ip firewall mangle
add action=accept chain=prerouting comment=WAN->ROS src-address-list=Connected
add action=mark-connection chain=input connection-mark=no-mark in-interface=ether1-WAN1 new-connection-mark=WAN1->ROS passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark in-interface=pppoe-out1 new-connection-mark=WAN2->ROS passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1->ROS new-routing-mark=TO_WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2->ROS new-routing-mark=TO_WAN2 passthrough=yes
add action=mark-connection chain=forward comment=WAN->LANs connection-mark=no-mark in-interface=ether1-WAN1 new-connection-mark=WAN1->LAN passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark in-interface=pppoe-out1 new-connection-mark=WAN2->LAN passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN1->LAN new-routing-mark=TO_WAN1 passthrough=yes src-address-list=LAN
add action=mark-routing chain=prerouting connection-mark=WAN2->LAN new-routing-mark=TO_WAN2 passthrough=yes src-address-list=LAN
add action=mark-connection chain=prerouting comment=LANs->WAN connection-mark=no-mark dst-address-list=!Connected dst-address-type=!local new-connection-mark=LAN->WAN passthrough=yes src-address-list=LAN
add action=mark-routing chain=prerouting comment="Load Balancing" connection-mark=LAN->WAN new-routing-mark=TO_WAN2 passthrough=yes src-address-list=LAN
add action=mark-connection chain=prerouting comment="Stick connections after this" connection-mark=LAN->WAN new-connection-mark=Sticky_WAN1 passthrough=yes routing-mark=TO_WAN1
add action=mark-connection chain=prerouting connection-mark=LAN->WAN new-connection-mark=Sticky_WAN2 passthrough=yes routing-mark=TO_WAN2
add action=mark-routing chain=prerouting connection-mark=Sticky_WAN1 new-routing-mark=TO_WAN1 passthrough=yes src-address-list=LAN
add action=mark-routing chain=prerouting connection-mark=Sticky_WAN2 new-routing-mark=TO_WAN2 passthrough=yes src-address-list=LAN
/ip firewall nat
add action=dst-nat chain=dstnat comment="WWW SMDP" dst-address=46.170.57.30 dst-port=8088 in-interface=ether1-WAN1 protocol=tcp to-addresses=192.168.1.10 to-ports=80
add action=dst-nat chain=dstnat comment="WWW SMDP" dst-address=46.170.57.30 dst-port=8180 in-interface=ether1-WAN1 protocol=tcp to-addresses=192.168.1.10 to-ports=80
add action=dst-nat chain=dstnat comment="WWW Solary" dst-address=yyy.yyy.yyy.yyy dst-port=8180 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.10 to-ports=80
add action=dst-nat chain=dstnat comment="WWW SMDP" dst-address=yyy.yyy.yyy.yyy dst-address-type="" dst-port=8088 in-interface=pppoe-out1 protocol=tcp src-address-type="" to-addresses=192.168.1.10 to-ports=80
add action=masquerade chain=srcnat out-interface=ether1-WAN1 src-address=192.168.1.0/24
add action=masquerade chain=srcnat out-interface=pppoe-out1 src-address=172.10.0.0/24
add action=masquerade chain=srcnat out-interface=pppoe-out1 src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="HairPin NAT" dst-address=192.168.1.0/24 dst-address-type=local src-address=192.168.1.0/24
/ip route
add check-gateway=ping distance=1 gateway=xxx.xxx.xxx.gw_ip/30 routing-mark=TO_WAN1
add check-gateway=ping distance=1 gateway=10.0.0.1 routing-mark=TO_WAN2
add check-gateway=ping distance=1 gateway=10.0.0.1
add check-gateway=ping distance=2 gateway=ether1-WAN1