Techsystem
Member
Topic Author
Posts: 337
Joined: Tue Dec 21, 2021 5:12 am

Loopback NAT or Hairpin on MikroTik

Thu Dec 08, 2022 7:52 pm

Hello My friends..!
So a lot of you saw the latest video by Normis where he was talking about Hairpin NAT:
https://www.youtube.com/watch?v=1I5FywY6opQ&t=143s
Please, can anyone help me understand what he meant by the statement at the 2:20 minute mark..?
As I know it, the dst-NAT rule doesn't work at all in the case of an internal request, and he argues that the web server will see the request coming from inside the LAN..! But that means the dst-NAT rule did work due to this request from the user..? Didn't it..?
Please, if anyone can correct me..?!
 
broderick
Member Candidate
Posts: 242
Joined: Mon Nov 30, 2020 7:44 pm

Re: Loopback NAT or Hairpin on MikroTik

Thu Dec 08, 2022 7:54 pm

viewtopic.php?t=191536

and

This article can help you understand it correctly:

https://gregsowell.com/?p=4242
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Loopback NAT or Hairpin on MikroTik

Thu Dec 08, 2022 8:14 pm

Techsystem wrote:
Hello My friends..!
So a lot of you saw the latest video by Normis where he was talking about Hairpin NAT:
https://www.youtube.com/watch?v=1I5FywY6opQ&t=143s
Please, can anyone help me understand what he meant by the statement at the 2:20 minute mark..?
As I know it, the dst-NAT rule doesn't work at all in the case of an internal request, and he argues that the web server will see the request coming from inside the LAN..! But that means the dst-NAT rule did work due to this request from the user..? Didn't it..?
Please, if anyone can correct me..?!

Hi Tech, the nub is that the PC asking to reach the server sent the request to a specific address, the WANIP, and thus the PC will accept responses back from the WANIP.
Without hairpin NAT, the router, when returning the info from the server, knows the response is going back to a local user and thus efficiently does so, bypassing the initial WANIP routing and sending the return info direct from the server to the PC...
So the PC device gets a response, but from the local server IP and not the WANIP (original dest address), and thus drops the packet...
 
Techsystem
Member
Topic Author
Posts: 337
Joined: Tue Dec 21, 2021 5:12 am

Re: Loopback NAT or Hairpin on MikroTik

Thu Dec 08, 2022 8:57 pm

Really appreciate every single word here Mr anav..!
How big is this..
But I still have a question about the same video: can you tell me, in your simple words, what you understand from 3:00 to the end of the video..?
I still have some confusion about those statements..!
Last edited by BartoszP on Thu Dec 08, 2022 9:58 pm, edited 1 time in total.
Reason: removed excessive quoting of preceding post; be wise, quote smart.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Loopback NAT or Hairpin on MikroTik

Thu Dec 08, 2022 9:22 pm

The confusion is in his paragraph 2; the written text in the second sentence is wrong. His words are correct in that the device making the request, 10.0.0.2, besides being dst-natted (as per the correct first sentence), is also source-natted (by the hairpin NAT rule) and is given a new source address of the IP of the LAN interface, 10.0.0.1.

So if there is confusion, it's in his text. His words are correct.
 
BartoszP
Forum Guru
Posts: 2865
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Loopback NAT or Hairpin on MikroTik

Thu Dec 08, 2022 9:59 pm

Maybe this could enlighten your problem a little bit:

viewtopic.php?p=508981#p508981
 
Techsystem
Member
Topic Author
Posts: 337
Joined: Tue Dec 21, 2021 5:12 am

Re: Loopback NAT or Hairpin on MikroTik

Fri Dec 09, 2022 8:06 am

anav wrote:
The confusion is in his paragraph 2; the written text in the second sentence is wrong. His words are correct in that the device making the request, 10.0.0.2, besides being dst-natted (as per the correct first sentence), is also source-natted (by the hairpin NAT rule) and is given a new source address of the IP of the LAN interface, 10.0.0.1.

So if there is confusion, it's in his text. His words are correct.

But when he said "after all NAT is undone", that makes me ask another question about how the MT router's NAT algorithm works..??
Why does that happen..? Can you tell me how this smart small device deals with this rule..?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Loopback NAT or Hairpin on MikroTik

Fri Dec 09, 2022 7:40 pm

It's connection tracking. If there's a connection from x.x.x.x:x to y.y.y.y:y, the router remembers that and knows that a response from y.y.y.y:y to x.x.x.x:x belongs to the same connection. That's the simple case without NAT. When there's NAT (srcnat, dstnat or both), it's the same principle, only with changed addresses.

So in this example:

- there's a connection from 10.0.0.2:X (X = random port) to 172.16.16.1:443 and connection tracking remembers that
- dstnat changes the destination to 10.0.0.3:443
- srcnat/masquerade changes the source to 10.0.0.1:Y (Y may or may not be the same as X)
- connection tracking remembers that the response packet will have source 10.0.0.3:443 and destination 10.0.0.1:Y
- then such a packet comes from the server
- connection tracking reverses the previous srcnat and the packet's destination becomes 10.0.0.2:X
- connection tracking reverses the previous dstnat and the packet's source becomes 172.16.16.1:443
- the same thing will be repeated for all further packets that belong to the same connection
- connection tracking will recognize client -> server packets, because they will match the remembered 10.0.0.2:X -> 172.16.16.1:443
- connection tracking will recognize server -> client packets, because they will match the remembered 10.0.0.3:443 -> 10.0.0.1:Y
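Sob's step list, written out as a small connection-tracking model. This is an added example for this thread, not RouterOS code and not anything from the video; it keeps Sob's addresses (client 10.0.0.2, router LAN side 10.0.0.1, router WAN 172.16.16.1, server 10.0.0.3) and constructs X = 51000 and Y = 40000 as sample ports. The `hairpin` flag switches the LAN-to-LAN masquerade rule on or off, so the same model also shows anav's failure case: without the srcnat, the server answers 10.0.0.2 directly, the reply never passes the router, the dstnat is never undone, and the client drops a packet from 10.0.0.3 because it was talking to 172.16.16.1.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]          # (ip, port)


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint


@dataclass
class Conntrack:
    orig: Packet     # client -> server as the router first saw it (pre-NAT)
    forward: Packet  # the same packet after dstnat and srcnat were applied
    reply: Packet    # what the server's reply looks like before NAT is undone


class Router:
    """Toy model of one conntrack table with dstnat + optional hairpin masquerade."""
    LAN_IP = "10.0.0.1"
    WAN_IP = "172.16.16.1"
    LAN_PREFIX = "10.0.0."          # crude stand-in for a 10.0.0.0/24 address match

    def __init__(self, dstnat: Dict[Endpoint, Endpoint], hairpin: bool) -> None:
        self.dstnat = dstnat        # (WAN ip, port) -> (server ip, port)
        self.hairpin = hairpin      # whether the LAN->LAN masquerade rule exists
        self.table: Dict[Packet, Conntrack] = {}
        self.next_port = 40000      # Y in Sob's post; constructed, need not equal X

    def in_lan(self, ip: str) -> bool:
        return ip.startswith(self.LAN_PREFIX)

    def forward(self, pkt: Packet) -> Packet:
        """Client -> server direction: NAT a new connection or reuse the tracked one."""
        ct = self.table.get(pkt)
        if ct is not None and ct.orig == pkt:
            return ct.forward                     # established: same translation again
        dst = self.dstnat.get(pkt.dst, pkt.dst)   # dstnat: 172.16.16.1:443 -> 10.0.0.3:443
        src = pkt.src
        if self.hairpin and self.in_lan(src[0]) and self.in_lan(dst[0]):
            src = (self.LAN_IP, self.next_port)   # masquerade: 10.0.0.2:X -> 10.0.0.1:Y
            self.next_port += 1
        ct = Conntrack(orig=pkt, forward=Packet(src, dst), reply=Packet(dst, src))
        self.table[ct.orig] = ct                  # both tuples point at the same entry
        self.table[ct.reply] = ct
        return ct.forward

    def reply(self, pkt: Packet) -> Optional[Packet]:
        """Server -> client direction: undo the NAT recorded for this connection."""
        ct = self.table.get(pkt)
        if ct is None or ct.reply != pkt:
            return None                           # nothing tracked: nothing to undo
        # reversed srcnat restores dst 10.0.0.2:X, reversed dstnat restores src 172.16.16.1:443
        return Packet(src=ct.orig.dst, dst=ct.orig.src)


def client_accepts(sent: Packet, received: Packet) -> bool:
    """A host only matches a reply to its socket if it comes from the peer it contacted."""
    return received.src == sent.dst and received.dst == sent.src


def simulate(hairpin: bool) -> Tuple[Packet, Optional[Packet], bool]:
    """One request/reply; returns (packet as the server sees it, reply as the client gets it, accepted)."""
    router = Router({("172.16.16.1", 443): ("10.0.0.3", 443)}, hairpin=hairpin)
    request = Packet(("10.0.0.2", 51000), ("172.16.16.1", 443))   # X = 51000, constructed
    at_server = router.forward(request)
    server_reply = Packet(at_server.dst, at_server.src)           # server swaps src and dst
    if hairpin:
        delivered = router.reply(server_reply)    # addressed to 10.0.0.1:Y, so it crosses the router
    else:
        delivered = server_reply                  # addressed to 10.0.0.2:X, goes direct over the LAN
    accepted = delivered is not None and client_accepts(request, delivered)
    return at_server, delivered, accepted


if __name__ == "__main__":
    for flag in (True, False):
        seen, got, ok = simulate(flag)
        print(f"hairpin={flag}: server sees {seen}, client gets {got}, accepted={ok}")
```

Running it prints the accepted reply `172.16.16.1:443 -> 10.0.0.2:51000` for the hairpin case and the dropped `10.0.0.3:443 -> 10.0.0.2:51000` for the case without it. Calling `forward()` twice with the same request returns the same translated tuple, which is the "repeated for all further packets" step.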
 
BartoszP
Forum Guru
Posts: 2865
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Loopback NAT or Hairpin on MikroTik

Fri Dec 09, 2022 11:24 pm

BartoszP wrote:
Maybe this could enlighten your problem a little bit:

viewtopic.php?p=508981#p508981

Sob,

It seems that you described in other words what had already been described but not read :)
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Loopback NAT or Hairpin on MikroTik

Sat Dec 10, 2022 2:52 am

Hey, sometimes different words help. And yes, sometimes it's a waste of time.
 
Buckeye
Forum Veteran
Posts: 889
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Loopback NAT or Hairpin on MikroTik  [SOLVED]

Sat Dec 10, 2022 4:41 am

I think the MikroTik documentation could be improved. #1, all documentation should be using RFC 5737 TEST-NET-1, TEST-NET-2 and TEST-NET-3 addresses to stand in for global IP addresses. Using RFC 1918 addresses for "global IP addresses" is confusing to many people. There is no explanation given about how/why the "NAT is undone". So I can understand why this is confusing to someone that doesn't know how dynamic NAT translations work. At least a mention of connection tracking or the NAT translation table would have helped. I think both BartoszP's and Sob's explanations are clearer in the word explanation than the MikroTik explanation is.

I think a packet capture with the packets as they are sent and received would make things clearer for people that like to see how things work.

Greg Sowell's "solution" looks a bit more "general", i.e. it would work if there are multiple "servers" on the same subnet. But I was surprised that the masquerade rule for hairpin didn't include out-interface=ether2, but since it's the only interface that would match both src and dst addresses, I guess it is not ambiguous. See MikroTik Internal Hairpin for context

add action=masquerade chain=srcnat disabled=no dst-address=192.168.1.0/24 src-address=192.168.1.0/24
 
Techsystem
Member
Topic Author
Posts: 337
Joined: Tue Dec 21, 2021 5:12 am

Re: Loopback NAT or Hairpin on MikroTik

Sat Dec 10, 2022 6:07 am

Hello Mr Buckeye..!
Very grateful to you..! And to everyone who shared his knowledge to illustrate the idea in this thread..!
Well, yes, I understand what happens now, but that also makes me wonder how little I am compared with you.
Last edited by BartoszP on Sat Dec 10, 2022 8:31 am, edited 1 time in total.
Reason: removed excessive quoting of preceding post; be wise, quote smart.
