junkertf
just joined
Topic Author
Posts: 7
Joined: Sun Jan 15, 2023 10:52 pm

Publishing LAN services to the internet with HairPin NAT solution

Sun Mar 05, 2023 6:37 pm

Hello all,

I am relatively new to MikroTik products, but have some clues/L2-L3 knowledge in the network management area.
I tried to search the MikroTik docs and browsed forum topics for some days, without a solution.
Maybe the concern is in my head, but the know-how is not in my mind, so I am not up to solving my problem on my own, and need some help to solve it.
So there is a chance that the solution is a beginner's one; in that case please be patient :)

I have a router (RB4011iGS+5HacQ2HnD), with a Synology NAS attached to it (LACP), running web and SFTP services that I want to publish on the internet.
LAN access works perfectly for them thanks to the hairpin NAT; if I try to access them from a phone attached to the WiFi, it works well.

The LAN endpoint (router WAN port) is DHCP, but Synology services gave me a DDNS name (not QuickConnect), which I can use and resolve in/with the router using the firewall address-list solution.

I try to sniff out the relevant configuration lines here; if it's not enough, I will bring the necessary lines :)
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=dhcp ranges=********100-********200

/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf

/port
set 0 name=serial0
set 1 name=serial1

/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf disabled=yes interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf disabled=yes interface=sfp-sfpplus1
add bridge=bridge comment=defconf disabled=yes interface=wlan1
add bridge=bridge comment=defconf disabled=yes interface=wlan2
add bridge=bridge comment=defconf disabled=yes interface=ether1
add bridge=bridge interface=bonding1

/ip neighbor discovery-settings
set discover-interface-list=LAN lldp-med-net-policy-vlan=1

/interface list member
add comment=defconf interface=bridge list=LAN
add interface=sfp-sfpplus1 list=WAN

/ip address
add address=**********254/24 comment=defconf interface=bridge network=************

/ip dhcp-client
add comment=defconf interface=sfp-sfpplus1

/ip dhcp-server lease
add address=********99 client-id=******* mac-address=*********** server=defconf use-src-mac=yes

/ip dhcp-server network
add address=**********/24 comment=defconf dns-server=*********** gateway=************ netmask=24

/ip dns
set allow-remote-requests=yes

/ip dns static
add address=************ comment=defconf name=router.lan

/ip firewall address-list
add address=**********/24 list=Local_LAN
add address=************.synology.me list=GW_IP

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow all from LAN to WAN && allow Conn NAT state dstnat" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward connection-nat-state=dstnat connection-state=""
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=forward comment="drop all else"

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="HAIRpin NAT" dst-address-list=Local_LAN out-interface-list=LAN src-address-list=Local_LAN
add action=dst-nat chain=dstnat comment="Public WWW access - DNAT to Synology" dst-address-list=GW_IP dst-port=XXXX protocol=tcp to-addresses=******** to-ports=XXXX
add action=dst-nat chain=dstnat comment="Public SFTP access - DNAT to Synology" dst-address-list=GW_IP dst-port=AAAA protocol=tcp to-addresses=******** to-ports=AAAA
add action=dst-nat chain=dstnat comment="access - DNAT to MacOS" dst-port=BBBB protocol=tcp to-addresses=******** to-ports=BBBB
add action=dst-nat chain=dstnat dst-port=BBBB protocol=udp to-addresses=******** to-ports=BBBB

So the question is: what am I doing wrong, or how would these work?
Support is not at its best; no answer for the ticket in 3 days... :(

Please help, best regards,

Ferenc
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Publishing LAN services to the internet with HairPin NAT solution

Sun Mar 05, 2023 8:25 pm

Support is mainly for things like bugs. There's nothing clearly wrong in your config (firewall rules could use some reordering, but they don't break anything). So, public IP address *1, do you know what it is and are you absolutely sure that you have one directly on your router *2?

*1 not 10.x.x.x, 100.64-127.x.x, 172.16-31.x.x, 192.168.x.x
*2 whatever ************.synology.me resolves to, is it also in IP->Addresses?
 
junkertf
just joined
Topic Author
Posts: 7
Joined: Sun Jan 15, 2023 10:52 pm

Re: Publishing LAN services to the internet with HairPin NAT solution

Mon Mar 06, 2023 9:19 am

Thank you for the fast response! Going in line!
Thank you for the advice regarding the ordering of FW rules; I did some reordering, but noobishly forgot to take a screenshot of how it was before, so if we could get it (back) to a good one, I would really appreciate it.

The answer for your questions is the following:
*1 subnet is 172.10.*

*2 No, but I don't understand why it is a must? I have it at IP - Firewall - Address List only.
If it is mandatory, then how could this be done with a script or some automation? (because the outside address is DHCP assigned)
I also accept an RT(F)M link to do that myself!


»»»» EDITED here
I made a try to add the outside IP address to IP - Addresses, but it's still not working...
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Publishing LAN services to the internet with HairPin NAT solution

Tue Mar 07, 2023 12:16 am

The point is whether you have a public address (= can have incoming connections from the internet) at all. Because it's not automatic; there's a shortage of public addresses, so ISPs "hide" their customers behind a few public addresses using NAT. Outgoing connections to the internet work, but incoming don't, because the target address is on the ISP's router and not on the client's.

Your 172.10.* is public, but it's also suspiciously close to non-public 172.16-31.x.x, so it could be the ISP's mistake. One hint: 172.10.* is assigned to AT&T in the US, are you anywhere close to that? Or even better, did your ISP tell you that you're supposed to have a public address? Because if not, you probably don't.

You can also add a temporary logging rule to see all incoming connections from the internet, if there are any:
/ip firewall nat
add chain=dstnat in-interface-list=WAN action=log log-prefix=new_from_internet place-before=0
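The address checks from the two replies above (the non-public ranges and the question whether the DDNS name points at an address the router actually holds), turned into a small script. This is an added example, not from this thread or from MikroTik; it assumes you already know what the DDNS name resolves to and what `/ip address` shows on the WAN interface, and the addresses it runs on are constructed samples.

```python
"""Classify a router's WAN address the way the replies above do.

Added example (not from the forum thread or MikroTik). An address inside
10/8, 100.64/10, 172.16/12 or 192.168/16 cannot receive inbound connections
from the internet (the ISP is NATing you); and even with a public address,
the DDNS name must resolve to an address the router itself holds, or the
dst-nat rules keyed on that address never match.
"""
import ipaddress

# Ranges named in the reply as "not public": RFC 1918 plus CGNAT 100.64/10.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "100.64.0.0/10", "172.16.0.0/12", "192.168.0.0/16")]


def is_public_ipv4(addr: str) -> bool:
    """True if addr is an IPv4 address outside the RFC 1918 / CGNAT ranges."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and not any(ip in net for net in NON_PUBLIC)


def diagnose(ddns_addr: str, wan_addrs: list[str]) -> str:
    """Return 'ok', 'behind-isp-nat' or 'ddns-mismatch'.

    ddns_addr: what the *.synology.me name resolves to (seen from outside).
    wan_addrs: addresses configured on the router's WAN interface, in
               RouterOS 'a.b.c.d/len' form as shown by /ip address.
    """
    wan = [ipaddress.ip_address(a.split("/")[0]) for a in wan_addrs]
    if not any(is_public_ipv4(str(a)) for a in wan):
        # CGNAT or DS-Lite: inbound traffic stops at the ISP's router.
        return "behind-isp-nat"
    if ipaddress.ip_address(ddns_addr) not in wan:
        # DDNS points at an address this router does not own.
        return "ddns-mismatch"
    return "ok"


if __name__ == "__main__":
    # Constructed samples: 172.10.x is public, 172.20.x is inside 172.16/12.
    print(diagnose("172.10.5.6", ["172.10.5.6/24"]))        # ok
    print(diagnose("172.10.5.6", ["172.20.5.6/24"]))        # behind-isp-nat
    print(diagnose("203.0.113.9", ["100.100.1.2/22"]))      # behind-isp-nat
    print(diagnose("203.0.113.9", ["198.51.100.7/24"]))     # ddns-mismatch
```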
 
junkertf
just joined
Topic Author
Posts: 7
Joined: Sun Jan 15, 2023 10:52 pm

Re: Publishing LAN services to the internet with HairPin NAT solution

Tue Mar 07, 2023 3:08 pm

I try to understand what you wrote... I am writing to you from Hungary :)

To be clear, exactly this configuration worked while I was using the dyndns DDNS service and a Cisco RV series firewall.
So DDNS worked for me for many years, and the ISP has been the same for the last 10+ years.
We relocated 2 years ago, but after that the above configuration still worked.

After that point in time, I had to switch my router after 10 years of usage (the power unit broke down).
The new router is this MikroTik, and I'm trying to figure out how it would work.

I had thought that there is a small chance that my CH7465vf (ISP-side endpoint) device is not in bridge mode like before.
But I don't remember changing these settings.
Even better, the ISP has actually changed the device admin page and I cannot configure it: I have access to the page, but the configuration option is hidden, so I must call them. :(
 
junkertf
just joined
Topic Author
Posts: 7
Joined: Sun Jan 15, 2023 10:52 pm

Re: Publishing LAN services to the internet with HairPin NAT solution

Tue Mar 07, 2023 7:30 pm

I made a call to the ISP; DS-Lite IPv6 was changed back to bridge mode IPv4.

I also added the advised NAT log rule, but I don't understand what is going on.
I see nothing coming in on the configured ports (22222 and 8889).
I could check the last one with an old Solaris server sitting on the internet, with openssl s_client -connect.

Interestingly, I could not see that traceroute (from the Solaris) arrives at the router IP.
 
junkertf
just joined
Topic Author
Posts: 7
Joined: Sun Jan 15, 2023 10:52 pm

Re: Publishing LAN services to the internet with HairPin NAT solution

Tue Mar 07, 2023 9:27 pm

Also an experience from a public internet server:

traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 40 byte packets
1 gw.serverfarm.hu (217.113.62.254) 0.166 ms 0.086 ms 0.067 ms
2 bix.google.com (193.188.137.163) 0.357 ms 0.405 ms 0.297 ms
3 74.125.242.225 (74.125.242.225) 1.547 ms 1.481 ms 74.125.242.241 (74.125.242.241) 0.393 ms
4 142.251.228.25 (142.251.228.25) 0.414 ms 142.251.65.217 (142.251.65.217) 0.367 ms 142.251.228.27 (142.251.228.27) 0.378 ms
5 dns.google (8.8.8.8) 0.322 ms 0.303 ms 0.302 ms

traceroute to .homeip.net (89.135.109.7*), 30 hops max, 40 byte packets
1 gw.serverfarm.hu (217.113.62.254) 0.140 ms 0.089 ms 0.077 ms
2 193.188.137.184 (193.188.137.184) 0.849 ms 0.791 ms 0.496 ms
3 * * *
4 catv-89-135-222-36.catv.fixed.vodafone.hu (89.135.222.36) 7.350 ms 7.342 ms 7.297 ms
5 catv-89-135-222-36.catv.fixed.vodafone.hu (89.135.222.36) 7.328 ms !H * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * catv-89-135-222-36.catv.fixed.vodafone.hu (89.135.222.36) 7.391 ms !H *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 catv-89-135-222-36.catv.fixed.vodafone.hu (89.135.222.36) 7.315 ms !H * *
28 * catv-89-135-222-36.catv.fixed.vodafone.hu (89.135.222.36) 3229.132 ms !H *
29 * * *
30 * * *
 
junkertf
just joined
Topic Author
Posts: 7
Joined: Sun Jan 15, 2023 10:52 pm

Re: Publishing LAN services to the internet with HairPin NAT solution

Wed Mar 08, 2023 12:26 pm

Hello,

Problem solved.
The ISP had changed the modem's working method (to DS-Lite), and the owner of the flat has more than one account/endpoint at the ISP.

So after more than five phone calls, the problem is solved.
The router has a public IPv4 address, and the configuration is working.

Next question: how would it work if the DS-Lite method were the standard...

Thank you for all the help.

Best regards,

Ferenc
