matrixfueller
just joined
Topic Author
Posts: 10
Joined: Mon Mar 20, 2023 8:08 pm

Hairpin NAT not working from local network

Mon Mar 20, 2023 8:15 pm

Dear people that are more clever than me,

I have read:
I am on the following network: 192.168.178.0/24

The goal is that the server with IP 192.168.178.85 should be reachable from the external network (is working) and from the internal network (not working).

This translates in my network to the following rules:
/ip firewall filter
add action=accept chain=input comment="default configuration" \
    connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established, Related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    log=yes log-prefix=invalid
add action=drop chain=forward comment=\
    "Drop tries to reach not public addresses from LAN" dst-address-list=\
    not_in_internet in-interface=bridge1 log=yes log-prefix=!public_from_LAN \
    out-interface=!bridge1
add action=drop chain=forward comment=\
    "Drop incoming packets that are not NAT'ted" connection-nat-state=!dstnat \
    connection-state=new in-interface=pppoe-out1 log=yes log-prefix=!NAT
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
    protocol=icmp
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public ip" in-interface=\
    pppoe-out1 log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=\
    "Drop packets from LAN that do not have LAN IP" in-interface=bridge1 log=\
    yes log-prefix=LAN_!LAN src-address=!192.168.178.0/24
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
    protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
    protocol=icmp
add action=accept chain=icmp comment=\
    "host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
    protocol=icmp
add action=drop chain=icmp comment="deny all other types"
/ip firewall nat
add action=masquerade chain=srcnat comment=HairpinNAT disabled=yes \
    dst-address=192.168.178.85 out-interface=pppoe-out1 src-address=\
    192.168.178.0/24
add action=masquerade chain=srcnat comment=NAT out-interface=pppoe-out1
add action=dst-nat chain=dstnat dst-port=80 in-interface=pppoe-out1 protocol=\
    tcp to-addresses=192.168.178.85 to-ports=80
add action=dst-nat chain=dstnat dst-port=443 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=192.168.178.85 to-ports=443
add action=dst-nat chain=dstnat dst-port=51820 in-interface=pppoe-out1 \
    protocol=udp to-addresses=192.168.178.85 to-ports=51820
Obviously, I have an error here somewhere and after a full day of staring at them I am at the end of my knowledge.
 
baragoon
Member Candidate
Posts: 294
Joined: Thu Jan 05, 2017 10:38 am
Location: Kyiv, UA

Re: Hairpin NAT not working from local network

Tue Mar 21, 2023 1:12 am

Your rules are a little bit wrong; with "in-interface" it will not work as you expect.
Here are my working rules:
/ip firewall nat
add action=masquerade chain=srcnat comment=hairpin dst-port=80,443 protocol=tcp src-address=172.16.11.0/24
add action=dst-nat chain=dstnat comment=web dst-address=91.xxx.yyy.zzz dst-port=80,443 protocol=tcp to-addresses=172.16.11.11
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Hairpin NAT not working from local network  [SOLVED]

Tue Mar 21, 2023 1:50 am

FIXED:
/ip firewall filter
add action=accept chain=input comment="default configuration" \
connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input src-address-list=allowed_to_router
add action=drop chain=input
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established, Related" \
connection-state=established,related,untracked
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment=HairpinNAT \
dst-address=192.168.178.0 src-address=192.168.178.0
add action=masquerade chain=srcnat comment=NAT out-interface=pppoe-out1
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=dst-nat chain=dstnat dst-port=80,443 dst-address-list=MYWANIP protocol=\
tcp to-addresses=192.168.178.85
add action=dst-nat chain=dstnat dst-port=51820 dst-address-list=MYWANIP \
protocol=udp to-addresses=192.168.178.85


where
/ip firewall address-list
add address=867489403.sn.mynetname.net list=MYWANIP


Mynetname you get from IP cloud!!
+++++++++++++++++++++++++++++++++
Discussion:
(1) The firewall should be about allowed traffic, and with drop rules at the end 99.999 percent of traffic is handled just fine.
(2) The default rule for dstnat in the firewall forward chain is useless for loopback.
(3) Don't need to-ports if same as dst-ports.
(4) Since your WAN IP is dynamic, we need to mimic the dst-address approach used for static IPs. We do this by using your IP Cloud name, which is resolved to your IP by the router.
The in-interface approach does not work because your local users are not coming from the external interface.
 
matrixfueller
just joined
Topic Author
Posts: 10
Joined: Mon Mar 20, 2023 8:08 pm

Re: Hairpin NAT not working from local network

Sat Mar 25, 2023 10:50 pm

Thanks a lot! I have already dyndns set up, so no Cloud Domain from Mikrotik is needed. This worked instantly after trying it out. Didn't even need to reset the open connections.
 
matrixfueller
just joined
Topic Author
Posts: 10
Joined: Mon Mar 20, 2023 8:08 pm

Re: Hairpin NAT not working from local network

Sat Apr 08, 2023 10:16 pm

After I messed up my configuration during an experiment I wanted to restore my old working config. It seems the backup I had was not recent enough...

Now the hairpin NAT is not working with the rules that were corrected by @anav.

What part of my config should I post here again other than the firewall that could help narrow down the problem? Or should I just post the full config?
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Hairpin NAT not working from local network

Sat Apr 08, 2023 10:41 pm

Always full, LOL. Unless you have an effing 5-mile-long blacklist, and thus remove the blacklist and DHCP server leases........
 
matrixfueller
just joined
Topic Author
Posts: 10
Joined: Mon Mar 20, 2023 8:08 pm

Re: Hairpin NAT not working from local network

Sat Apr 08, 2023 11:03 pm

Capsman and scripts were removed for readability. Otherwise, this should be it...
# apr/08/2023 20:46:11 by RouterOS 7.5
# software id = RHQM-G990
#
# model = CCR2004-16G-2S+
# serial number = HD408E3HNNC
/interface bridge
add name=bridge1
/interface vlan
add interface=ether1 name=vlan1 vlan-id=7
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan1 name=pppoe-out1 \
    use-peer-dns=yes
/interface list
add name=listBridge
/ip pool
add name=dhcp_family_pool ranges=192.168.178.20-192.168.178.200
/ip dhcp-server
add add-arp=yes address-pool=dhcp_family_pool interface=bridge1 lease-script=\
    dhcp-lease-script-family name=family_server
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge1 interface=cap3
add bridge=bridge1 interface=cap2
add bridge=bridge1 interface=sfp-sfpplus2
add bridge=bridge1 interface=ether13
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=bridge1 list=listBridge
/ip address
add address=192.168.178.1/24 interface=bridge1 network=192.168.178.0
/ip dhcp-server network
add address=192.168.178.0/24 caps-manager=192.168.178.1 dns-server=\
    192.168.178.1 domain=home.lan gateway=192.168.178.1 netmask=24 \
    ntp-server=192.168.178.1
/ip dns
set allow-remote-requests=yes servers=192.168.178.1,8.8.8.8
/ip dns static
add address=192.168.178.1 comment="Manual: homerack-05-router" name=\
    homerack-05-router.home.lan
/ip firewall address-list
add address=192.168.178.2-192.168.178.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/24 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
add address=vpn.4seul.de list=public_ip
/ip firewall filter
add action=accept chain=input comment="default configuration" \
    connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established, Related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    log=yes log-prefix=invalid
add action=drop chain=forward comment=\
    "Drop tries to reach not public addresses from LAN" dst-address-list=\
    not_in_internet in-interface=bridge1 log=yes log-prefix=!public_from_LAN \
    out-interface=!bridge1
add action=drop chain=forward comment=\
    "Drop incoming packets that are not NAT'ted" connection-nat-state=!dstnat \
    connection-state=new in-interface=pppoe-out1 log=yes log-prefix=!NAT
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
    protocol=icmp
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public ip" in-interface=\
    pppoe-out1 log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=\
    "Drop packets from LAN that do not have LAN IP" in-interface=bridge1 log=\
    yes log-prefix=LAN_!LAN src-address=!192.168.178.0/24
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
    protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
    protocol=icmp
add action=accept chain=icmp comment=\
    "host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
    protocol=icmp
add action=drop chain=icmp comment="deny all other types"
/ip firewall nat
add action=masquerade chain=srcnat comment=HairpinNAT dst-address=\
    192.168.178.0 src-address=192.168.178.0
add action=masquerade chain=srcnat comment=NAT out-interface=pppoe-out1
add action=dst-nat chain=dstnat comment="HTTP main server" \
    dst-address-list=public_ip dst-port=80,443 protocol=tcp to-addresses=\
    192.168.178.85 to-ports=80
add action=dst-nat chain=dstnat comment="HTTPS main server" \
    dst-address-list=public_ip dst-port=443 protocol=tcp to-addresses=\
    192.168.178.85 to-ports=443
add action=dst-nat chain=dstnat comment="Wireguard main server" \
    dst-address-list=public_ip dst-port=51820 protocol=udp to-addresses=\
    192.168.178.85 to-ports=51820
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.178.1 routing-table=\
    main suppress-hw-offload=no
add disabled=no dst-address=172.30.0.0/24 gateway=192.168.178.85 \
    routing-table=main suppress-hw-offload=no
add disabled=no dst-address=192.168.179.0/24 gateway=192.168.178.85 \
    routing-table=main suppress-hw-offload=no
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=homerack-05-router
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes use-local-clock=yes
/system ntp client servers
add address=2.europe.pool.ntp.org
add address=0.europe.pool.ntp.org
add address=1.europe.pool.ntp.org
add address=3.europe.pool.ntp.org
/system script
add dont-require-permissions=no name=dhcp-lease-script-family owner=admin \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="<<REMOVED>>"
/tool mac-server
set allowed-interface-list=listBridge
/tool mac-server mac-winbox
set allowed-interface-list=listBridge
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Hairpin NAT not working from local network

Sat Apr 08, 2023 11:42 pm

Change this firewall rule
add action=drop chain=forward comment=\
"Drop incoming packets that are not NAT'ted" connection-nat-state=!dstnat \
connection-state=new in-interface=pppoe-out1 log=yes log-prefix=!NAT


To:
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=accept chain=forward in-interface-list=listBridge out-interface=pppoe-out1


Be sure at the very bottom last rule put,
add action=drop chain=forward comment="drop all else"
 
matrixfueller
just joined
Topic Author
Posts: 10
Joined: Mon Mar 20, 2023 8:08 pm

Re: Hairpin NAT not working from local network

Sun Apr 09, 2023 12:00 am

It is late here in Europe, but I believe I applied this as you requested; I am still not able to call services hosted on the target server from the internal network. The attached config is after applying your suggestion.

I am deeply sorry that I lack the understanding to debug this. My - arguably little - experience tells me to test in the following order:

- ping IP
- ping DNS
- traceroute
- ip r get

After that, I am letting a ping run forever and look at the counters of my firewall. If possible I would love to get a bit more knowledgeable about debugging problems like this myself. Any more tips on how to do that?
# apr/08/2023 22:54:09 by RouterOS 7.5
# software id = RHQM-G990
#
# model = CCR2004-16G-2S+
# serial number = HD408E3HNNC
/interface bridge
add name=bridge1
/interface vlan
add interface=ether1 name=vlan1 vlan-id=7
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan1 name=pppoe-out1 \
    use-peer-dns=yes user=0028346329705511387679220001@t-online.de
/interface list
add name=listBridge
/ip pool
add name=dhcp_family_pool ranges=192.168.178.20-192.168.178.200
/ip dhcp-server
add add-arp=yes address-pool=dhcp_family_pool interface=bridge1 lease-script=\
    dhcp-lease-script-family name=family_server
/port
set 0 name=serial0
set 1 name=serial1
/caps-man manager
set enabled=yes
/interface bridge port
add bridge=bridge1 interface=cap3
add bridge=bridge1 interface=cap2
add bridge=bridge1 interface=sfp-sfpplus2
add bridge=bridge1 interface=ether13
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=bridge1 list=listBridge
/ip address
add address=192.168.178.1/24 interface=bridge1 network=192.168.178.0
/ip dhcp-server network
add address=192.168.178.0/24 caps-manager=192.168.178.1 dns-server=\
    192.168.178.1 domain=home.lan gateway=192.168.178.1 netmask=24 \
    ntp-server=192.168.178.1
/ip dns
set allow-remote-requests=yes servers=192.168.178.1,8.8.8.8
/ip dns static
add address=192.168.178.1 comment="Manual: homerack-05-router" name=\
    homerack-05-router.home.lan
/ip firewall address-list
add address=192.168.178.2-192.168.178.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/24 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
add address=vpn.4seul.de list=public_ip
/ip firewall filter
add action=accept chain=input comment="default configuration" \
    connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established, Related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    log=yes log-prefix=invalid
add action=drop chain=forward comment=\
    "Drop tries to reach not public addresses from LAN" dst-address-list=\
    not_in_internet in-interface=bridge1 log=yes log-prefix=!public_from_LAN \
    out-interface=!bridge1
add action=drop chain=forward comment=\
    "Drop incoming packets that are not NAT'ted" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface=pppoe-out1 log=yes \
    log-prefix=!NAT
add action=accept chain=forward comment="Port Forwarding" \
    connection-nat-state=dstnat
add action=accept chain=forward in-interface-list=listBridge out-interface=\
    pppoe-out1
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
    protocol=icmp
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public ip" in-interface=\
    pppoe-out1 log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=\
    "Drop packets from LAN that do not have LAN IP" in-interface=bridge1 log=\
    yes log-prefix=LAN_!LAN src-address=!192.168.178.0/24
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
    protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
    protocol=icmp
add action=accept chain=icmp comment=\
    "host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
    protocol=icmp
add action=drop chain=icmp comment="deny all other types"
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment=HairpinNAT dst-address=\
    192.168.178.0 src-address=192.168.178.0
add action=masquerade chain=srcnat comment=NAT out-interface=pppoe-out1
add action=dst-nat chain=dstnat comment="HTTP main server" dst-address-list=\
    public_ip dst-port=80 protocol=tcp to-addresses=192.168.178.85 to-ports=\
    80
add action=dst-nat chain=dstnat comment="HTTPS main server" dst-address-list=\
    public_ip dst-port=443 protocol=tcp to-addresses=192.168.178.85 to-ports=\
    443
add action=dst-nat chain=dstnat comment="Wireguard main server" \
    dst-address-list=public_ip dst-port=51820 protocol=udp to-addresses=\
    192.168.178.85 to-ports=51820
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.178.1 routing-table=\
    main suppress-hw-offload=no
add disabled=no dst-address=172.30.0.0/24 gateway=192.168.178.85 \
    routing-table=main suppress-hw-offload=no
add disabled=no dst-address=192.168.179.0/24 gateway=192.168.178.85 \
    routing-table=main suppress-hw-offload=no
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=homerack-05-router
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes use-local-clock=yes
/system ntp client servers
add address=2.europe.pool.ntp.org
add address=0.europe.pool.ntp.org
add address=1.europe.pool.ntp.org
add address=3.europe.pool.ntp.org
/system script
add dont-require-permissions=no name=dhcp-lease-script-family owner=admin \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="<<REMOVED>>"
/tool mac-server
set allowed-interface-list=listBridge
/tool mac-server mac-winbox
set allowed-interface-list=listBridge
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Hairpin NAT not working from local network

Sun Apr 09, 2023 4:34 am

Here is the issue,
From:
/ip firewall nat
add action=masquerade chain=srcnat comment=HairpinNAT dst-address=\
192.168.178.0 src-address=192.168.178.0

TO:
/ip firewall nat
add action=masquerade chain=srcnat comment=HairpinNAT dst-address=\
192.168.178.0/24 src-address=192.168.178.0/24



Also, you didn't change your config to what I suggested at all in post #8???

Okay, good, I see the last rule --> drop all else, but where are the first two rules??
And you didn't remove this rule......
add action=drop chain=forward comment=\
"Drop incoming packets that are not NAT'ted" connection-nat-state=!dstnat \
connection-state=new disabled=yes in-interface=pppoe-out1 log=yes \
log-prefix=!NAT
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Hairpin NAT not working from local network

Sun Apr 09, 2023 5:10 am

As for the rest of the firewall rules........

# model = CCR2004-16G-2S+
# serial number = { removed for security }
/ip firewall address-list
add list=expected-address-from-LAN address=192.168.178.0/24
add list=expected-address-from-LAN address=0.0.0.0 comment="Current network"
add list=expected-address-from-LAN address=224.0.0.0/4 comment=Multicast
add list=expected-address-from-LAN address=255.255.255.255 comment="Local"

add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/24 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet
add address=vpn.4seul.de list=public_ip


/ip firewall raw
add action=drop chain=prerouting in-interface-list=WAN src-address-list=not_in_internet \
comment="drop non-legit src-addresses hitting WAN side"
add action=drop chain=prerouting in-interface-list=WAN dst-address-list=!public_ip \
comment="drop non-legit dst-addresses hitting WAN side"
add action=drop chain=prerouting in-interface-list=LAN src-address-list=!expected-address-from-LAN \
comment="drop non-legit traffic coming from LAN"


/ip firewall filter
add action=accept chain=input comment="default configuration" \
connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input src-address=192.168.178.0/24
add action=drop chain=input
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established, Related,Untracked" \
connection-state=established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=accept chain=forward in-interface-list=listBridge out-interface=\
pppoe-out1
add action=accept chain=forward in-interface=wireguard1 dst-address=192.168.178.0/24
add action=accept chain=forward comment="Port Forwarding" \
connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"


/ip firewall nat
add action=masquerade chain=srcnat comment=HairpinNAT dst-address=\
192.168.178.0/24 src-address=192.168.178.0/24
add action=masquerade chain=srcnat comment=NAT out-interface=pppoe-out1
add action=dst-nat chain=dstnat comment="HTTP main server" dst-address-list=\
public_ip dst-port=80 protocol=tcp to-addresses=192.168.178.85 to-ports=\
80
add action=dst-nat chain=dstnat comment="HTTPS main server" dst-address-list=\
public_ip dst-port=443 protocol=tcp to-addresses=192.168.178.85 to-ports=\
443
 
matrixfueller
just joined
Topic Author
Posts: 10
Joined: Mon Mar 20, 2023 8:08 pm

Re: Hairpin NAT not working from local network

Sun Apr 09, 2023 10:02 am

Also, you didn't change your config to what I suggested at all in post #8???

Okay, good, I see the last rule --> drop all else, but where are the first two rules??
And you didn't remove this rule......
add action=drop chain=forward comment=\
"Drop incoming packets that are not NAT'ted" connection-nat-state=!dstnat \
connection-state=new disabled=yes in-interface=pppoe-out1 log=yes \
log-prefix=!NAT
You should be able to see the rule directly under the disabled rule. I double-checked with my posted config and I am sure that I added them. I was able to spot them immediately.

Edit: After switching the Hairpin NAT Rule the sites showed up in the local network as desired.
 
matrixfueller
just joined
Topic Author
Posts: 10
Joined: Mon Mar 20, 2023 8:08 pm

Re: Hairpin NAT not working from local network

Sun Apr 09, 2023 10:06 am

As for the rest of the firewall rules........
Thanks for the help on this side. If I may repeat my question: How would I have been able to debug and find these issues myself? You (and other well-known forum members) provide excellent help with fixing rules but I would rather enable myself to not be dependent on wizards like you.

For example, at the moment my network has no IPv6 enablement and this is something I would like to change in the mid-term. However, the resources there seem a lot more sparse than with IPv4. Unless I am not able to use Google properly again...
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Hairpin NAT not working from local network

Sun Apr 09, 2023 1:40 pm

Well, in this case it was easy to spot an incorrectly formatted rule. The subnet was not identified, and it was on the key rule for hairpin NAT to work!
As to other items, well, the advice is to clean up the router and not have old stuff hanging around if not required; it is easier to troubleshoot issues!!!
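An added example, not code from this thread or from MikroTik, that answers the "how would I have found this myself" question above by walking one LAN client's packet through the three NAT rule sets the thread went through, using the two RouterOS match semantics anav's earlier post and this one rely on: `in-interface` on a dstnat rule only ever sees the WAN side, and an address written without a mask matches exactly one host. It assumes a public IP of 203.0.113.10 (a TEST-NET-3 stand-in for the DNS name in the thread), a client at 192.168.178.50, only the matchers these particular rules use, and a routing model of "destination inside 192.168.178.0/24 leaves on bridge1, anything else on pppoe-out1".

```python
"""Walk one LAN->public-IP packet through RouterOS NAT rules to show why the
thread's first two rule sets fail hairpin NAT and the third works."""
import ipaddress
import shlex

# Constructed stand-ins (the thread resolves its public IP from a DNS name):
# a TEST-NET-3 address plays the public IP; LAN, server and interface names
# are the thread's own.
LISTS = {"public_ip": ["203.0.113.10"]}
LAN = ipaddress.ip_network("192.168.178.0/24")
LAN_IF, WAN_IF = "bridge1", "pppoe-out1"

# Trimmed to tcp/443 from the thread's posts: original, first fix, final.
ORIGINAL = r"""
/ip firewall nat
add action=masquerade chain=srcnat comment=HairpinNAT disabled=yes \
    dst-address=192.168.178.85 out-interface=pppoe-out1 src-address=\
    192.168.178.0/24
add action=masquerade chain=srcnat comment=NAT out-interface=pppoe-out1
add action=dst-nat chain=dstnat comment=web dst-port=443 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=192.168.178.85 to-ports=443
"""
FIRST_FIX = r"""
/ip firewall nat
add action=masquerade chain=srcnat comment=HairpinNAT dst-address=\
    192.168.178.0 src-address=192.168.178.0
add action=masquerade chain=srcnat comment=NAT out-interface=pppoe-out1
add action=dst-nat chain=dstnat comment=web dst-address-list=public_ip \
    dst-port=80,443 protocol=tcp to-addresses=192.168.178.85
"""
FINAL = FIRST_FIX.replace("192.168.178.0 src-address=192.168.178.0",
                          "192.168.178.0/24 src-address=192.168.178.0/24")


def parse_rules(export):
    """Parse the 'add ...' lines of a '/ip firewall nat' export into dicts,
    joining backslash continuations and skipping disabled rules."""
    rules, buf = [], ""
    for raw in export.splitlines():
        line = raw.strip()
        if not line or line[0] in "/#":
            continue
        if line.endswith("\\"):          # continuation joins with no space
            buf += line[:-1]
            continue
        tokens, buf = shlex.split(buf + line), ""
        if tokens and tokens[0] == "add":
            rule = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            if rule.get("disabled") != "yes":
                rules.append(rule)
    return rules


def addr_match(spec, ip):
    """RouterOS address matcher: '!' negates, and a bare host (no /mask)
    matches only that one host, which is the trap in the thread."""
    if spec is None:
        return True
    neg = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != neg


def rule_matches(rule, pkt):
    """Subset of RouterOS matchers used by the thread's NAT rules."""
    for key, field in (("protocol", "proto"), ("in-interface", "in"),
                       ("out-interface", "out")):
        if key in rule and rule[key] != pkt[field]:
            return False
    if "dst-port" in rule and str(pkt["dport"]) not in rule["dst-port"].split(","):
        return False
    if "dst-address-list" in rule and not any(
            addr_match(a, pkt["dst"]) for a in LISTS[rule["dst-address-list"]]):
        return False
    return (addr_match(rule.get("src-address"), pkt["src"])
            and addr_match(rule.get("dst-address"), pkt["dst"]))


def simulate_hairpin(export, client="192.168.178.50", dport=443):
    """Which NAT rule handles each stage when a LAN client opens tcp/dport to
    the public IP, and whether the hairpin works end to end."""
    rules = parse_rules(export)
    pkt = {"src": client, "dst": LISTS["public_ip"][0], "in": LAN_IF,
           "out": None, "proto": "tcp", "dport": dport}
    # dstnat runs in prerouting, before routing: out-interface is not known yet
    dst = next((r for r in rules if r["chain"] == "dstnat" and rule_matches(r, pkt)), None)
    if dst is None:   # packet is routed out to the WAN and never reaches the server
        return {"dstnat": None, "srcnat": None, "verdict": "NO_DSTNAT"}
    pkt["dst"] = dst["to-addresses"]
    # routing: the server is on the LAN bridge, so the packet goes back out on it
    pkt["out"] = LAN_IF if ipaddress.ip_address(pkt["dst"]) in LAN else WAN_IF
    # srcnat runs in postrouting; with no masquerade the server answers the client
    # directly from 192.168.178.85 and the client drops that unexpected reply
    src = next((r for r in rules if r["chain"] == "srcnat" and rule_matches(r, pkt)), None)
    return {"dstnat": dst.get("comment"), "srcnat": src.get("comment") if src else None,
            "verdict": "OK" if src else "ASYMMETRIC"}
```

Calling `simulate_hairpin` on the three rule sets in order reproduces the thread: `NO_DSTNAT` for the original rules, because `in-interface=pppoe-out1` never matches a packet that arrived on bridge1; `ASYMMETRIC` for the first fix, because `192.168.178.0` without a mask is the single host 192.168.178.0, so nothing masquerades and the server would reply to the client straight from 192.168.178.85, which the client's TCP stack rejects as a SYN-ACK from an address it never contacted; and `OK` once both addresses carry `/24`. Feeding the output of `/ip firewall nat export` into `parse_rules` and checking every `src-address`/`dst-address` for a missing mask is a faster check than watching rule counters.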
 
matrixfueller
just joined
Topic Author
Posts: 10
Joined: Mon Mar 20, 2023 8:08 pm

Re: Hairpin NAT not working from local network

Sun Apr 09, 2023 3:26 pm

Thanks for the tips. Router is working as expected and further work will be prepared a lot more thoroughly. I learnt a lot yesterday... Topic can again be seen as solved.
