twinge
just joined
Topic Author
Posts: 2
Joined: Tue Oct 06, 2015 8:49 pm

Unable to get Hairpin NAT to work

Tue Oct 06, 2015 9:35 pm

Hello Everyone,

After receiving my first RouterOS board last week I was able to set it up rather quickly. Most of the setup was pretty much the same as setting up iptables but with a nice GUI. After setup I replaced my router running Tomato (Shibby v130) with my new hEX and everything appeared to be working correctly. I patted myself on the back, prematurely apparently.

I noticed shortly afterward that if I tried to connect to a service being offered on my WAN IP address from a LAN IP address it would fail. NAT loopback/hairpinning was not working. It has now been 6 frustrating evenings and I figured I would try posting here before returning my device. There are many threads on these forums as well as some unofficial forums and blogs that deal with enabling hairpinning but I have been unable to get any of these suggestions to work. Naturally I tried the initial MikroTik wiki entry explaining how to enable hairpinning but when it would not work I tried suggestions from literally about 25-30 threads and still have experienced no luck.

My configuration is pretty simple:
Port 1> WAN via PPPoE which assigns me a public IP address
Port 2-5> Bridged together to connect my LAN devices (bridge1).
LAN is 192.168.121.0/24 with the MikroTik set to 192.168.121.1
DHCP enabled, scope is 192.168.121.100-192.168.121.199
I have one unusual NAT masquerade to allow me to get to my VDSL modem, assigned IP 10.10.10.10, on ether1 to track my DSL line states.
# oct/06/2015 14:10:57 by RouterOS 6.32.2
# software id = XXXX-XXXX (edited because I do not know if this is unique and should stay private)
#
/ip firewall filter
add chain=input comment="Allow Established" connection-state=established
add chain=forward comment="Allow Established" connection-state=established
add chain=input comment="Allow Related" connection-state=related
add chain=forward comment="Allow Related" connection-state=related
add chain=input comment="Allow Internal" in-interface=bridge1
add chain=forward comment="Allow Internal" in-interface=bridge1
add chain=input comment="Allow ICMP" protocol=icmp
add chain=forward comment="Allow DSTNAT packets" connection-nat-state=dstnat
add action=drop chain=input comment="Drop Invalid" connection-state=invalid log=yes log-prefix=DROPINVALID
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid
add action=drop chain=input comment="Drop All" log=yes log-prefix=DROPFROMWAN
add action=drop chain=forward comment="Drop All"


# oct/06/2015 14:12:36 by RouterOS 6.32.2
# software id = XXXX-XXXX (edited because I do not know if this is unique and should stay private)
#
/ip firewall nat
add action=masquerade chain=srcnat comment="Default NAT - Do Not Disable" out-interface=pppoe-out1
add action=masquerade chain=srcnat comment="DSL Modem Access" dst-address=10.10.10.0/24 out-interface=ether1
add action=dst-nat chain=dstnat comment="Notebook RDP" dst-port=33389 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.121.99 to-ports=3389
add action=dst-nat chain=dstnat comment="Backup SSH" dst-port=2223 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.121.23
add action=dst-nat chain=dstnat comment="Killing Floor 1" dst-port=7707-7907,28852-30852,20560-20760 in-interface=pppoe-out1 protocol=udp to-addresses=192.168.121.25
add action=dst-nat chain=dstnat comment="Killing Floor 2" dst-port=8777-8876,21560-21659,28015-28114 in-interface=pppoe-out1 protocol=udp to-addresses=192.168.121.26
add action=dst-nat chain=dstnat comment=Rust dst-port=38015 in-interface=pppoe-out1 protocol=udp to-addresses=192.168.121.27
None of the hairpinning rules are in the above dump as I had about 50-60 of them and as each did not work I would disable them. I removed them prior to making this dump as it was getting to be a mess.

Ideally I would like one rule or set of rules that will hairpin anything that hits my WAN IP from a LAN IP without the need to have to make individual rules for each service. Because it is easy to test I have been trying to get the "Backup SSH" to hairpin. Initially that rule accepted on port 2223 on my WAN IP and the dstnat rule port forwarded it to port 22 on 192.168.121.23 but in case that was causing issues I made the server listen on 2223 and forwarded it without changing the port.

Given the number of configurations I have tried I am guessing either there is something wrong with my base config or hairpinning is broken in some way. I know it was broken when using bridged LAN ports but that was supposed to be fixed according to the changelogs, has there been a regression? Anyway - I can post the various NAT rules I have tried but for the time being have left them out.

If anyone has any rules they think may work I'd love to try them. As stated before, not having to mirror my port forwarding rules with hairpinning rules would be nice if that is possible. If there is any information I have not included that may be helpful please let me know so I can post it. Thank you all,

David

P.S. Using separate internal DNS records is not an option. The Killing Floor 2 server doesn't use DNS and doesn't allow one to manually specify an IP so I have no choice but to use hairpinning.
 
twinge
just joined
Topic Author
Posts: 2
Joined: Tue Oct 06, 2015 8:49 pm

Re: Unable to get Hairpin NAT to work

Thu Oct 08, 2015 8:46 pm

Managed to fix this myself while waiting the few days it took to get the above post approved by a moderator. I just spent about 20 minutes typing an explanation of how I fixed it, what I did wrong and why I was able to fix it. I figured it would be of help to anyone else who runs into the same issue in the future. Unfortunately when I hit the "Submit" button the forum software sent me to a page asking for my login credentials and then, after entering my login and password, brought me back to a blank post. I don't feel up to typing everything out again from scratch so unfortunately anyone experiencing the same issue will probably have to look elsewhere.

Since it is quick and easy I will post my new NAT table below. The filter table did not change. I couldn't get a rule to work that will automatically hairpin all LAN ports that have forwarding rules, so a separate entry is required.
# oct/08/2015 13:21:57 by RouterOS 6.32.2
# software id = XXXX-XXXX
#
/ip firewall nat
add action=masquerade chain=srcnat comment="Default NAT Masquerade" out-interface=pppoe-out1
add action=masquerade chain=srcnat comment="Hairpinning NAT Masquerade" src-address=192.168.121.0/24
add action=masquerade chain=srcnat comment="DSL Modem Access" dst-address=10.10.10.0/24 out-interface=ether1
add action=dst-nat chain=dstnat comment="Notebook RDP" dst-port=33389 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.121.99 to-ports=3389
add action=dst-nat chain=dstnat comment="Notebook RDP Hairpin" dst-address=!192.168.121.0/24 dst-address-type=local dst-port=33389 protocol=tcp to-addresses=192.168.121.99 to-ports=3389
add action=dst-nat chain=dstnat comment="Backup SSH" dst-port=2223 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.121.23 to-ports=22
add action=dst-nat chain=dstnat comment="Backup SSH Hairpin" dst-address=!192.168.121.0/24 dst-address-type=local dst-port=2223 protocol=tcp to-addresses=192.168.121.23 to-ports=22
add action=dst-nat chain=dstnat comment="Killing Floor 1" dst-port=7707-7907,28852-30852,20560-20760 in-interface=pppoe-out1 protocol=udp to-addresses=192.168.121.25
add action=dst-nat chain=dstnat comment="Killing Floor 1 Hairpin" dst-address=!192.168.121.0/24 dst-address-type=local dst-port=7707-7907,28852-30852,20560-20760 protocol=udp to-addresses=192.168.121.25
add action=dst-nat chain=dstnat comment="Killing Floor 2" dst-port=8777-8876,21560-21659,28015-28114 in-interface=pppoe-out1 protocol=udp to-addresses=192.168.121.26
add action=dst-nat chain=dstnat comment="Killing Floor 2 Hairpin" dst-address=!192.168.121.0/24 dst-address-type=local dst-port=8777-8876,21560-21659,28015-28114 protocol=udp to-addresses=192.168.121.26
add action=dst-nat chain=dstnat comment=Rust dst-port=38015 in-interface=pppoe-out1 protocol=udp to-addresses=192.168.121.27
add action=dst-nat chain=dstnat comment="Rust Hairpin" dst-address=!192.168.121.0/24 dst-address-type=local dst-port=38015 protocol=udp to-addresses=192.168.121.27
Best regards,
David
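Editor's note, added to the thread and not part of David's post or of MikroTik's own documentation: the working table above keeps two dstnat rules per service (a WAN rule matched on in-interface=pppoe-out1 and a Hairpin twin matched on dst-address-type=local). The fragment below shows the same services with one dstnat rule each, because dst-address-type=local already matches the PPPoE address whichever interface the packet arrived on, and the hairpin masquerade scoped to LAN-to-LAN traffic leaving via bridge1 rather than to everything sourced from the LAN. The addresses, interface names and ports are taken from the thread; the address-list name "lan" and the rule comments are the editor's choice.

```routeros
# Added example (editor's, not from the thread): hairpin NAT with one
# dstnat rule per published service.
# Assumes from the thread: LAN 192.168.121.0/24 on bridge1, WAN on pppoe-out1
# (dynamic public address), services on 192.168.121.23 and 192.168.121.99.
# The list name "lan" is an assumption, not from the original config.
/ip firewall address-list
add list=lan address=192.168.121.0/24 comment="LAN subnet"

/ip firewall nat
# Normal outbound NAT for the WAN side.
add chain=srcnat action=masquerade out-interface=pppoe-out1 comment="Default NAT"

# Hairpin masquerade. Only LAN->LAN traffic that the router sends back out
# through bridge1 is rewritten to the router's LAN address, so the server
# answers via the router (where the dst-nat state lives) instead of replying
# straight to the client with a source address the client never talked to.
add chain=srcnat action=masquerade src-address-list=lan dst-address-list=lan \
    out-interface=bridge1 comment="Hairpin masquerade"

# One dstnat rule per service, no in-interface match.
# dst-address-type=local matches any address the router itself owns (so it
# follows the PPPoE address when it changes); dst-address-list=!lan keeps the
# router's own LAN address 192.168.121.1 out of the match, so management
# connections to the router on these ports are not redirected.
add chain=dstnat action=dst-nat dst-address-type=local dst-address-list=!lan \
    protocol=tcp dst-port=2223 to-addresses=192.168.121.23 to-ports=22 \
    comment="Backup SSH (WAN and hairpin)"
add chain=dstnat action=dst-nat dst-address-type=local dst-address-list=!lan \
    protocol=tcp dst-port=33389 to-addresses=192.168.121.99 to-ports=3389 \
    comment="Notebook RDP (WAN and hairpin)"
```

Two things to check before relying on this. First, dst-address-type=local matches every address the router holds, including any address on ether1 used to reach the VDSL modem; if that side should never be redirected, add that address to the excluded list as well. Second, because the hairpin masquerade rewrites the client's source address, the internal server's logs will show the router's LAN address for hairpinned connections rather than the real client; that is inherent to hairpin NAT and is the reason split DNS is normally preferred where the application allows it, which the original post explains is not the case for the Killing Floor 2 server.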
