After receiving my first RouterOS board last week I was able to set it up rather quickly. Most of the setup was pretty much the same as setting up iptables but with a nice GUI. After setup I replaced my router running Tomato (Shibby v130) with my new hEX and everything appeared to be working correctly. I patted myself on the back, prematurely apparently.
I noticed shortly afterward that if I tried to connect to a service being offered on my WAN IP address from a LAN IP address it would fail. NAT loopback/hairpinning was not working. It has now been 6 frustrating evenings and I figured I would try posting here before returning my device. There are many threads on these forums as well as some unofficial forums and blogs that deal with enabling hairpinning but I have been unable to get any of these suggestions to work. Naturally I tried the initial MikroTik wiki entry explaining how to enable hairpinning but when it would not work I tried suggestions from literally about 25-30 threads and still have experienced no luck.
My configuration is pretty simple:
Port 1> WAN via PPPoE which assigns me a public IP address
Port 2-5> Bridged together to connect my LAN devices (bridge1).
LAN is 192.168.121.0/24 with the MikroTik set to 192.168.121.1
DHCP enabled, scope is 192.168.121.100-192.168.121.199
I have one unusual NAT masquerade to allow me to get to my VDSL modem, assigned IP 10.10.10.10, on ether1 to track my DSL line states.
None of the hairpinning rules are in the above dump as I had about 50-60 of them and as each did not work I would disable them. I removed them prior to making this dump as it was getting to be a mess.
```
# oct/06/2015 14:10:57 by RouterOS 6.32.2
# software id = XXXX-XXXX (edited because I do not know if this is unique and should stay private)
#
/ip firewall filter
add chain=input comment="Allow Established" connection-state=established
add chain=forward comment="Allow Established" connection-state=established
add chain=input comment="Allow Related" connection-state=related
add chain=forward comment="Allow Related" connection-state=related
add chain=input comment="Allow Internal" in-interface=bridge1
add chain=forward comment="Allow Internal" in-interface=bridge1
add chain=input comment="Allow ICMP" protocol=icmp
add chain=forward comment="Allow DSTNAT packets" connection-nat-state=dstnat
add action=drop chain=input comment="Drop Invalid" connection-state=invalid log=yes log-prefix=DROPINVALID
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid
add action=drop chain=input comment="Drop All" log=yes log-prefix=DROPFROMWAN
add action=drop chain=forward comment="Drop All"

# oct/06/2015 14:12:36 by RouterOS 6.32.2
# software id = XXXX-XXXX (edited because I do not know if this is unique and should stay private)
#
/ip firewall nat
add action=masquerade chain=srcnat comment="Default NAT - Do Not Disable" out-interface=pppoe-out1
add action=masquerade chain=srcnat comment="DSL Modem Access" dst-address=10.10.10.0/24 out-interface=ether1
add action=dst-nat chain=dstnat comment="Notebook RDP" dst-port=33389 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.121.99 to-ports=3389
add action=dst-nat chain=dstnat comment="Backup SSH" dst-port=2223 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.121.23
add action=dst-nat chain=dstnat comment="Killing Floor 1" dst-port=7707-7907,28852-30852,20560-20760 in-interface=pppoe-out1 protocol=udp to-addresses=192.168.121.25
add action=dst-nat chain=dstnat comment="Killing Floor 2" dst-port=8777-8876,21560-21659,28015-28114 in-interface=pppoe-out1 protocol=udp to-addresses=192.168.121.26
add action=dst-nat chain=dstnat comment=Rust dst-port=38015 in-interface=pppoe-out1 protocol=udp to-addresses=192.168.121.27
```
Ideally I would like one rule or set of rules that will hairpin anything that hits my WAN IP from a LAN IP without the need to have to make individual rules for each service. Because it is easy to test I have been trying to get the "Backup SSH" to hairpin. Initially that rule accepted on port 2223 on my WAN IP and the dstnat rule port forwarded it to port 22 on 192.168.121.23 but in case that was causing issues I made the server listen on 2223 and forwarded it without changing the port.
Given the number of configurations I have tried I am guessing either there is something wrong with my base config or hairpinning is broken in some way. I know it was broken when using bridged LAN ports but that was supposed to be fixed according to the changelogs; has there been a regression? Anyway - I can post the various NAT rules I have tried but for the time being have left them out.
If anyone has any rules they think may work I'd love to try them. As stated before, not having to mirror my port forwarding rules with hairpinning rules would be nice if that is possible. If there is any information I have not included that may be helpful please let me know so I can post it. Thank you all,
P.S. Using separate internal DNS records is not an option. The Killing Floor 2 server doesn't use DNS and doesn't allow one to manually specify an IP so I have no choice but to use hairpinning.
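The following is an added example, not part of the original post or of any reply, showing the generic hairpin arrangement for the address plan in the dump above (192.168.121.0/24 on bridge1, PPPoE on pppoe-out1). It assumes the posted dump is the live configuration, that the PPPoE address is dynamic, and that the bridge is not set to use-ip-firewall (the default); the `dst-address-type=local` matcher and `/ip firewall nat` syntax are RouterOS's own, while the rule ordering and the decision to drop the `in-interface=pppoe-out1` match from the port forwards are choices made here for the example.

```routeros
# Added example (not from the original post): hairpin NAT for 192.168.121.0/24
# behind a PPPoE WAN with a dynamic public address, RouterOS 6.x syntax.
/ip firewall nat

# 1. Outbound masquerade, unchanged from the posted config.
add action=masquerade chain=srcnat comment="Default NAT - Do Not Disable" out-interface=pppoe-out1

# 2. One generic hairpin rule that serves every forwarded service.
#    A LAN client that hits a forwarded port on the WAN IP has its packet
#    dst-natted to a LAN server. Without this rule the server sees the
#    client's real 192.168.121.x source and replies to it directly over the
#    bridge, bypassing the router that holds the NAT state, so the client
#    gets a reply from an address it never talked to and drops it. Masquerading
#    LAN->LAN traffic leaving on bridge1 forces the reply back through the router.
#    Ordinary LAN-to-LAN traffic is switched inside bridge1 and never enters
#    this chain, so only hairpinned (routed) flows are affected.
add action=masquerade chain=srcnat comment="Hairpin NAT" src-address=192.168.121.0/24 dst-address=192.168.121.0/24 out-interface=bridge1

# 3. Port forwards match "addressed to one of my own IPs" instead of
#    in-interface=pppoe-out1. The interface match is what blocks the LAN
#    client: its packet enters on bridge1, so a rule keyed on pppoe-out1 never
#    fires, the packet is never dst-natted, and it lands in the router's own
#    input chain. dst-address-type=local also tracks the dynamic PPPoE address
#    without hard-coding it. The posted "Allow DSTNAT packets" forward rule
#    (connection-nat-state=dstnat) already accepts the resulting flow.
add action=dst-nat chain=dstnat comment="Backup SSH" dst-address-type=local dst-port=2223 protocol=tcp to-addresses=192.168.121.23
```

The remaining forwards (RDP, the Killing Floor and Rust ranges) would get the same treatment: replace `in-interface=pppoe-out1` with `dst-address-type=local` and leave everything else alone; the single "Hairpin NAT" srcnat rule does not need to be mirrored per service. Two caveats worth knowing before relying on it: `dst-address-type=local` matches every address the router itself owns, so a LAN client connecting to 192.168.121.1:2223 is forwarded to the backup host as well, and the hairpin masquerade hides the client's real address from the server's logs (every hairpinned connection appears to come from 192.168.121.1). After a test connection, `/ip firewall connection print` should show the flow with the 192.168.121.23:2223 reply address, which confirms the dst-nat rule fired.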