Community discussions

 
kd7vea
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 69
Joined: Fri Dec 08, 2017 7:52 pm

My NAT/Hairpin is not working

Sat Sep 15, 2018 9:30 pm

I just got a new RB3011 to replace my old X86 based router OS system. I am trying to get everything up and running, but haven't been able to get my webserver port forward working. I assume the issue Isn't actually with the NAT rules, but maybe the Firewall settings? can anyone spot my issue? If you look at about 20 lines up from the bottom, you will see one issue that I cant find in the config
 sep/15/2018 12:27:20 by RouterOS 6.43
# software id = TNH7-3XDV
#
# model = RouterBOARD 3011UiAS
# serial number = 8EED09FB0E18
/interface bridge
add admin-mac=B8:69:F4:0A:F2:DB auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] arp=proxy-arp speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name="Home dhcp" ranges=192.168.1.100-192.168.1.200
/ip dhcp-server
add address-pool="Home dhcp" disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set authentication=mschap2 enabled=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface sstp-server server
set authentication=mschap2 certificate=CA enabled=yes
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 network=192.168.1.0
add address=160.7.249.40/24 interface=ether1 network=160.7.249.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server lease
add address=192.168.1.11 client-id="West Mountain Link to Home" mac-address=78:8A:20:32:2D:D9
add address=192.168.1.10 client-id="Home Link to west mountain" mac-address=78:8A:20:32:29:09
add address=192.168.1.2 always-broadcast=yes client-id="Main ProCurve Switch" mac-address=00:1F:FE:9D:A8:80
add address=192.168.1.3 client-id="UTMesh Web Server" mac-address=00:15:17:28:16:7B
add address=192.168.1.4 client-id="Programming PI" mac-address=B8:27:EB:DD:57:E9
add address=192.168.1.7 client-id="Plex Media Server" mac-address=D4:C9:EF:EE:F0:72
add address=192.168.1.12 client-id="Jakes Ipad" mac-address=A0:4E:A7:C6:9E:11 server=defconf
add address=192.168.1.6 mac-address=00:1B:21:96:5C:E1
add address=192.168.1.5 client-id=1:b8:27:eb:b5:46:52 mac-address=B8:27:EB:B5:46:52 server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=160.7.240.20,160.7.240.4
/ip dns static
add address=192.168.2.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input dst-address=160.7.249.40 dst-port=80 protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related
add action=accept chain=input dst-address=160.7.249.40 dst-port=443 protocol=tcp
add action=accept chain=input dst-address=160.7.249.40 dst-port=80 protocol=tcp src-address=67.199.160.0/24
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input dst-address=160.7.249.40 dst-port=80 protocol=tcp src-address=160.7.240.0/24
add action=accept chain=input comment="Mikrotik Web interface" dst-address=160.7.249.40 dst-port=88 protocol=tcp
add action=accept chain=input comment="Accept rule for Mesh Map" dst-address=160.7.249.40 dst-port=82 protocol=tcp
add action=accept chain=input dst-address=192.168.1.1 protocol=icmp src-address=67.199.160.146
add action=drop chain=input comment="Drop all from WAN" in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-nat-state=dstnat connection-state=established,related in-interface=ether1
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid
add action=drop chain=forward comment="Drop all from Wa\\AN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=160.7.249.40 dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.1.3
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
[size=150][b][u]!!!!!!!!!add action=masquerade chain=srcnat dst-address=192.168.1.3 dst-port=80 out-interface=bridge protocol=tcp src-address=192.168.1.0/24 to-addresses=92.168.1.3[/u][/b][/size]  THIS IS ONE THING THAT i NOTICED, THE TO-ADDRESS IS MISSING THE FIRST 1 ON 192.168.1.3, BUT IT IS THERE IN THE ROUTER CONFIG!!!!!!!!!
/ip route
add distance=1 gateway=160.7.249.1
/ip service
set www port=88
/lcd
set backlight-timeout=never default-screen=stats
/ppp secret
add local-address=192.168.1.1 name=kd7vea remote-address=192.168.1.201 service=sstp
add local-address=160.7.249.40 name=k7msh remote-address=67.199.160.146 routes="192.168.10.0/24 67.199.160.146 1" service=l2tp
/system clock
set time-zone-name=America/Denver
/system identity
set name="MikroTik RB3011"
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik RB3011] >
Last edited by kd7vea on Sun Sep 16, 2018 2:07 am, edited 1 time in total.
 
kd7vea
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 69
Joined: Fri Dec 08, 2017 7:52 pm

Re: My NAT/Hairpin is not working

Sat Sep 15, 2018 11:56 pm

so, the webfig showed all of the nat setting correctly where the teminal export showed the 1 missing from the webserver at 192.168.1.3, so I deleted the nat rule and went back to the terminal and set up the Nat again. and now it shows correct, but I still cant access the Webserver from the Wan side. the server IP is 192.168.1.3. any help would be greatly appreciated. here is the new export.
# sep/15/2018 14:52:38 by RouterOS 6.43
# software id = TNH7-3XDV
#
# model = RouterBOARD 3011UiAS
# serial number = 8EED09FB0E18
/interface bridge
add admin-mac=B8:69:F4:0A:F2:DB auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] arp=proxy-arp speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name="Home dhcp" ranges=192.168.1.100-192.168.1.200
/ip dhcp-server
add address-pool="Home dhcp" disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set authentication=mschap2 enabled=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface sstp-server server
set authentication=mschap2 certificate=CA enabled=yes
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 network=192.168.1.0
add address=160.7.249.40/24 interface=ether1 network=160.7.249.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server lease
add address=192.168.1.11 client-id="West Mountain Link to Home" mac-address=78:8A:20:32:2D:D9
add address=192.168.1.10 client-id="Home Link to west mountain" mac-address=78:8A:20:32:29:09
add address=192.168.1.2 always-broadcast=yes client-id="Main ProCurve Switch" mac-address=00:1F:FE:9D:A8:80
add address=192.168.1.3 client-id="UTMesh Web Server" mac-address=00:15:17:28:16:7B
add address=192.168.1.4 client-id="Programming PI" mac-address=B8:27:EB:DD:57:E9
add address=192.168.1.7 client-id="Plex Media Server" mac-address=D4:C9:EF:EE:F0:72
add address=192.168.1.12 client-id="Jakes Ipad" mac-address=A0:4E:A7:C6:9E:11 server=defconf
add address=192.168.1.6 mac-address=00:1B:21:96:5C:E1
add address=192.168.1.5 client-id=1:b8:27:eb:b5:46:52 mac-address=B8:27:EB:B5:46:52 server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=160.7.240.20,160.7.240.4
/ip dns static
add address=192.168.2.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input dst-address=160.7.249.40 dst-port=80 protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related
add action=accept chain=input dst-address=160.7.249.40 dst-port=443 protocol=tcp
add action=accept chain=input dst-address=160.7.249.40 dst-port=80 protocol=tcp src-address=67.199.160.0/24
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input dst-address=160.7.249.40 dst-port=80 protocol=tcp src-address=160.7.240.0/24
add action=accept chain=input comment="Mikrotik Web interface" dst-address=160.7.249.40 dst-port=88 protocol=tcp
add action=accept chain=input comment="Accept rule for Mesh Map" dst-address=160.7.249.40 dst-port=82 protocol=tcp
add action=accept chain=input dst-address=192.168.1.1 protocol=icmp src-address=67.199.160.146
add action=drop chain=input comment="Drop all from WAN" in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-nat-state=dstnat connection-state=established,related in-interface=ether1
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid
add action=drop chain=forward comment="Drop all from Wa\\AN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
add action=masquerade chain=srcnat dst-address=192.168.1.3 dst-port=80 out-interface=bridge protocol=tcp src-address=192.168.1.0/24
add action=dst-nat chain=dstnat dst-address=160.7.249.40 dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.1.3
/ip route
add distance=1 gateway=160.7.249.1
/ip service
set www port=88
/lcd
set backlight-timeout=never default-screen=stats
/ppp secret
add local-address=192.168.1.1 name=kd7vea remote-address=192.168.1.201 service=sstp
/system clock
set time-zone-name=America/Denver
/system identity
set name="MikroTik RB3011"
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik RB3011] >
Last edited by kd7vea on Sun Sep 16, 2018 2:06 am, edited 1 time in total.
 
User avatar
CZFan
Forum Veteran
Forum Veteran
Posts: 966
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa
Contact:

Re: My NAT/Hairpin is not working

Sun Sep 16, 2018 1:47 am

Please edit your posts and place the config between code tags, i.e.
ggggg
MTCNA, MTCTCE, MTCRE & MTCINE
 
kd7vea
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 69
Joined: Fri Dec 08, 2017 7:52 pm

Re: My NAT/Hairpin is not working

Sun Sep 16, 2018 2:16 am

Sorry about that, I edited the code. I followed the NAT/Hairpin Wiki instructions, and I have had this working on my old X86 based router OS system, so I'm lost on why I cant get this working.
 
User avatar
CZFan
Forum Veteran
Forum Veteran
Posts: 966
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa
Contact:

Re: My NAT/Hairpin is not working

Sun Sep 16, 2018 5:59 pm

The traffic to 160.7.249.40 port 80 will get to the router and stop there cause of your 2nd firewall filter rule, i.e. add action=accept chain=input dst-address=160.7.249.40 dst-port=80 protocol=tcp.
I don't have full view of your network config, but you will need some firewall filter rule to allow the dst-nat's, and by changing that rules chain from input to forward chain will probably resolve that specific port forwarding issue.

Instead of accepting each dst-nat separately in firewall filter, you can add one single rule that will allow anything that is dst-natt'ed, i.e.:
"add action=accept chain=forward comment="Allow if Destination NAT Rule" connection-nat-state=dstnat in-interface-list=WAN"

Also keep in mind Rule order is important here

As far as the hairpin NAT rule goes, not sure which Wiki you followed, but there is no "to address" in the Wiki example for thge hairpin NAT rule, see link below
https://wiki.mikrotik.com/wiki/Hairpin_NAT
MTCNA, MTCTCE, MTCRE & MTCINE
 
kd7vea
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 69
Joined: Fri Dec 08, 2017 7:52 pm

Re: My NAT/Hairpin is not working

Sun Sep 16, 2018 10:17 pm

The webserver I am trying to forward is for utmesh.com. I made the changes, I have moved firewall filters around, I even temporarily turned off my Drop filters, the only difference now is that I can access the site locally on my own network with either the internal address of 192.168.1.3, and also www.utmesh.com. but if I try www.utmesh.com from outside of the network, it times out. I have no idea where to go from here but I need this site back up. is my best bet to just wipe the router and start from scratch? It will take a couple of hours to get the rest of the config set up, but if it will work, that may be what I am forced to do. here is my config for one last chance at spotting my issue.
# sep/16/2018 13:11:11 by RouterOS 6.43
# software id = TNH7-3XDV
#
# model = RouterBOARD 3011UiAS
# serial number = 8EED09FB0E18
/interface bridge
add admin-mac=B8:69:F4:0A:F2:DB auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] arp=proxy-arp speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name="Home dhcp" ranges=192.168.1.100-192.168.1.200
/ip dhcp-server
add address-pool="Home dhcp" disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set authentication=mschap2 enabled=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface sstp-server server
set authentication=mschap2 certificate=CA enabled=yes
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 network=192.168.1.0
add address=160.7.249.40/24 interface=ether1 network=160.7.249.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server lease
add address=192.168.1.11 client-id="West Mountain Link to Home" mac-address=78:8A:20:32:2D:D9
add address=192.168.1.10 client-id="Home Link to west mountain" mac-address=78:8A:20:32:29:09
add address=192.168.1.2 always-broadcast=yes client-id="Main ProCurve Switch" mac-address=00:1F:FE:9D:A8:80
add address=192.168.1.3 client-id="UTMesh Web Server" mac-address=00:15:17:28:16:7B
add address=192.168.1.4 client-id="Programming PI" mac-address=B8:27:EB:DD:57:E9
add address=192.168.1.7 client-id="Plex Media Server" mac-address=D4:C9:EF:EE:F0:72
add address=192.168.1.12 client-id="Jakes Ipad" mac-address=A0:4E:A7:C6:9E:11 server=defconf
add address=192.168.1.6 mac-address=00:1B:21:96:5C:E1
add address=192.168.1.5 client-id=1:b8:27:eb:b5:46:52 mac-address=B8:27:EB:B5:46:52 server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=160.7.240.20,160.7.240.4
/ip dns static
add address=192.168.2.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="Allow if Destination NAT Rule" connection-nat-state=dstnat in-interface-list=WAN
add action=accept chain=forward dst-address=160.7.249.40 dst-port=80 protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related
add action=accept chain=input dst-address=160.7.249.40 dst-port=443 protocol=tcp
add action=accept chain=input dst-address=160.7.249.40 dst-port=80 protocol=tcp src-address=67.199.160.0/24
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input dst-address=160.7.249.40 dst-port=80 protocol=tcp src-address=160.7.240.0/24
add action=accept chain=input comment="Mikrotik Web interface" dst-address=160.7.249.40 dst-port=88 protocol=tcp
add action=accept chain=input comment="Accept rule for Mesh Map" dst-address=160.7.249.40 dst-port=82 protocol=tcp
add action=accept chain=input dst-address=192.168.1.1 protocol=icmp src-address=67.199.160.146
add action=drop chain=input comment="Drop all from WAN" in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-nat-state=dstnat connection-state=established,related in-interface=ether1
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid
add action=drop chain=forward comment="Drop all from Wa\\AN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=160.7.249.40 dst-port=80 protocol=tcp to-addresses=192.168.1.3
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat dst-address=192.168.1.3 dst-port=80 out-interface=bridge protocol=tcp src-address=192.168.1.0/24
/ip route
add distance=1 gateway=160.7.249.1
/ip service
set www port=88
/lcd
set backlight-timeout=never default-screen=stats
/ppp secret
add local-address=192.168.1.1 name=kd7vea remote-address=192.168.1.201 service=sstp
/system clock
set time-zone-name=America/Denver
/system identity
set name="MikroTik RB3011"
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik RB3011] >  
 
Sob
Forum Guru
Forum Guru
Posts: 3437
Joined: Mon Apr 20, 2009 9:11 pm

Re: My NAT/Hairpin is not working

Sun Sep 16, 2018 10:42 pm

It should work. Dstnat rule correctly forwards port 80 from public address to 192.168.1.3. Your forward chain is a mess, but nothing blocks the forwarded port.

You can either use Tools->Torch on bridge interface to see if packets to webserver pass through router, or you can log them using:
/ip firewall mangle
add chain=postrouting dst-address=192.168.1.3 protocol=tcp dst-port=80 action=log
If they do, the problem is elsewhere. Does the server use this router (192.168.1.1) as default gateway?
 
Sob
Forum Guru
Forum Guru
Posts: 3437
Joined: Mon Apr 20, 2009 9:11 pm

Re: My NAT/Hairpin is not working

Sun Sep 16, 2018 10:57 pm

And about filter rules:
1: add action=accept chain=forward comment="Allow if Destination NAT Rule" connection-nat-state=dstnat in-interface-list=WAN
2: add action=accept chain=forward dst-address=160.7.249.40 dst-port=80 protocol=tcp
3: add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
4: add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-nat-state=dstnat connection-state=established,related in-interface=ether1
5: add action=drop chain=forward comment="Drop Invalid" connection-state=invalid
6: add action=drop chain=forward comment="Drop all from Wa\\AN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
7: <implicit action=accept; not actual visible rule>
#1 is not needed, because dstnatted connection would normally be accepted by #7
#2 is completely useless
#4 should not include connection-nat-state=dstnat or in-interface=ether1

And for input:
1: add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
2: add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related
3: add action=accept chain=input dst-address=160.7.249.40 dst-port=443 protocol=tcp
4: add action=accept chain=input dst-address=160.7.249.40 dst-port=80 protocol=tcp src-address=67.199.160.0/24
5: add action=accept chain=input dst-port=500 protocol=udp
6: add action=accept chain=input dst-address=160.7.249.40 dst-port=80 protocol=tcp src-address=160.7.240.0/24
7: add action=accept chain=input comment="Mikrotik Web interface" dst-address=160.7.249.40 dst-port=88 protocol=tcp
8: add action=accept chain=input comment="Accept rule for Mesh Map" dst-address=160.7.249.40 dst-port=82 protocol=tcp
9: add action=accept chain=input dst-address=192.168.1.1 protocol=icmp src-address=67.199.160.146
10: add action=drop chain=input comment="Drop all from WAN" in-interface=ether1
#4 and #6 are useless, because dstnat sends all connections meant for 160.7.249.40:80 to internal server, so they won't ever end up in input chain
#8 can't currently do anything useful, because I don't see any service configured on port 82
#9 is useless, because all icmp is already accepted by #1
 
kd7vea
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 69
Joined: Fri Dec 08, 2017 7:52 pm

Re: My NAT/Hairpin is not working

Mon Sep 17, 2018 12:13 am

Okay, I started fresh, I reset the router and with a clean config, I tried to get this working, but it still isn't, and the SRCNAT Masq rule count never goes up. I will post my current config and see if you can point me in the right direction.
# sep/16/2018 15:11:08 by RouterOS 6.43
# software id = TNH7-3XDV
#
# model = RouterBOARD 3011UiAS
# serial number = 8EED09FB0E18
/interface bridge
add admin-mac=B8:69:F4:0A:F2:DB auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.200-192.168.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 network=192.168.1.0
add address=160.7.249.40/8 interface=ether1 network=160.0.0.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server lease
add address=192.168.1.10 client-id="UTMesh Web Server" mac-address=00:15:17:28:16:7B server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=160.7.240.4,160.7.240.20
/ip dns static
add address=192.168.1.1 name=router.lan
/ip firewall filter
add action=accept chain=input dst-address=160.7.249.40 dst-port=88 protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=dst-nat chain=dstnat comment="UTMesh webserver Nat" dst-address=160.7.249.40 dst-port=80 protocol=tcp to-addresses=192.168.1.10 to-ports=80
add action=masquerade chain=srcnat comment="UTMesh Hair Pin" dst-address=192.168.1.10 dst-port=80 out-interface=bridge protocol=tcp src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
/ip route
add distance=1 gateway=160.7.240.1
/ip service
set www port=88
/system clock
set time-zone-name=America/Denver
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
kd7vea
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 69
Joined: Fri Dec 08, 2017 7:52 pm

Re: My NAT/Hairpin is not working

Mon Sep 17, 2018 12:22 am

Okay, I started fresh, I reset the router and with a clean config, The web server is now on 192.168.1.10. I tried to get this working, but it still isn't, and the SRCNAT Masq rule count never goes up. I will post my current config and see if you can point me in the right direction.
# sep/16/2018 15:11:08 by RouterOS 6.43
# software id = TNH7-3XDV
#
# model = RouterBOARD 3011UiAS
# serial number = 8EED09FB0E18
/interface bridge
add admin-mac=B8:69:F4:0A:F2:DB auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.200-192.168.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 network=192.168.1.0
add address=160.7.249.40/8 interface=ether1 network=160.0.0.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server lease
add address=192.168.1.10 client-id="UTMesh Web Server" mac-address=00:15:17:28:16:7B server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=160.7.240.4,160.7.240.20
/ip dns static
add address=192.168.1.1 name=router.lan
/ip firewall filter
add action=accept chain=input dst-address=160.7.249.40 dst-port=88 protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=dst-nat chain=dstnat comment="UTMesh webserver Nat" dst-address=160.7.249.40 dst-port=80 protocol=tcp to-addresses=192.168.1.10 to-ports=80
add action=masquerade chain=srcnat comment="UTMesh Hair Pin" dst-address=192.168.1.10 dst-port=80 out-interface=bridge protocol=tcp src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
/ip route
add distance=1 gateway=160.7.240.1
/ip service
set www port=88
/system clock
set time-zone-name=America/Denver
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
Sob
Forum Guru
Forum Guru
Posts: 3437
Joined: Mon Apr 20, 2009 9:11 pm

Re: My NAT/Hairpin is not working  [SOLVED]

Mon Sep 17, 2018 12:41 am

Same as before, it doesn't look like the problem is in what you're showing (*). You have correct NAT rules, no filter rules blocking connections to forwarded port, it should work.

But there's not much point going after hairpin NAT, when even regular dstnat from outside does not work (I can't connect to your website now). Did you check what I suggested before, i.e. if you see dstnatted packets passing through router, is server has this router as default gateway, and if it sends something back?

(*) I'm pretty sure that your new netmask (/8) for public IP address is not correct. You also have different default gateway than before. Interestingly, I can ping the public address now, but I was also able to ping it before, which is suspicious. But I can't connect to port 88, which according to your config should be reachable from anywhere. So to me it looks like the real public address is in fact somewhere else and when I'm trying to connect to it, I'm not connecting to this router.
 
kd7vea
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 69
Joined: Fri Dec 08, 2017 7:52 pm

Re: My NAT/Hairpin is not working

Mon Sep 17, 2018 3:10 am

You pointed out a few tings that helped with the new config. the old config, I have no idea what was causing it, and I guess I never will, but what I can say is that it is working now. You pointed out that My ISP default gateway didn't match. I know I changed it, but for some reason, when I did it in the Quickfig, it all did not take, I'm not sure why, so I checked/modified all of my WAN settings again, and now its working. Thanks for sticking with me on this one, it was really starting to drive me crazy.
 
Sob
Forum Guru
Forum Guru
Posts: 3437
Joined: Mon Apr 20, 2009 9:11 pm

Re: My NAT/Hairpin is not working

Mon Sep 17, 2018 3:18 am

Website works now from outside. But if the gateway was wrong, what was I pinging before? Wrong gateway would break all internet connectivity...
 
kd7vea
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 69
Joined: Fri Dec 08, 2017 7:52 pm

Re: My NAT/Hairpin is not working

Mon Sep 17, 2018 6:20 pm

I put in the wrong gateway. I have setup about 10 MikroTiks for The city I work for, the City network gateway is very close to the public gateway, Thats a habit thats hard to break..

Who is online

Users browsing this forum: No registered users and 14 guests