poduck
newbie
Topic Author
Posts: 33
Joined: Thu Apr 06, 2017 11:22 pm

Can't access 1:1 natted public IP from LAN

Sat Mar 28, 2020 5:02 pm

I have a device which is 1:1 NATed to a public IP address. I can access it just fine from outside my network, and I can access it just fine inside my network on its LAN IP address. I can't access that device on its public IP address from the LAN though. I assumed it would be set up like a hairpin NAT, but I couldn't get that to work. I've tried several other configurations, and they don't work either. I'm not saying I'm doing them correctly, just that I can't get them to work.

I've been trying to find the answer to this for days, and I haven't found any other forum posts exactly like this, although I have found some that were close, but I couldn't get the advice on those to work for me.

Does anyone have any advice on how I can fix this?

Let's call the public IP address 172.16.0.5, and the LAN addresses are in the 10.0.1.0/24 range. The machine that the public IP is 1:1 natted to is 10.0.1.55.

Thanks
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Can't access 1:1 natted public IP from LAN

Sat Mar 28, 2020 5:21 pm

Certainly it can be done with Hairpin NAT..
The example here can help you https://wiki.mikrotik.com/wiki/Hairpin_NAT
Or you can export your Firewall Nat configuration so we can see what is wrong with the way you tried to configure the Hairpin NAT...
 
poduck
newbie
Topic Author
Posts: 33
Joined: Thu Apr 06, 2017 11:22 pm

Re: Can't access 1:1 natted public IP from LAN

Sat Mar 28, 2020 7:09 pm

It doesn't seem to work with either a single port and protocol or everything. I would also like to just forward everything, and not have to do it port by port.
/ip firewall nat
add action=src-nat chain=srcnat out-interface="ether1 Gateway-2-Metro" \
    src-address=10.0.1.55 to-addresses=172.15.0.5
add action=dst-nat chain=dstnat dst-address=172.15.0.5 in-interface=\
    "ether1 Gateway-2-Metro" to-addresses=10.0.1.55
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat dst-address=162.211.33.206 dst-port=80 \
    protocol=tcp src-address=10.0.1.0/24
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can't access 1:1 natted public IP from LAN

Sat Mar 28, 2020 7:16 pm

You had to complicate things with a 1:1 into the mix LOL. Hopefully sob or mkx will come by as this is beyond my meagre capabilities.
 
poduck
newbie
Topic Author
Posts: 33
Joined: Thu Apr 06, 2017 11:22 pm

Re: Can't access 1:1 natted public IP from LAN

Sat Mar 28, 2020 7:23 pm

I blame my ISP. I had no choice.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Can't access 1:1 natted public IP from LAN

Sat Mar 28, 2020 9:00 pm

poduck wrote:
It doesn't seem to work with either a single port and protocol or everything. I would also like to just forward everything, and not have to do it port by port.
/ip firewall nat
add action=src-nat chain=srcnat out-interface="ether1 Gateway-2-Metro" \
    src-address=10.0.1.55 to-addresses=172.15.0.5
[b]add action=dst-nat chain=dstnat dst-address=172.15.0.5 in-interface=\
    "ether1 Gateway-2-Metro" to-addresses=10.0.1.55[/b]
[i]add action=masquerade chain=srcnat out-interface-list=WAN[/i]
[b]add action=masquerade chain=srcnat dst-address=HERE YOU SHOULD PUT THE LAN IP dst-port=80 \
    out-interface=YOUR LAN protocol=tcp src-address=10.0.1.0/24[/b]

For the Hairpin NAT you need the rules in bold [b]... I corrected the last rule: you need the LAN IP there, because it has been NATed earlier by the previous rule...
I don't understand your rule No. 0...
Also hide your public IP...
Finally, I can't tell if the IP addresses you use are correct. You know that...
Last edited by Zacharias on Sun Mar 29, 2020 2:43 pm, edited 1 time in total.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Can't access 1:1 natted public IP from LAN

Sat Mar 28, 2020 10:06 pm

The main problem is the dstnat rule: you can't have in-interface="ether1 Gateway-2-Metro" (which I assume is the WAN interface), because all connections from LAN will be coming from - no surprise - LAN. Using in-interface for a dstnat rule is just a quick hack when you don't have a static address; otherwise it's not needed.

The only thing changed by 1:1 NAT is that you need a dstnat rule that will take both addresses:

- The private one on the WAN interface to which the ISP forwards traffic from the internet; that will be used by connections from outside.
- The real public address (which is otherwise on the ISP's router); that will be used by connections from LAN.

Just put them both in an address list and then use dst-address-list=<list>.
 
poduck
newbie
Topic Author
Posts: 33
Joined: Thu Apr 06, 2017 11:22 pm

Re: Can't access 1:1 natted public IP from LAN

Sat Mar 28, 2020 11:05 pm

Okay, I mistyped that 172.x.x.x address. I just tried to sub a private IP address for a public one, and I wrote 172.15.0.5 instead of 172.16.0.5. Anyway, the 172 address is just a placeholder for my actual public IP address.

As for rule 0, that's the outgoing 1:1 NAT rule. Rule 1 is the incoming 1:1 rule.

Anyway, as for your edit, I made that change, and a couple other changes. Instead of using the src-nat and dst-nat action, I changed them to netmap. Here are the current rules.
/ip firewall nat
add action=netmap chain=srcnat out-interface="ether1 Gateway-2-Metro" \
    src-address=10.0.1.55 to-addresses=172.16.0.5
add action=netmap chain=dstnat dst-address=172.16.0.5 in-interface=\
    "ether1 Gateway-2-Metro" to-addresses=10.0.1.55
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat dst-address=10.0.1.55 dst-port=80 \
    out-interface=bridge1 protocol=tcp src-address=10.0.1.0/24
 
poduck
newbie
Topic Author
Posts: 33
Joined: Thu Apr 06, 2017 11:22 pm

Re: Can't access 1:1 natted public IP from LAN

Sat Mar 28, 2020 11:26 pm

Sob wrote:
The main problem is the dstnat rule: you can't have in-interface="ether1 Gateway-2-Metro" (which I assume is the WAN interface), because all connections from LAN will be coming from - no surprise - LAN. Using in-interface for a dstnat rule is just a quick hack when you don't have a static address; otherwise it's not needed.

The only thing changed by 1:1 NAT is that you need a dstnat rule that will take both addresses:

- The private one on the WAN interface to which the ISP forwards traffic from the internet; that will be used by connections from outside.
- The real public address (which is otherwise on the ISP's router); that will be used by connections from LAN.

Just put them both in an address list and then use dst-address-list=<list>.

Okay, I removed the WAN from the in-interface, and things still work the same at that point, so that is good. I don't quite understand what you are saying to put on the address list. Also, should I be putting the address list in both the incoming and outgoing rule?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Can't access 1:1 natted public IP from LAN

Sun Mar 29, 2020 12:04 am

The normal configuration, when you have a public address on your router, has a default NAT rule to access the internet:
/ip firewall nat
add chain=srcnat out-interface=<WAN> action=src-nat to-addresses=<public address>
or:
/ip firewall nat
add chain=srcnat out-interface=<WAN> action=masquerade
Then you forward ports using:
/ip firewall nat
add chain=dstnat dst-address=<public address> protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.88.10
If you want to be able to connect to <public address> from LAN, you need hairpin NAT (it can also use action=src-nat with almost any address):
/ip firewall nat
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.0/24 action=masquerade
If you have 1:1 NAT, the difference is that <public address> is not on your router but elsewhere. Instead the router has some other private address on the WAN interface (e.g. 10.20.30.40). So if you want to avoid the in-interface hack, the correct dstnat rule is:
/ip firewall nat
add chain=dstnat dst-address=10.20.30.40 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.88.10
But this breaks it for connections from LAN to <public address>, because it no longer matches. So you can either add a second rule (the same as the one for a public address on the router):
/ip firewall nat
add chain=dstnat dst-address=<public address> protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.88.10
Or use an address list:
/ip firewall address-list
add list=WAN_IP address=<public address>
add list=WAN_IP address=10.20.30.40
/ip firewall nat
add chain=dstnat dst-address-list=WAN_IP protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.88.10
 
poduck
newbie
Topic Author
Posts: 33
Joined: Thu Apr 06, 2017 11:22 pm

Re: Can't access 1:1 natted public IP from LAN

Sun Mar 29, 2020 1:02 am

Well Sob, you have me officially confused now. I'm not sure how to get from where I am to what you are thinking. I sincerely appreciate the help, but at this point I'm not sure if you are talking over my head, or trying too hard to hold my hand. LOL

I've been trying to understand and implement what you are talking about, but at this point, I don't know the right question to ask to get myself to understand what you are saying my problem is. I understand all the words you are saying, and I think I understand what each individual rule you wrote does on its own, but for the life of me, I can't figure out how to get what you said to work together.

I just sent a request to my ISP to route me a /29 instead of this crap. I don't know if they will do it, but I do know it would make my life easier. Every time I turn around, I'm finding something that won't work how I need it to, or I'm breaking something trying to get something else to work how I need it to.

If they tell me they won't do the /29, I'll be back here.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Can't access 1:1 natted public IP from LAN

Sun Mar 29, 2020 1:28 am

I was going for really simple and easy to understand description. :D

You can describe what you do understand, and I'm willing to try again. Or maybe there's some misunderstanding. You can draw a diagram of how everything is connected, where which addresses are, etc. Perhaps it could be something different than I think, and it could explain why my advice sounds confusing.
 
poduck
newbie
Topic Author
Posts: 33
Joined: Thu Apr 06, 2017 11:22 pm

Re: Can't access 1:1 natted public IP from LAN

Sun Mar 29, 2020 2:22 am

I thought you were going for really simple, but I am unsure which of those rules you are suggesting need to be used. On top of that, with the address list, I'm not sure why you suggest to use them. You add one that says <public address>, and another that says 10.20.30.40, which I believe you were using to denote a public address. What other address are you suggesting I need in a list?

When we get down to port forwarding, once I put the 1:1 rules in, all ports already go to the device. So, when this is in the rules:
/ip firewall nat
add action=netmap chain=dstnat dst-address=172.16.0.5 to-addresses=10.0.1.55
add action=netmap chain=srcnat src-address=10.0.1.55 to-addresses=172.16.0.5
add action=masquerade chain=srcnat out-interface-list=WAN
Things work from the outside world just fine, so I don't understand this rule:
add chain=dstnat dst-address=10.20.30.40 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.88.10
When I use that rule, I still get no response from the machine on port 80, so I added the other rule you said would fix the connections from LAN to the public address, and still no response.

At this point, the rules look like this:
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=172.16.0.5 to-addresses=10.0.1.55
add action=src-nat chain=srcnat src-address=10.0.1.55 to-addresses=172.16.0.5
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=172.16.0.5 dst-port=80 protocol=tcp to-addresses=10.0.1.55
add action=dst-nat chain=dstnat dst-address=172.16.0.5 dst-port=80 protocol=tcp to-addresses=10.0.1.55
That leaves only the address list thing you said to try, but I don't know what addresses you are saying should go there.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Can't access 1:1 natted public IP from LAN

Sun Mar 29, 2020 4:44 am

There's definitely some misunderstanding. When you wrote that you have 1:1 NAT, I thought that the ISP is doing that, but now it looks like you're the one who's doing it?

What I was describing is:

- ISP's router (which you don't have any access to) has public IP address, e.g. 2.2.2.2
- Your router's WAN interface has some private address (10.20.30.40 in my example)
- LAN behind your router is 192.168.88.0/24 in my example
- ISP is doing 1:1 NAT, which means that:
-- any packet to 2.2.2.2 gets new destination address 10.20.30.40
-- any packet from 10.20.30.40 gets new source address 2.2.2.2

Is this what you have, or is it something else?
 
poduck
newbie
Topic Author
Posts: 33
Joined: Thu Apr 06, 2017 11:22 pm

Re: Can't access 1:1 natted public IP from LAN

Sun Mar 29, 2020 5:42 am

No, the ISP routed 5 IP addresses to my ONT. I am using one for the LAN, one for another router, and one for a PBX. Needing to have people have access to phones outside the LAN, since the shelter-in-place stuff is going on, I realized how limiting it was to not be able to access the PBX from inside the LAN using the public IP, at least to provision phones. I tried just using a domain name and changing things on the DNS server to the local IP, but there were unforeseen difficulties there too.

Anyway, I thought that just fixing the way things are on the router would save me the time of finding all the places an ip address was used instead of a domain on the pbx. I didn't realize that would probably have been faster.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Can't access 1:1 natted public IP from LAN

Sun Mar 29, 2020 2:50 pm

To sum up, the rules you need for the hairpin NAT are:
add action=dst-nat chain=dstnat dst-address=Public IP protocol=tcp dst-port=80 to-addresses=LAN IP OF THE DEVICE
Here you can use, as @Sob said, either the public IP or your router's LAN IP, or make an address list.
add action=masquerade chain=srcnat dst-address=LAN IP OF THE DEVICE dst-port=80 \
    out-interface=YOUR LAN protocol=tcp src-address=LAN SUBNET
The basics of hairpin NAT are those 2 rules, nothing more, nothing less...
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Can't access 1:1 natted public IP from LAN

Sun Mar 29, 2020 8:07 pm

So you do have 5 public addresses on your router? Or does the ONT also work as a router, the public addresses are there, and it does 1:1 NAT to your router and other devices? And you're in fact not connecting back to the same LAN, but to another device connected behind the ONT? I'm afraid I got lost in it. Maybe a diagram would help, i.e. how exactly everything is connected, where each address is, etc.
 
poduck
newbie
Topic Author
Posts: 33
Joined: Thu Apr 06, 2017 11:22 pm

Re: Can't access 1:1 natted public IP from LAN

Sun Mar 29, 2020 9:49 pm

The 5 addresses are pointed to my router individually, but my router is not assigned its own subnet. It only gets 5 addresses on a /27 subnet. Because of that, I have to use 1:1 NAT to route them to my devices. I believe they use private IP addresses on the ONTs themselves, and send the 5 IP addresses with a VPN. I'm not 100% sure though.

As for a diagram, I'm replying to this on my phone right now. That will have to wait until I get to a regular pc.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Can't access 1:1 natted public IP from LAN

Sun Mar 29, 2020 10:07 pm

Ok, so directly on your router you have the following?
/ip address
add interface=<WAN interface> address=<public address 1>/27
...
add interface=<WAN interface> address=<public address 5>/27
/ip route
add dst-address=0.0.0.0/0 gateway=<another address from same /27>
If that's so, you can probably make it work even without NAT.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Can't access 1:1 natted public IP from LAN

Sun Mar 29, 2020 10:23 pm

@Sob, if it is that way, 5 static IPs directly configured on Ethernet interfaces, I would not say probably but certainly: it can work without NAT...
 
poduck
newbie
Topic Author
Posts: 33
Joined: Thu Apr 06, 2017 11:22 pm

Re: Can't access 1:1 natted public IP from LAN

Sun Mar 29, 2020 10:43 pm

Sob wrote:
Ok, so directly on your router you have the following?
/ip address
add interface=<WAN interface> address=<public address 1>/27
...
add interface=<WAN interface> address=<public address 5>/27
/ip route
add dst-address=0.0.0.0/0 gateway=<another address from same /27>
If that's so, you can probably make it work even without NAT.

That is already how it is configured. How do I then route the traffic to the devices themselves? I couldn't figure it out without the router being the gateway, which is why I had to use the 1:1 NAT.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Can't access 1:1 natted public IP from LAN

Sun Mar 29, 2020 10:49 pm

Source NAT the IP of the device in the LAN to the public IP address...
Also you still need a dst-nat rule to port forward the traffic to the device when needed...
 
poduck
newbie
Topic Author
Posts: 33
Joined: Thu Apr 06, 2017 11:22 pm

Re: Can't access 1:1 natted public IP from LAN

Sun Mar 29, 2020 11:00 pm

Okay. That works for the traffic going out, but doesn't work for the traffic coming in. I want all traffic coming in to that IP address going to the device as well. I don't want to manage it with the Mikrotik router. This is where the dstnat rule works, hence the 1:1 nat.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Can't access 1:1 natted public IP from LAN

Sun Mar 29, 2020 11:12 pm

Where do we disagree ?
 
poduck
newbie
Topic Author
Posts: 33
Joined: Thu Apr 06, 2017 11:22 pm

Re: Can't access 1:1 natted public IP from LAN

Sun Mar 29, 2020 11:28 pm

Well, a 1:1 NAT contains the same address assignment, same routing assignment, and the same src-nat rule. The only difference between what you are saying and a 1:1 NAT is the dst-nat rule.

Essentially, this is how I have my setup working: https://wiki.mikrotik.com/wiki/How_to_l ... Local_ones
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Can't access 1:1 natted public IP from LAN

Sun Mar 29, 2020 11:33 pm

The link you posted at #3 contains the dst-nat rule i told you about....
So i still do not understand...
 
poduck
newbie
Topic Author
Posts: 33
Joined: Thu Apr 06, 2017 11:22 pm

Re: Can't access 1:1 natted public IP from LAN

Mon Mar 30, 2020 12:04 am

Okay, I didn't catch one of your posts. I thought you were going off of what Sob wrote. Sorry.

I figured out something I was doing wrong, and it was with my other forwarding and hairpin NAT rules. Now both sets of rules can live in harmony. The question remains, which was in my OP: is it possible to do this with all traffic to the PBX, or do I have to create rules for every port I might use?
 
poduck
newbie
Topic Author
Posts: 33
Joined: Thu Apr 06, 2017 11:22 pm

Re: Can't access 1:1 natted public IP from LAN

Mon Mar 30, 2020 12:10 am

Nevermind. I just answered my own question. I just removed the protocol and port from those forwarding rules and now everything seems to work.

That is actually what I was trying to do in the first place. It was just conflicting with other rules, and when I was testing without those other rules in place, I never got to the point of forwarding, or hairpinning.

Anyway, as painful as it was, thanks very much for everyone's help.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Can't access 1:1 natted public IP from LAN

Mon Mar 30, 2020 12:28 am

Great...
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Can't access 1:1 natted public IP from LAN

Mon Mar 30, 2020 4:00 am

Funny thing is that you had the simple basic config with public addresses on router the whole time. :)

For the record, the NAT-less way I had in mind was to give public addresses directly to devices that need them. You could connect them to ONT directly, using either external switch, or you could switch/bridge ports on router (if you have enough of them), or make the public subnet available in LAN in tagged VLAN. Another way would be proxy ARP and then routing individual addresses in LAN, either as point to point over ethernet, or with PPPoE.
 
poduck
newbie
Topic Author
Posts: 33
Joined: Thu Apr 06, 2017 11:22 pm

Re: Can't access 1:1 natted public IP from LAN

Mon Mar 30, 2020 4:26 pm

I am still having some audio issues with this setup for some reason, so those other options might actually be better.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Can't access 1:1 natted public IP from LAN

Mon Mar 30, 2020 8:38 pm

poduck wrote:
I am still having some audio issues with this setup for some reason, so those other options might actually be better.

For your PBX you must port forward the appropriate ports...
Check your firewall also...
I guess you have audio problems when using the PBX from outside?

Those are standard steps for PBX audio delivery problems... No need to change your approach again...
 
orfin2
just joined
Posts: 2
Joined: Tue Mar 02, 2021 12:46 pm

Re: Can't access 1:1 natted public IP from LAN

Fri Jul 01, 2022 6:01 pm

Sob wrote:
There's definitely some misunderstanding. When you wrote that you have 1:1 NAT, I thought that the ISP is doing that, but now it looks like you're the one who's doing it?

What I was describing is:

- ISP's router (which you don't have any access to) has public IP address, e.g. 2.2.2.2
- Your router's WAN interface has some private address (10.20.30.40 in my example)
- LAN behind your router is 192.168.88.0/24 in my example
- ISP is doing 1:1 NAT, which means that:
-- any packet to 2.2.2.2 gets new destination address 10.20.30.40
-- any packet from 10.20.30.40 gets new source address 2.2.2.2

Is this what you have, or is it something else?

This is exactly my case. My ISP has a few public IPs, and one of them is NATed 1:1 to my private WAN IP address (all 65k ports to my 192.168.100.119). From outside the connection is all right: I send to the public IP with a port and it connects, but if I send to the public IP from my home network (behind my MTIK) I have no connection. How do I make it work? Hairpin NAT?
Last edited by orfin2 on Fri Jul 01, 2022 6:02 pm, edited 1 time in total.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Can't access 1:1 natted public IP from LAN

Fri Jul 01, 2022 7:46 pm

Yes, hairpin NAT with proper dstnat rules is the solution. With the addresses from the quoted post, e.g.:
/ip firewall address-list
add list=nat_addrs address=2.2.2.2
add list=nat_addrs address=10.20.30.40
/ip firewall nat
add chain=dstnat dst-address-list=nat_addrs protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.88.100
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.0/24 action=masquerade
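The chain walk that Sob describes (in the Sun Mar 29, 2020 12:04 am post and again in the rules just above), modelled in Python as an added example. This is not RouterOS code and not from the thread: it is a hand-rolled simulator of a subset of the firewall NAT matchers the posts use (chain, in-interface, out-interface, out-interface-list, src-address, dst-address, dst-address-list, protocol, dst-port, action, to-addresses), parsed from space-separated key=value tokens, so interface names with spaces are not supported. The two scenarios use the thread's placeholder addresses; the router's own LAN/WAN addresses (10.0.1.1, 172.16.0.2, 192.168.88.1), the LAN clients (10.0.1.20, 192.168.88.20) and the internet host 203.0.113.9 are assumptions. It shows why a dstnat rule with in-interface=WAN never sees a LAN-originated packet, why the ISP-side 1:1 case needs both addresses in the dstnat match, and why a LAN-to-LAN flow is delivered but still fails without the hairpin srcnat rule.

```python
import ipaddress
from dataclasses import dataclass, field, replace

IF_LISTS = {"WAN": {"ether1"}}  # stands in for: /interface list member add interface=ether1 list=WAN


@dataclass
class Packet:
    src: str
    dst: str
    in_if: str
    proto: str = "tcp"
    dport: int = 80


@dataclass
class Router:
    lan: ipaddress.IPv4Network
    lan_ip: str
    wan_ip: str
    local: set = field(default_factory=set)  # addresses configured on the router itself
    lan_if: str = "bridge1"
    wan_if: str = "ether1"

    def route(self, dst):
        if dst in self.local:
            return "local"  # handled by the input chain; srcnat (postrouting) never runs
        return self.lan_if if ipaddress.ip_address(dst) in self.lan else self.wan_if


def rule(line):
    """'add action=dst-nat chain=dstnat dst-address=...' -> dict of the key=value tokens."""
    return dict(tok.split("=", 1) for tok in line.split()[1:])


def parse(text):
    return [rule(line) for line in text.strip().splitlines()]


def matches(r, pkt, out_if, lists):
    """Every matcher present in the rule must match, as in the real firewall."""
    in_net = lambda ip, cidr: ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)
    checks = {
        "in-interface": lambda v: pkt.in_if == v,
        "out-interface": lambda v: out_if == v,
        "out-interface-list": lambda v: out_if in IF_LISTS.get(v, set()),
        "src-address": lambda v: in_net(pkt.src, v),
        "dst-address": lambda v: in_net(pkt.dst, v),
        "dst-address-list": lambda v: pkt.dst in lists.get(v, set()),
        "protocol": lambda v: pkt.proto == v,
        "dst-port": lambda v: pkt.dport == int(v),
    }
    return all(checks[k](v) for k, v in r.items() if k in checks)


def run_chain(router, rules, chain, pkt, out_if, lists):
    """First matching rule wins; a NAT action rewrites the packet and ends the chain."""
    for r in rules:
        if r["chain"] != chain or not matches(r, pkt, out_if, lists):
            continue
        if r["action"] in ("dst-nat", "netmap") and chain == "dstnat":
            return replace(pkt, dst=r["to-addresses"])
        if r["action"] in ("src-nat", "netmap") and chain == "srcnat":
            return replace(pkt, src=r["to-addresses"])
        if r["action"] == "masquerade":  # source becomes the address of the egress interface
            return replace(pkt, src=router.lan_ip if out_if == router.lan_if else router.wan_ip)
    return pkt


def trace(router, rules, pkt, server, lists=None):
    """Walk one packet through dstnat -> routing decision -> srcnat and judge the flow."""
    lists = lists or {}
    p = run_chain(router, rules, "dstnat", pkt, "", lists)  # prerouting: egress not known yet
    out_if = router.route(p.dst)
    if out_if != "local":
        p = run_chain(router, rules, "srcnat", p, out_if, lists)  # postrouting
    # A LAN server answers a LAN source directly at layer 2, bypassing the router's
    # connection tracking, unless the source was rewritten to the router's own address.
    reply_via_router = (out_if != router.lan_if
                        or ipaddress.ip_address(p.src) not in router.lan
                        or p.src == router.lan_ip)
    return {"out_if": out_if, "src": p.src, "dst": p.dst,
            "works": p.dst == server and reply_via_router}


# Scenario A: public address 172.16.0.5 is on the router itself (the original poster's case).
POD = Router(ipaddress.ip_network("10.0.1.0/24"), "10.0.1.1", "172.16.0.2",
             local={"172.16.0.5", "172.16.0.2", "10.0.1.1"})
PBX = "10.0.1.55"
POD_BROKEN = parse("""
add action=dst-nat chain=dstnat dst-address=172.16.0.5 in-interface=ether1 to-addresses=10.0.1.55
add action=src-nat chain=srcnat src-address=10.0.1.55 out-interface=ether1 to-addresses=172.16.0.5
add action=masquerade chain=srcnat out-interface-list=WAN
""")
POD_FIXED = [rule("add action=dst-nat chain=dstnat dst-address=172.16.0.5 to-addresses=10.0.1.55")] \
    + POD_BROKEN[1:] \
    + parse("add action=masquerade chain=srcnat src-address=10.0.1.0/24 dst-address=10.0.1.55 out-interface=bridge1")

# Scenario B: the ISP does the 1:1 NAT (Sob's 2.2.2.2 -> 10.20.30.40 example).
ISP = Router(ipaddress.ip_network("192.168.88.0/24"), "192.168.88.1", "10.20.30.40",
             local={"10.20.30.40", "192.168.88.1"})
WEB = "192.168.88.10"
ISP_LISTS = {"WAN_IP": {"2.2.2.2", "10.20.30.40"}}
ISP_RULES = parse("""
add action=dst-nat chain=dstnat dst-address-list=WAN_IP protocol=tcp dst-port=80 to-addresses=192.168.88.10
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.0/24
""")

if __name__ == "__main__":
    print(trace(POD, POD_BROKEN, Packet("10.0.1.20", "172.16.0.5", "bridge1"), PBX))  # works: False
    print(trace(POD, POD_FIXED, Packet("10.0.1.20", "172.16.0.5", "bridge1"), PBX))   # works: True
    print(trace(ISP, ISP_RULES, Packet("192.168.88.20", "2.2.2.2", "bridge1"), WEB, ISP_LISTS))
```

The "works" flag combines two checks that the thread treats separately: whether the dstnat chain actually rewrote the destination to the server, and whether the server's reply comes back through the router so connection tracking can undo the translation. Dropping the last rule of POD_FIXED leaves the first check passing and the second failing, which is the hairpin symptom (packets reach the PBX, the client never sees an answer).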
