Community discussions

MikroTik App
  4. RouterOS
  5. General

2WAN and hairpin nat problem

Post Reply
 
kefflar
just joined
Topic Author
Posts: 7
Joined: Tue Apr 12, 2011 12:28 pm

2WAN and hairpin nat problem

Tue Jun 14, 2022 11:20 am

Hello,
Could someone please help me find a solution to the non-working Hairpin nat. When I add LAN network to Connected address list, then port forwarding doesn't work from WAN1. My default OUT interface is WAN2(pppoe).
Code: Select all
/interface bridge
add fast-forward=no name=LAN
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN1
set [ find default-name=ether2 ] name=ether2-WAN2
/interface pppoe-client
add disabled=no interface=ether2-WAN2 name=pppoe-out1 password="secret" user=pppoe_user
/interface list
add name=WAN
/ip pool
add name=LAN-pool ranges=192.168.1.101-192.168.1.199
add name=l2tp_pool ranges=172.10.0.101-172.10.0.199
/ip dhcp-server
add address-pool=LAN-pool disabled=no interface=LAN lease-time=4h name=LAN
/ppp profile
add bridge=LAN local-address=192.168.1.1 name=l2tp remote-address=l2tp_pool
/interface bridge port
add bridge=LAN interface=ether3
add bridge=LAN interface=ether4
add bridge=LAN interface=ether5
add bridge=LAN interface=ether6
add bridge=LAN interface=ether7
add bridge=LAN interface=ether8
add bridge=LAN interface=ether9
add bridge=LAN interface=ether10
/interface l2tp-server server
set allow-fast-path=yes default-profile=l2tp enabled=yes ipsec-secret="secret" use-ipsec=yes
/interface list member
add interface=ether1-WAN1 list=WAN
add interface=ether2-WAN2 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.1.1/24 interface=LAN network=192.168.1.0
add address=46.170.57.30/30 interface=ether1-WAN1 network=xxx.xxx.xxx.xxx
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1,8.8.8.8 gateway=192.168.1.1 ntp-server=213.222.200.99
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,194.204.15.34,1.1.1.1
/ip firewall address-list
add address=xxx.xxx.xxx.xxx/30 list=Connected
add address=yyy.yyy.yyy.yyy list=Connected
add address=10.0.0.1 list=Connected [color=#FF0000][i]- gateway of pppoe connection[/i][/color]
add address=192.168.1.0/24 list=LAN
add address=172.10.0.0/24 list=Connected
add address=192.168.1.0/24 disabled=yes list=Connected
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked disabled=yes
add action=accept chain=input comment="Winbox Access" dst-port=8391 in-interface-list=all protocol=tcp
add action=accept chain=input comment="Ssh Access" dst-port=4322 protocol=tcp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input dst-port=500,1701,4500 protocol=udp
add action=drop chain=input connection-state="" dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=input connection-state="" dst-port=53 in-interface-list=WAN protocol=udp
/ip firewall mangle
add action=accept chain=prerouting comment=WAN->ROS src-address-list=Connected
add action=mark-connection chain=input connection-mark=no-mark in-interface=ether1-WAN1 new-connection-mark=WAN1->ROS passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark in-interface=pppoe-out1 new-connection-mark=WAN2->ROS passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1->ROS new-routing-mark=TO_WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2->ROS new-routing-mark=TO_WAN2 passthrough=yes
add action=mark-connection chain=forward comment=WAN->LANs connection-mark=no-mark in-interface=ether1-WAN1 new-connection-mark=WAN1->LAN passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark in-interface=pppoe-out1 new-connection-mark=WAN2->LAN passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN1->LAN new-routing-mark=TO_WAN1 passthrough=yes src-address-list=LAN
add action=mark-routing chain=prerouting connection-mark=WAN2->LAN new-routing-mark=TO_WAN2 passthrough=yes src-address-list=LAN
add action=mark-connection chain=prerouting comment=LANs->WAN connection-mark=no-mark dst-address-list=!Connected dst-address-type=!local new-connection-mark=LAN->WAN passthrough=yes src-address-list=LAN
add action=mark-routing chain=prerouting comment="Load Balancing" connection-mark=LAN->WAN new-routing-mark=TO_WAN2 passthrough=yes src-address-list=LAN
add action=mark-connection chain=prerouting comment="Stick connections after this" connection-mark=LAN->WAN new-connection-mark=Sticky_WAN1 passthrough=yes routing-mark=TO_WAN1
add action=mark-connection chain=prerouting connection-mark=LAN->WAN new-connection-mark=Sticky_WAN2 passthrough=yes routing-mark=TO_WAN2
add action=mark-routing chain=prerouting connection-mark=Sticky_WAN1 new-routing-mark=TO_WAN1 passthrough=yes src-address-list=LAN
add action=mark-routing chain=prerouting connection-mark=Sticky_WAN2 new-routing-mark=TO_WAN2 passthrough=yes src-address-list=LAN
/ip firewall nat
add action=dst-nat chain=dstnat comment="WWW SMDP" dst-address=46.170.57.30 dst-port=8088 in-interface=ether1-WAN1 protocol=tcp to-addresses=192.168.1.10 to-ports=80
add action=dst-nat chain=dstnat comment="WWW SMDP" dst-address=46.170.57.30 dst-port=8180 in-interface=ether1-WAN1 protocol=tcp to-addresses=192.168.1.10 to-ports=80
add action=dst-nat chain=dstnat comment="WWW Solary" dst-address=yyy.yyy.yyy.yyy dst-port=8180 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.10 to-ports=80
add action=dst-nat chain=dstnat comment="WWW SMDP" dst-address=yyy.yyy.yyy.yyy dst-address-type="" dst-port=8088 in-interface=pppoe-out1 protocol=tcp src-address-type="" to-addresses=192.168.1.10 to-ports=80
add action=masquerade chain=srcnat out-interface=ether1-WAN1 src-address=192.168.1.0/24
add action=masquerade chain=srcnat out-interface=pppoe-out1 src-address=172.10.0.0/24
add action=masquerade chain=srcnat out-interface=pppoe-out1 src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="HairPin NAT" dst-address=192.168.1.0/24 dst-address-type=local src-address=192.168.1.0/24
/ip route
add check-gateway=ping distance=1 gateway=xxx.xxx.xxx.gw_ip/30 routing-mark=TO_WAN1
add check-gateway=ping distance=1 gateway=10.0.0.1 routing-mark=TO_WAN2
add check-gateway=ping distance=1 gateway=10.0.0.1
add check-gateway=ping distance=2 gateway=ether1-WAN1
Top
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: 2WAN and hairpin nat problem

Wed Jun 15, 2022 3:51 am

In random order:

- You seem to be bad at masking public addresses.
- The dst-address-type=local means address assigned to router, so if you have it in hairpin srcnat rule, it means that the rule does nothing useful. You need it to match traffic from LAN to LAN and this doesn't. So either remove this option, or you can change it to src-address-type=!local, which excludes connections initiated by router (but in your case it won't really do anything useful).
- If dstnat rule should work from LAN, it can't have in-interface=<WAN>. Remove in-interface option and keep only dst-address=<WAN address> option, it's enough.
- I hope that I didn't overlook something, but it seems that your last six mangle rules aren't very useful. First two at least give you unique connection mark for outgoing connections, which will be immediatelly changed to another (Sticky_WAN2), but the two for WAN1 shouldn't get any hits at all.
Top
 
kefflar
just joined
Topic Author
Posts: 7
Joined: Tue Apr 12, 2011 12:28 pm

Re: 2WAN and hairpin nat problem

Thu Jun 23, 2022 10:21 pm

For my configuration I used https://mum.mikrotik.com/presentations/US12/tomas.pdf by Tomas Kirnak. So almost everything work's. After I changed src-address-type=!local and remove in-interface from dst-nat rules, everything starts working like I wanted.

Thank You for your help.

Last thing to do is Failover script - to switch default route after pppoe-out1 failed.
Top
Post Reply

Who is online

Users browsing this forum: AimiSayo, AshuGite, Google [Bot], ortdx, rkau045 and 75 guests
  4. RouterOS
  5. General