Hello fellow Mikrotikers!

I have a problem, which i cant figure out right now why its not working, i did this already in a "singel lan" environment and it worked perfectly, but now there are multiple vlans (192.168.3.0/24 and 192.168.13.0/24) and there is port which would be needed to be accessed from outside (public ip) and from the other lan range too.

So lets say: 192.168.3.100 has a port opened lets say 8888 (192.168.3.100:8888) and this needs to be accessed via public ip from 192.168.13.100 (or any other internal ip in 192.168.13.0/24).


What steps do i need to do to get this working? Thank you in advance!

(for singel lan environment i do two things: i make a nat rule (which is first in place) where source and destination address is the same and its source nat and on action tab its masquareded. second thins is the port forward where is put on the general tab in the destination address the wan ip address, like in this tutorial: https://www.youtube.com/watch?v=_kw_bQyX-3U).

What do i need to do else? Thank you!

Stop us from guessing your setup.
a. network diagram is a always a good idea.
b. /export file=anynameyouwish ( minus router serial # and any public WANIP information )

Without the export, help will not arrive or not be accurate

True, but didnt wanted to post it, cuz there are a lot of port forwards and firewall rules in my language, but i deleted all the firewallrules and the portforwards, maybe this way you could tell me what to do. I left the NAT rules (masquarade), but deleted the pf rules (bc lot of comments with maybe sensitive content). In the firewall rules there are two rules for blocking traffic from 192.168.3.0/24 to 192.168.13.0/24 and vice versa. [and as you will see, vlan99 is a bridged one because it was needed untagged from the router, but vlan 1 and 2 are tagged and go into a smart switch].

Thank you in advance!

two rules for haripin nat i tried to:


nat rule:

add action=masquerade chain=srcnat comment="NAT hairpin" disabled=yes \
dst-address=192.168.13.0/24 src-address=192.168.3.0/24

(tried with both of the address 192.168.3.0/24, still not working)

and the pf rule:

add action=dst-nat chain=dstnat comment=\
NAMEOFTHESOFTWARE disabled=yes dst-address=\
8MYPUBLICIP dst-port=8888 log=yes log-prefix=NAMEOFTHESOFTWARE \
protocol=tcp to-addresses=192.168.3.100 to-ports=8888

If your server is at 192.168.3.100, then your hairpin src-nat rule has src-address and dst-address swaped::

nat rule:

add action=masquerade chain=srcnat comment="NAT hairpin" disabled=yes \
dst-address=192.168.13.0/24 src-address=192.168.13.0/24

BTW, you don't need 3 masquerade rules for WAN access ... unless there's sone LAN segment with routable addresses? A single rule, similar to ones you have but without src-address property set, would do. What you definitely want to keep is out-interface property.

BTW2: the L2 config - bridge, ports, VLAN settings and VLAN interfaces - is pretty much wrong.

If your server is at 192.168.3.100, then your hairpin src-nat rule has src-address and dst-address swaped::

nat rule:

add action=masquerade chain=srcnat comment="NAT hairpin" disabled=yes \
dst-address=192.168.13.0/24 src-address=192.168.13.0/24

BTW, you don't need 3 masquerade rules for WAN access ... unless there's sone LAN segment with routable addresses? A single rule, similar to ones you have but without src-address property set, would do. What you definitely want to keep is out-interface property.

BTW2: the L2 config - bridge, ports, VLAN settings and VLAN interfaces - is pretty much wrong.

Hi!

Thanks for your answer.

Yeah, i edited it manually and i switchted the two up, put the 13 in the first part, because i assumed from left to right it will be source and destination, but yeah, its like how you wrote, souce is 13.0/24 and destination is 3.0/24, but there is no traffic, packets/bytes are still 0, while its the first rule in the NAT section.

"BTW2: the L2 config - bridge, ports, VLAN settings and VLAN interfaces - is pretty much wrong."
Could you elaborate what you mean?

Read this for the general idea. ---> viewtopic.php?t=143620 (forget that youtube )
Read para C for some guidance .. viewtopic.php?t=182373

Read this for the general idea. ---> viewtopic.php?t=143620 (forget that youtube )
Read para C for some guidance .. viewtopic.php?t=182373

curious, if i select az interface/port and press the "plus" icon and select VLAN and i give the vlan an ID (number) is a wrong setup of a vlan and thats why my hairpin nat is not working?

Read this for the general idea. ---> viewtopic.php?t=143620 (forget that youtube )
Read para C for some guidance .. viewtopic.php?t=182373

curious, if i select az interface/port and press the "plus" icon and select VLAN and i give the vlan an ID (number) is a wrong setup of a vlan and thats why my hairpin nat is not working?

because this is one of the way my mikrotik teacher showed me, it wouldnt be nice if it would be wrong, but couldnt imagine, because it works this way with every smart switch i configured.

Read this for the general idea. ---> viewtopic.php?t=143620 (forget that youtube )
Read para C for some guidance .. viewtopic.php?t=182373

the youtube link is not about vlans, its hairpin nat video, did you check it?

... if i select az interface/port and press the "plus" icon and select VLAN and i give the vlan an ID (number) is a wrong setup of a vlan ...

ROS is much too flexible for some UI (either CLI or GUI) to be able to verify corectness of all possible settings. So yes, ROS UI won't save you from making mistakes. There's even a notorious dedault setup which is not correct (and sometimes causes problems) ...

As to if incorrect VLAN setup prevents hairpin nat from working: does direct connection to internal server from the other VLAN work? I.e. connect to 192 168.3.100:8888 instead of <WAN-IP>:8888 and see if that works. If it doesn't, then that would indicate that incorrect VLAN setup could indeed be the root problem.

... if i select az interface/port and press the "plus" icon and select VLAN and i give the vlan an ID (number) is a wrong setup of a vlan ...

ROS is much too flexible for some UI (either CLI or GUI) to be able to verify corectness of all possible settings. So yes, ROS UI won't save you from making mistakes. There's even a notorious dedault setup which is not correct (and sometimes causes problems) ...

As to if incorrect VLAN setup prevents hairpin nat from working: does direct connection to internal server from the other VLAN work? I.e. connect to 192 168.3.100:8888 instead of <WAN-IP>:8888 and see if that works. If it doesn't, then that would indicate that incorrect VLAN setup could indeed be the root problem.

"I.e. connect to 192 168.3.100:8888 instead of <WAN-IP>:8888 and see if that works. If it doesn't, then that would indicate that incorrect VLAN setup could indeed be the root problem." -> the main reason for vlans in this case is to seperate the two network with vlans (l2) and firewall rules (l3), so no, i cant directly reach the other comuter from a seperate lan.

I begin every router config with a wipe and begin clean "from scratch", so the default config cant be a problem.
Its friday so i could detach for a few min everything from the router and if i disable my last rule in the firewall, which blocks all forward traffic (plus the two rules which block the l3 traffic between the two lans), it begins to work, so my haripin setup was correct, but somehow what i dont understand i need to adjust my firewall to allow it. I'll figure it out from now on, thanks, but i will speak to my mikrotik trainder, because he puts tutorial videos online for money and i will show him this thread and im curious what is wrong with my vlan setup, i did it exactly like he told me, the simple tagged ones and the bridged untagged ones too. Have a nice day!

update: i just needed to add an exclusive allow (firewall) rule for this to work. what should i do, i didnt got an aswer and this wont be usefull for anyone else, should i delete this thread?

The wrong (or at least highly weird) part is that you have bridge with single port which is access port for single VLAN .... why? You're using the rest of interfaces directly, why not ether4? If you omitted some config also there (which might make use of bridge more sensible), then ... well, good luck getting any useful answer to your questions in the future.

As to firewall rules ... since you removed all of them, we could not check if the problem lies there.

the main reason for vlans in this case is to seperate the two network with vlans (l2) and firewall rules (l3), so no, i cant directly reach the other comuter from a seperate lan.

Allowing connections between subnetA and server in subnetB only via using public address but blocking direct access ... might be doable, but in most convoluted way. What makes things slightly difficult is the order in which ROS executes different code chunks: first it does DST-NAT, then firewall and the last is SRC-NAT. So if you have hairpin nat in place, then dst-address will be changed first whilst keeping src-address intact. Then firewall rules get executed and if there's rule blocking all access from subnetA towards subnetB, it will trigger (and drop connection attempt). Only last step is to replace src-address with own address. Solution to the problem is the rule in post by @Sob above.

One important thing you missed, hairpin NAT (srcnat rule) is needed when client and server are both in same subnet. It's not needed when one is in 192.168.3.0/24 and another in completely different 192.168.13.0/24. And whether it's needed or not, in both cases you need to first allow the traffic through firewall filter. One universal rule for all forwarded ports is usually the thing you need:

Code: Select all

/ip firewall filter
add chain=forward connection-nat-state=dstnat action=accept

Some reading about the subject: viewtopic.php?t=179343

Thank you, i checked this and you are right, i dont need the "haripin nat" rule in this case, i only need to add the public ip to the destination in the port forward rule (without that it wont work, just checked). And yes, i needed (i updated my post already and its working but thank you very much, ill mark this as an aswer bc this was the solution) a firewall rule to allow from lanA to lanB (i made it only for the one computer and that one port, because i want to keep them sepereate). But i will test your method in a test environment! Thank you and have a nice day!

the main reason for vlans in this case is to seperate the two network with vlans (l2) and firewall rules (l3), so no, i cant directly reach the other comuter from a seperate lan.

Allowing connections between subnetA and server in subnetB only via using public address but blocking direct access ... might be doable, but in most convoluted way. What makes things slightly difficult is the order in which ROS executes different code chunks: first it does DST-NAT, then firewall and the last is SRC-NAT. So if you have hairpin nat in place, then dst-address will be changed first whilst keeping src-address intact. Then firewall rules get executed and if there's rule blocking all access from subnetA towards subnetB, it will trigger (and drop connection attempt). Only last step is to replace src-address with own address. Solution to the problem is the rule in post by @Sob above.

Yes, i needed a rule to allow direct access (edited: a firewall rule) after (edited: creating) the nat rule to make it work. Thanks and have a nice day.

The wrong (or at least highly weird) part is that you have bridge with single port which is access port for single VLAN .... why? You're using the rest of interfaces directly, why not ether4? If you omitted some config also there (which might make use of bridge more sensible), then ... well, good luck getting any useful answer to your questions in the future.

As to firewall rules ... since you removed all of them, we could not check if the problem lies there.

as i wrote in my second post, because i needed a direct port on the router which was untagged (vlan99), and the rest was tagged(vlan1 and 2) and connected to a smart switch. i didnt delete anything from that part, you can see it in the beginning in my config. this doesnt makes my configuration bad. but next time i will post the whole modified config.