RSchnell
just joined
Topic Author
Posts: 7
Joined: Tue Aug 13, 2019 12:29 am

<SOLVED> NATing question (Hairpin or something else?)

Fri Mar 03, 2023 12:18 am

<SOLVED> I removed firewall rule #10 and it all started working.

I'm trying to figure out the best (or easiest) way to do this:

routable ip: yyy.xxx.36.18/22 gateway is yyy.xxx.36.1
non-routable ip 1: 172.27.27.1/24 gateway for 172.27.27.bbb
non-routable ip 2: 10.254.254.1/24 gateway for 10.254.254.ccc

routable ip and non-routable ip 1 exist on the same flat network
non-routable ip 2 exists on its own network and comes in via ether3 and ether2, which are bridged together

what works:
pinging and surfing from 10.254.254.x
port forwarding through to 10.254.254.x
pinging any other active ip in the 172.27.27.x/24 range from the terminal on the router

what doesn't work:
pinging or surfing from 172.27.27.x through 172.27.27.1 to yyy.xxx.36.18 and on to yyy.xxx.36.1 and the rest of the internet.

I'm not sure if hairpin nat is what's needed. I'm not sure what I want to do is possible. Any direction or help would be appreciated.

Setup of router (if there are better ways to present this information I'd love to know :) )
[admin@Alarm-Tik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                        
 0   ;;; defconf
     10.254.254.1/24    10.254.254.0    bridge                           
 1   172.27.27.1/24     172.27.27.0     WAN-ether1                       
 2   yyy.xxx.36.18/22    yyy.xxx.36.0     WAN-ether1 
 
[admin@Alarm-Tik] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 
 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked log=no log-prefix="" 
 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid log=no log-prefix="" 
 3    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp log=no log-prefix="" 
 4 X  ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN log=no log-prefix="" 
 5    ;;; defconf: accept in ipsec policy
      chain=forward action=accept log=no log-prefix="" ipsec-policy=in,ipsec 
 6    ;;; defconf: accept out ipsec policy
      chain=forward action=accept log=no log-prefix="" ipsec-policy=out,ipsec 
 7    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix="" 
 8    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked log=no log-prefix="" 
 9    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 
10    ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix="" 
11    ;;; drop ssh brute forcers
      chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22 
12    chain=input action=add-src-to-address-list connection-state="" protocol=tcp src-address-list=ssh_stage3 address-list=ssh_blacklist address-list-timeout=35w3d dst-port=22 log=no log-prefix="" 
13    chain=input action=add-src-to-address-list connection-state="" protocol=tcp src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=1m dst-port=22
14    chain=input action=add-src-to-address-list connection-state="" protocol=tcp src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m dst-port=22 
15    chain=input action=add-src-to-address-list connection-state="" protocol=tcp address-list=ssh_stage1 address-list-timeout=10h dst-port=22 
16    ;;; drop ssh brute downstream
      chain=forward action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22

[admin@Alarm-Tik] >  ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN log=no log-prefix="" ipsec-policy=out,none 
 1    ;;; SecureNet Alarm Receiver
      chain=dstnat action=dst-nat to-addresses=10.254.254.100 to-ports=9999 protocol=tcp dst-port=9999 log=yes log-prefix="SecureNet" 
 2    ;;; DSC IP Alarm Receiver
      chain=dstnat action=dst-nat to-addresses=10.254.254.7 to-ports=3061 protocol=udp dst-port=3061 log=yes log-prefix="Alarm-p3061-"

[admin@Alarm-Tik] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters chain=prerouting action=passthrough 
 1  D ;;; special dummy rule to show fasttrack counters chain=forward action=passthrough 
 2  D ;;; special dummy rule to show fasttrack counters chain=postrouting action=passthrough 

[admin@Alarm-Tik] > ip firewall raw print
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters chain=prerouting action=passthrough 
 
 [admin@Alarm-Tik] > ip route print
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          52.119.36.1               1
 1 ADC  10.254.254.0/24    10.254.254.1    bridge                    0
 2 ADC  52.119.36.0/22     52.119.36.18    WAN-ether1                0
 3 ADC  172.27.27.0/24     172.27.27.1     WAN-ether1                0
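The following is an added example, not code from the post or from MikroTik. It models first-match evaluation of the forward chain printed above to show why rule 10 ("drop all from WAN not DSTNATed") blocked the 172.27.27.x hosts: that subnet lives on WAN-ether1, which is in the WAN interface list, so every new connection from it matched the drop. It then compares the poster's fix (deleting rule 10) with keeping rule 10 and placing an accept for 172.27.27.0/24 arriving on WAN-ether1 just before it. Assumptions: the interface-list membership (the post does not print `/interface list member`), the sample packets (constructed; 203.0.113.9 is a documentation address standing in for any internet host), and the ipsec and ssh-blacklist rules being left out because they do not affect the question.

```python
import ipaddress
from dataclasses import dataclass, field

# Interface lists as the default MikroTik config builds them. The post does not
# print the lists, so this membership is an assumption.
INTERFACE_LISTS = {"WAN": {"WAN-ether1"}, "LAN": {"bridge"}}


@dataclass
class Packet:
    src: str             # source IP address
    in_iface: str        # interface the packet arrived on
    conn_state: str      # "new", "established", "related" or "invalid"
    nat_state: str = ""  # "dstnat" once a dst-nat rule has matched the connection


@dataclass
class Rule:
    comment: str
    action: str                       # "accept" or "drop"
    match: dict = field(default_factory=dict)

    def matches(self, pkt: Packet) -> bool:
        """All matchers must hold; a leading '!' negates a matcher, as in RouterOS."""
        for key, want in self.match.items():
            negate = want.startswith("!")
            value = want[1:] if negate else want
            if key == "connection-state":
                hit = pkt.conn_state in value.split(",")
            elif key == "connection-nat-state":
                hit = pkt.nat_state == value
            elif key == "in-interface-list":
                hit = pkt.in_iface in INTERFACE_LISTS.get(value, set())
            elif key == "in-interface":
                hit = pkt.in_iface == value
            elif key == "src-address":
                hit = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(value, strict=False)
            else:
                raise ValueError(f"unsupported matcher {key}")
            if hit == negate:  # plain matcher failed, or negated matcher succeeded
                return False
        return True


def evaluate(chain: list[Rule], pkt: Packet) -> str:
    """First matching rule decides; RouterOS accepts when no rule in the chain matches."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.action
    return "accept"


def chain_as_posted() -> list[Rule]:
    """Forward chain from the post (ipsec and ssh-blacklist rules omitted)."""
    return [
        # fasttrack-connection only matches established/related, so for the
        # forwarding decision it behaves like accept
        Rule("defconf: fasttrack", "accept", {"connection-state": "established,related"}),
        Rule("defconf: accept established,related,untracked", "accept",
             {"connection-state": "established,related,untracked"}),
        Rule("defconf: drop invalid", "drop", {"connection-state": "invalid"}),
        Rule("defconf: drop all from WAN not DSTNATed", "drop",
             {"connection-state": "new", "connection-nat-state": "!dstnat",
              "in-interface-list": "WAN"}),
    ]


def chain_rule10_removed() -> list[Rule]:
    """The poster's fix: delete rule 10 outright."""
    return [r for r in chain_as_posted() if not r.comment.endswith("not DSTNATed")]


def chain_with_lan_exception() -> list[Rule]:
    """Alternative: keep rule 10, accept 172.27.27.0/24 from WAN-ether1 just before it."""
    chain = chain_as_posted()
    exception = Rule("accept 172.27.27.0/24 arriving on WAN-ether1", "accept",
                     {"connection-state": "new", "src-address": "172.27.27.0/24",
                      "in-interface": "WAN-ether1"})
    idx = next(i for i, r in enumerate(chain) if r.comment.endswith("not DSTNATed"))
    chain.insert(idx, exception)
    return chain


# Constructed sample packets; only the 172.27.27.0/24 range comes from the post.
LAN_HOST = Packet("172.27.27.50", "WAN-ether1", "new")             # the traffic that failed
INTERNET_UNSOLICITED = Packet("203.0.113.9", "WAN-ether1", "new")  # no dst-nat rule matched
INTERNET_TO_ALARM = Packet("203.0.113.9", "WAN-ether1", "new", nat_state="dstnat")  # 9999/3061 forwards

if __name__ == "__main__":
    for name, chain in [("as posted", chain_as_posted()),
                        ("rule 10 removed", chain_rule10_removed()),
                        ("LAN exception before rule 10", chain_with_lan_exception())]:
        print(f"{name:30s} lan={evaluate(chain, LAN_HOST):6s} "
              f"unsolicited={evaluate(chain, INTERNET_UNSOLICITED):6s} "
              f"dstnat={evaluate(chain, INTERNET_TO_ALARM)}")
```

Running it shows the trade-off: with rule 10 deleted, an unsolicited new connection arriving on WAN-ether1 that matched no dst-nat rule is forwarded, because the forward chain has no final drop; with the exception rule in place, the 172.27.27.x hosts pass, the two alarm-receiver port forwards still pass, and everything else new from WAN is still dropped. In RouterOS terms the exception corresponds to a rule such as `/ip firewall filter add chain=forward action=accept connection-state=new src-address=172.27.27.0/24 in-interface=WAN-ether1 place-before=10` (my wording, not the poster's); the index given to `place-before` is the one shown by `print` at that moment, so re-check it before adding.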
