Hello
I have trouble with hairpin
Task is get access from LAN IP 192.168.1.20 to WAN IP+port 2112 and connect to 192.168.1.20 port 21...
I'm trying any solutions - but don't work.
Maybe problem on mangle rules
Because mikrotik have 2 WAN and accessed by mangle rules.
Router OS 6.47
Maybe someone has expirience with it.
Thank you.
Re: Hairpin NAT + Port Forwarding
Without your configuration, we're guessing. Please post your configuration. To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal window, and type (without the quotes) "/export hide-sensitive file=any-filename-you-wish". Then open the files section and right click on the filename you created and select download in order to download the file to your computer. It will be a text file with whatever name you saved to with an extension of .rsc. Suggest you then open the .rsc file in your favorite text editor and redact any sensitive information. Then in your message here, click the code display icon in the toolbar above the text entry (the code display icon is the 7th one from the left and looks like a square with a blob in the middle). Then paste the text from the file in between the two code words in brackets.
Re: Hairpin NAT + Port Forwarding
k6cc, that was torturous to read................... use the force !!! or least path of resistance!
@OP Para B. ---> viewtopic.php?t=191442
@OP Para B. ---> viewtopic.php?t=191442
Re: Hairpin NAT + Port Forwarding
Thanks for your discreet answer.Without your configuration, we're guessing. Please post your configuration. To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal window, and type (without the quotes) "/export hide-sensitive file=any-filename-you-wish". Then open the files section and right click on the filename you created and select download in order to download the file to your computer. It will be a text file with whatever name you saved to with an extension of .rsc. Suggest you then open the .rsc file in your favorite text editor and redact any sensitive information. Then in your message here, click the code display icon in the toolbar above the text entry (the code display icon is the 7th one from the left and looks like a square with a blob in the middle). Then paste the text from the file in between the two code words in brackets.
My config.
Code: Select all
# apr/12/2023 19:44:02 by RouterOS 6.48.6
# software id = 2B91-MMSW
#
# model = RB962UiGS-5HacT2HnT
# serial number = CC4F0F9B81DD
/interface bridge
add admin-mac=DC:2C:6E:F9:9D:A9 auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out-Infomir \
use-peer-dns=yes user=st57505
add add-default-route=yes default-route-distance=2 disabled=no interface=\
ether2 name=pppoe-out-Infomir-2 user=st63245
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
country=no_country_set disabled=no distance=indoors frequency=auto mode=\
ap-bridge ssid=CS_0372_M wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX country=no_country_set disabled=no distance=indoors \
frequency=auto mode=ap-bridge ssid=CS_0372_M wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=IP-Pool-Vpn ranges=174.16.0.100-174.16.0.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8 local-address=174.16.0.1 name=\
VPN-Profile remote-address=IP-Pool-Vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set default-profile=VPN-Profile enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out-Infomir list=WAN
add interface=pppoe-out-Infomir-2 list=WAN
add interface=ether2 list=WAN
/interface pptp-server server
set authentication=mschap2 default-profile=VPN-Profile enabled=yes
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=192.168.1.1/24 interface=bridge network=192.168.1.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=2m
/ip cloud advanced
set use-local-address=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.1.20 mac-address=18:66:DA:36:18:A9 server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=\
192.168.1.1 netmask=24
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=174.16.0.0/24 list=Local-Subnet
add address=192.168.1.0/24 list=Local-Subnet
add address=192.168.1.20 list=server1c
add address=79.142.205.251 list=wan_for_server1c
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked"
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input disabled=yes dst-port=1723 in-interface-list=\
WAN protocol=tcp
add action=accept chain=input disabled=yes dst-port=500,1723,4500 \
in-interface-list=WAN protocol=udp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked"
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid in-interface-list=WAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=WAN
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=!Local-Subnet \
new-routing-mark=To-ISP-2 passthrough=no src-address=192.168.1.20
add action=mark-connection chain=input in-interface=pppoe-out-Infomir \
new-connection-mark=From-ISP-1 passthrough=yes
add action=mark-routing chain=output connection-mark=From-ISP-1 \
new-routing-mark=To-ISP-1 passthrough=no
add action=mark-connection chain=input in-interface=pppoe-out-Infomir-2 \
new-connection-mark=From-ISP-2 passthrough=yes
add action=mark-routing chain=output connection-mark=From-ISP-2 \
new-routing-mark=To-ISP-2 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment=LAN1_Main src-address=\
192.168.88.0/24
add action=masquerade chain=srcnat comment=LAN2_for_server src-address=\
192.168.1.0/24
add action=masquerade chain=srcnat comment=LAN3_for_VPNclients src-address=\
174.16.0.0/24
add action=dst-nat chain=dstnat comment=ftp_to_server1c dst-port=2112 \
in-interface-list=WAN protocol=tcp to-addresses=192.168.1.20 to-ports=21
add action=dst-nat chain=dstnat comment=http_to_server1c dst-port=80 \
in-interface-list=WAN protocol=tcp to-addresses=192.168.1.20 to-ports=\
8081
add action=dst-nat chain=dstnat comment=RDP_to_server1c dst-port=45389 \
protocol=tcp to-addresses=192.168.1.20 to-ports=3389
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=79.142.205.251 dst-port=2112 \
protocol=tcp to-addresses=192.168.1.20 to-ports=21
/ip route
add distance=1 gateway=pppoe-out-Infomir-2 routing-mark=To-ISP-2
add distance=1 gateway=pppoe-out-Infomir routing-mark=To-ISP-1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add name=User1 profile=VPN-Profile service=sstp
add name=User2 profile=VPN-Profile service=pptp
add name=User3 profile=VPN-Profile service=pptp
add name=User4 profile=VPN-Profile service=pptp
add name=User5 profile=VPN-Profile service=pptp
add name=User6 profile=VPN-Profile service=pptp
add name=User7 profile=VPN-Profile service=pptp
add name=User8 profile=VPN-Profile service=pptp
add name=User9 profile=VPN-Profile service=pptp
add name=User10 profile=VPN-Profile service=pptp
/system clock
set time-zone-name=Europe/Kiev
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Re: Hairpin NAT + Port Forwarding
Pardon...k6cc, that was torturous to read................... use the force !!! or least path of resistance!
@OP Para B. ---> viewtopic.php?t=191442
Thank you for tutorial..
Who is online
Users browsing this forum: vingjfg and 51 guests