pelikuin
just joined
Topic Author
Posts: 4
Joined: Wed Apr 19, 2023 12:37 am

Hairpin nat equivalent

Wed Apr 19, 2023 1:05 am

I'm a noob with a hAP AX Lite, and read other posts where @anav said hairpin nat isn't necessary if using a separate subnet. So I put my SSH server on a 172 subnet and my internal clients are on a 192 subnet. I use this dst-nat rule
add action=dst-nat chain=dstnat comment="DMZ-SSH:4322 -> myhost31:22" dst-port=\
    4322 in-interface-list=WAN log=yes log-prefix="DMZ: " protocol=tcp \
    to-addresses=172.16.16.31 to-ports=22
It works externally, but not from the 192 network.

If I remove "in-interface-list=WAN" then anything crossing the router port 4322 goes to the SSH server, which isn't desirable.

I believe I need to specify my external IP as the destination address in the dst-nat rule, and have confirmed this works by manually entering it. But, my external IP is dynamic (I use DuckDNS.org), so how can I create a rule with my dynamic public IP in the destination of the dst-nat rule?

Many thanks
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Hairpin nat equivalent

Wed Apr 19, 2023 2:19 am

/ip firewall address-list
add address="duck-dns-record.domain.tld" list=name
Now use this as a dst-address-list in your NAT rule.
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Hairpin nat equivalent

Wed Apr 19, 2023 4:02 am

You need to read the complete article, snippets can get you in trouble........ context is always critical.
viewtopic.php?t=179343

Being in a different subnet absolves the admin of the need for the sourcenat hairpin rule, yes, but it doesn't excuse the OP from constructing a proper
combination of forward chain rule and dst-nat rule based upon
a. whether the IP is dynamic
OR
b. whether the IP is static.

If you already have a dyndns URL, IP address, then it's as simple as using your IP cloud address.....
/ip firewall address-list
add address=mynetname list=mywanip
OR
add address=duckdns.org list=mywanip

/ip firewall nat
add chain=dstnat action=dst-nat dst-address-list=mywanip dst-port=XXXX protocol=udp/tcp? to-addresses=IPofServer to-ports= ( only required if diff from dst port! )


This in effect mimics the format of the static IP address.
Why do we do this,
a. because we want the rule to work in all cases aka when the IP changes,
b. because we recognize that in-interface=WAN is not accurate as it does not include members for different subnets accessing the router INTERNALLY via the WANIP. They are not coming in on the in-interface=WAN!!!

Now as to the forward chain rule.......
What works in all cases and is generally recommended
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat

This ensures both internal and external users will have no problem reaching the server.

However I do not understand this comment.......
.......... then anything crossing the router port 4322 goes to the SSH server, which isn't desirable.

Can you clearly describe what user traffic should access the server????
 
pelikuin
just joined
Topic Author
Posts: 4
Joined: Wed Apr 19, 2023 12:37 am

Re: Hairpin nat equivalent

Wed Apr 19, 2023 10:35 am

@anav, @own3r1138, many thanks, this was very clear - I hadn't realised that I can simply put in my public DNS in an address list.

I hadn't actually seen that hairpin nat article, only other posts. I will read it in full.

@anav said
However I do not understand this comment.......
.......... then anything crossing the router port 4322 goes to the SSH server, which isn't desirable.
Can you clearly describe what user traffic should access the server????
I meant that, when I set my dst-nat to
add action=dst-nat chain=dstnat comment="DMZ-SSH:4322 -> myhost31:22" dst-port=4322 protocol=tcp to-addresses=172.16.16.31 to-ports=22
(i.e. without "in-interface-list=WAN")
then any traffic on port 4322 was sent to the SSH server. E.g. from a client on the 192 network I could make up any non-existent 172 address and, provided it pointed to port 4322, it would end up at 172.16.16.31:22. But I now know how to restrict it to traffic destined for my WAN IP using the address list.

Also, thanks for the comments about the forward chain. I checked my rules and although I don't have a rule like
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
I do seem to have a rule like this at the very bottom
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
I think this came from a default configuration, and I'm guessing it does the same thing - although I do wonder if it's better practice to just have a drop at the bottom and have an explicit allow rule like you mentioned, but hesitate to assume I know better than the defaults.
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Hairpin nat equivalent

Wed Apr 19, 2023 1:25 pm

Yes you are correct, explained here.... ( get rid of that default rule........but you will then need to add any traffic implicitly allowed such as LAN to internet traffic )
viewtopic.php?t=180838
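As an added example, not anav's, own3r1138's or MikroTik's own configuration, here is the whole setup from this thread assembled into one RouterOS config: the address list keyed on the dynamic DNS name, the dst-nat rule keyed on that list instead of on in-interface-list=WAN, and a forward chain with explicit accepts and a final drop in place of the defconf "drop all from WAN not DSTNATed" rule. The DuckDNS hostname, the LAN interface list and the rule comments are assumptions; port 4322, port 22 and 172.16.16.31 are the values from the thread.

```routeros
# Added example, not from the thread. Placeholder: myhost.duckdns.org stands in
# for the OP's real DuckDNS name. Interface lists WAN and LAN are assumed to
# exist as in the RouterOS default configuration.

# 1. Put the dynamic public name in an address list. RouterOS resolves the name
#    and refreshes the entry, so the list carries the current WAN IP.
/ip firewall address-list
add address=myhost.duckdns.org list=mywanip comment="current public IP (placeholder name)"

# 2. Forward only traffic whose destination is the public IP, on any interface.
#    A 192.168.x client using the public name now matches (it never arrives on
#    WAN), while a made-up 172.16.16.x:4322 destination no longer matches,
#    because that address is not in the list.
/ip firewall nat
add chain=dstnat action=dst-nat protocol=tcp dst-address-list=mywanip dst-port=4322 \
    to-addresses=172.16.16.31 to-ports=22 comment="DMZ-SSH:4322 -> myhost31:22" \
    log=yes log-prefix="DMZ: "

# 3. Forward chain: explicit accepts, then drop everything else. Rules are
#    evaluated top down, so the final drop replaces the defconf
#    "drop all from WAN not DSTNATed" rule and the previously implicit
#    LAN-to-internet traffic must now be accepted explicitly.
/ip firewall filter
add chain=forward action=accept connection-state=established,related,untracked \
    comment="accept established/related/untracked"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=accept connection-nat-state=dstnat \
    comment="allow port forwarding (only what dst-nat admitted)"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="LAN to internet (was implicit under the defconf rule)"
add chain=forward action=drop comment="drop everything else"
```

Because the SSH server sits in the 172 subnet and the clients in the 192 subnet, the return path already goes through the router, so no src-nat (masquerade) hairpin rule is needed; the dst-nat rule is the only thing that admits traffic to the server, and the forward accept on connection-nat-state=dstnat passes exactly those connections. Verify the list is resolving with `/ip firewall address-list print` before relying on the rule.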
