Techsystem
Member
Topic Author
Posts: 337
Joined: Tue Dec 21, 2021 5:12 am

can not enable hairpin NAT on my network

Wed Apr 19, 2023 11:47 am

Hello to all MikroTik people out there!
I am trying to set up hairpin NAT on my RB951ui, but to no avail.
I followed Normis' steps in his video on the official MikroTik channel, but to no avail, yet I don't have a complicated network!
Just one WAN interface and a bridge that contains all the LAN interfaces.
Here is my config:
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: can not enable hairpin NAT on my network

Wed Apr 19, 2023 1:24 pm

 
Techsystem

Re: can not enable hairpin NAT on my network

Wed Apr 19, 2023 8:36 pm

Hello anav!
Thanks for your article!
In my configuration I applied the same rules as you mentioned, and here is my problem: I couldn't identify why it's not working! :-(
Really disappointed.
 
anav

Re: can not enable hairpin NAT on my network

Wed Apr 19, 2023 11:33 pm

Your config seems to be indicating issues???? What are those???

/interface list member
add interface=ether1 list=WAN
add interface=Bridge list=LAN
add interface=*9 list=LAN
add interface=*F list=LAN
add interface=*D list=LAN

and
/ip dhcp-server alert
add disabled=no interface=Bridge on-alert=\
":log error message=\"Rogue DHCP Server Discovered\""


You're using this crappy rule for port forwarding, which one should not use with a more complex setup. Not in my setup!!
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN


The masquerade rule I show is also NOT THIS. In fact this looks like butchery ...........
/ip firewall nat
add action=src-nat chain=srcnat comment="defconf: masquerade" \
out-interface-list=WAN to-addresses=192.168.2.2

So it's the wrong format altogether for a normal NAT rule,
You are missing the hairpin nat rule AND
all your dst-nat rules are in the wrong format.

Summary, you actually need to read it this time and take notes!!! ( and refrain from making false claims )
 
Techsystem

Re: can not enable hairpin NAT on my network

Thu Apr 20, 2023 7:37 pm

So sorry, Mr. anav!
It seems that I sent you the wrong configuration file!
Here is the router configuration:
 
anav

Re: can not enable hairpin NAT on my network

Thu Apr 20, 2023 8:07 pm

Indeed LOL.

(1) If your ISP addresses are fixed.......
From:
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2
TO:
add action=src-nat chain=srcnat out-interface=ether1 to-addresses=192.168.2.1
add action=src-nat chain=srcnat out-interface=ether2 to-addresses=192.168.3.1

Since you have two static WAN IPs.... Your dstnat rules format is not helpful to indicate which WAN??
add action=dst-nat chain=dstnat comment=PBX-1 dst-address=??? \
dst-port=9021 protocol=tcp to-addresses=192.168.1.100 to-ports=9021

(2) The roles of WAN1 and WAN2 seem clear
Primary and Failover..................
How do external users know which WAN they should come in on to reach server ???

(3) I see nothing that should be stopping hairpin from working yet.......... Mainly because you have no firewall rules, so all traffic should pass. ( if your dstnat rules are not the cause )
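
Why the hairpin srcnat rule discussed in this thread matters, as an added example that is not part of any post above and is not RouterOS code: a small Python model tracing one connection from a LAN client to the router's WAN address, with and without the rule. The LAN subnet, client address and router LAN address are assumptions; the WAN address, server address and port are the ones quoted in the thread.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses: LAN subnet, client and router LAN address are
# assumptions; WAN address, server and port are the ones quoted in the thread.
LAN = ip_network("192.168.1.0/24")
ROUTER_LAN = "192.168.1.1"
WAN_IP = "192.168.2.1"
SERVER = "192.168.1.100"
CLIENT = "192.168.1.50"
PORT = 9021


def connect_via_wan_ip(hairpin_rule: bool) -> dict:
    """Trace one TCP connection from a LAN client to the router's WAN address."""
    # The client sends its SYN to the WAN address and only accepts
    # replies whose source is that same address.
    src, dst = CLIENT, WAN_IP
    expected_reply_src = dst

    # Models: chain=dstnat dst-address=WAN_IP dst-port=9021 action=dst-nat
    if dst == WAN_IP:
        dst = SERVER

    # Models the hairpin rule:
    # chain=srcnat src-address=LAN dst-address=LAN action=masquerade
    if hairpin_rule and ip_address(src) in LAN and ip_address(dst) in LAN:
        src = ROUTER_LAN

    # The server answers whatever source address it saw.
    reply_src, reply_dst = dst, src
    via_router = reply_dst == ROUTER_LAN
    if via_router:
        # Connection tracking undoes both translations on the return path.
        reply_src, reply_dst = WAN_IP, CLIENT
    # Otherwise the server and client share a subnet, so the reply is
    # delivered directly and never passes through the router's NAT.

    return {
        "server_saw_src": src,
        "reply_via_router": via_router,
        "client_got_reply_from": reply_src,
        "accepted": reply_src == expected_reply_src and reply_dst == CLIENT,
    }
```

With the hairpin rule in place the server sees every internal client as the router's LAN address, so its access logs lose per-client source addresses for that path.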
