Techsystem
Member
Topic Author
Posts: 337
Joined: Tue Dec 21, 2021 5:12 am

Endpoint-Independent NAT when applying Hairpin NAT

Sun Apr 30, 2023 12:26 pm

Hello my friends!
So I am trying to solve a problem related to hairpin NAT on my RB951Ui, and I got stuck on this Endpoint-Independent NAT thing that I didn't find in my router.
So does anyone know anything about it?
Also, if anyone has any suggestion about what I am facing, here is my problem:
I have a MikroTik router, and I apply this hairpin rule to open my Dahua NVR using the public IP address in my app.
First, here is my dst-nat rule: chain=srcnat action=masquerade to-addresses=192.168.2.2 protocol=tcp src-address=192.168.1.0/24 dst-address=192.168.1.122 dst-port=38888 log=no
And here is my hairpin NAT rule,
the second rule: 2 chain=dstnat action=dst-nat to-addresses=192.168.1.122 to-ports=38888 protocol=tcp dst-address=192.168.2.2 dst-port=38888 log=no
I placed the hairpin NAT rule before all other rules.
The connection works only for 2 seconds, then the traffic stops and disconnects.
So what may cause this to happen?
Is there anything that I have to apply with this rule to make the connection persist?
What causes this connection to drop in the first place?
 
loloski
Member Candidate
Posts: 276
Joined: Mon Mar 15, 2021 9:10 pm

Re: Endpoint-Independent NAT when applying Hairpin NAT

Sun Apr 30, 2023 12:54 pm

I suggest using ZeroTier and network routing; this will help you a lot, no more hairpin NAT issues. Just my 0.2$.
 
baragoon
Member Candidate
Posts: 294
Joined: Thu Jan 05, 2017 10:38 am
Location: Kyiv, UA
Contact:

Re: Endpoint-Independent NAT when applying Hairpin NAT

Sun Apr 30, 2023 1:22 pm

loloski wrote: I suggest using ZeroTier and network routing; this will help you a lot, no more hairpin NAT issues.
ZeroTier on an RB951Ui? It will not work without unicorns.
 
wiseroute
Member
Posts: 352
Joined: Sun Feb 05, 2023 11:06 am

Re: Endpoint-Independent NAT when applying Hairpin NAT

Sun Apr 30, 2023 5:21 pm

Hello @Techsystem,

I think your NAT rules are OK, except maybe you forgot the in-interface for the dst-nat rule (prerouting),

and the out-interface for your srcnat rule.

Good luck 👍🏻
 
Guscht
Member Candidate
Posts: 236
Joined: Thu Jul 01, 2010 5:32 pm

Re: Endpoint-Independent NAT when applying Hairpin NAT

Sun Apr 30, 2023 6:01 pm

You wrote a lot but missed important information!

Simple solution: put the device (your HUNAHUNA stuff) in another VLAN. Problem solved, because client and server are in different VLANs.

More complex solution:
chain=dstnat action=dst-nat to-addresses=192.168.1.122 to-ports=38888 protocol=tcp dst-address=192.168.2.2 dst-port=38888 log=no
You DNAT 192.168.2.2:38888 (this should be your public IP!) to 192.168.1.122:38888

Second rule (here we have to change the source IP from the initial device to the IP of the router):
chain=srcnat action=masquerade to-addresses=192.168.2.2 protocol=tcp src-address=192.168.1.0/24 dst-address=192.168.1.122 dst-port=38888 log=no
Is 192.168.2.2 the IP of your router in this network?

After both NAT rules, the HUNAHUNA device sees a packet:
Destination IP: 192.168.1.122:38888
Source IP: ????????????:38888

PROBLEM: In the masquerade action you can't specify a "to-address". Masquerade is a dynamic action which uses the IP of the router in that network.
 
Techsystem
Member
Topic Author
Posts: 337
Joined: Tue Dec 21, 2021 5:12 am

Re: Endpoint-Independent NAT when applying Hairpin NAT

Mon May 01, 2023 9:26 am

(quoting Guscht's reply of Sun Apr 30, 2023 6:01 pm in full)
Hello Mr. Guscht!
Yes, you can treat 192.168.2.2 as the public IP.
The second, complex solution didn't work in my scenario, yet I am curious to know how I can put my NVR inside a different VLAN.
In my network I have a bridge interface that contains all interfaces except ether1.
This NVR is connected to a PoE switch, and the switch is connected to the router through one of the router interfaces (I think ether3), so how can I apply a VLAN for this specific IP address?
You mean to create inter-VLAN routing?
 
Ca6ko
Member
Posts: 498
Joined: Wed May 04, 2022 10:59 pm
Location: Kharkiv, Ukraine

Re: Endpoint-Independent NAT when applying Hairpin NAT

Mon May 01, 2023 5:02 pm

Why do you create several threads with the same problem? viewtopic.php?t=195707
Your task is to make it as clear as possible to other users, to ask a question and then get help.
To do this, it is best to draw a network diagram.

Techsystem wrote: yes you can pretend the 192.168.2.2 as the public IP..
There is no need to use 192.168.0.0/16 for public addresses in examples, so as not to mislead others. There is a pool of special addresses for that: 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24.
Endpoint-Independent NAT does not work at all for you because it does not work with the TCP protocol.

I have had several devices working steadily for years. You only need to replace the public address with your own.
/ip firewall nat
add action=dst-nat chain=dstnat comment="Videoreg NVR" dst-port=38888 in-interface=ether1 protocol=tcp to-addresses=192.168.1.122
add action=dst-nat chain=dstnat dst-address=198.51.100.28 dst-port=38888 in-interface=Bridge protocol=tcp src-address=192.168.1.0/24 to-addresses=192.168.1.122
add action=masquerade chain=srcnat dst-port=38888 protocol=tcp src-address=192.168.1.0/24

If you had asked the question correctly, you would have got the solution a long time ago.
A feature of Dahua recorders: you cannot reassign ports. That is, the device port is 38888 and the router port must also be 38888; if you change the port, it will not always work.
In the dst-nat rule, if the input and output ports are the same, there is no need to specify the output port.
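The packet path that Ca6ko's three rules produce, as an added example that is not part of the post and is not RouterOS code: a small Python model of a LAN client opening the public address on port 38888, once with and once without the masquerade rule. The client address 192.168.1.50, its source port and the router's bridge address 192.168.1.1 are assumptions made for the example; masquerade is modelled as always using the address of the egress interface, which is the behaviour Guscht describes above.

```python
"""Hairpin NAT walk-through for the three-rule set Ca6ko posted.

Added example, not RouterOS or MikroTik code. It models only the rule
semantics discussed in the thread: dst-nat on the WAN interface, dst-nat
for LAN clients that address the public IP, and masquerade for LAN-to-NVR
traffic. CLIENT, CLIENT_PORT and ROUTER_LAN are constructed values.
"""
from dataclasses import dataclass, replace

PUBLIC = "198.51.100.28"     # public address used in Ca6ko's rules
ROUTER_LAN = "192.168.1.1"   # assumed bridge address of the router
NVR = "192.168.1.122"
NVR_PORT = 38888
CLIENT = "192.168.1.50"      # constructed LAN client running the app
CLIENT_PORT = 51234          # constructed ephemeral port


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    in_iface: str


def in_lan(ip: str) -> bool:
    return ip.startswith("192.168.1.")


def chain_dstnat(pkt: Packet) -> Packet:
    """Prerouting: the two dst-nat rules, first match wins."""
    # rule 1: in-interface=ether1 dst-port=38888 -> NVR
    if pkt.in_iface == "ether1" and pkt.dport == NVR_PORT:
        return replace(pkt, dst=NVR)
    # rule 2 (hairpin): in-interface=Bridge, src 192.168.1.0/24,
    #                   dst-address=<public>, dst-port=38888 -> NVR
    if (pkt.in_iface == "Bridge" and in_lan(pkt.src)
            and pkt.dst == PUBLIC and pkt.dport == NVR_PORT):
        return replace(pkt, dst=NVR)
    return pkt


def chain_srcnat(pkt: Packet, hairpin_masquerade: bool) -> Packet:
    """Postrouting: rule 3, masquerade src 192.168.1.0/24 dst-port=38888.

    masquerade ignores any to-addresses and uses the address of the
    interface the packet leaves on (bridge address for LAN destinations).
    """
    if hairpin_masquerade and in_lan(pkt.src) and pkt.dport == NVR_PORT:
        egress_addr = ROUTER_LAN if in_lan(pkt.dst) else PUBLIC
        return replace(pkt, src=egress_addr)
    return pkt


def simulate(hairpin_masquerade: bool) -> dict:
    """A LAN client opens <public>:38888; report what it gets back."""
    syn = Packet(CLIENT, CLIENT_PORT, PUBLIC, NVR_PORT, "Bridge")
    forwarded = chain_srcnat(chain_dstnat(syn), hairpin_masquerade)

    # connection tracking: how to undo both translations on the reply,
    # keyed by the reply tuple as the router would see it
    conntrack = {
        (forwarded.dst, forwarded.dport, forwarded.src, forwarded.sport):
        (syn.dst, syn.dport, syn.src, syn.sport)
    }

    # the NVR answers whatever source address the packet carried
    synack = Packet(NVR, NVR_PORT, forwarded.src, forwarded.sport, "nvr")

    if synack.dst == ROUTER_LAN:
        # reply comes back through the router and is de-NATed
        src, sport, dst, dport = conntrack[(synack.src, synack.sport,
                                            synack.dst, synack.dport)]
        delivered = Packet(src, sport, dst, dport, "Bridge")
    else:
        # same L2 segment: the NVR answers the client directly over the
        # switch, the router never sees the reply, nothing is translated
        delivered = synack

    # the client's socket is waiting for a reply from <public>:38888
    accepted = (delivered.src, delivered.sport) == (PUBLIC, NVR_PORT)
    return {
        "reply_via_router": synack.dst == ROUTER_LAN,
        "reply_src": delivered.src,
        "accepted": accepted,
    }


if __name__ == "__main__":
    for flag in (True, False):
        label = "with" if flag else "without"
        print(label, "hairpin masquerade:", simulate(flag))
```

The second line of output shows the classic hairpin failure: without the srcnat rule the NVR replies straight to the client with 192.168.1.122 as source, so the client socket that is waiting on 198.51.100.28:38888 never matches the reply. With the rule, the reply is forced back through the router, where connection tracking restores the public address.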
 
Techsystem
Member
Topic Author
Posts: 337
Joined: Tue Dec 21, 2021 5:12 am

Re: Endpoint-Independent NAT when applying Hairpin NAT

Mon May 01, 2023 7:41 pm

(quoting Ca6ko's reply of Mon May 01, 2023 5:02 pm in full)
No!
Not that way!
First, this didn't work in my situation: viewtopic.php?t=195707
I made it crystal clear: I have a DMZ inside my Asus router and I don't want to make this situation very complicated, so for that I have dst-nat like 192.168.2.2, so this represents my router's out-interface IP address, and sure, I know that already works; as I said, I can see my device as normal from outside.

I ran a sniffer inside my LAN, and what I noticed is that this hairpin NAT rule that I created works one time, then disappears from the trace, so is this normal?
Also I mentioned previously that the rule is working, however there is a huge delay in traffic (if I open my app inside my local network with the public IP assigned to this app, it works for 4 seconds as a real-time live stream, then stops, then after 20 seconds runs again, etc.). So I asked for a solution to this specific case.
 
Amm0
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Endpoint-Independent NAT when applying Hairpin NAT

Mon May 01, 2023 7:59 pm

Ca6ko wrote: Endpoint-Independent NAT does not work at all for you because it does not work with the TCP protocol
@techsystem, are you sure the "streaming" isn't using TCP?
 
Techsystem
Member
Topic Author
Posts: 337
Joined: Tue Dec 21, 2021 5:12 am

Re: Endpoint-Independent NAT when applying Hairpin NAT

Tue May 02, 2023 5:26 am

Amm0 wrote: @techsystem, are you sure the "streaming" isn't using TCP?
How can I know? You mean from the trace file?
 
Ca6ko
Member
Posts: 498
Joined: Wed May 04, 2022 10:59 pm
Location: Kharkiv, Ukraine

Re: Endpoint-Independent NAT when applying Hairpin NAT

Wed May 03, 2023 3:22 pm

You don't have a public address on the MikroTik, so it has nothing to do with it. You have the Asus for hairpin NAT.
You don't understand the situation correctly and are therefore looking for the wrong solutions.
MikroTik's hairpin NAT settings will allow you to access its external address 192.168.2.2 from the network 192.168.1.0/24!!!

You are making a few Dahua-related mistakes when setting up the MikroTik.
Enable port forwarding of 38888 on the Asus to the internal address 192.168.2.2 and disable the DMZ. Warning: in the screenshot, port forwarding is disabled.
[attachment: Screenshot_30.jpg]
On the MikroTik make these settings, put these rules above your own and remove unnecessary rules. viewtopic.php?t=195707#p998939
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.2.2 dst-port=38888 protocol=tcp to-addresses=192.168.1.122
add action=src-nat chain=srcnat comment="defconf: masquerade" out-interface-list=WAN

After that, everything will work correctly.
 
Techsystem
Member
Topic Author
Posts: 337
Joined: Tue Dec 21, 2021 5:12 am

Re: Endpoint-Independent NAT when applying Hairpin NAT

Wed May 03, 2023 8:04 pm

(quoting Ca6ko's reply of Wed May 03, 2023 3:22 pm in full)

Ca6ko wrote: You don't understand the situation correctly and are therefore looking for the wrong solutions
I agree, maybe I really don't understand my situation, but
what makes me do that is that I have a DMZ in my Asus and a lot of port forwarding rules in the MikroTik, not the Asus, and it works well!!
I will apply your solution and give you the output; I hope all this works.
 
Techsystem
Member
Topic Author
Posts: 337
Joined: Tue Dec 21, 2021 5:12 am

Re: Endpoint-Independent NAT when applying Hairpin NAT

Thu May 04, 2023 9:25 am

(quoting Ca6ko's reply of Wed May 03, 2023 3:22 pm in full)
Hello Mr. Ca6ko!
So I am in my lab right now and I just applied your rules.
First: OK, I disabled the DMZ in the Asus and applied your rule, and it works fine for the outside internet connection as before, so nothing changed (as I said, I can open my NVR using the public IP from outside), so it's another way to apply port forwarding without the DMZ. OK.
Second: for my main problem, that doesn't change anything!
Still the same problem, so I still can't open my NVR using my public IP inside my LAN.
I applied the rules you mentioned:
add action=dst-nat chain=dstnat dst-address=192.168.2.2 dst-port=38888 protocol=tcp to-addresses=192.168.1.122
add action=src-nat chain=srcnat comment="defconf: masquerade" out-interface-list=WAN

For the rule add action=src-nat chain=srcnat comment="defconf: masquerade" out-interface-list=WAN I put the to-addresses as 192.168.2.2.
Also I tried to put the src-address as 192.168.1.0/24 and the dst-address as 192.168.1.122 with the action as masquerade, but that also didn't work!
 
Ca6ko
Member
Posts: 498
Joined: Wed May 04, 2022 10:59 pm
Location: Kharkiv, Ukraine

Re: Endpoint-Independent NAT when applying Hairpin NAT

Thu May 04, 2023 10:04 am

Show the mikrotik configuration after applying my recommendations
viewtopic.php?p=999909#p999769
 
Techsystem
Member
Topic Author
Posts: 337
Joined: Tue Dec 21, 2021 5:12 am

Re: Endpoint-Independent NAT when applying Hairpin NAT

Thu May 04, 2023 11:02 am

Ca6ko wrote: Show the mikrotik configuration after applying my recommendations viewtopic.php?p=999909#p999769
So here is my config after your recommendations:
 
Ca6ko
Member
Posts: 498
Joined: Wed May 04, 2022 10:59 pm
Location: Kharkiv, Ukraine

Re: Endpoint-Independent NAT when applying Hairpin NAT

Thu May 04, 2023 10:52 pm

Techsystem wrote Wed Apr 26, 2023 7:35 pm
give an advise or explaination about how can i config this ...
/ip firewall nat
add action=src-nat chain=srcnat comment="defconf: masquerade" out-interface-list=WAN to-addresses=192.168.2.2
.
Ca6ko wrote Fri Apr 28, 2023 10:40 am
For mikrotik you have to turn on the standard NAT and disable unnecessary rules.
add action=src-nat chain=srcnat comment="defconf: masquerade" out-interface-list=WAN to-addresses=192.168.2.2
.
Techsystem wrote Sun Apr 30, 2023 12:26 pm
is there is anything that i have to apply with this rule to make the connection persist..?
.
Ca6ko wrote Wed May 03, 2023 3:22 pm
put these rules above your own and remove unnecessary rules
add action=src-nat chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
.
Techsystem wrote Thu May 04, 2023 11:02 am
so here is my config after your recommendations
add action=src-nat chain=srcnat comment="defconf: masquerade" out-interface-list=WAN to-addresses=192.168.2.2
I give up :shock:

.
 
Techsystem
Member
Topic Author
Posts: 337
Joined: Tue Dec 21, 2021 5:12 am

Re: Endpoint-Independent NAT when applying Hairpin NAT

Fri May 05, 2023 6:42 am

(quoting Ca6ko's reply of Thu May 04, 2023 10:52 pm in full)
Sorry, but I really didn't understand what you meant!
It seems I have a logistical problem with your explanation! Do you have a problem with my NAT rules? Here they are as they are in the router; I just rewrote them in this thread. To agree on some colours:
any unnecessary rule write in red and any additional rule write in green; if the rule doesn't need a change, keep it black.

my NAT rules:
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.1.122 dst-port=38888 \
out-interface=Bridge protocol=tcp src-address=192.168.1.0/24 \
to-addresses=192.168.2.2
add action=dst-nat chain=dstnat dst-address=192.168.2.2 dst-port=38888 \
protocol=tcp to-addresses=192.168.1.122 to-ports=38888
add action=src-nat chain=srcnat comment="defconf: masquerade" \
out-interface-list=WAN to-addresses=192.168.2.2
add action=dst-nat chain=dstnat dst-address=192.168.2.2 dst-port=34567 \
protocol=tcp to-addresses=192.168.1.10 to-ports=34567
add action=dst-nat chain=dstnat dst-address=192.168.2.2 dst-port=554 \
protocol=tcp to-addresses=192.168.1.244 to-ports=554

As I said, I applied your rule on the Asus side.

I would also be grateful if you could explain this line from this post viewtopic.php?p=1000101#p999769
Ca6ko wrote: Mikrotik's Hairpin NAT settings will allow you to access its external address 192.168.2.2 from the network 192.168.1.0/24 !!!
So you mean this is not achievable? Or is my understanding of hairpin NAT wrong?


To update my situation: it still does not work...
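A check a practitioner can run over the rule set above, added here as an example and not part of the thread or of RouterOS: a small linter that parses a `/ip firewall nat` export (including the backslash continuation lines RouterOS prints) and flags the three things raised in this thread: to-addresses on an action=masquerade rule (ignored, as Guscht wrote), to-ports equal to dst-port on a dst-nat rule (redundant, as Ca6ko wrote), and a dst-nat rule with neither dst-address nor in-interface (it matches every destination, the scoping wiseroute asked about). The EXPORT text is Techsystem's posted rule set; the finding codes and the `has_hairpin_pair` helper are this example's own.

```python
"""Lint a RouterOS '/ip firewall nat' export for the hairpin NAT pitfalls
raised in this thread. Added example, not RouterOS or MikroTik code.

EXPORT is the rule set Techsystem posted, with the '\\' continuation lines
RouterOS emits. Finding codes are this example's own naming.
"""
import shlex

EXPORT = r"""
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.1.122 dst-port=38888 \
out-interface=Bridge protocol=tcp src-address=192.168.1.0/24 \
to-addresses=192.168.2.2
add action=dst-nat chain=dstnat dst-address=192.168.2.2 dst-port=38888 \
protocol=tcp to-addresses=192.168.1.122 to-ports=38888
add action=src-nat chain=srcnat comment="defconf: masquerade" \
out-interface-list=WAN to-addresses=192.168.2.2
add action=dst-nat chain=dstnat dst-address=192.168.2.2 dst-port=34567 \
protocol=tcp to-addresses=192.168.1.10 to-ports=34567
add action=dst-nat chain=dstnat dst-address=192.168.2.2 dst-port=554 \
protocol=tcp to-addresses=192.168.1.244 to-ports=554
"""


def parse_export(text: str) -> list:
    """Join continuation lines and turn each 'add ...' line into a dict."""
    rules, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):          # RouterOS wraps long rules with '\'
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.startswith("add "):
            rule = {}
            for tok in shlex.split(buf[4:]):   # shlex handles comment="..."
                key, _, value = tok.partition("=")
                rule[key] = value
            rules.append(rule)
        buf = ""                          # '/ip firewall nat' etc. is skipped
    return rules


def lint(rules: list) -> list:
    """Return (code, rule_index) findings; the index follows export order."""
    findings = []
    for i, r in enumerate(rules):
        action = r.get("action")
        # masquerade always picks the egress interface address itself
        if action == "masquerade" and "to-addresses" in r:
            findings.append(("masquerade-ignores-to-addresses", i))
        # same port in and out: to-ports adds nothing
        if action == "dst-nat" and "to-ports" in r \
                and r["to-ports"] == r.get("dst-port"):
            findings.append(("redundant-to-ports", i))
        # a dst-nat with no destination scope rewrites traffic to any IP
        if action == "dst-nat" and not any(
                k in r for k in ("dst-address", "in-interface",
                                 "in-interface-list")):
            findings.append(("dst-nat-unscoped", i))
    return findings


def has_hairpin_pair(rules: list, server: str, port: str) -> bool:
    """True when both halves of a hairpin are present for server:port:
    a dst-nat that sends port to server, and a srcnat rule with a
    src-address that also covers traffic to that server and port."""
    dnat = any(r.get("action") == "dst-nat" and r.get("to-addresses") == server
               and r.get("dst-port") == port for r in rules)
    snat = any(r.get("chain") == "srcnat" and "src-address" in r
               and r.get("dst-address", server) == server
               and r.get("dst-port", port) == port for r in rules)
    return dnat and snat


if __name__ == "__main__":
    parsed = parse_export(EXPORT)
    for code, idx in lint(parsed):
        print(f"rule {idx}: {code}")
    print("hairpin pair for NVR:", has_hairpin_pair(parsed, "192.168.1.122", "38888"))
    print("hairpin pair for 192.168.1.10:34567:",
          has_hairpin_pair(parsed, "192.168.1.10", "34567"))
```

Running it on the posted export reports the to-addresses on the first masquerade rule and the redundant to-ports on the three dst-nat rules; it also shows that only the NVR forward has a matching srcnat half, so the 34567 and 554 forwards would not hairpin from the LAN at all.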
