Community discussions

MikroTik App
 
User avatar
stefki
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 57
Joined: Mon Aug 29, 2016 2:13 pm

Hairpin NAT not working on v7.9

Thu May 11, 2023 2:58 pm

Hello. I have strange problem after upgrade my HEX to v7.9 . NAT hairpin is not connecting anymore. It was working very stable on v6.48.6.

I have few ports forwarded they work very good on external network. But I am not able to communicate from my local are network.

ports 443 and port 80 are for my local web server. Both ports works form outside WAN. But not working inside on my local network.

This is my config.
please check it :)
/interface bridge
add name=Loopback0
/interface ethernet
set [ find default-name=ether1 ] comment="WAN1 Kabelnet" mac-address=\
    F4:F2:6D:32:40:73
set [ find default-name=ether2 ] comment="WAN2 Maxnet"
/interface vpls
add arp=enabled disabled=no mac-address=02:73:CB:DF:CB:AA mtu=1500 name=\
    Varos_Helios_doma->CCR peer=10.1.255.1 pw-l2mtu=1508 vpls-id=20:35
add arp=enabled disabled=no mac-address=02:F7:0C:9E:57:C4 mtu=1500 name=\
    Varos_Stefan_doma->CCR peer=10.1.255.1 pw-l2mtu=1508 vpls-id=20:36
/interface wireguard
add listen-port=43231 mtu=1420 name=wireguard
/interface vlan
add interface=ether3 name=vlan-management vlan-id=99
add interface=ether3 name=vlan1-kabelnet vlan-id=100
add interface=ether3 name=vlan2-maxnet vlan-id=200
add interface=ether3 name=vlan3-maxnet-stefan vlan-id=300
/interface pppoe-client
add add-default-route=yes disabled=no interface=Varos_Helios_doma->CCR name=\
    pppoe-out-maxnet user=mail.server
add add-default-route=yes disabled=no interface=Varos_Stefan_doma->CCR name=\
    pppoe-out-stefan user=stefan
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool1 ranges=192.168.1.10-192.168.1.254
add name=dhcp_pool2 ranges=192.168.2.2-192.168.2.254
add name=dhcp_pool3 ranges=192.168.3.2-192.168.3.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=vlan1-kabelnet name=dhcp1
add address-pool=dhcp_pool2 interface=vlan2-maxnet name=dhcp2
add address-pool=dhcp_pool3 interface=vlan3-maxnet-stefan name=dhcp3
/port
set 0 name=serial0
/routing ospf instance
add disabled=no name=ospf-instance-1 router-id=10.1.255.35
/routing ospf area
add area-id=2.2.2.2 disabled=no instance=ospf-instance-1 name=area2 \
    no-summaries type=stub
/routing table
add disabled=no fib name="mark=DHCP1_TO_KABELNET_WAN1"
add disabled=no fib name=DHCP2_TO_MAXNET_WAN2
add disabled=no fib name=DHCP3_TO_MAXNET_STEFAN_WAN3
/ip neighbor discovery-settings
set discover-interface-list=none
/interface wireguard peers
add allowed-address=173.1.1.2/32 interface=wireguard public-key=\
    "Kxx="
add allowed-address=173.1.1.3/32 interface=wireguard public-key=\
    "xxx="
/ip address
add address=192.168.1.1/24 interface=vlan1-kabelnet network=192.168.1.0
add address=192.168.2.1/24 interface=vlan2-maxnet network=192.168.2.0
add address=192.168.3.1/24 interface=vlan3-maxnet-stefan network=192.168.3.0
add address=172.1.1.1/24 interface=vlan-management network=172.1.1.0
add address=10.1.255.35 interface=Loopback0 network=10.1.255.35
add address=10.24.3.2/29 interface=ether2 network=10.24.3.0
add address=173.1.1.1/24 interface=wireguard network=173.1.1.0
/ip dhcp-client
add interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.1.1
add address=192.168.2.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.2.1
add address=192.168.3.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.3.1
/ip dns
set servers=1.1.1.1,1.0.0.1
/ip firewall address-list
add address=192.168.2.0/24 comment=maxnet list=dhcp2
add address=82.2xx.xxx.5 list=maxnet_wan
add address=192.168.1.0/24 comment=kabelnet list=dhcp1
add address=2xx.xx.xx.xx list=kabelnet_wan
/ip firewall filter
add action=accept chain=input comment="allow WireGuard" dst-port=43231 \
    protocol=udp
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
    173.1.1.0/24
/ip firewall mangle
add action=accept chain=prerouting comment="pristap od dhcp1 do dhcp2" \
    dst-address=192.168.0.0/16 src-address=192.168.0.0/16
add action=accept chain=prerouting comment="pristap do antene kabelnet" \
    dst-address=10.0.0.0/8 src-address=192.168.1.0/24
add action=accept chain=prerouting comment="pristap do vlan management" \
    dst-address=172.1.1.0/24 src-address=192.168.1.0/24
add action=accept chain=prerouting comment="Pristap do antene maxnet" \
    dst-address=10.0.0.0/8 src-address=192.168.2.0/24
add action=accept chain=prerouting comment="Pristap do local WireGuard" \
    dst-address=173.1.1.0/24 src-address=192.168.0.0/16
add action=accept chain=prerouting comment="Pristap do antene Stefan-maxnet" \
    dst-address=10.0.0.0/8 src-address=192.168.3.0/27
add action=accept chain=prerouting comment=\
    "Allow ping gateway dhcp1-kabelnet" dst-address=192.168.1.1 src-address=\
    192.168.1.0/24
add action=accept chain=prerouting comment="Allow ping gateway dhcp2-maxnet" \
    dst-address=192.168.2.1 src-address=192.168.2.0/24
add action=accept chain=prerouting comment="Allow ping gateway dhcp3-stefan" \
    dst-address=192.168.3.1 src-address=192.168.3.0/24
add action=mark-routing chain=prerouting comment="dhcp1 go to kabelnet wan1" \
    new-routing-mark="mark=DHCP1_TO_KABELNET_WAN1" passthrough=yes \
    src-address=192.168.1.0/24
add action=mark-routing chain=prerouting comment="dhcp2 go to maxnet wan2" \
    new-routing-mark=DHCP2_TO_MAXNET_WAN2 passthrough=yes src-address=\
    192.168.2.0/24
add action=mark-routing chain=prerouting comment=\
    "dhcp3 go to maxnet_stefan wan3" new-routing-mark=\
    DHCP3_TO_MAXNET_STEFAN_WAN3 passthrough=yes src-address=192.168.3.0/24
add action=mark-connection chain=prerouting comment=\
    "Mark connections for hairpin NAT Kabelnet" dst-address-list=kabelnet_wan \
    new-connection-mark="Hairpin NAT_kabelnet" passthrough=yes \
    src-address-list=dhcp1
add action=mark-connection chain=prerouting comment=\
    "Mark connections for hairpin NAT maxnet" dst-address-list=maxnet_wan \
    new-connection-mark="Hairpin NAT_maxnet" passthrough=yes \
    src-address-list=dhcp2
/ip firewall nat
add action=masquerade chain=srcnat comment="pristap do antene" dst-address=\
    10.0.0.0/8 out-interface=ether2 src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment=Kabelnet out-interface=ether1 \
    src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="WireGuard Kabelnet" src-address=\
    173.1.1.0/24
add action=masquerade chain=srcnat comment=maxnet out-interface=\
    pppoe-out-maxnet src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment=maxnet-stefan out-interface=\
    pppoe-out-stefan src-address=192.168.3.0/24
add action=dst-nat chain=dstnat comment="WireGuard VPN" dst-address-list=\
    kabelnet_wan dst-port=43231 protocol=udp to-addresses=192.168.1.1 \
    to-ports=43231
add action=dst-nat chain=dstnat comment="https 443" \
    dst-address-list=maxnet_wan dst-port=443 protocol=tcp to-addresses=\
    192.168.2.242 to-ports=443
add action=dst-nat chain=dstnat comment="http 80" dst-address-list=\
    maxnet_wan dst-port=80 protocol=tcp to-addresses=192.168.2.242 to-ports=\
    80
    192.168.2.242 to-ports=22
add action=masquerade chain=srcnat comment="Hairpin NAT Kabelnet" \
    connection-mark="Hairpin NAT_kabelnet"
add action=masquerade chain=srcnat comment="Hairpin NAT Maxnet" \
    connection-mark="Hairpin NAT_maxnet"
/ip proxy
set src-address=xxxxx
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out-stefan \
    pref-src="" routing-table=DHCP3_TO_MAXNET_STEFAN_WAN3 scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=213.135.179.1 \
    pref-src="" routing-table="mark=DHCP1_TO_KABELNET_WAN1" scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out-maxnet \
    pref-src="" routing-table=DHCP2_TO_MAXNET_WAN2 scope=30 \
    suppress-hw-offload=no target-scope=10
/mpls interface
add disabled=no interface=ether3 mpls-mtu=1550
/mpls ldp
add disabled=no lsr-id=10.1.255.35 transport-addresses=10.1.255.35
/mpls ldp interface
add disabled=no interface=ether2
/routing ospf interface-template
add area=area2 disabled=no interfaces=Loopback0 networks=10.1.255.35/32
add area=area2 disabled=no interfaces=ether2 networks=10.24.3.0/29
/system ntp server
set broadcast-addresses=172.1.1.1


Who is online

Users browsing this forum: Google [Bot], GoogleOther [Bot], neki, UncleGringo and 50 guests