stevester
just joined
Topic Author
Posts: 8
Joined: Wed Feb 22, 2023 3:53 am

Help with hairpin NAT between VLANs

Tue Oct 31, 2023 10:30 pm

Having an issue accessing an internally hosted mail server that I can access fine from the internet, but not from the local network.

My LAN users are in the 192.168.88.0/24 subnet, and my mail server is located in the 192.168.89.0/24 subnet in a VLAN. My LAN devices can access/see the mail server just fine; however, the problem seems to be that it is unable to resolve the WAN IP (hairpin NAT type issue, as I understand it?).

I have a dual WAN setup, with my LAN primarily using WAN1 (sfp1) and my mail server primarily using WAN2 (macvlan1).

My configuration is uploaded below:
https://pastebin.com/80ufmrfB

Any pointers about how I can resolve this matter? Thanks in advance!
 
anav
Forum Guru
Posts: 22173
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help with hairpin NAT between VLANs

Wed Nov 01, 2023 4:02 pm

Hairpin NAT would not be the issue, as the other LAN users are on a different subnet/VLAN.
Hairpin would exist if you also had users on the 192.168.89.0 subnet attempting to reach the server by WAN IP.

In firewall rules one only needs the plain rule in the forward chain, which you already have!
/ip firewall filter
add chain=forward action=accept connection-nat-state=dstnat

I see you kept the default forward chain rule which incorporated dst-nat and WAN, which would have been a problem, but it's further down the rule list than the above rule, so not the problem here.

The destination NAT rule needs to be properly configured as well. It would appear that is okay as well, but I suggest trying your IP Cloud address like so, just to be sure! So instead of in-interface=sfp1:

/ip firewall address-list
add address=mynetname.net list=WAN-address comment="my ip cloud address"

/ip firewall nat
add chain=dstnat action=dst-nat dst-address-list=WAN-address etc etc..........

+++++++++++++++++++++++++
Personally, I am surprised anything works. It would appear to me your config is overly complex and hosed: you don't even have bridge VLAN filtering enabled and yet purport to be using VLAN on bridge, and I have no idea what ether1 (WAN port?) [ EDIT: okay, see WAN port is sfp1 and it's disabled ] is doing on the bridge either. Not familiar with bonding or macvlan, so cannot comment on those.
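The full rule set the advice above amounts to, written out as an added example (this is not anav's or stevester's configuration, and the server address, ports and DNS name are placeholders chosen to match the thread's addressing). It also shows why keying the dst-nat rule on the public address rather than on in-interface=sfp1 is what makes internal clients work: a packet from 192.168.88.0/24 addressed to the public IP arrives on the bridge/VLAN interface, so a rule matching the WAN interface never sees it, whereas a dst-address match does. The srcnat masquerade rule is only needed for the same-subnet case anav describes.

```routeros
# Added example, not code from the original thread.
# Assumptions (hypothetical, chosen to match the thread):
#   WAN interfaces: sfp1 (WAN1) and macvlan1 (WAN2)
#   LAN users: 192.168.88.0/24   mail server VLAN: 192.168.89.0/24
#   mail server: 192.168.89.25, published on TCP 25 and 587
#   IP Cloud DNS name: mynetname.net (placeholder)

# 1. Resolve the public address by name. RouterOS keeps a DNS-name entry in
#    an address list resolved dynamically, so a WAN address change does not
#    break the NAT rule. With two WAN links, add both names/addresses here.
/ip firewall address-list
add address=mynetname.net list=WAN-address comment="public address via IP Cloud"

# 2. Destination NAT keyed on the public address, not on in-interface=sfp1.
#    An in-interface match only sees packets that entered on the WAN port.
#    A LAN client sending to the public IP enters on the bridge/VLAN
#    interface, so it would never match such a rule; a dst-address match
#    covers internet clients, internal clients and both WAN links.
/ip firewall nat
add chain=dstnat action=dst-nat dst-address-list=WAN-address protocol=tcp \
    dst-port=25,587 to-addresses=192.168.89.25 comment="publish mail server"

# 3. Hairpin source NAT, needed only for clients on the SAME subnet as the
#    server (192.168.89.0/24). Without it the server answers the client
#    directly on the shared L2 segment, the client sees a reply from
#    192.168.89.25 instead of the public IP and discards it. srcnat runs
#    after dstnat, so dst-address here is the already-translated address.
#    Clients on 192.168.88.0/24 do not need this: their return traffic is
#    routed back through the router anyway.
add chain=srcnat action=masquerade src-address=192.168.89.0/24 \
    dst-address=192.168.89.25 protocol=tcp dst-port=25,587 \
    comment="hairpin NAT for same-subnet clients"

# 4. Filter: accept DNATed connections in forward. This rule must sit above
#    the default drop for non-DSTNATed traffic from WAN, e.g.
#      action=drop chain=forward connection-nat-state=!dstnat \
#        connection-state=new in-interface-list=WAN
#    After adding it, move it up with /ip firewall filter move.
/ip firewall filter
add chain=forward action=accept connection-nat-state=dstnat \
    comment="allow port-forwarded traffic"
```

To confirm the rules are being hit, watch the packet counters in `/ip firewall nat print stats` while connecting from a LAN client to the public name: the dstnat rule counter must increase for internal clients, and the srcnat hairpin counter should increase only for clients in 192.168.89.0/24.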
 
stevester
just joined
Topic Author
Posts: 8
Joined: Wed Feb 22, 2023 3:53 am

Re: Help with hairpin NAT between VLANs

Wed Dec 06, 2023 12:53 am

Hey thanks for your help,

Using the actual IP address of the WAN interfaces (as opposed to the interface name) in the dst-nat rules did the trick. Does seem odd, though, as the interface name method should in theory work as well, you'd think, but nonetheless I'm happy with the outcome.

Also cleaned up my config considerably after doing more reading on MikroTik; my new config is here if anyone else runs into the same issue and wants to review.
https://pastebin.com/PPz549nv