Mattie
newbie
Topic Author
Posts: 40
Joined: Sat Nov 02, 2013 8:35 pm

Hairpin NAT on RB2011UAS-2HnD-IN

Tue Dec 03, 2013 5:07 pm

Hi,

I'm having trouble getting hairpin NAT to work on my RB2011UAS-2HnD-IN (version 6.5)

I currently have this NAT settings:
[admin@MikroTik] > /ip firewall nat print 
Flags: X - disabled, I - invalid, D - dynamic 
0 / 1 -> disabled rules

 2   ;;; masquerade
     chain=srcnat action=masquerade out-interface=ether1-gateway 

 4   ;;; Hairpin NAT rule
     chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=192.168.1.250 

 5   ;;; SERV: FTP (this is a normal nat rule that works fine)
     chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=20-21 protocol=tcp in-interface=ether1-gateway dst-port=20-21 
The best option for me would be something like this:
- request to external IP
- router parses request, checks NAT rules to see what IP to forward and relays packet to that IP

However, as far as I understand I need to add a special NAT rule for EVERY device (most rules go to 192.168.1.250), so that would be fine as well.

Thanks for any advice!
 
Joe1vm
newbie
Posts: 28
Joined: Sat Apr 06, 2013 4:07 pm

Re: Hairpin NAT on RB2011UAS-2HnD-IN

Tue Dec 03, 2013 10:30 pm


5 ;;; SERV: FTP (this is a normal nat rule that works fine)
chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=20-21 protocol=tcp in-interface=ether1-gateway dst-port=20-21

!
Hi Mattie,
I am not a specialist, but Hairpin NAT is working properly for me on the same router since version 6.7, including "fixed hairpin nat on bridge with use-ip-firewall=yes;"

I think you may want to check http://wiki.mikrotik.com/wiki/Hairpin_NAT carefully together with the highlighted rule. I would say that the traffic from LAN will hardly reach ether1-gateway as in-interface - this I would expect to work from outside only. But maybe I am wrong....

Regards
Josef
 
pcunite
Forum Guru
Posts: 1347
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Hairpin NAT on RB2011UAS-2HnD-IN

Wed Dec 04, 2013 3:48 pm

ROS v6.7 fixed my hairpin nat issues too ... update.
 
Mattie
newbie
Topic Author
Posts: 40
Joined: Sat Nov 02, 2013 8:35 pm

Re: Hairpin NAT on RB2011UAS-2HnD-IN

Thu Dec 05, 2013 1:05 pm

Hi,

Even when I update to 6.7 I still don't get it to work. Can you share your NAT rule?
 
Mattie
newbie
Topic Author
Posts: 40
Joined: Sat Nov 02, 2013 8:35 pm

Re: Hairpin NAT on RB2011UAS-2HnD-IN

Thu Dec 05, 2013 2:26 pm

Hi,

Even when I update to 6.7 I still don't get it to work. Can you share your NAT rule?

edit:

It works when I reboot my router!

However, I now have the following problem:

I want all traffic to my external IP just to go back internally, so I added the following rule:
 3   ;;; Hairpin NAT rule
     chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=192.168.1.0/24 
However, when I use the following:
 4   ;;; SERV: FTP
     chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=80 protocol=tcp in-interface=ether1-gateway dst-port=80
It doesn't work, so I remove the "in-interface":
 4   ;;; SERV: FTP
     chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=80 protocol=tcp dst-port=80
But: now all my outgoing internet traffic is transferred to my server!

So now I make this rule (where 1.1.1.1 is my external IP):
5   ;;; SERV: HTTP
     chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=80 protocol=tcp dst-address=1.1.1.1 dst-port=80
But: I have a dynamic IP, so I don't want to change it all the time.

How can I forward all packets to my EXTERNAL ip with origin my internal network "back" into the network without having to set my external dynamic IP ?
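To make the three dstnat variants above comparable, here is an added model (example code, not RouterOS code and not from anyone in this thread) that evaluates sample flows against each rule using a small subset of RouterOS matcher semantics: in-interface, protocol, dst-port, dst-address, and dst-address-type=local. The last one is an existing RouterOS firewall matcher meaning "addressed to one of the router's own IPs", so it keeps matching after the ISP changes the public address. Addresses other than those in the thread (198.51.100.7, 203.0.113.10, the router LAN address 192.168.1.1) are constructed; the model also flags which rewritten flows need the srcnat masquerade rule (src 192.168.1.0/24, dst 192.168.1.0/24) for the return path.

```python
"""Model of RouterOS dst-nat matching for the rule variants in this thread.

Constructed example: three sample flows (a WAN client, a LAN client using
the public address, a LAN client going to the internet) are evaluated
against four dstnat variants with a minimal subset of the real matcher
semantics.  Addresses not taken from the thread are constructed
(RFC 5737 documentation ranges).
"""
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")
SERVER = "192.168.1.250"           # the internal server from the thread
ROUTER_LAN_IP = "192.168.1.1"      # assumed router LAN address
WAN_IP = "1.1.1.1"                 # the thread's placeholder public address
INTERNET_HOST = "203.0.113.10"     # constructed: a server on the internet

# The dstnat variants discussed in the thread, plus dst-address-type=local.
RULE_IN_IFACE = {"in-interface": "ether1-gateway", "protocol": "tcp",
                 "dst-port": 80, "to-addresses": SERVER}
RULE_NO_MATCHER = {"protocol": "tcp", "dst-port": 80, "to-addresses": SERVER}
RULE_DST_ADDR = {"dst-address": WAN_IP, "protocol": "tcp",
                 "dst-port": 80, "to-addresses": SERVER}
RULE_DST_LOCAL = {"dst-address-type": "local", "protocol": "tcp",
                  "dst-port": 80, "to-addresses": SERVER}


def matches(rule, pkt, router_ips):
    """True if every matcher present in the rule matches the packet."""
    if "in-interface" in rule and pkt["in_iface"] != rule["in-interface"]:
        return False
    if "protocol" in rule and pkt["proto"] != rule["protocol"]:
        return False
    if "dst-port" in rule and pkt["dport"] != rule["dst-port"]:
        return False
    if "dst-address" in rule and pkt["dst"] != rule["dst-address"]:
        return False
    # dst-address-type=local: destined to the router itself, whatever address
    # it currently holds; no public IP is written into the rule.
    if rule.get("dst-address-type") == "local" and pkt["dst"] not in router_ips:
        return False
    return True


def dstnat_target(rule, pkt, router_ips):
    """Destination after the dstnat chain: rewritten only if the rule matched."""
    return rule["to-addresses"] if matches(rule, pkt, router_ips) else pkt["dst"]


def needs_hairpin_masquerade(src, new_dst):
    """A LAN->LAN flow that was dst-natted needs the srcnat masquerade rule;
    otherwise the server answers the client directly from 192.168.1.250 and
    the client, which spoke to the public address, discards the reply."""
    return ip_address(src) in LAN and ip_address(new_dst) in LAN


def evaluate(rule, wan_ip=WAN_IP):
    """Apply one dstnat rule to the sample flows for a given WAN address.

    Returns {flow name: (destination after NAT, hairpin srcnat needed)}.
    """
    router_ips = (wan_ip, ROUTER_LAN_IP)
    flows = {
        "wan_client":      {"in_iface": "ether1-gateway", "src": "198.51.100.7",
                            "dst": wan_ip, "proto": "tcp", "dport": 80},
        "lan_hairpin":     {"in_iface": "bridge-local", "src": "192.168.1.20",
                            "dst": wan_ip, "proto": "tcp", "dport": 80},
        "lan_to_internet": {"in_iface": "bridge-local", "src": "192.168.1.20",
                            "dst": INTERNET_HOST, "proto": "tcp", "dport": 80},
    }
    result = {}
    for name, pkt in flows.items():
        new_dst = dstnat_target(rule, pkt, router_ips)
        result[name] = (new_dst, needs_hairpin_masquerade(pkt["src"], new_dst))
    return result


if __name__ == "__main__":
    for label, rule in [("in-interface", RULE_IN_IFACE),
                        ("no matcher", RULE_NO_MATCHER),
                        ("dst-address=1.1.1.1", RULE_DST_ADDR),
                        ("dst-address-type=local", RULE_DST_LOCAL)]:
        print(label, evaluate(rule))
    # After the ISP hands out a new address only dst-address-type=local still hairpins.
    print("after IP change:", evaluate(RULE_DST_ADDR, wan_ip="1.1.1.2"),
          evaluate(RULE_DST_LOCAL, wan_ip="1.1.1.2"))
```

Running it reproduces the three symptoms in order: with in-interface=ether1-gateway the LAN flow to the public address is never rewritten, with no address matcher the LAN flow to the internet is hijacked to the server, and with dst-address=1.1.1.1 everything is right until the public address changes. The dst-address-type=local variant behaves like the dst-address one but survives the address change, which is the dynamic-IP case asked about above.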
 
marcus65
newbie
Posts: 26
Joined: Fri Feb 08, 2013 4:15 am
Location: Brooklyn, New York

Re: Hairpin NAT on RB2011UAS-2HnD-IN

Tue Dec 10, 2013 9:00 pm

I'm a beginner but hairpin nat works for me on my RB2011 with an out interface, not a dst-address. I'm sending local traffic (192.168.1.0/24) to the local bridge.

6 ;;; Hairpin NAT
chain=srcnat action=masquerade protocol=tcp src-address=192.168.1.0/24
out-interface=bridge-local dst-port=21,22,25,80,143,587,993,443