Community discussions

MikroTik App
  4. RouterOS
  5. Forwarding Protocols

Having trouble with Hairpin

Post Reply
 
JaySmith1112
just joined
Topic Author
Posts: 8
Joined: Tue Apr 26, 2016 12:12 am
Location: Santa Monica, CA, USA
Contact:
Contact JaySmith1112

Having trouble with Hairpin

Tue Oct 04, 2016 12:51 am

Hello there, I'm having an issue with Hairpin NAT. I'm unable to make one of my LAN's see a server on a different LAN, but connected to the same RB device. I have followed the directions in the wiki, but still can't get the computers to see the server on the other LAN. Any and all help is greatly appreciated.

Trying to get the 32.0/24 LAN to see the 224.0/24 LAN from the WAN port.
Code: Select all
/ip firewall filter
add chain=forward dst-port=3389 in-interface=ETH1_Main_WAN protocol=tcp
add chain=input dst-address=xx.xx.xx.36 dst-port=8080 in-interface=ETH1_Main_WAN protocol=tcp
add chain=forward comment="VoIP SIP" port=5060-5070 protocol=udp
add chain=forward comment="VoIP RTP" port=10000-20000 protocol=udp
add chain=input dst-port=8291 protocol=tcp
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add chain=input comment="defconf: accept ICMP" protocol=icmp
add chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ETH1_Main_WAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
    in-interface=ETH1_Main_WAN
add chain=forward port=3389 protocol=tcp
/ip firewall nat
add action=dst-nat chain=dstnat comment="Hairpin to 172.20.224.19" disabled=yes dst-address=!172.20.224.0/24 dst-address-type=local \
    dst-port=8080 protocol=tcp to-addresses=172.20.224.19 to-ports=8080
add action=masquerade chain=srcnat comment="Local to Local NAT" disabled=yes dst-port=8080 out-interface=ETH1_Main_WAN protocol=tcp \
    src-address=172.20.224.0/24
add action=masquerade chain=srcnat disabled=yes dst-address=172.20.224.19 dst-port=8080 protocol=tcp src-address=172.20.32.0/24
add action=src-nat chain=srcnat disabled=yes dst-address=172.20.224.0/24 dst-port=8080 out-interface="ETH5 - Public LAN" protocol=tcp \
    src-address=172.20.32.0/24 to-addresses=172.20.224.19 to-ports=0-65535
add action=dst-nat chain=dstnat dst-address=xx.xx.xxx.35 dst-port=3389 protocol=tcp to-addresses=172.20.224.55 to-ports=3389
add chain=dstnat dst-port=3389 protocol=tcp
add action=dst-nat chain=dstnat in-interface=ETH1_Main_WAN protocol=tcp to-addresses=172.20.224.19
add action=masquerade chain=srcnat disabled=yes dst-address=172.20.224.19 dst-port=80 out-interface=bridge protocol=tcp
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ETH1_Main_WAN
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=172.20.32.0/24
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=dst-nat chain=dstnat port=3389 protocol=udp to-addresses=172.20.224.55 to-ports=3389
Top
 
2frogs
Forum Veteran
Forum Veteran
Posts: 713
Joined: Fri Dec 03, 2010 1:38 am

Re: Having trouble with Hairpin

Tue Oct 04, 2016 5:12 am

If you are having trouble connecting from 172.20.32.0/24 to the internal server at 172.20.224.19, then you have a dst-nat issue.
Code: Select all
/ip firewall nat
add action=dst-nat chain=dstnat in-interface=ETH1_Main_WAN protocol=tcp to-addresses=172.20.224.19
This will only work for traffic coming in on ETH1_Main_WAN and since 172.20.32.0/24 is coming from a local LAN it never hits this interface. You have to specify your WAN IP like the other dst-nat rule you have. (It is also better to add the dst-ports that you need instead of sending all the ports.)
Code: Select all
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=xx.xx.xxx.35 dst-port=xx protocol=tcp to-addresses=172.20.224.19 to-ports=xx
And then a simple Hairpin NAT should work.
Code: Select all
/ip firewall nat
add action=masqureade chain=srcnat dst-address=172.20.224.19 src-address=172.20.32.0/24 out-interface=ETH5 - Public LAN comment="Hairpin to 172.20.224.19"
Top
Post Reply
  4. RouterOS
  5. Forwarding Protocols