here is my config, i can access via internet, but not from the local lan! can someone help me?
add action=dst-nat chain=dstnat comment="OPEN 443 WEB, RULE 25-40 PACKETS PER SECOND" dst-address-type="" dst-limit=25,40,dst-address/1m dst-port=443 \
in-interface=all-ethernet log=yes log-prefix="WEB CONNECTION" protocol=tcp to-addresses=192.168.10.10 to-ports=443
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.10.10 to-ports=80
I ADDED these two lastly, after 230942 attempts to make it work, but i continuos wrong.
add action=masquerade chain=srcnat dst-address=192.168.10.10 dst-address-type="" protocol=tcp src-address=192.168.10.0/24
add action=masquerade chain=srcnat dst-address=192.168.10.1 dst-address-type=local protocol=tcp
Re: HAIRPIN HAT not working
try to add this one
Code: Select all
/ip firewall nat add action=netmap chain=dstnat dst-address=WAN_IP dst-port=443,80 protocol=tcp to-addresses=192.168.10.10-
-
rodrigobenta
newbie
- Posts: 28
- Joined:
Re: HAIRPIN HAT not working
thanks for your reply, but still can not enter from local lan.. i can from outside of the office..try to add this oneCode: Select all/ip firewall nat add action=netmap chain=dstnat dst-address=WAN_IP dst-port=443,80 protocol=tcp to-addresses=192.168.10.10
Re: HAIRPIN HAT not working
Read this: viewtopic.php?f=2&t=126724&p=623599#p623599 post and quoted thread in it.
or directly this: viewtopic.php?f=2&t=102483&p=508981#p508981
or directly this: viewtopic.php?f=2&t=102483&p=508981#p508981
Re: HAIRPIN HAT not working
after you dst-nat from global to LAN, add these 2 rules:
ip firewall nat
add action=dst-nat chain=dstnat dst-address="your global IP" dst-port=80 in-interface="LAN interface for your web server"
protocol=tcp src-address=192.168.10.0/24 to-addresses=192.168.10.10 to-ports=80
add action=masquerade chain=srcnat dst-address=192.168.10.10 dst-port=80 out-interface="LAN interface for your web server" protocol=tcp src-address=192.168.10.0/24
ip firewall nat
add action=dst-nat chain=dstnat dst-address="your global IP" dst-port=80 in-interface="LAN interface for your web server"
protocol=tcp src-address=192.168.10.0/24 to-addresses=192.168.10.10 to-ports=80
add action=masquerade chain=srcnat dst-address=192.168.10.10 dst-port=80 out-interface="LAN interface for your web server" protocol=tcp src-address=192.168.10.0/24
Re: HAIRPIN HAT not working
It is better to do src-nat with specified IP instead of masquarade.
-
-
rodrigobenta
newbie
- Posts: 28
- Joined:
Re: HAIRPIN HAT not working
after you dst-nat from global to LAN, add these 2 rules:
ip firewall nat
add action=dst-nat chain=dstnat dst-address="your global IP" dst-port=80 in-interface="LAN interface for your web server"
protocol=tcp src-address=192.168.10.0/24 to-addresses=192.168.10.10 to-ports=80
add action=masquerade chain=srcnat dst-address=192.168.10.10 dst-port=80 out-interface="LAN interface for your web server" protocol=tcp src-address=192.168.10.0/24
still not working :S . thanks dude
-
-
rodrigobenta
newbie
- Posts: 28
- Joined:
Re: HAIRPIN HAT not working
how would you change what he said?It is better to do src-nat with specified IP instead of masquarade.
also i tried this
add action=masquerade chain=srcnat comment="Hairpin NAT Masq" disabled=yes out-interface=ether1 src-address-list=Local
add action=netmap chain=dstnat disabled=yes dst-address="wanip" dst-port=443,80 protocol=tcp src-address-list=\
Local to-addresses=192.168.10.10
and there if i look on packets, they start to flush, but still cannot reach the site
Re: HAIRPIN HAT not working
Set only three rules. Simple dst-nat for connectivity from Internet and my previous 2 rules to hook the global IP from LAN. With this setup I have web access to web resource with global IP from LAN.
First rule is
ip firewall nat
add action=dst-nat chain=dstnat dst-port=80 in-interface="your global interface"
protocol=tcp to-addresses=192.168.10.10 to-ports=80
First rule is
ip firewall nat
add action=dst-nat chain=dstnat dst-port=80 in-interface="your global interface"
protocol=tcp to-addresses=192.168.10.10 to-ports=80
-
-
rodrigobenta
newbie
- Posts: 28
- Joined:
Re: HAIRPIN HAT not working
Set only three rules. Simple dst-nat for connectivity from Internet and my previous 2 rules to hook the global IP from LAN. With this setup I have web access to web resource with global IP from LAN.
First rule is
ip firewall nat
add action=dst-nat chain=dstnat dst-port=80 in-interface="your global interface"
protocol=tcp to-addresses=192.168.10.10 to-ports=80
Ok my friend, now i have only these rules enabled.
/ip firewall nat
1 chain=dstnat action=dst-nat to-addresses=192.168.10.10 to-ports=443 protocol=tcp dst-address-type=local in-interface=ether1 dst-port=443
dst-limit=25,40,dst-address/1m log=yes log-prefix="WEB CONNECTION"
9 chain=dstnat action=dst-nat to-addresses=192.168.10.10 to-ports=443 protocol=tcp src-address=192.168.10.0/24 dst-address="GLOBAL IP" in-interface=ether1
dst-port=443
10 chain=srcnat action=masquerade protocol=tcp src-address=192.168.10.0/24 dst-address=192.168.10.10 out-interface=ether1 dst-port=443
not working, idk why
Re: HAIRPIN HAT not working
ether1 is LAN interface or WAN?
your 9 and 10 rules must have LAN interface. 9 rule in and 10 is out
your 9 and 10 rules must have LAN interface. 9 rule in and 10 is out
-
-
rodrigobenta
newbie
- Posts: 28
- Joined:
Re: HAIRPIN HAT not working
ether1 is LAN interface or WAN?
your 9 and 10 rules must have LAN interface. 9 rule in and 10 is out
ether1 is my wan.. but if i put the etherX where i have my server, it doesn't let me finish the rule, an error pop out
Re: HAIRPIN HAT not working
What rule exacly? Maybe your LAN interface belongs to some master port or bridge? Then, you need point this bridge or master port in 9 and 10 rules. Or you have to extract this port from bridge or slave entity. You have to point LAN interface of your web server, otherwise you can't establish hairpin nat mechanic.ether1 is LAN interface or WAN?
your 9 and 10 rules must have LAN interface. 9 rule in and 10 is out
ether1 is my wan.. but if i put the etherX where i have my server, it doesn't let me finish the rule, an error pop out
-
-
rodrigobenta
newbie
- Posts: 28
- Joined:
Re: HAIRPIN HAT not working
What rule exacly? Maybe your LAN interface belongs to some master port or bridge? Then, you need point this bridge or master port in 9 and 10 rules. Or you have to extract this port from bridge or slave entity. You have to point LAN interface of your web server, otherwise you can't establish hairpin nat mechanic.ether1 is LAN interface or WAN?
your 9 and 10 rules must have LAN interface. 9 rule in and 10 is out
ether1 is my wan.. but if i put the etherX where i have my server, it doesn't let me finish the rule, an error pop out
now you say that, i have this rule, created by mikrotik itself, i never wrote this.
chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""
Re: HAIRPIN HAT not working
I'm talking about 9 and 10 rules only. Forget about classic masquerade. Change interfaces on them.What rule exacly? Maybe your LAN interface belongs to some master port or bridge? Then, you need point this bridge or master port in 9 and 10 rules. Or you have to extract this port from bridge or slave entity. You have to point LAN interface of your web server, otherwise you can't establish hairpin nat mechanic.ether1 is LAN interface or WAN?
your 9 and 10 rules must have LAN interface. 9 rule in and 10 is out
ether1 is my wan.. but if i put the etherX where i have my server, it doesn't let me finish the rule, an error pop out
now you say that, i have this rule, created by mikrotik itself, i never wrote this.
chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""
-
-
rodrigobenta
newbie
- Posts: 28
- Joined:
Re: HAIRPIN HAT not working [SOLVED]
I'm talking about 9 and 10 rules only. Forget about classic masquerade. Change interfaces on them.What rule exacly? Maybe your LAN interface belongs to some master port or bridge? Then, you need point this bridge or master port in 9 and 10 rules. Or you have to extract this port from bridge or slave entity. You have to point LAN interface of your web server, otherwise you can't establish hairpin nat mechanic.ether1 is LAN interface or WAN?
your 9 and 10 rules must have LAN interface. 9 rule in and 10 is out
ether1 is my wan.. but if i put the etherX where i have my server, it doesn't let me finish the rule, an error pop out
now you say that, i have this rule, created by mikrotik itself, i never wrote this.
chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""
men, you are a f********ng GOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOD! if i could, i would go to you and give you a hug men jaja
Re: HAIRPIN HAT not working
i have exactly same problem like @rodrigobenta
i've tried a lot of solution from google search and mikrotik forum search.
i want to reach to local server (192.168.0.52) in local network (my local ip: 192.168.0.165) with external ip (1.1.1.10). (My external IP is static)
When i try reach from out network (e.g. 2.2.2.2) to (1.1.1.10) -> SUCCESS
When i try reach from in network (192.168.0.165) to (192.168.0.52) -> SUCCESS
When i try reach from in network (192.168.0.165) to (1.1.1.10) -> FAIL : ERR_CONNECTION_REFUSED
RouterOS 6.40.1
RouterBOARD 3011UiAS
/ip firewall nat export
add action=masquerade chain=srcnat dst-address=192.168.0.52 dst-port=629 out-interface=Local protocol=tcp src-address=192.168.0.0/24
add action=dst-nat chain=dstnat dst-address=1.1.1.10 dst-port=629 in-interface=Local protocol=tcp src-address=192.168.0.0/24 to-addresses=192.168.0.52 to-ports=629
add action=masquerade chain=srcnat out-interface=RADIO-LINK src-address=192.168.0.0/24
add action=dst-nat chain=dstnat dst-port=629 in-interface=RADIO-LINK protocol=tcp to-addresses=192.168.0.52 to-ports=629
/interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE ACTUAL-MTU L2MTU MAX-L2MTU
0 R ;;; [ETH1]-LINK_GIRIS
RADIO-LINK ether 1500 1598 8156
1 R ;;; [ETH2]-VDSL_GIRIS
VDSL-ETH ether 1500 1598 8156
2 S ether3 ether 1500 1598 8156
3 S ether4 ether 1500 1598 8156
4 S ether5 ether 1500 1598 8156
5 RS ether6 ether 1500 1598 8156
6 RS ether7 ether 1500 1598 8156
7 RS ether8 ether 1500 1598 8156
8 S ether9 ether 1500 1598 8156
9 S ether10 ether 1500 1598 8156
10 sfp1 ether 1500 1600 8158
11 R ;;; [ETH3-ETH10]-LOCAL_NETWORK_192.168.0.1/24
Local bridge 1500 1598
/ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 1.1.1.10/30 1.1.1.8 RADIO-LINK
1 10.1.1.121/24 10.1.1.0 VDSL-ETH
2 192.168.0.1/24 192.168.0.0 Local
I have 2 INTERNET input. (Load balancing in local network)
RADIO-LINK connect on port 1 directly.
RADIO-LINK's static IP is: 1.1.1.10
VDSL-ETH connect port 2 over adsl modem.
mikrotik support team from in my country (TR) say this is not possible. But i can see from videos and forum posts that can be done.
It is possible? Where do i make mistakes?
i've tried a lot of solution from google search and mikrotik forum search.
@rodrigobenta, please share me all rules. i want give a hug toomen, you are a f********ng GOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOD! if i could, i would go to you and give you a hug men jaja
@Anumrak, your solution have not worked for me.I'm talking about 9 and 10 rules only. Forget about classic masquerade. Change interfaces on them.
i want to reach to local server (192.168.0.52) in local network (my local ip: 192.168.0.165) with external ip (1.1.1.10). (My external IP is static)
When i try reach from out network (e.g. 2.2.2.2) to (1.1.1.10) -> SUCCESS
When i try reach from in network (192.168.0.165) to (192.168.0.52) -> SUCCESS
When i try reach from in network (192.168.0.165) to (1.1.1.10) -> FAIL : ERR_CONNECTION_REFUSED
RouterOS 6.40.1
RouterBOARD 3011UiAS
/ip firewall nat export
add action=masquerade chain=srcnat dst-address=192.168.0.52 dst-port=629 out-interface=Local protocol=tcp src-address=192.168.0.0/24
add action=dst-nat chain=dstnat dst-address=1.1.1.10 dst-port=629 in-interface=Local protocol=tcp src-address=192.168.0.0/24 to-addresses=192.168.0.52 to-ports=629
add action=masquerade chain=srcnat out-interface=RADIO-LINK src-address=192.168.0.0/24
add action=dst-nat chain=dstnat dst-port=629 in-interface=RADIO-LINK protocol=tcp to-addresses=192.168.0.52 to-ports=629
/interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE ACTUAL-MTU L2MTU MAX-L2MTU
0 R ;;; [ETH1]-LINK_GIRIS
RADIO-LINK ether 1500 1598 8156
1 R ;;; [ETH2]-VDSL_GIRIS
VDSL-ETH ether 1500 1598 8156
2 S ether3 ether 1500 1598 8156
3 S ether4 ether 1500 1598 8156
4 S ether5 ether 1500 1598 8156
5 RS ether6 ether 1500 1598 8156
6 RS ether7 ether 1500 1598 8156
7 RS ether8 ether 1500 1598 8156
8 S ether9 ether 1500 1598 8156
9 S ether10 ether 1500 1598 8156
10 sfp1 ether 1500 1600 8158
11 R ;;; [ETH3-ETH10]-LOCAL_NETWORK_192.168.0.1/24
Local bridge 1500 1598
/ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 1.1.1.10/30 1.1.1.8 RADIO-LINK
1 10.1.1.121/24 10.1.1.0 VDSL-ETH
2 192.168.0.1/24 192.168.0.0 Local
I have 2 INTERNET input. (Load balancing in local network)
RADIO-LINK connect on port 1 directly.
RADIO-LINK's static IP is: 1.1.1.10
VDSL-ETH connect port 2 over adsl modem.
mikrotik support team from in my country (TR) say this is not possible. But i can see from videos and forum posts that can be done.
It is possible? Where do i make mistakes?
Re: HAIRPIN HAT not working
In your , I can see you translate the source IP of the TCP requests, coming from your local subnet and forwarded to the server at 192.168.0.52, to Mikrotik's own IP address using the following rule:
This forces the server at 192.168.0.52 to send the response to Mikrotik rather than directly to the client (which would normally be the case as the client and the server are in the same subnet).
But even though the response packet is forced through Mikrotik this way, the client in 192.168.0.0/24 still gets the response from 192.168.0.52 while it has sent its request to 1.1.1.10, which may confuse it. Now a srcnat rule implicitly creates, thanks to "connection tracking", an equivalent of a dstnat rule for the opposite direction, so the Mikrotik changes the destination IP in the received response from its own one to that of the real client. However, I'm not sure the same is the case for dstnat rules. So I would manually add another srcnat rule, mirroring the dstnat one which would translate the destination IP of the request from 1.1.1.10 to 192.168.0.52:
Code: Select all
/ip firewall nat exportCode: Select all
add action=masquerade chain=srcnat dst-address=192.168.0.52 dst-port=629 out-interface=Local protocol=tcp src-address=192.168.0.0/24But even though the response packet is forced through Mikrotik this way, the client in 192.168.0.0/24 still gets the response from 192.168.0.52 while it has sent its request to 1.1.1.10, which may confuse it. Now a srcnat rule implicitly creates, thanks to "connection tracking", an equivalent of a dstnat rule for the opposite direction, so the Mikrotik changes the destination IP in the received response from its own one to that of the real client. However, I'm not sure the same is the case for dstnat rules. So I would manually add another srcnat rule, mirroring the dstnat one which would translate the destination IP of the request from 1.1.1.10 to 192.168.0.52:
Code: Select all
add chain=srcnat src-address=192.168.0.52 protocol=tcp src-port=629 out-interface=Local action=srcnat to-addresses=1.1.1.10 to-ports=629Re: HAIRPIN HAT not working
i added too this src-nat rule. should i remove dst-nat rule?So I would manually add another srcnat rule, mirroring the dstnat one which would translate the destination IP of the request from 1.1.1.10 to 192.168.0.52:
all of rules are like this: (bold line is newly added)
add action=masquerade chain=srcnat dst-address=192.168.0.52 dst-port=629 out-interface=Local protocol=tcp src-address=192.168.0.0/24
add action=dst-nat chain=dstnat dst-address=1.1.1.10 dst-port=629 in-interface=Local protocol=tcp src-address=192.168.0.0/24 to-addresses=192.168.0.52 to-ports=629
add action=masquerade chain=srcnat out-interface=RADIO-LINK src-address=192.168.0.0/24
add action=dst-nat chain=dstnat dst-port=629 in-interface=RADIO-LINK protocol=tcp to-addresses=192.168.0.52 to-ports=629
add action=src-nat chain=srcnat out-interface=Local protocol=tcp src-address=192.168.0.52 src-port=629 to-addresses=1.1.1.10 to-ports=629
unfortunately still not working
when i check with torch, only 1 package showing, then connection refused. Red area is RADIO-LINK's external IP (eg: 1.1.1.10)
You do not have the required permissions to view the files attached to this post.
Re: HAIRPIN HAT not working
I've tried to implement a subset of your scenario. My PC is connected to the LAN interface of a RB, and the gateway to the internet is connected to the WAN interface of the same RB. There already was a srcnat masquerade rule on the WAN interface, and I've added a dstnat rule for ssh (proctocol=tcp,dst-port 22) for dst-address matching the WAN IP of the RB which redirects the packet to the internet gateway. This rule alone was enough to log in to the internet gateway from a PC in the LAN subnet when indicating RB's WAN IP as destination and, noteworthy, to translate the source address of the TCP response from the internet gateway to RB's WAN IP when forwarding the response to the PC. So the dst-nat rule automatically works as src-nat in the opposite direction for related packets. The nat configuration and the resulting connection look as follows:
So "normally", i.e. when the client and server are connected to different subnets and different physical ports, these two rules alone are sufficient to make things work properly - at TCP level, both the server and the client think they talk to the RouterBoard, and connection tracking handles that as a single connection. So the srcnat rule I've suggested before is redundant, and the reason why it does not work in your scenario is different. Can you please paste here the export of your "/ip firewall filter" rules? If they are not responsible, then it must be the hairpinning itself, but it does not seem logical to me.
Code: Select all
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
add action=dst-nat chain=dstnat dst-address=192.168.5.173 dst-port=22 protocol=tcp to-addresses=192.168.5.1
/ip firewall connection print detail where src-address~":22" || dst-address~":22" || reply-src-address~":22" || reply-dst-address~":22"
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat
0 SAC Fsd protocol=tcp src-address=192.168.88.253:54434 dst-address=192.168.5.173:22 reply-src-address=192.168.5.1:22
reply-dst-address=192.168.5.173:54434 tcp-state=established timeout=23h45m orig-packets=18 orig-bytes=2 356 orig-fasttrack-packets=0
orig-fasttrack-bytes=0 repl-packets=19 repl-bytes=2 893 repl-fasttrack-packets=9 repl-fasttrack-bytes=1 713 orig-rate=0bps repl-rate=0bpsRe: HAIRPIN HAT not working
add action=src-nat chain=srcnat out-interface=Local protocol=tcp src-address=192.168.0.52 src-port=629 to-addresses=1.1.1.10 to-ports=629
Wrong idea.
You need only 4 NAT rules:
1) Classic masquerade for your local network in order to go to Internet;
2) Destination NAT IN rule for your provider interface in order to get access to your web server from outside;
3) Destination NAT IN rule for your LAN interface in order to translate IP packets from global destination to local destination;
4) Source NAT OUT rule for your LAN interface in order to translate IP packets from local source ip to your router's IP.
And absence of different firewall rules which can do collision of packets flow.
Wrong idea.
You need only 4 NAT rules:
1) Classic masquerade for your local network in order to go to Internet;
2) Destination NAT IN rule for your provider interface in order to get access to your web server from outside;
3) Destination NAT IN rule for your LAN interface in order to translate IP packets from global destination to local destination;
4) Source NAT OUT rule for your LAN interface in order to translate IP packets from local source ip to your router's IP.
And absence of different firewall rules which can do collision of packets flow.
Re: HAIRPIN HAT not working
here are my firewall filters:Can you please paste here the export of your "/ip firewall filter" rules?
ordinary drop port rules for each in-iterface
Code: Select all
;;; PROXY-ATAK-DROP
chain=input action=drop protocol=tcp in-interface=RADIO-LINK dst-port=8080 log=no
log-prefix=""
;;; PROXY-ATAK-DROP
chain=input action=drop protocol=tcp in-interface=VDSL-ETH dst-port=8080 log=no
log-prefix=""
;;; DNS-ATAK-DROP
chain=input action=drop protocol=tcp in-interface=VDSL-ETH dst-port=53 log=no
log-prefix=""
;;; DNS-ATAK-DROP
chain=input action=drop protocol=tcp in-interface=RADIO-LINK dst-port=53 log=no
log-prefix=""Re: HAIRPIN HAT not working
If firewall would be preventing the client on LAN from connecting to the server also on LAN redirected from the WAN IP of the Mikrotik, rules in filter chain "forward" would be responsible. So if no such rules exist, the reason must be different. I'll rearrange my test setup a bit to fully match yours and see what happens.
Re: HAIRPIN HAT not working
Hi Anumrak, for your described 4 rules, i checked my rules again. now my rules are shown like this:add action=src-nat chain=srcnat out-interface=Local protocol=tcp src-address=192.168.0.52 src-port=629 to-addresses=1.1.1.10 to-ports=629
Wrong idea.
You need only 4 NAT rules:
1) Classic masquerade for your local network in order to go to Internet;
2) Destination NAT IN rule for your provider interface in order to get access to your web server from outside;
3) Destination NAT IN rule for your LAN interface in order to translate IP packets from global destination to local destination;
4) Source NAT OUT rule for your LAN interface in order to translate IP packets from local source ip to your router's IP.
And absence of different firewall rules which can do collision of packets flow.
1) Classic masquerade for your local network in order to go to Internet;
add action=masquerade chain=srcnat out-interface=RADIO-LINK src-address=192.168.0.0/24
2) Destination NAT IN rule for your provider interface in order to get access to your web server from outside;
add action=dst-nat chain=dstnat dst-port=629 in-interface=RADIO-LINK protocol=tcp to-addresses=192.168.0.52 to-ports=629
3) Destination NAT IN rule for your LAN interface in order to translate IP packets from global destination to local destination;
add action=dst-nat chain=dstnat dst-address=1.1.1.10 dst-port=629 in-interface=Local protocol=tcp src-address=192.168.0.0/24 to-addresses=192.168.0.52 to-ports=629
4) Source NAT OUT rule for your LAN interface in order to translate IP packets from local source ip to your router's IP.
add action=src-nat chain=srcnat out-interface=Local protocol=tcp src-address=192.168.0.52 src-port=629 to-addresses=1.1.1.10 to-ports=629
Still it is not working
In torch tool only "Local" interface was catches packages. (I guess this is normal)
You do not have the required permissions to view the files attached to this post.
Re: HAIRPIN HAT not working
What is the device 192.168.0.52?
Re: HAIRPIN HAT not working
This is the server which I want to reach in local network.What is the device 192.168.0.52?
i want to reach to local server (192.168.0.52) in local network (my local ip: 192.168.0.195) with external ip (1.1.1.10). (My external IP is static)
When i try reach from out network (e.g. 2.2.2.2) to (1.1.1.10) -> SUCCESS
When i try reach from in network (192.168.0.195) to (192.168.0.52) -> SUCCESS
When i try reach from in network (192.168.0.195) to (1.1.1.10) -> FAIL : ERR_CONNECTION_REFUSED
Re: HAIRPIN HAT not working
What exactly is this server? Does it have iptables or something?This is the server which I want to reach in local network.What is the device 192.168.0.52?
i want to reach to local server (192.168.0.52) in local network (my local ip: 192.168.0.195) with external ip (1.1.1.10). (My external IP is static)
When i try reach from out network (e.g. 2.2.2.2) to (1.1.1.10) -> SUCCESS
When i try reach from in network (192.168.0.195) to (192.168.0.52) -> SUCCESS
When i try reach from in network (192.168.0.195) to (1.1.1.10) -> FAIL : ERR_CONNECTION_REFUSED
Re: HAIRPIN HAT not working
This is QNAP NAS server.What exactly is this server? Does it have iptables or something?
OS: QTS 4.3.4.0.4.35
In web panel, it hasn't iptables configuration. It has only TCP/IP network configuration.
You do not have the required permissions to view the files attached to this post.
Re: HAIRPIN HAT not working
Instead of torch, use packet sniffing to file and Wireshark to see what the response from the server was. At this stage we need to know whether the Mikrotik rejects the TCP session establishment or the server does. @Anumrak's question expresses a suspicion that the server may refuse requests coming from Mikrotik's own address (which is the case when the client connects to 1.1.1.10 and Mikrotik does a dst-nat and src-nat while forwarding the request) while it accepts requests coming from another address in the same subnet (which is the case when the client connects to 192.168.0.52 which means that routing and all firewall rules on Mikrotik are bypassed).
Re: HAIRPIN HAT not working
Wireshark result with filter (port 629) from client. (192.168.0.195)
You do not have the required permissions to view the files attached to this post.
Re: HAIRPIN HAT not working
You have TCP Reset segments. They transmitted because of wrong or not existing connection. Try to make hairpining to something else in your LAN.
Re: HAIRPIN HAT not working
What I can see in the capture is that the initial SYN packet from the client goes to the public address, but the response SYN,ACK from the server comes from the real address of the server, which makes the client send a RST as the SYN,ACK comes from an unexpected source. So the src-nat action (not necessarily rule!) in the server->client direction fails.
@emrah, I assume the client and the server are connected directly to RouterBoard's physical ports, or, if some other switching gear is between them and the RouterBoard, that it is possible for you to re-arrange cabling in such a way that the client is connected through one physical port of the RouterBoard and the server through another one. Once you are sure that the physical path between the cleint and server goes through the RouterBoard, sniff at both ports simultaneously. And set a display filter "tcp.port == 629 or icmp" when taking the screenshot of the result in Wireshark.
Either one of your NAT rules does not work as expected (maybe because connection tracking does not work), or the RouterBoard sends an icmp redirect to the server when it finds out that it should forward a packet to the same subnet from which it has arrived, so the server re-sends the packet directly to the client.
@emrah, I assume the client and the server are connected directly to RouterBoard's physical ports, or, if some other switching gear is between them and the RouterBoard, that it is possible for you to re-arrange cabling in such a way that the client is connected through one physical port of the RouterBoard and the server through another one. Once you are sure that the physical path between the cleint and server goes through the RouterBoard, sniff at both ports simultaneously. And set a display filter "tcp.port == 629 or icmp" when taking the screenshot of the result in Wireshark.
Either one of your NAT rules does not work as expected (maybe because connection tracking does not work), or the RouterBoard sends an icmp redirect to the server when it finds out that it should forward a packet to the same subnet from which it has arrived, so the server re-sends the packet directly to the client.
Re: HAIRPIN HAT not working
Anumrak can help?Your welcome
I have problem with hairpin. It's not working.
3 rules:
Code: Select all
add action=dst-nat chain=dstnat dst-address=GLOBALIP dst-port=80 protocol=tcp src-address=!192.0.0.0/23 to-addresses=192.0.0.13 to-ports=80
add action=dst-nat chain=dstnat dst-address= GLOBALIP dst-port=80 in-interface=bridge1 protocol=tcp src-address=192.0.0.0/23 to-addresses=192.0.0.13 to-ports=80
add action=masquerade chain=srcnat dst-address=192.0.0.13 dst-port=80 out-interface=bridge1 protocol=tcpit's working from other network, locally not.
bridge1 was default defined in rb, is this problem?