eduardoha
just joined
Topic Author
Posts: 17
Joined: Tue Feb 09, 2016 9:24 pm

Routing traffic to external url within LAN

Sat Nov 11, 2017 11:45 pm

Hi,
I have a NAS which allows me to log into it from the internet by using DDNS and a hostname. I’ve forwarded some ports in my gateway router so my Services are working from the outside. But... if I try to reach my hostname from a device inside my LAN (e.g. tablet), my Services do not work. It only works if instead of looking for the hostname I enter the local IP address.
Is there a way of “routing back” my traffic going to the hostname so that I can use it instead of my local private NAS IP address?
Thanks in advance! :mrgreen:
 
stoser
Member Candidate
Posts: 123
Joined: Sun Aug 21, 2016 12:04 am

Re: Routing traffic to external url within LAN

Sun Nov 12, 2017 12:39 am

See hairpin NAT

https://wiki.mikrotik.com/wiki/Hairpin_NAT


Or just set up the DNS cache on your mtik and set up static entry for local IP address
 
Steveocee
Forum Guru
Posts: 1189
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Routing traffic to external url within LAN

Tue Nov 14, 2017 5:07 pm

Hairpin NAT (as mentioned above)

Create a rule that NATs LAN range to LAN range with masquerade
Change port forward rules a little so destination IP is your WAN IP (see note below), remove in-interface as your WAN interface isn't used when you access locally

**This approach works great unless you are using a dynamic WAN IP at which point you can use IP>Firewall>Address-Lists and resolve your DDNS name within the router and then use dst-address list as your "WAN IP", this gives a "dynamic" hairpin NAT.
***I generally tend to use IP>Cloud when doing this as it is then a DDNS client built into the router.
 
eduardoha
just joined
Topic Author
Posts: 17
Joined: Tue Feb 09, 2016 9:24 pm

Re: Routing traffic to external url within LAN

Wed Nov 15, 2017 12:51 am

Thanks for the tip. I did some tests with hairpin but didn't work. I need to spend a bit more time to review my setup and check my config. Silly question though. The port to which my NAS is connected is acting as switch at the moment. Does that have any influence on hairpin NAT or is it transparent to it?
Indeed, the WAN IP allocated by my ISP is dynamic. I managed to resolve my DDNS with IP>Firewall>Addresses. Now how do I use that as argument to set-up the hairpin NAT?
In the example provided by the hairpin NAT documentation:
add chain=dstnat dst-address=1.1.1.1 protocol=tcp dst-port=80 action=dst-nat to-address=192.168.1.2
I understand I should replace 1.1.1.1 by the resolved DDNS IP address and 192.168.1.2 by my NAS's local private IP address.
Is there a way I can easily provide it as an argument instead of entering an actual IP address?

Will let you know the outcome. Thanks again for your precious help!
 
Steveocee
Forum Guru
Posts: 1189
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Routing traffic to external url within LAN

Wed Nov 15, 2017 11:19 am

Here is a very quick amendment to what I am using (as I have static IP)

First create the address list to update to your WAN IP address (ROS 6.37 onwards only, I think). This should be something like .mynetname if you use IP>Cloud
/ip firewall address-list
add address=dynamic.ip.address.com list=WANip
This is your hairpin rule, this absolutely must be the 1st rule in your router (top) as it needs to catch your LAN traffic before your regular masquerade rule
/ip firewall nat
add action=masquerade chain=srcnat comment=Hairpin dst-address=LANRANGE/24 src-address=LANRANGE/24
Your "port forwards" need to be set up as follows, notice there is no "in-interface" as not all traffic will be coming from the WAN interface
/ip firewall nat
add action=dst-nat chain=dstnat comment=Plex dst-address-list=WANip dst-port=32400 protocol=tcp to-addresses=LANIP
I hope that helps, if not do an export and let's see if we can push it any further.
 
eduardoha
just joined
Topic Author
Posts: 17
Joined: Tue Feb 09, 2016 9:24 pm

Re: Routing traffic to external url within LAN

Thu Nov 16, 2017 11:00 pm

Hi, thanks a lot for this. I tried following your steps but something's not working. The counters are getting pegged though.
More details below. Please let me know if you spot something wrong in my config.
I configured my IP list through IP>Firewall>IP list and that's working fine. I called it NAS-IP
My LAN is on 192.168.1.0/24
My NAS has 192.168.1.2
My Service runs on port 1000
Here's my config:
[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Hairpin
chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=192.168.1.0/24 log=no log-prefix=""
1 ;;; Hairpin2
chain=dstnat action=dst-nat to-addresses=192.168.1.2 protocol=tcp dst-address-list=NAS-IP dst-port=1000 log=no log-prefix=""
2 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN log=no log-prefix="" ipsec-policy=out,none
 
Steveocee
Forum Guru
Posts: 1189
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Routing traffic to external url within LAN

Fri Nov 17, 2017 12:02 pm

Couple of things to try;
Does the port forward work if you are off your local network? This will check to see if the port forward itself is working.
Secondly;
Your masquerade rule has out-interface-list=WAN
Do you have more than 1 WAN interface?
If so, can you add all of your WAN IPs to the address list you made that has the WAN IPs, as the traffic *could* be coming up a different interface?
 
stoser
Member Candidate
Posts: 123
Joined: Sun Aug 21, 2016 12:04 am

Re: Routing traffic to external url within LAN

Wed Nov 22, 2017 2:46 am


a) Need to include out-interface in srcnat rule. This should be your LAN interface
b) I would put the exact internal address of the NAS server in the srcnat rule, just to be more precise.
c) Although I don't think it matters technically, I would logically put the dstnat rule before the srcnat rule.

Otherwise, I do not see why this is not working. Do you have any filter rules that may be causing issues with LAN to LAN communications?
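
Why the LAN-to-LAN masquerade rule discussed in this thread is needed, traced as a small Python model (an added example, not part of any post). The LAN, NAS address and port are the ones quoted in the thread; the router LAN address 192.168.1.1 and the WAN address 203.0.113.10 are assumed values.

```python
from ipaddress import ip_address, ip_network

# LAN, NAS and PORT follow the thread; the two router addresses are assumptions.
LAN = ip_network("192.168.1.0/24")
NAS = ip_address("192.168.1.2")
PORT = 1000
ROUTER_LAN_IP = ip_address("192.168.1.1")  # assumed router LAN address
WAN_IP = ip_address("203.0.113.10")        # documentation address used as the WAN IP


def hairpin_flow(client, hairpin_masquerade):
    """Trace one connection to WAN_IP:PORT and the reply the client gets back."""
    src, dst = ip_address(client), WAN_IP

    # dstnat rule: traffic addressed to the WAN IP on PORT is sent to the NAS.
    if dst == WAN_IP:
        dst = NAS

    # srcnat hairpin rule: LAN-to-LAN traffic is rewritten to the router's
    # LAN address so that the NAS has to answer through the router.
    if hairpin_masquerade and src in LAN and dst in LAN:
        src = ROUTER_LAN_IP

    nas_sees_src = src  # the address that lands in the NAS access log

    # A reply to another host on the NAS's own subnet is switched directly and
    # never passes the router, so the dst-nat translation is not reversed.
    via_router = nas_sees_src == ROUTER_LAN_IP or nas_sees_src not in LAN
    reply_src = WAN_IP if via_router else NAS

    # The client opened the connection to WAN_IP and drops replies from
    # any other source address.
    return {
        "nas_sees_src": str(nas_sees_src),
        "reply_src_at_client": str(reply_src),
        "client_accepts": reply_src == WAN_IP,
    }


if __name__ == "__main__":
    for label, client, rule in [
        ("LAN client, no hairpin rule", "192.168.1.50", False),
        ("LAN client, hairpin rule", "192.168.1.50", True),
        ("Internet client", "198.51.100.7", False),
    ]:
        print(label, hairpin_flow(client, rule))
```

With the hairpin rule in place the NAS logs the router's address for every LAN client, so per-client entries in its access log are lost; the static DNS entry suggested earlier in the thread avoids the NAT step and keeps the real client address.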