fengyuclub
Member Candidate
Topic Author

dualwan hairpin nat consultation

Tue Mar 10, 2020 5:54 am

Hello everyone, I recently encountered a problem. I have read a lot of posts, and it should be a hairpin NAT problem, but my situation may be a bit special, so I hope to get answers.
My network configuration is roughly as shown in the figure. There are 2 Internet access lines: one is a static IP, 1.1.1.1, and the other is a dynamic ADSL line, 2.2.2.2.
The internal network is divided into multiple VLANs through Layer 2 switch ports. The default VLAN is 10.0.0.0/24. There is a web server for external services, http://1.1.1.1:8888.

vlan10 and vlan11 use the 2.2.2.2 line to access the Internet. The default vlan1 uses the 1.1.1.1 static IP line to access the Internet.
The current situation is that the default vlan1 can access the web service through the internal network (http://10.0.0.2:8888) and the external network (http://1.1.1.1:8888), while the other VLANs cannot access the web service at all (neither http://10.0.0.2:8888 nor http://1.1.1.1:8888 is accessible).
Excuse me for using Google Translate for English.
[attachment: 1111.png]
 
Sob
Forum Guru

Re: dualwan hairpin nat consultation

Tue Mar 10, 2020 2:28 pm

It's not a hairpin NAT problem. Only devices in the same subnet as the server need hairpin NAT. In your case it's only vlan1. Both vlan10 and vlan11 have a different subnet, so no hairpin NAT is needed there.

It's probably your routing. If you mark routing from vlan10 and vlan11 in order to use WAN 2.2.2.2, it's possible that you "mask" other local networks. Blind guess, this could help:
/ip route rule
add action=lookup-only-in-table dst-address=10.0.0.0/24 table=main
If not, then do:
/export hide-sensitive file=myconfig
And post content of resulting myconfig.rsc here in code tags.
 
anav
Forum Guru

Re: dualwan hairpin nat consultation

Tue Mar 10, 2020 5:15 pm

I gag when I see the use of VLAN1. I would change that to vlan100 or any other number, but I doubt it has anything to do with any of the issues at play.
 
fengyuclub
Member Candidate
Topic Author

Re: dualwan hairpin nat consultation

Sun Mar 15, 2020 6:55 am

> It's not a hairpin NAT problem. Only devices in the same subnet as the server need hairpin NAT. In your case it's only vlan1. Both vlan10 and vlan11 have a different subnet, so no hairpin NAT is needed there.
>
> It's probably your routing. If you mark routing from vlan10 and vlan11 in order to use WAN 2.2.2.2, it's possible that you "mask" other local networks. Blind guess, this could help:
> /ip route rule
> add action=lookup-only-in-table dst-address=10.0.0.0/24 table=main
> If not, then do:
> /export hide-sensitive file=myconfig
> And post content of resulting myconfig.rsc here in code tags.

I followed your suggestion, but if the host 10.0.0.253 in the subnet 10.0.0.0/23 is marked to go out via the ADSL line, it cannot access the services of 10.0.0.2. The rule seems to have no effect. Please ignore the subnet 10.0.0.0/24 drawn in the figure.
 
fengyuclub
Member Candidate
Topic Author

Re: dualwan hairpin nat consultation

Sun Mar 15, 2020 6:56 am

re-upload
 
Sob
Forum Guru

Re: dualwan hairpin nat consultation

Sun Mar 15, 2020 7:23 pm

Try again and be more accurate.

There's no dstnat for port 8888 like you had in the original post. The only dstnat going to 10.0.0.2 is port 1514, which can't work from LAN because it has in-interface=WAN-ether2. But that wouldn't work not only from the vlans, but not from the main 10.0.0.0/23 either.

And I'm not sure what 10.0.0.253 has to do with it. It's in the same subnet as 10.0.0.2, so direct connections must work. Normally the router would not interfere with it at all. You have for some reason enabled IP firewall for the bridge, so the router can interfere, but you have no filter rules, so it doesn't block anything. And even in case it marks routing, the rule would override that.
 
fengyuclub
Member Candidate
Topic Author

Re: dualwan hairpin nat consultation

Mon Mar 16, 2020 3:05 am

> Try again and be more accurate.
>
> There's no dstnat for port 8888 like you had in the original post. The only dstnat going to 10.0.0.2 is port 1514, which can't work from LAN because it has in-interface=WAN-ether2. But that wouldn't work not only from the vlans, but not from the main 10.0.0.0/23 either.
>
> And I'm not sure what 10.0.0.253 has to do with it. It's in the same subnet as 10.0.0.2, so direct connections must work. Normally the router would not interfere with it at all. You have for some reason enabled IP firewall for the bridge, so the router can interfere, but you have no filter rules, so it doesn't block anything. And even in case it marks routing, the rule would override that.

I tried again and still couldn't. Well, maybe I didn't make it clear. I deleted some sensitive information in myconfig. For 10.0.0.2:8888 I just replaced an external service and removed the in-interface=WAN-ether2; I still can't access it. The main services on this host are UBNT UniFi Controller and UniFi Video. If the host 10.0.0.253 is set to go out via 1.1.1.1, it can access the services of 10.0.0.2; if it is set to 2.2.2.2 on the ADSL line, it will not be able to access these services. My question is this: how can I make the intranet or the other VLANs, or specifically the hosts that exit via the 2.2.2.2 line, able to access the 10.0.0.2 service?
 
fengyuclub
Member Candidate
Topic Author

Re: dualwan hairpin nat consultation

Mon Mar 16, 2020 3:09 am

> I gag when I see the use of VLAN1. I would change that to vlan100 or any other number, but I doubt it has anything to do with any of the issues at play.

After reading your article about VLAN and que, I was very inspired. VLAN1 is actually the base VLAN, or the default VLAN and management VLAN. Maybe my habit is not very professional; please don't mind this. My problem is mainly multi-line, multi-LAN: internal LAN users accessing internal services. I hope to get everyone's help, thank you.
 
Sob
Forum Guru

Re: dualwan hairpin nat consultation

Thu Mar 19, 2020 4:17 am

Removing sensitive stuff is ok, but it must not break the ability to understand the config. If you ask about port 8888, I need to see the dstnat rule for port 8888. Currently it's not there. If it contains a public address you want to hide, it's no problem, just replace it with your fake 2.2.2.2. I can look at your other dstnat rules, but I can't be sure that there isn't something wrong with the one I'm not seeing.
 
anav
Forum Guru

Re: dualwan hairpin nat consultation

Thu Mar 19, 2020 2:55 pm

/export hide-sensitive file=anyname

Download and open in Notepad++.
Remove or put in fake numbers for the WAN IP or other sensitive stuff that didn't already get blocked.
Without the config we are just guessing, and that's no fun.
 
fengyuclub
Member Candidate
Topic Author

Re: dualwan hairpin nat consultation

Fri Mar 20, 2020 4:47 am

myconfig
 
fengyuclub
Member Candidate
Topic Author

Re: dualwan hairpin nat consultation

Fri Mar 20, 2020 4:57 am

> Removing sensitive stuff is ok, but it must not break the ability to understand the config. If you ask about port 8888, I need to see the dstnat rule for port 8888. Currently it's not there. If it contains a public address you want to hide, it's no problem, just replace it with your fake 2.2.2.2. I can look at your other dstnat rules, but I can't be sure that there isn't something wrong with the one I'm not seeing.

Please don't worry about 10.0.0.2:8888. I want to know about these users in adsl-out-client:
add address=10.0.0.20 list=adsl-out-client
add address=10.0.0.24 list=adsl-out-client
add address=10.0.0.224 disabled=yes list=adsl-out-client
add address=10.0.0.33 disabled=yes list=adsl-out-client
add address=10.0.1.250 list=adsl-out-client
add address=10.0.1.251 list=adsl-out-client

How can I access the UniFi Controller on 10.0.1.252 of the intranet:
add action=dst-nat chain=dstnat comment="Unifi Controll Office 1.252" \
    dst-address=1.1.1.1 dst-port=8180 protocol=tcp to-addresses=10.0.1.252 to-ports=8080
add action=dst-nat chain=dstnat dst-address=1.1.1.1 dst-port=8081 \
    protocol=tcp to-addresses=10.0.1.252 to-ports=8081
add action=dst-nat chain=dstnat dst-address=1.1.1.1 dst-port=8443 \
    protocol=tcp to-addresses=10.0.1.252 to-ports=8443
add action=dst-nat chain=dstnat dst-address=1.1.1.1 dst-port=3478 \
    protocol=udp to-addresses=10.0.1.252 to-ports=3478
add action=dst-nat chain=dstnat dst-address=1.1.1.1 dst-port=27117 \
    protocol=tcp to-addresses=10.0.1.252 to-ports=27117

Where is my problem? I am about to crash.
 
Sob
Forum Guru

Re: dualwan hairpin nat consultation

Fri Mar 20, 2020 5:57 am

So you want e.g. client 10.0.0.20 to connect to server 1.1.1.1:8180, which would redirect it to 10.0.1.252:8080, correct? It should work:

- Client 10.0.0.20 tries to connect to 1.1.1.1:8180.
- Mangle rule gives it routing mark "slave_adsl".
- Dstnat changes destination to 10.0.1.252:8080.
- Normally the destination would be looked up in routing table "slave_adsl", which doesn't contain local 10.0.1.252, so everything would go to the internet (gateway=adsl-tx). But the routing rule overrides that, so it will find the connected route in the main table.
- There's nothing in the firewall filter that would block it.
- Both client and target server are in the same subnet, which would be a problem, but you have a hairpin NAT rule to fix it.
- The server will see the connection from 10.0.0.1, so it will send the response back to the router and it will forward it to the client.

In short, I don't see where the problem could be. But you can verify it step by step (add these at the top before everything else):
/ip firewall mangle
add chain=prerouting dst-address=1.1.1.1 protocol=tcp dst-port=8180 action=log log-prefix=step1
add chain=postrouting dst-address=10.0.1.252 protocol=tcp dst-port=8080 action=log log-prefix=step2
add chain=prerouting src-address=10.0.1.252 protocol=tcp src-port=8080 action=log log-prefix=step3
add chain=postrouting src-address=1.1.1.1 protocol=tcp src-port=8180 action=log log-prefix=step4
step1 - request from client came to router
step2 - request was forwarded to server (check for correct outgoing interface)
step3 - response from server came to router
step4 - response was forwarded to client
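To make the walkthrough above concrete, here is an added Python model of the route lookup a dst-natted packet goes through (an illustration written for this page, not the poster's config or any RouterOS code): a main table with the connected 10.0.0.0/23 route, a slave_adsl table holding only a default route, the adsl-out-client hosts from the thread, and the lookup-only-in-table rule. The table and gateway labels, and the assumption that the mangle chain marks exactly the adsl-out-client hosts, are constructed for the example.

```python
import ipaddress

# Constructed model of the setup in this thread (added example, not the
# poster's config): two routing tables, the hosts the mangle chain marks,
# and the single routing rule Sob suggested.
TABLES = {
    "main": [
        ("10.0.0.0/23", "bridge"),     # connected LAN; 10.0.1.252 lives here
        ("0.0.0.0/0", "gw-1.1.1.1"),   # default route via the static-IP WAN
    ],
    "slave_adsl": [
        ("0.0.0.0/0", "adsl-tx"),      # only a default route, no LAN routes
    ],
}
# Sources that the mangle chain tags with routing-mark=slave_adsl (assumed)
ADSL_OUT_CLIENTS = {"10.0.0.20", "10.0.0.24", "10.0.1.250", "10.0.1.251"}
# /ip route rule add action=lookup-only-in-table dst-address=10.0.0.0/23 table=main
ROUTE_RULES = [("10.0.0.0/23", "main")]


def lookup(table, dst):
    """Longest-prefix match in one table; None means 'no route'."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, via in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, via)
    return best[1] if best else None


def route(src, dst, use_route_rule=True):
    """Next hop after prerouting mangle + dst-nat; `dst` is the address
    after dst-nat, since RouterOS routes on the rewritten packet."""
    mark = "slave_adsl" if src in ADSL_OUT_CLIENTS else "main"
    if use_route_rule:
        for prefix, table in ROUTE_RULES:
            if ipaddress.ip_address(dst) in ipaddress.ip_network(prefix):
                # lookup-only-in-table: the routing mark is ignored for this dst
                return lookup(table, dst)
    return lookup(mark, dst)


if __name__ == "__main__":
    # Client 10.0.0.20 -> 1.1.1.1:8180, dst-natted to 10.0.1.252:8080
    print("without route rule:", route("10.0.0.20", "10.0.1.252", False))  # adsl-tx
    print("with route rule:   ", route("10.0.0.20", "10.0.1.252"))         # bridge
    print("internet from 10.0.0.20:", route("10.0.0.20", "203.0.113.10"))  # adsl-tx
```

Without the rule the marked client's LAN-bound packet matches only the ADSL default route and leaves via the wrong WAN; with it, the connected route in main wins while internet-bound traffic from the same client still uses the ADSL line.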
 
fengyuclub
Member Candidate
Topic Author

Re: dualwan hairpin nat consultation

Fri Mar 20, 2020 8:53 am

I added the 4 mangle rules at the top as you said. You can see that the fourth one has no packets passing through. What should I do?
add chain=postrouting src-address=1.1.1.1 protocol=tcp src-port=8180 action=log log-prefix=step4
[attachment: 1.png]
 
Sob
Forum Guru

Re: dualwan hairpin nat consultation

Fri Mar 20, 2020 3:22 pm

The last rule was my mistake: the address is changed back only after postrouting, so it couldn't work. Sorry. But judging by the number of packets, there's probably traffic also from other clients, so it's not very useful. And using action=accept is not exactly correct, because it stops processing in the given chain. Unlike action=log, which logs the packet but then continues to the following rules, so there's no change in behaviour.

You can try two things, either more specific rules:
/ip firewall mangle
add action=log chain=prerouting dst-address=1.1.1.1 dst-port=8180 log-prefix=step1 protocol=tcp src-address=10.0.0.20
add action=log chain=postrouting dst-address=10.0.1.252 dst-port=8080 log-prefix=step2 protocol=tcp src-address=10.0.0.20
add action=log chain=prerouting dst-address=10.0.0.1 log-prefix=step3 protocol=tcp src-address=10.0.1.252 src-port=8080
add action=log chain=postrouting dst-address=10.0.0.20 log-prefix=step4 protocol=tcp src-address=10.0.1.252 src-port=8080
But step3 will be logged also for traffic from other clients. And you definitely want action=log, because you want to see what exactly the server sends back (could be ack or rst, which makes a difference).

Or more foolproof version:
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new dst-address=1.1.1.1 dst-port=8180 \
    new-connection-mark=test passthrough=yes protocol=tcp src-address=10.0.0.20
add action=accept chain=prerouting connection-mark=test log=yes log-prefix=step1
add action=accept chain=forward connection-mark=test log=yes log-prefix=step2
add action=accept chain=postrouting connection-mark=test log=yes log-prefix=step3
It will log only the traffic you're interested in and nothing else. It should log step1-3 for both directions. It's again not ideal, because action=accept changes behaviour, as described before, but as a test it should be ok.
 
fengyuclub
Member Candidate
Topic Author

Re: dualwan hairpin nat consultation

Tue Mar 24, 2020 12:41 pm

Somehow it's just fine now. I carefully compared the configuration before and after; only
/ip route rule
add action=lookup-only-in-table dst-address=10.0.0.0/23 table=main
was added later. It may be because the router had not restarted; I set it to restart every Sunday. Does this rule need a restart to take effect? Now any intranet host can access the services of the intranet. It should be this rule, thank you.
 
Sob
Forum Guru

Re: dualwan hairpin nat consultation

Tue Mar 24, 2020 5:38 pm

RouterOS generally doesn't need restarts; almost everything works immediately when you change it.