
Hairpin NAT

Posted: Sat Nov 14, 2015 10:40 pm
by umbro
Hello,
I am looking for help with setting up hairpin NAT.
This is my scenario:
I have a www server behind NAT. I used NAT port forwarding to forward TCP port 80 to the inside LAN address 192.168.1.250 (LAN segment 192.168.1.0/24). On 192.168.1.250 I use nginx for domain management.

Everything works just fine, but only from external networks like the internet. So simply from the net I can reach my websites normally.

My problem is:
I am unable to force my LAN 192.168.1.0/24 to reach any www which I store on my server 192.168.1.250.
All my LAN computers/devices use network 192.168.1.0/24.

I was looking for a solution on the net and I found that some guy suggests setting up "hairpin NAT".
So I set something like below:

/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.250 protocol=tcp
dst-port=80 out-interface=bridge-lan action=masquerade


I guess I didn't get the point of setting this feature, because as a result none of the websites I try to open work; I mean I see my nginx which works on 192.168.1.250 instead of the website I am trying to open.


Could someone help me understand how to set up hairpin NAT properly?


Thanks in advance for any help.

Re: Hairpin NAT

Posted: Sun Nov 15, 2015 10:46 am
by umbro
Maybe I will add my settings:
[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; default configuration
      chain=srcnat action=masquerade out-interface=ether1-gateway log=no log-prefix="" 

 1    chain=srcnat action=masquerade protocol=tcp src-address=192.168.1.0/24 
      dst-address=192.168.1.250 out-interface=bridge-local dst-port=80 log=no log-prefix="" 

29    chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=80 
      protocol=tcp in-interface=ether1-gateway dst-port=80 log=no log-prefix="" 

Re: Hairpin NAT

Posted: Sun Nov 15, 2015 11:14 pm
by KillerOPS
I suggest you move your web server to a different IP space (192.168.2.x). Then no matter how you get to the server, it will pass through the router, and you won't have issues with gateways and so on.

On the other hand, I think it is possible to solve the problem if you disable rp_filter on the webserver, but I'm not 100% sure about this.

Re: Hairpin NAT

Posted: Mon Nov 16, 2015 9:45 am
by umbro
Indeed, if no one is able to help me then I need to go with your solution. Thank you for the reply!

Re: Hairpin NAT

Posted: Mon Nov 16, 2015 10:47 am
by skuykend
Remove the in-interface filter from your dstnat and add dst-address-type=local in its place.

Your hairpin traffic does not come in through the WAN interface. dst-address-type=local will forward any traffic with an IP address assigned to any of the router interfaces.

If you also use webfig on port 80 you'll need to either put in a filter for your specific WAN IP address or exclude your local LAN router IP from the dstnat.

Re: Hairpin NAT

Posted: Mon Nov 16, 2015 12:01 pm
by tslytsly
Maybe I will add my settings:
[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; default configuration
      chain=srcnat action=masquerade out-interface=ether1-gateway log=no log-prefix="" 

 1    chain=srcnat action=masquerade protocol=tcp src-address=192.168.1.0/24 
      dst-address=192.168.1.250 out-interface=bridge-local dst-port=80 log=no log-prefix="" 

29    chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=80 
      protocol=tcp in-interface=ether1-gateway dst-port=80 log=no log-prefix="" 
Hi mate,

you just need to tweak some rules.

Change rule 1 to look like this:
chain=srcnat action=masquerade protocol=tcp src-address=192.168.1.0/24 
      dst-address-type=local dst-port=80 log=no log-prefix=""
This means that any local LAN traffic heading to TCP port 80 on any local address of the router (the WAN address is local to the router) will have its src IP NATted.
(If your WAN has a fixed IP then just use that IP as the dst-address instead of the dst-address-type command, and just leave out the interface.)

EDIT:
Just saw the post above mine from skuykend:
Your hairpin traffic does not come in thru the WAN interface. dst-address-type=local will forward any traffic with an ip address assigned to any of the router interfaces.
That's the point I was making, but you made it clearer skuykend.

So rule 29 will only apply to traffic coming in the public interface, but local traffic comes in your LAN bridge.

So I would add another rule just below 29 like this:
chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=80 
      protocol=tcp dst-address-type=local dst-port=80 src-address=192.168.1.0/24 log=no log-prefix=""
Again this makes sure that any traffic from the local address space destined for port 80 on any router IP will be NATted to the web-server.
(skuykend is correct about the dst-address-type command if you have a dynamic WAN address; if it's fixed you can just use dst-address instead.)

EDIT:
This info comes from both my own experience with this and also this great post http://gregsowell.com/?p=4242 Greg knows his stuff.

Have a read so you understand the concept, it makes the rules above make more sense.

Also I have moved all of our production servers to a different subnet, for many reasons but one of the best side-effects is that I no longer need these rules :D

TslyTsly

Re: Hairpin NAT

Posted: Mon Nov 16, 2015 11:33 pm
by umbro
Hello,
I set the new NAT rules as you suggested.
Unfortunately it doesn't work.
Enabling rule number 1 prevents even access from the internet to my websites, so I had to disable it.
I added rule 30 as you mentioned.

I think I still need some help :/

I don't know if it's important, but: the nginx which works on 192.168.1.250 is handling domain management and usually passes traffic to network 10.0.3.0/24.

But anyway, when I try to reach my public IP address from my LAN then I should see something (the nginx welcome site should appear). It didn't happen.



[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; default configuration
      chain=srcnat action=masquerade out-interface=ether1-gateway log=no 
      log-prefix="" 

 1    chain=srcnat action=masquerade protocol=tcp src-address=192.168.1.0/24 
      dst-address-type=local dst-port=80 log=no log-prefix="" 

 2    chain=dstnat action=dst-nat to-addresses=10.0.3.101 to-ports=10011 
      protocol=tcp in-interface=ether1-gateway dst-port=10011 log=no 
      log-prefix="" 

 3    chain=dstnat action=dst-nat to-addresses=10.0.3.101 to-ports=5002 
      protocol=tcp in-interface=ether1-gateway dst-port=5002 log=no 
      log-prefix="" 

 4    chain=dstnat action=dst-nat to-addresses=10.0.3.101 to-ports=5002 
      protocol=udp in-interface=ether1-gateway dst-port=5002 log=no 
      log-prefix="" 

 5    chain=dstnat action=dst-nat to-addresses=10.0.3.108 to-ports=80 
      protocol=tcp in-interface=ether1-gateway dst-port=8808 log=no 
      log-prefix="" 

 6    chain=dstnat action=dst-nat to-addresses=10.0.3.108 to-ports=21 
      protocol=tcp in-interface=ether1-gateway dst-port=22218 log=no 
      log-prefix="" 

 7    chain=dstnat action=dst-nat to-addresses=10.0.3.108 to-ports=22228 
      protocol=tcp in-interface=ether1-gateway dst-port=22228 log=no 
      log-prefix="" 

 8    chain=dstnat action=dst-nat to-addresses=10.0.3.56 to-ports=21 protocol=tc>
      in-interface=ether1-gateway dst-port=22211 log=no log-prefix="" 

 9    chain=dstnat action=dst-nat to-addresses=10.0.3.110 to-ports=27015 
      protocol=tcp in-interface=ether1-gateway dst-port=27015 log=no 
      log-prefix="" 

10    chain=dstnat action=dst-nat to-addresses=10.0.3.110 to-ports=5432 
      protocol=tcp in-interface=ether1-gateway dst-port=5432 log=no 
      log-prefix="" 

11    chain=dstnat action=dst-nat to-addresses=10.0.3.110 to-ports=79 
      protocol=tcp in-interface=ether1-gateway dst-port=79 log=no log-prefix="" 

12    chain=dstnat action=dst-nat to-addresses=10.0.3.110 to-ports=22 
      protocol=tcp in-interface=ether1-gateway dst-port=22230 log=no 
      log-prefix="" 

13    chain=dstnat action=dst-nat to-addresses=10.0.3.111 to-ports=21 
      protocol=tcp in-interface=ether1-gateway dst-port=22121 log=no 
      log-prefix="" 

14    chain=dstnat action=dst-nat to-addresses=10.0.3.111 to-ports=22 
      protocol=tcp in-interface=ether1-gateway dst-port=22231 log=no 
      log-prefix="" 

15    chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=21 
      protocol=tcp in-interface=ether1-gateway dst-port=21 log=no log-prefix="" 

16    chain=dstnat action=dst-nat to-addresses=192.168.1.200 to-ports=3389 
      protocol=tcp in-interface=ether1-gateway dst-port=33891 log=no 
      log-prefix="" 

17    chain=dstnat action=dst-nat to-addresses=10.0.3.111 to-ports=80 
      protocol=tcp in-interface=ether1-gateway dst-port=8811 log=no 
      log-prefix="" 

18    chain=dstnat action=dst-nat to-addresses=10.0.3.112 to-ports=22 
      protocol=tcp in-interface=ether1-gateway dst-port=22232 log=no 
      log-prefix="" 

19    chain=dstnat action=dst-nat to-addresses=10.0.3.112 to-ports=9987 
      protocol=tcp in-interface=ether1-gateway dst-port=11200 log=no 
      log-prefix="" 

20    chain=dstnat action=dst-nat to-addresses=10.0.3.112 to-ports=9987 
      protocol=udp in-interface=ether1-gateway dst-port=11200 log=no 
      log-prefix="" 

21    chain=dstnat action=dst-nat to-addresses=10.0.3.112 to-ports=10011 
      protocol=tcp in-interface=ether1-gateway dst-port=11201 log=no 
      log-prefix="" 

22    chain=dstnat action=dst-nat to-addresses=10.0.3.112 to-ports=10011 
      protocol=udp in-interface=ether1-gateway dst-port=11201 log=no 
      log-prefix="" 

23    chain=dstnat action=dst-nat to-addresses=10.0.3.112 to-ports=30033 
      protocol=tcp in-interface=ether1-gateway dst-port=11202 log=no 
      log-prefix="" 

24    chain=dstnat action=dst-nat to-addresses=10.0.3.112 to-ports=30033 
      protocol=udp in-interface=ether1-gateway dst-port=11202 log=no 
      log-prefix="" 

25    chain=dstnat action=dst-nat to-addresses=10.0.3.110 to-ports=500 
      protocol=tcp in-interface=ether1-gateway dst-port=1100 log=no 
      log-prefix="" 

26    chain=dstnat action=dst-nat to-addresses=10.0.3.110 to-ports=1701 
      protocol=tcp in-interface=ether1-gateway dst-port=1101 log=no 
      log-prefix="" 

27    chain=dstnat action=dst-nat to-addresses=10.0.3.110 to-ports=1723 
      protocol=tcp in-interface=ether1-gateway dst-port=1102 log=no 
      log-prefix="" 

28    chain=dstnat action=dst-nat to-addresses=10.0.3.110 to-ports=4500 
      protocol=tcp in-interface=ether1-gateway dst-port=1103 log=no 
      log-prefix="" 

29    chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=80 
      protocol=tcp in-interface=ether1-gateway dst-port=80 log=no log-prefix="" 

30    chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=80 
      protocol=tcp src-address=192.168.1.0/24 dst-address=192.168.1.250 
      dst-address-type=local in-interface=ether1-gateway dst-port=80 log=no 
      log-prefix="" 

31    chain=dstnat action=dst-nat to-addresses=10.0.3.58 to-ports=21 protocol=tc>
      in-interface=ether1-gateway dst-port=22118 log=no log-prefix="" 

32    chain=dstnat action=dst-nat to-addresses=10.0.3.113 to-ports=22 
      protocol=tcp in-interface=ether1-gateway dst-port=22233 log=no 
      log-prefix="" 

33    chain=dstnat action=dst-nat to-addresses=10.0.3.113 to-ports=5900 
      protocol=tcp in-interface=ether1-gateway dst-port=11300 log=no 
      log-prefix="" 

34    chain=dstnat action=dst-nat to-addresses=192.168.1.251 to-ports=22 
      protocol=tcp in-interface=ether1-gateway dst-port=222 log=no 
      log-prefix="" 

35    chain=dstnat action=dst-nat to-addresses=10.0.3.101 to-ports=5119 
      protocol=tcp in-interface=ether1-gateway dst-port=5119 log=no 
      log-prefix="" 

36    chain=dstnat action=dst-nat to-addresses=10.0.3.101 to-ports=5119 
      protocol=udp in-interface=ether1-gateway dst-port=5119 log=no 
      log-prefix="" 

37    chain=dstnat action=dst-nat to-addresses=10.0.3.101 to-ports=30033 
      protocol=tcp in-interface=ether1-gateway dst-port=30033 log=no 
      log-prefix="" 

38    chain=dstnat action=dst-nat to-addresses=10.0.3.101 to-ports=22 
      protocol=tcp in-interface=ether1-gateway dst-port=22222 log=no 
      log-prefix="" 

39    chain=dstnat action=dst-nat to-addresses=10.0.3.101 to-ports=9987 
      protocol=udp in-interface=ether1-gateway dst-port=9987 log=no 
      log-prefix="" 

40    chain=dstnat action=dst-nat to-addresses=10.0.3.103 to-ports=80 
      protocol=tcp in-interface=ether1-gateway dst-port=8801 log=no 
      log-prefix="" 

41    chain=dstnat action=dst-nat to-addresses=10.0.3.103 to-ports=21 
      protocol=tcp in-interface=ether1-gateway dst-port=2221 log=no 
      log-prefix="" 

42    chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=22 
      protocol=tcp in-interface=ether1-gateway dst-port=2222 log=no 
      log-prefix="" 

43    chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=9091 
      protocol=tcp in-interface=ether1-gateway dst-port=9091 log=no 
      log-prefix="" 

44    chain=dstnat action=dst-nat to-addresses=10.0.3.59 to-ports=22 protocol=tc>
      in-interface=ether1-gateway dst-port=22224 log=no log-prefix="" 

45    chain=dstnat action=dst-nat to-addresses=10.0.3.59 to-ports=80 protocol=tc>
      in-interface=ether1-gateway dst-port=8804 log=no log-prefix="" 

46    chain=dstnat action=dst-nat to-addresses=10.0.3.59 to-ports=21 protocol=tc>
      in-interface=ether1-gateway dst-port=22214 log=no log-prefix="" 

47    chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=10090-1010>
      protocol=tcp in-interface=ether1-gateway dst-port=10090-10100 log=no 
      log-prefix="" 

[admin@MikroTik] /ip firewall nat> 


Re: Hairpin NAT

Posted: Tue Nov 17, 2015 12:10 am
by skuykend
Switch rule 1 (hairpin rule) back to how you had it originally. It's the dstnat forwards that need the in-interface filter removed and dst-address-type=local or dst-address added in its place.

Re: Hairpin NAT

Posted: Tue Nov 17, 2015 10:05 am
by umbro
Well, I moved rule nr 1 as you suggested and set it as you suggested..

Still no luck :/
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; default configuration
      chain=srcnat action=masquerade out-interface=ether1-gateway log=no 
      log-prefix="" 

 1    chain=dstnat action=dst-nat to-addresses=10.0.3.101 to-ports=10011 
      protocol=tcp in-interface=ether1-gateway dst-port=10011 log=no 
      log-prefix="" 

 2    chain=dstnat action=dst-nat to-addresses=10.0.3.101 to-ports=5002 
      protocol=tcp in-interface=ether1-gateway dst-port=5002 log=no 
      log-prefix="" 

 3    chain=dstnat action=dst-nat to-addresses=10.0.3.101 to-ports=5002 
      protocol=udp in-interface=ether1-gateway dst-port=5002 log=no 
      log-prefix="" 

 4    chain=dstnat action=dst-nat to-addresses=10.0.3.108 to-ports=80 
      protocol=tcp in-interface=ether1-gateway dst-port=8808 log=no 
      log-prefix="" 

 5    chain=dstnat action=dst-nat to-addresses=10.0.3.108 to-ports=21 
      protocol=tcp in-interface=ether1-gateway dst-port=22218 log=no 
      log-prefix="" 

 6    chain=dstnat action=dst-nat to-addresses=10.0.3.108 to-ports=22228 
      protocol=tcp in-interface=ether1-gateway dst-port=22228 log=no 
      log-prefix="" 

 7    chain=dstnat action=dst-nat to-addresses=10.0.3.56 to-ports=21 
      protocol=tcp in-interface=ether1-gateway dst-port=22211 log=no 
      log-prefix="" 

 8    chain=dstnat action=dst-nat to-addresses=10.0.3.110 to-ports=27015 
      protocol=tcp in-interface=ether1-gateway dst-port=27015 log=no 
      log-prefix="" 

 9    chain=dstnat action=dst-nat to-addresses=10.0.3.110 to-ports=5432 
      protocol=tcp in-interface=ether1-gateway dst-port=5432 log=no 
      log-prefix="" 

10    chain=dstnat action=dst-nat to-addresses=10.0.3.110 to-ports=79 
      protocol=tcp in-interface=ether1-gateway dst-port=79 log=no 
      log-prefix="" 

11    chain=dstnat action=dst-nat to-addresses=10.0.3.110 to-ports=22 
      protocol=tcp in-interface=ether1-gateway dst-port=22230 log=no 
      log-prefix="" 

12    chain=dstnat action=dst-nat to-addresses=10.0.3.111 to-ports=21 
      protocol=tcp in-interface=ether1-gateway dst-port=22121 log=no 
      log-prefix="" 

13    chain=dstnat action=dst-nat to-addresses=10.0.3.111 to-ports=22 
      protocol=tcp in-interface=ether1-gateway dst-port=22231 log=no 
      log-prefix="" 

14    chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=21 
      protocol=tcp in-interface=ether1-gateway dst-port=21 log=no 
      log-prefix="" 

15    chain=dstnat action=dst-nat to-addresses=192.168.1.200 to-ports=3389 
      protocol=tcp in-interface=ether1-gateway dst-port=33891 log=no 
      log-prefix="" 

16    chain=dstnat action=dst-nat to-addresses=10.0.3.111 to-ports=80 
      protocol=tcp in-interface=ether1-gateway dst-port=8811 log=no 
      log-prefix="" 

17    chain=dstnat action=dst-nat to-addresses=10.0.3.112 to-ports=22 
      protocol=tcp in-interface=ether1-gateway dst-port=22232 log=no 
      log-prefix="" 

18    chain=dstnat action=dst-nat to-addresses=10.0.3.112 to-ports=9987 
      protocol=tcp in-interface=ether1-gateway dst-port=11200 log=no 
      log-prefix="" 

19    chain=dstnat action=dst-nat to-addresses=10.0.3.112 to-ports=9987 
      protocol=udp in-interface=ether1-gateway dst-port=11200 log=no 
      log-prefix="" 

20    chain=dstnat action=dst-nat to-addresses=10.0.3.112 to-ports=10011 
      protocol=tcp in-interface=ether1-gateway dst-port=11201 log=no 
      log-prefix="" 

21    chain=dstnat action=dst-nat to-addresses=10.0.3.112 to-ports=10011 
      protocol=udp in-interface=ether1-gateway dst-port=11201 log=no 
      log-prefix="" 

22    chain=dstnat action=dst-nat to-addresses=10.0.3.112 to-ports=30033 
      protocol=tcp in-interface=ether1-gateway dst-port=11202 log=no 
      log-prefix="" 

23    chain=dstnat action=dst-nat to-addresses=10.0.3.112 to-ports=30033 
      protocol=udp in-interface=ether1-gateway dst-port=11202 log=no 
      log-prefix="" 

24    chain=dstnat action=dst-nat to-addresses=10.0.3.110 to-ports=500 
      protocol=tcp in-interface=ether1-gateway dst-port=1100 log=no 
      log-prefix="" 

25    chain=dstnat action=dst-nat to-addresses=10.0.3.110 to-ports=1701 
      protocol=tcp in-interface=ether1-gateway dst-port=1101 log=no 
      log-prefix="" 

26    chain=dstnat action=dst-nat to-addresses=10.0.3.110 to-ports=1723 
      protocol=tcp in-interface=ether1-gateway dst-port=1102 log=no 
      log-prefix="" 

27    chain=dstnat action=dst-nat to-addresses=10.0.3.110 to-ports=4500 
      protocol=tcp in-interface=ether1-gateway dst-port=1103 log=no 
      log-prefix="" 

28    chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=80 
      protocol=tcp in-interface=ether1-gateway dst-port=80 log=no 
      log-prefix="" 

29    chain=srcnat action=masquerade protocol=tcp src-address=192.168.1.0/24 
      dst-address-type=local dst-port=80 log=no log-prefix="" 

30    chain=dstnat action=dst-nat to-addresses=10.0.3.58 to-ports=21 
      protocol=tcp in-interface=ether1-gateway dst-port=22118 log=no 
      log-prefix="" 

31    chain=dstnat action=dst-nat to-addresses=10.0.3.113 to-ports=22 
      protocol=tcp in-interface=ether1-gateway dst-port=22233 log=no 
      log-prefix="" 

32    chain=dstnat action=dst-nat to-addresses=10.0.3.113 to-ports=5900 
      protocol=tcp in-interface=ether1-gateway dst-port=11300 log=no 
      log-prefix="" 

33    chain=dstnat action=dst-nat to-addresses=192.168.1.251 to-ports=22 
      protocol=tcp in-interface=ether1-gateway dst-port=222 log=no 
      log-prefix="" 

34    chain=dstnat action=dst-nat to-addresses=10.0.3.101 to-ports=5119 
      protocol=tcp in-interface=ether1-gateway dst-port=5119 log=no 
      log-prefix="" 

35    chain=dstnat action=dst-nat to-addresses=10.0.3.101 to-ports=5119 
      protocol=udp in-interface=ether1-gateway dst-port=5119 log=no 
      log-prefix="" 

36    chain=dstnat action=dst-nat to-addresses=10.0.3.101 to-ports=30033 
      protocol=tcp in-interface=ether1-gateway dst-port=30033 log=no 
      log-prefix="" 

37    chain=dstnat action=dst-nat to-addresses=10.0.3.101 to-ports=22 
      protocol=tcp in-interface=ether1-gateway dst-port=22222 log=no 
      log-prefix="" 

38    chain=dstnat action=dst-nat to-addresses=10.0.3.101 to-ports=9987 
      protocol=udp in-interface=ether1-gateway dst-port=9987 log=no 
      log-prefix="" 

39    chain=dstnat action=dst-nat to-addresses=10.0.3.103 to-ports=80 
      protocol=tcp in-interface=ether1-gateway dst-port=8801 log=no 
      log-prefix="" 

40    chain=dstnat action=dst-nat to-addresses=10.0.3.103 to-ports=21 
      protocol=tcp in-interface=ether1-gateway dst-port=2221 log=no 
      log-prefix="" 

41    chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=22 
      protocol=tcp in-interface=ether1-gateway dst-port=2222 log=no 
      log-prefix="" 

42    chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=9091 
      protocol=tcp in-interface=ether1-gateway dst-port=9091 log=no 
      log-prefix="" 

43    chain=dstnat action=dst-nat to-addresses=10.0.3.59 to-ports=22 
      protocol=tcp in-interface=ether1-gateway dst-port=22224 log=no 
      log-prefix="" 

44    chain=dstnat action=dst-nat to-addresses=10.0.3.59 to-ports=80 
      protocol=tcp in-interface=ether1-gateway dst-port=8804 log=no 
      log-prefix="" 

45    chain=dstnat action=dst-nat to-addresses=10.0.3.59 to-ports=21 
      protocol=tcp in-interface=ether1-gateway dst-port=22214 log=no 
      log-prefix="" 

46    chain=dstnat action=dst-nat to-addresses=192.168.1.250 
      to-ports=10090-10100 protocol=tcp in-interface=ether1-gateway 
      dst-port=10090-10100 log=no log-prefix="" 

[admin@MikroTik] /ip firewall nat>   


Re: Hairpin NAT

Posted: Tue Nov 17, 2015 10:43 am
by tslytsly
30    chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=80 
      protocol=tcp src-address=192.168.1.0/24 dst-address=192.168.1.250 
      dst-address-type=local in-interface=ether1-gateway dst-port=80 log=no 
      log-prefix="" 
This is wrong: you are still specifying that the traffic will come in on ether1-gateway, but if it's local LAN traffic it will not enter that interface.
You're also saying that the router should NAT it to 192.168.1.250 if it's heading to 192.168.1.250; this won't work.

So the rule should be
30    chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=80 
      protocol=tcp src-address=192.168.1.0/24 dst-address-type=local dst-port=80 log=no log-prefix="" 
I don't know if it's important, but: the nginx which works on 192.168.1.250 is handling domain management and usually passes traffic to network 10.0.3.0/24.
I'm not sure what this means exactly; does that server use a different subnet than the one your clients are on? If so you don't need hairpin NAT.
I suspect you have a slightly more complex network than I first thought.

Can you create a diagram or drawing that shows all aspects of your network?
So, WAN, Gateway, routers, DNS servers, all subnets?

That will help us to help you.
:)
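To make the two points from skuykend's and tslytsly's replies concrete (a dstnat rule with in-interface=ether1-gateway never sees LAN-originated traffic, and the srcnat masquerade is what keeps the server's reply flowing back through the router), here is a small model of the rule matching, added here and not taken from the forum or from RouterOS. It uses the addresses and rule fields from the thread; the public WAN address 203.0.113.10, the router LAN address 192.168.1.1 and the client 192.168.1.20 are constructed placeholders.

```python
"""Model of MikroTik dstnat/srcnat rule matching for the hairpin case in this thread.

Walks one LAN client's HTTP request to the router's public address through the
dstnat chain, the routing decision and the srcnat chain, and reports what the
web server sees and whether its reply comes back via the router.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

WAN_IF, LAN_IF = "ether1-gateway", "bridge-local"
ROUTER_IPS = {WAN_IF: "203.0.113.10", LAN_IF: "192.168.1.1"}  # constructed
LAN = ip_network("192.168.1.0/24")
WEB = "192.168.1.250"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    in_iface: str


@dataclass
class Rule:
    chain: str
    action: str
    protocol: Optional[str] = None
    src_address: Optional[str] = None
    dst_address: Optional[str] = None
    dst_address_type: Optional[str] = None   # only "local" is modelled
    in_interface: Optional[str] = None
    out_interface: Optional[str] = None
    dst_port: Optional[int] = None
    to_addresses: Optional[str] = None

    def matches(self, pkt: Packet, out_iface: Optional[str]) -> bool:
        """Every field that is set must match; unset fields match anything."""
        return all([
            self.protocol is None or self.protocol == pkt.proto,
            self.src_address is None or ip_address(pkt.src) in ip_network(self.src_address, strict=False),
            self.dst_address is None or ip_address(pkt.dst) in ip_network(self.dst_address, strict=False),
            self.dst_address_type is None or pkt.dst in ROUTER_IPS.values(),
            self.in_interface is None or self.in_interface == pkt.in_iface,
            self.out_interface is None or self.out_interface == out_iface,
            self.dst_port is None or self.dst_port == pkt.dport,
        ])


def route(dst: str) -> str:
    """Routing decision taken after dstnat: LAN destinations leave via the bridge."""
    return LAN_IF if ip_address(dst) in LAN else WAN_IF


def first_match(rules, chain, pkt, out_iface=None):
    for r in rules:
        if r.chain == chain and r.matches(pkt, out_iface):
            return r
    return None


def hairpin(rules, client="192.168.1.20"):
    """One LAN -> public-IP:80 packet through dstnat, routing and srcnat."""
    pkt = Packet(src=client, dst=ROUTER_IPS[WAN_IF], proto="tcp", dport=80, in_iface=LAN_IF)
    d = first_match(rules, "dstnat", pkt)
    if d and d.action == "dst-nat":
        pkt = replace(pkt, dst=d.to_addresses)
    out = route(pkt.dst)
    s = first_match(rules, "srcnat", pkt, out)
    src = ROUTER_IPS[out] if s and s.action == "masquerade" else pkt.src
    # The server sends replies to a router address, or to any off-subnet address,
    # through the router; replies to a LAN address go straight to the client,
    # which then receives a SYN-ACK from 192.168.1.250 instead of the public IP.
    return {
        "reaches_server": pkt.dst == WEB,
        "server_sees_src": src,
        "reply_via_router": pkt.dst == WEB and (src in ROUTER_IPS.values() or ip_address(src) not in LAN),
    }


# Rule 29 as posted: WAN-only forward, never matches traffic entering the bridge.
WAN_ONLY_FORWARD = Rule("dstnat", "dst-nat", protocol="tcp", in_interface=WAN_IF,
                        dst_port=80, to_addresses=WEB)
# umbro's rule 30: keeps in-interface=ether1-gateway and dst-address=192.168.1.250,
# so it cannot match a LAN packet addressed to the public IP.
BROKEN_RULE_30 = Rule("dstnat", "dst-nat", protocol="tcp", src_address="192.168.1.0/24",
                      dst_address=WEB, dst_address_type="local", in_interface=WAN_IF,
                      dst_port=80, to_addresses=WEB)
# tslytsly's corrected rule 30: any router-local address, no in-interface.
HAIRPIN_FORWARD = Rule("dstnat", "dst-nat", protocol="tcp", src_address="192.168.1.0/24",
                       dst_address_type="local", dst_port=80, to_addresses=WEB)
# srcnat rule 1 from the thread: masquerade LAN -> web-server traffic leaving the bridge.
HAIRPIN_MASQ = Rule("srcnat", "masquerade", protocol="tcp", src_address="192.168.1.0/24",
                    dst_address=WEB, out_interface=LAN_IF, dst_port=80)

if __name__ == "__main__":
    print("WAN-only forward: ", hairpin([WAN_ONLY_FORWARD, HAIRPIN_MASQ]))
    print("broken rule 30:   ", hairpin([WAN_ONLY_FORWARD, BROKEN_RULE_30, HAIRPIN_MASQ]))
    print("hairpin, no masq: ", hairpin([WAN_ONLY_FORWARD, HAIRPIN_FORWARD]))
    print("hairpin + masq:   ", hairpin([WAN_ONLY_FORWARD, HAIRPIN_FORWARD, HAIRPIN_MASQ]))
```

Note that dst-address-type=local also matches the router's own LAN address, which is why skuykend's caveat about webfig on port 80 applies: exclude that address if the router itself serves HTTP.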

Re: Hairpin NAT

Posted: Sun Nov 29, 2015 3:55 pm
by umbro
Hi,
Sorry for the late answer:
My network diagram is in the attachment.

So maybe one more time:

My network looks like in the attachment. I have behind the router a server with virtualization software. I am using lxc to create containers with www servers. Every domain has a separate virtual machine which is placed in network 10.0.3.0/24.

My issue is related to the situation where my komputer1 is trying to reach www by domain. I can not reach any domain from network 10.0.3.0/24.

Everything works fine from the NET. Domains are visible.

I need to reach my domains from the NET and from 192.168.1.0/24.


My current nat configuration on mikrotik:


[admin@MikroTik] > ip firwall nat
bad command name firwall (line 1 column 4)
[admin@MikroTik] > ip
[admin@MikroTik] /ip> firewall 
[admin@MikroTik] /ip firewall> nat
[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; default configuration
      chain=srcnat action=masquerade out-interface=ether1-gateway log=no 
      log-prefix="" 

 1    chain=srcnat action=masquerade out-interface=ppp-out1 log=no 
      log-prefix="" 

 2    chain=dstnat action=dst-nat to-addresses=10.0.3.101 to-ports=10011 
      protocol=tcp in-interface=ether1-gateway dst-port=10011 log=no 
      log-prefix="" 

 3    chain=dstnat action=dst-nat to-addresses=10.0.3.101 to-ports=5002 
      protocol=tcp in-interface=ether1-gateway dst-port=5002 log=no 
      log-prefix="" 

 4    chain=dstnat action=dst-nat to-addresses=10.0.3.101 to-ports=5002 
      protocol=udp in-interface=ether1-gateway dst-port=5002 log=no 
      log-prefix="" 

 5    chain=dstnat action=dst-nat to-addresses=10.0.3.108 to-ports=80 
      protocol=tcp in-interface=ether1-gateway dst-port=8808 log=no 
      log-prefix="" 

 6    chain=dstnat action=dst-nat to-addresses=10.0.3.108 to-ports=21 
      protocol=tcp in-interface=ether1-gateway dst-port=22218 log=no 
      log-prefix="" 

 7    chain=dstnat action=dst-nat to-addresses=10.0.3.108 to-ports=22 
      protocol=tcp in-interface=ether1-gateway dst-port=22228 log=no 
      log-prefix="" 

 8    chain=dstnat action=dst-nat to-addresses=10.0.3.56 to-ports=21 
      protocol=tcp in-interface=ether1-gateway dst-port=22211 log=no 
      log-prefix="" 

 9    chain=dstnat action=dst-nat to-addresses=10.0.3.110 to-ports=27015 
      protocol=tcp in-interface=ether1-gateway dst-port=27015 log=no 
      log-prefix="" 

10    chain=dstnat action=dst-nat to-addresses=10.0.3.110 to-ports=5432 
      protocol=tcp in-interface=ether1-gateway dst-port=1104 log=no 
      log-prefix="" 

11    chain=dstnat action=dst-nat to-addresses=10.0.3.110 to-ports=5432 
      protocol=udp in-interface=ether1-gateway dst-port=1104 log=no 
      log-prefix="" 

12    chain=dstnat action=dst-nat to-addresses=10.0.3.110 to-ports=22 
      protocol=tcp in-interface=ether1-gateway dst-port=22230 log=no 
      log-prefix="" 

13    chain=dstnat action=dst-nat to-addresses=10.0.3.111 to-ports=21 
      protocol=tcp in-interface=ether1-gateway dst-port=22121 log=no 
      log-prefix="" 

14    chain=dstnat action=dst-nat to-addresses=10.0.3.111 to-ports=22 
      protocol=tcp in-interface=ether1-gateway dst-port=22231 log=no 
      log-prefix="" 

15    chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=21 
      protocol=tcp in-interface=ether1-gateway dst-port=21 log=no 
      log-prefix="" 

16    chain=dstnat action=dst-nat to-addresses=192.168.1.200 to-ports=3389 
      protocol=tcp in-interface=ether1-gateway dst-port=33891 log=no 
      log-prefix="" 

17    chain=dstnat action=dst-nat to-addresses=192.168.1.201 to-ports=3389 
      protocol=tcp in-interface=ether1-gateway dst-port=33892 log=no 
      log-prefix="" 

18    chain=dstnat action=dst-nat to-addresses=10.0.3.111 to-ports=80 
      protocol=tcp in-interface=ether1-gateway dst-port=8811 log=no 
      log-prefix="" 

19    chain=dstnat action=dst-nat to-addresses=10.0.3.112 to-ports=22 
      protocol=tcp in-interface=ether1-gateway dst-port=22232 log=no 
      log-prefix="" 

20    chain=dstnat action=dst-nat to-addresses=10.0.3.112 to-ports=9987 
      protocol=tcp in-interface=ether1-gateway dst-port=11200 log=no 
      log-prefix="" 

21    chain=dstnat action=dst-nat to-addresses=10.0.3.112 to-ports=9987 
      protocol=udp in-interface=ether1-gateway dst-port=11200 log=no 
      log-prefix="" 

22    chain=dstnat action=dst-nat to-addresses=10.0.3.112 to-ports=10011 
      protocol=tcp in-interface=ether1-gateway dst-port=11201 log=no 
      log-prefix="" 

23    chain=dstnat action=dst-nat to-addresses=10.0.3.112 to-ports=10011 
      protocol=udp in-interface=ether1-gateway dst-port=11201 log=no 
      log-prefix="" 

24    chain=dstnat action=dst-nat to-addresses=10.0.3.112 to-ports=30033 
      protocol=tcp in-interface=ether1-gateway dst-port=11202 log=no 
      log-prefix="" 

25    chain=dstnat action=dst-nat to-addresses=10.0.3.112 to-ports=30033 
      protocol=udp in-interface=ether1-gateway dst-port=11202 log=no 
      log-prefix="" 

26    chain=dstnat action=dst-nat to-addresses=10.0.3.110 to-ports=500 
      protocol=udp in-interface=ether1-gateway dst-port=1100 log=no 
      log-prefix="" 

27    chain=dstnat action=dst-nat to-addresses=10.0.3.110 to-ports=500 
      protocol=udp in-interface=ether1-gateway dst-port=1100 log=no 
      log-prefix="" 

28    chain=dstnat action=dst-nat to-addresses=10.0.3.110 to-ports=1701 
      protocol=tcp in-interface=ether1-gateway dst-port=1101 log=no 
      log-prefix="" 

29 X  chain=dstnat action=dst-nat to-addresses=10.0.3.110 to-ports=1701 
      protocol=udp in-interface=ether1-gateway dst-port=1101 log=no 
      log-prefix="" 

30    chain=dstnat action=dst-nat to-addresses=10.0.3.110 to-ports=1723 
      protocol=tcp in-interface=ether1-gateway dst-port=1102 log=no 
      log-prefix="" 

31    chain=dstnat action=dst-nat to-addresses=10.0.3.110 to-ports=1723 
      protocol=udp in-interface=ether1-gateway dst-port=1102 log=no 
      log-prefix="" 

32    chain=dstnat action=dst-nat to-addresses=10.0.3.110 to-ports=4500 
      protocol=udp in-interface=ether1-gateway dst-port=1103 log=no 
      log-prefix="" 

33    chain=dstnat action=dst-nat to-addresses=10.0.3.110 to-ports=79 
      protocol=udp in-interface=ether1-gateway dst-port=1105 log=no 
      log-prefix="" 

34    chain=dstnat action=dst-nat to-addresses=10.0.3.58 to-ports=21 
      protocol=tcp in-interface=ether1-gateway dst-port=22118 log=no 
      log-prefix="" 

35    chain=dstnat action=dst-nat to-addresses=10.0.3.113 to-ports=22 
      protocol=tcp in-interface=ether1-gateway dst-port=22233 log=no 
      log-prefix="" 

36    chain=dstnat action=dst-nat to-addresses=10.0.3.107 to-ports=22 
      protocol=tcp in-interface=ether1-gateway dst-port=22207 log=no 
      log-prefix="" 

37    chain=dstnat action=dst-nat to-addresses=10.0.3.107 to-ports=30070-30080 
      protocol=tcp in-interface=ether1-gateway dst-port=30070-30080 log=no 
      log-prefix="" 

38    chain=dstnat action=dst-nat to-addresses=10.0.3.107 to-ports=30070-30080 
      protocol=udp in-interface=ether1-gateway dst-port=30070-30080 log=no 
      log-prefix="" 

39    chain=dstnat action=dst-nat to-addresses=10.0.3.113 to-ports=5900 
      protocol=tcp in-interface=ether1-gateway dst-port=11300 log=no 
      log-prefix="" 

40    chain=dstnat action=dst-nat to-addresses=192.168.1.251 to-ports=22 
      protocol=tcp in-interface=ether1-gateway dst-port=222 log=no 
      log-prefix="" 

41    chain=dstnat action=dst-nat to-addresses=10.0.3.101 to-ports=5119 
      protocol=tcp in-interface=ether1-gateway dst-port=5119 log=no 
      log-prefix="" 

42    chain=dstnat action=dst-nat to-addresses=10.0.3.101 to-ports=5119 
      protocol=udp in-interface=ether1-gateway dst-port=5119 log=no 
      log-prefix="" 

43    chain=dstnat action=dst-nat to-addresses=10.0.3.101 to-ports=30033 
      protocol=tcp in-interface=ether1-gateway dst-port=30033 log=no 
      log-prefix="" 

44    chain=dstnat action=dst-nat to-addresses=10.0.3.101 to-ports=22 
      protocol=tcp in-interface=ether1-gateway dst-port=22222 log=no 
      log-prefix="" 

45    chain=dstnat action=dst-nat to-addresses=10.0.3.101 to-ports=9987 
      protocol=udp in-interface=ether1-gateway dst-port=9987 log=no 
      log-prefix="" 

46    chain=dstnat action=dst-nat to-addresses=10.0.3.103 to-ports=80 
      protocol=tcp in-interface=ether1-gateway dst-port=8801 log=no 
      log-prefix="" 

47    chain=dstnat action=dst-nat to-addresses=10.0.3.103 to-ports=21 
      protocol=tcp in-interface=ether1-gateway dst-port=2221 log=no 
      log-prefix="" 

48    chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=22 
      protocol=tcp in-interface=ether1-gateway dst-port=2222 log=no 
      log-prefix="" 

49    chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=9091 
      protocol=tcp in-interface=ether1-gateway dst-port=9091 log=no 
      log-prefix="" 

50    chain=dstnat action=dst-nat to-addresses=10.0.3.59 to-ports=22 
      protocol=tcp in-interface=ether1-gateway dst-port=22224 log=no 
      log-prefix="" 

51    chain=dstnat action=dst-nat to-addresses=10.0.3.59 to-ports=80 
      protocol=tcp in-interface=ether1-gateway dst-port=8804 log=no 
      log-prefix="" 

52    chain=dstnat action=dst-nat to-addresses=10.0.3.59 to-ports=21 
      protocol=tcp in-interface=ether1-gateway dst-port=22214 log=no 
      log-prefix="" 

53    chain=dstnat action=dst-nat to-addresses=192.168.1.250 
      to-ports=10090-10100 protocol=tcp in-interface=ether1-gateway 
      dst-port=10090-10100 log=no log-prefix="" 

54    chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=80 
      protocol=tcp in-interface=ether1-gateway dst-port=80 log=no 
      log-prefix="" 

55    chain=dstnat action=dst-nat to-addresses=10.0.3.110 to-ports=41100-41110 
      protocol=tcp in-interface=ether1-gateway dst-port=41100-41110 log=no 
      log-prefix="" 

56    chain=dstnat action=dst-nat to-addresses=10.0.3.110 to-ports=41100-41110 
      protocol=udp in-interface=ether1-gateway dst-port=41100-41110 log=no 
      log-prefix="" 

57 X  chain=dstnat action=dst-nat to-addresses=10.0.3.110 to-ports=79 
      protocol=udp in-interface=ether1-gateway dst-port=79 log=no 
      log-prefix="" 

[admin@MikroTik] /ip firewall nat>