Having trouble with Hairpin
Posted: Tue Oct 04, 2016 12:51 am
Hello there, I'm having an issue with Hairpin NAT. I'm unable to make one of my LANs see a server on a different LAN that is connected to the same RB device. I have followed the directions in the wiki, but the computers still can't reach the server on the other LAN. Any and all help is greatly appreciated.
Trying to get the 32.0/24 LAN to see the 224.0/24 LAN from the WAN port.
Trying to get the 32.0/24 LAN to see the 224.0/24 LAN from the WAN port.
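# Filter rules. RouterOS walks each chain top-down and the first matching rule
# decides; a chain that reaches its end without a match accepts the packet.
/ip firewall filter
# RDP (TCP/3389) from the WAN is allowed through to the DNAT target.
add chain=forward dst-port=3389 in-interface=ETH1_Main_WAN protocol=tcp
# NOTE(review): this accepts TCP/8080 to the router ITSELF from the WAN. Traffic
# that is DNATed to a LAN host traverses the forward chain, not input, so this
# rule does nothing for a port-forward; confirm a router-local service really
# listens on 8080, otherwise it only widens the router's own exposure.
add chain=input dst-address=xx.xx.xx.36 dst-port=8080 in-interface=ETH1_Main_WAN protocol=tcp
add chain=forward comment="VoIP SIP" port=5060-5070 protocol=udp
add chain=forward comment="VoIP RTP" port=10000-20000 protocol=udp
# Winbox (TCP/8291). The original rule had no in-interface match and sat above
# the "drop all from WAN" rule, so the management port was reachable from the
# Internet. Excluding the WAN interface here lets the drop rule below cover it.
add chain=input dst-port=8291 in-interface=!ETH1_Main_WAN protocol=tcp
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add chain=input comment="defconf: accept ICMP" protocol=icmp
add chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ETH1_Main_WAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Only new WAN connections that were NOT DNATed are dropped here, so this rule is
# only as tight as the dstnat rules: a dstnat rule without dst-port makes every
# port "DNATed" and this drop stops protecting the LAN for that protocol.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
in-interface=ETH1_Main_WAN
# Appears redundant: WAN 3389 is already accepted by the first rule, and any
# packet reaching this point is accepted by the chain's end anyway. Kept as-is.
add chain=forward port=3389 protocol=tcp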
# NAT rules. dstnat is evaluated before routing, srcnat after; within a chain
# the first matching rule wins, so rule order matters.
/ip firewall nat
# Hairpin dstnat half (currently disabled): when a LAN client connects to one of
# the router's own addresses (dst-address-type=local) on 8080, rewrite the
# destination to 172.20.224.19:8080. Hairpin also needs a matching srcnat rule
# for the same flow; see the LAN-to-LAN masquerade rules below.
add action=dst-nat chain=dstnat comment="Hairpin to 172.20.224.19" disabled=yes dst-address=!172.20.224.0/24 dst-address-type=local \
dst-port=8080 protocol=tcp to-addresses=172.20.224.19 to-ports=8080
# NOTE(review): keyed on out-interface=ETH1_Main_WAN, so it only matches flows
# leaving via the WAN. LAN-to-LAN hairpin traffic leaves via a LAN interface and
# would not match; presumably not the intended hairpin srcnat half — confirm.
add action=masquerade chain=srcnat comment="Local to Local NAT" disabled=yes dst-port=8080 out-interface=ETH1_Main_WAN protocol=tcp \
src-address=172.20.224.0/24
# Hairpin srcnat half for the 32.0/24 LAN (disabled): masquerades
# 172.20.32.0/24 -> 172.20.224.19:8080 so the server replies through the router
# rather than straight back to the client with an unexpected source address.
add action=masquerade chain=srcnat disabled=yes dst-address=172.20.224.19 dst-port=8080 protocol=tcp src-address=172.20.32.0/24
# NOTE(review): src-nat with to-addresses=172.20.224.19 rewrites the client's
# source to the server's OWN address for 32.0/24 -> 224.0/24:8080 traffic; that
# looks unintended (masquerade, as in the rule above, is the usual form) — confirm.
add action=src-nat chain=srcnat disabled=yes dst-address=172.20.224.0/24 dst-port=8080 out-interface="ETH5 - Public LAN" protocol=tcp \
src-address=172.20.32.0/24 to-addresses=172.20.224.19 to-ports=0-65535
# Publishes RDP: public xx.xx.xxx.35:3389 -> 172.20.224.55:3389. Exposing RDP
# directly to the Internet is a high-risk exposure; consider restricting the
# source addresses or fronting it with a VPN.
add action=dst-nat chain=dstnat dst-address=xx.xx.xxx.35 dst-port=3389 protocol=tcp to-addresses=172.20.224.55 to-ports=3389
# No action given, so this is action=accept: TCP/3389 not matched above leaves the
# dstnat chain here untouched and is not caught by the catch-all rule below.
add chain=dstnat dst-port=3389 protocol=tcp
# NOTE(review): no dst-address and no dst-port. Every new TCP connection arriving
# on ETH1_Main_WAN (all ports except 3389, which exits above) is DNATed to
# 172.20.224.19, and the filter's "drop all from WAN not DSTNATed" rule then
# treats it as DNATed and lets it through. The 8080 rules in this export suggest
# dst-port=8080 was intended — confirm and narrow this rule accordingly.
add action=dst-nat chain=dstnat in-interface=ETH1_Main_WAN protocol=tcp to-addresses=172.20.224.19
# Disabled hairpin srcnat variant for port 80 via the bridge interface.
add action=masquerade chain=srcnat disabled=yes dst-address=172.20.224.19 dst-port=80 out-interface=bridge protocol=tcp
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ETH1_Main_WAN
# No out-interface: masquerades ALL traffic from 172.20.32.0/24, including
# traffic to 172.20.224.0/24, not just traffic leaving via the WAN. While this
# rule is enabled, the disabled 32.0/24 hairpin masquerade above adds nothing.
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=172.20.32.0/24
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
# UDP/3389 -> 172.20.224.55 with no in-interface or dst-address match, so it
# also applies to UDP/3389 arriving from the LAN side; scoping it like the TCP
# rule (dst-address=xx.xx.xxx.35) would keep the two consistent.
add action=dst-nat chain=dstnat port=3389 protocol=udp to-addresses=172.20.224.55 to-ports=3389