
Hairpin won't work, but why?

Posted: Sat Feb 04, 2017 3:00 pm
by dg3feh

I have the following configuration:

I want the normal clients to reach the internet, and I want the server to be reachable both from external and from the subnet under the external server address. Besides that I want to reach the modem on its internal address for configuration, etc. The addresses of PPPoE (internal/external) are dynamic.

My routes look like this:
[admin@Router-HH] /ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS                             0
 1 ADC    PPPoE-ALICE               0
 2 ADC     ether23-MODEM             0
 3 ADC   ether1                    0
The firewall rules like this:
/ip firewall filter
add action=drop chain=input comment="Kaputte Pakete DROP" connection-state=invalid
add action=drop chain=forward comment="Kaputte Pakete Drop" connection-state=invalid
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward comment="Bestehende und initierte Verbindungen OK" connection-state=established,related protocol=tcp
add action=accept chain=input comment="Bestehende und initierte Verbindungen OK" connection-state=established,related
add action=accept chain=input comment="von -> OK" dst-address= src-address=
add action=drop chain=input comment="Der Rest geht in den Orkus...." log-prefix=FW
If I don't have the next-to-last rule, I can't reach the MikroTik ( from the LAN. That already is strange.

and the NAT like this:
/ip firewall nat
add action=masquerade chain=srcnat comment="Maskierung LAN" out-interface=PPPoE-ALICE src-address=
add action=masquerade chain=srcnat comment=Hairpin dst-address=! out-interface=ether1 out-interface-list=all protocol=\
    tcp src-address=
add action=src-nat chain=srcnat comment=NTP protocol=udp src-port=123 to-addresses=
add action=dst-nat chain=dstnat comment="Portforwarding HTTP zum Server" dst-port=80 in-interface=PPPoE-ALICE log-prefix=FW80 \
    protocol=tcp to-addresses= to-ports=80
add action=dst-nat chain=dstnat comment="Portforwarding HTTPS zum Server" dst-port=443 in-interface=PPPoE-ALICE protocol=tcp \
    to-addresses= to-ports=443
add action=dst-nat chain=dstnat comment="Port forwarding SSH auf Server" dst-port=22 in-interface=PPPoE-ALICE protocol=tcp \
    to-addresses= to-ports=22
Everything works fine, except the connection from LAN hosts to the server by its external address. I already tried:
add action=dst-nat chain=dstnat comment="Portforwarding HTTP nach Server intern" dst-port=80 in-interface=ether1 \
    protocol=tcp to-addresses= to-ports=80
add action=dst-nat chain=dstnat comment="Portforwarding HTTPS nach Server intern" dst-port=443 in-interface=ether1 \
    protocol=tcp to-addresses= to-ports=443
My setup seems very common to me, so there must be a simple solution for that.

Thanks in advance


PS: the export of the MikroTik:
# feb/04/2017 13:49:30 by RouterOS 6.38.1
# software id = D5X7-MT4X
/interface ethernet
set [ find default-name=ether2 ] master-port=ether1
set [ find default-name=ether3 ] master-port=ether1
set [ find default-name=ether4 ] master-port=ether1
set [ find default-name=ether5 ] master-port=ether1
set [ find default-name=ether6 ] master-port=ether1
set [ find default-name=ether7 ] master-port=ether1
set [ find default-name=ether8 ] master-port=ether1
set [ find default-name=ether9 ] master-port=ether1
set [ find default-name=ether10 ] master-port=ether1
set [ find default-name=ether11 ] master-port=ether1
set [ find default-name=ether12 ] master-port=ether1
set [ find default-name=ether13 ] master-port=ether1
set [ find default-name=ether14 ] master-port=ether1
set [ find default-name=ether15 ] master-port=ether1
set [ find default-name=ether16 ] master-port=ether1
set [ find default-name=ether17 ] master-port=ether1
set [ find default-name=ether18 ] master-port=ether1
set [ find default-name=ether19 ] master-port=ether1
set [ find default-name=ether20 ] master-port=ether1
set [ find default-name=ether21 ] master-port=ether1
set [ find default-name=ether22 ] master-port=ether1
set [ find default-name=ether23 ] name=ether23-MODEM
set [ find default-name=ether24 ] master-port=ether1
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether23-MODEM keepalive-timeout=disabled name=PPPoE-ALICE use-peer-dns=yes user=\
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether1 lease-time=2h name=dhcp1
/ip settings
set accept-source-route=yes
/ip address
add address= interface=ether1 network=
add address= interface=ether23-MODEM network=
/ip dhcp-server network
add address= dns-server= gateway=
/ip dns
set allow-remote-requests=yes servers=
/ip firewall address-list
add address= list=LAN
/ip firewall filter
add action=drop chain=input comment="Kaputte Pakete DROP" connection-state=invalid
add action=drop chain=forward comment="Kaputte Pakete Drop\
    \n" connection-state=invalid
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward comment="Bestehende und initierte Verbindungen OK" connection-state=established,related protocol=tcp
add action=accept chain=input comment="Bestehende und initierte Verbindungen OK" connection-state=established,related
add action=accept chain=forward connection-nat-state=dstnat connection-state=new disabled=yes in-interface=PPPoE-ALICE
add action=accept chain=forward comment="Forward auf Server" connection-state=established,related,new disabled=yes dst-address=\ dst-port=22,80,443 protocol=tcp
add action=accept chain=forward comment="Forward auf Router" connection-state=established,related,new disabled=yes dst-address=\ dst-port=444 protocol=tcp
add action=accept chain=input comment="von -> OK" disabled=yes dst-address= src-address=\
add action=accept chain=input comment="von -> OK" disabled=yes dst-address= src-address=\
add action=accept chain=input comment="von -> OK" dst-address= src-address=
add action=drop chain=input comment="Der Rest geht in den Orkus...." log-prefix=FW
/ip firewall nat
add action=masquerade chain=srcnat comment="Maskierung LAN" out-interface=PPPoE-ALICE src-address=
add action=masquerade chain=srcnat comment=Hairpin dst-address=! out-interface=ether1 out-interface-list=all protocol=\
    tcp src-address=
add action=src-nat chain=srcnat comment=NTP protocol=udp src-port=123 to-addresses=
add action=dst-nat chain=dstnat comment="Portforwarding HTTP zum Server" dst-port=80 in-interface=PPPoE-ALICE log-prefix=FW80 \
    protocol=tcp to-addresses= to-ports=80
add action=dst-nat chain=dstnat comment="Portforwarding HTTPS zum Server" dst-port=443 in-interface=PPPoE-ALICE protocol=tcp \
    to-addresses= to-ports=443
add action=dst-nat chain=dstnat comment="Port forwarding SSH auf Server" dst-port=22 in-interface=PPPoE-ALICE protocol=tcp \
    to-addresses= to-ports=22
add action=dst-nat chain=dstnat comment="Forward HTTPS Router" dst-port=444 in-interface=PPPoE-ALICE port="" protocol=tcp \
    to-addresses= to-ports=444
add action=dst-nat chain=dstnat comment="Portforwarding HTTP nach Server intern" disabled=yes dst-port=80 in-interface=ether1 \
    protocol=tcp to-addresses= to-ports=80
add action=dst-nat chain=dstnat comment="Portforwarding HTTPS nach Server intern" disabled=yes dst-port=443 in-interface=ether1 \
    protocol=tcp to-addresses= to-ports=443
/ip service
set telnet address=
set ftp disabled=yes
set www address= port=81
set www-ssl certificate=mikrotik-https disabled=no port=444
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=Router-HH
/system ntp client
set enabled=yes primary-ntp= secondary-ntp=
/system ntp server
set enabled=yes multicast=yes
/system scheduler
add interval=1m name=DynDNS-Strato on-event=dynDNS policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/30/2017 start-time=20:31:46
/system script
add name=dynDNS owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":global ddnsuser \"lange-\\"\
    \n:global ddnspass \"masorfc1\"\
    \n:global theinterface \"PPPoE-ALICE\"\
    \n:global ddnshost\
    \n:global ddnsserver\
    \n:global protocol https\
    \n:global ipddns [:resolve \$ddnshost];\
    \n:global ipfresh [ /ip address get [/ip address find interface=\$theinterface ] address ]\
    \n:if ([ :typeof \$ipfresh ] = nil ) do={\
    \n   :log info (\"DynDNS: No ip address on \$theinterface .\")\
    \n} else={\
    \n   :for i from=( [:len \$ipfresh] - 1) to=0 do={ \
    \n      :if ( [:pick \$ipfresh \$i] = \"/\") do={ \
    \n    :set ipfresh [:pick \$ipfresh 0 \$i];\
    \n      } \
    \n   }\
    \n:if (\$ipddns != \$ipfresh) do={\
    \n    :log info (\"DynDNS: IP-DynDNS = \$ipddns\")\
    \n    :log info (\"DynDNS: IP-Fresh = \$ipfresh\")\
    \n   :log info \"DynDNS: Update IP needed, Sending UPDATE...!\"\
    \n   :global str \"/nic/update\\\?hostname=\$ddnshost&myip=\$ipfresh&wildcard=NOCHG&mx=NOCHG&backmx=NOCHG\"\
    \n   /tool fetch address=\$ddnsserver src-path=\$str mode=\$protocol user=\$ddnsuser \\\
    \n         password=\$ddnspass dst-path=(\"/DynDNS.\".\$ddnshost)\
    \n    :delay 1\
    \n    :global str [/file find name=\"DynDNS.\$ddnshost\"];\
    \n    /file remove \$str\
    \n    :global ipddns \$ipfresh\
    \n  :log info \"DynDNS: IP updated to \$ipfresh!\"\
    \n    } else={\
    \n#     :log info \"DynDNS: dont need changes\";\
    \n    }\
    \n} "
/tool graphing interface
add interface=PPPoE-ALICE

Re: Hairpin won't work, but why?

Posted: Sat Feb 04, 2017 4:22 pm
by Rudios
I would set the dst-address of your hairpin NAT rule to the server only.
Also, I don't know what the parameter out-interface-list=all does.
Last but not least, leave out the protocol parameter.

Re: Hairpin won't work, but why?

Posted: Sat Feb 04, 2017 7:51 pm
by dg3feh
Ok, I tried that one:
/ip firewall nat
add action=masquerade chain=srcnat comment="Maskierung LAN" out-interface=PPPoE-ALICE src-address=
add action=src-nat chain=srcnat comment=NTP protocol=udp src-port=123 to-addresses=
add action=dst-nat chain=dstnat comment="Portforwarding HTTP zum Server" dst-port=80 in-interface=PPPoE-ALICE log=yes log-prefix=FW80 protocol=tcp \
    to-addresses= to-ports=80
add action=dst-nat chain=dstnat comment="Portforwarding HTTPS zum Server" dst-port=443 in-interface=PPPoE-ALICE protocol=tcp to-addresses= \
add action=dst-nat chain=dstnat comment="Port forwarding SSH auf Server" dst-port=22 in-interface=PPPoE-ALICE protocol=tcp to-addresses= \
add action=masquerade chain=srcnat comment=Hairpin dst-address= dst-address-type=local log=yes log-prefix="HP MSAK;" src-address=\

and with the HAIRPIN rule as the second one in the list. It doesn't work....

Re: Hairpin won't work, but why?

Posted: Sat Feb 04, 2017 8:12 pm
by pthunya
Use the code on the conclusion page of this presentation; it works for both single WAN and multi-WAN.

credit : ... 126599365/

Re: Hairpin won't work, but why?

Posted: Sat Feb 04, 2017 8:23 pm
by dg3feh
Use the code on the conclusion page of this presentation; it works for both single WAN and multi-WAN.

credit : ... 126599365/
I can't see the difference to what I am doing....

Re: Hairpin won't work, but why?

Posted: Sat Feb 04, 2017 8:36 pm
by pthunya
Use the code on the conclusion page of this presentation; it works for both single WAN and multi-WAN.

credit : ... 126599365/
I can't see the difference to what I am doing....
Yes, there is one: the order of the rules matters. ;)

Re: Hairpin won't work, but why?

Posted: Sat Feb 04, 2017 9:13 pm
by Sob
So how does this thread differ from your previous one?

Is there any specific reason why you refuse to acknowledge that it can't work with dstnat rules that have in-interface=PPPoE-ALICE? :)

Re: Hairpin won't work, but why?

Posted: Sat Feb 04, 2017 9:41 pm
by dg3feh
So how does this thread differ from your previous one?
Because the first one is more general and now only the hairpin is the problem.
Is there any specific reason why you refuse to acknowledge that it can't work with dstnat rules that have in-interface=PPPoE-ALICE? :)
I have understood that, but
/ip firewall nat
add chain=srcnat src-address= \
  dst-address= protocol=tcp dst-port=80 \
  out-interface=ether1 action=masquerade
does not work either.....

Re: Hairpin won't work, but why?

Posted: Sat Feb 04, 2017 9:46 pm
by Sob
I mean dstnat, you still have the interface there:
add action=dst-nat chain=dstnat comment="Portforwarding HTTP zum Server" dst-port=80 in-interface=PPPoE-ALICE log=yes log-prefix=FW80 protocol=tcp to-addresses= to-ports=80

Re: Hairpin won't work, but why?

Posted: Sat Feb 04, 2017 9:52 pm
by dg3feh
Ok, that's the point.

I changed it now to
/ip firewall nat
add action=dst-nat chain=dstnat comment="Portforwarding HTTP zum Server" dst-port=80 log=yes log-prefix=FW80 protocol=tcp \
    src-address=! to-addresses= to-ports=80
So that rule only works if the source is not the local network. But the hairpin still does not work.

Re: Hairpin won't work, but why?

Posted: Sat Feb 04, 2017 10:01 pm
by Sob
Good direction, but with "src-address=!" it can't work either.

Instead of that, use one of the following:
a) "dst-address-type=local" - if you don't care about accessing given service on router itself
b) "dst-address-type=local dst-address=!" - if you want service on router accessible from LAN

Since you moved web administration to different ports, a) is enough for you.

Re: Hairpin won't work, but why?

Posted: Sat Feb 04, 2017 10:23 pm
by dg3feh
Correct me, but I masqueraded the request with the external address, so why shouldn't that match with !

Re: Hairpin won't work, but why?

Posted: Sat Feb 04, 2017 11:11 pm
by dg3feh
But it works now, thanks for your help.

Re: Hairpin won't work, but why?

Posted: Sat Feb 04, 2017 11:47 pm
by Sob
If you have src-address=!, it can't match connections coming from LAN, because they do have 192.168.1.x as source.
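As an added illustration (not from the thread and not RouterOS code), here is a small Python model of the packet path Sob describes: dstnat is evaluated in prerouting, then the routing decision is taken, then srcnat runs in postrouting. The addresses are constructed stand-ins for the ones the posts elide; the model shows why the original in-interface=PPPoE-ALICE matcher and the later src-address=!LAN matcher never fire for a LAN client, why dst-address-type=local does, and why the hairpin masquerade is still needed so the server's replies come back through the router.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
# Constructed addresses standing in for the ones the post elides.
LAN = ip_network("192.168.1.0/24")
LAN_IF, WAN_IF = "ether1", "PPPoE-ALICE"
ROUTER_LAN_IP, WAN_IP, SERVER_IP = "192.168.1.1", "203.0.113.10", "192.168.1.10"
LOCAL_IPS = {ROUTER_LAN_IP, WAN_IP}  # what dst-address-type=local matches


@dataclass
class Pkt:
    src: str
    dst: str
    dport: int
    in_if: str
    out_if: str = ""  # filled in by the routing decision


def route(dst):
    """Routing happens after dstnat: own addresses -> local, LAN -> ether1, rest -> PPPoE."""
    if dst in LOCAL_IPS:
        return "local"
    return LAN_IF if ip_address(dst) in LAN else WAN_IF


def dstnat_matches(variant, p):
    if variant == "in-interface":  # in-interface=PPPoE-ALICE, the original rule
        return p.in_if == WAN_IF
    if variant == "not-lan-src":   # src-address=!LAN, the second attempt
        return ip_address(p.src) not in LAN
    if variant == "local":         # dst-address-type=local, Sob's option a)
        return p.dst in LOCAL_IPS
    raise ValueError(variant)


def process(p, variant):
    """dstnat (prerouting) -> routing -> srcnat (postrouting), in RouterOS order."""
    if p.dport == 80 and dstnat_matches(variant, p):
        p = replace(p, dst=SERVER_IP)
    p = replace(p, out_if=route(p.dst))
    if ip_address(p.src) in LAN and p.out_if == WAN_IF:  # "Maskierung LAN"
        p = replace(p, src=WAN_IP)
    elif ip_address(p.src) in LAN and p.dst == SERVER_IP and p.out_if == LAN_IF:  # hairpin
        p = replace(p, src=ROUTER_LAN_IP)
    return p


def hairpin_works(variant):
    # A LAN client hitting the public address must reach the server with the router as source.
    r = process(Pkt("192.168.1.50", WAN_IP, 80, LAN_IF), variant)
    return r.dst == SERVER_IP and r.src == ROUTER_LAN_IP and r.out_if == LAN_IF


def external_works(variant):
    r = process(Pkt("198.51.100.7", WAN_IP, 80, WAN_IF), variant)
    return r.dst == SERVER_IP and r.out_if == LAN_IF
```

With the first two variants the LAN client's packet is never rewritten, so it is delivered to the router's own input chain (the www-ssl service on port 444 in the export) instead of being forwarded to the server.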