Hairpin won't work, but why?
Posted: Sat Feb 04, 2017 3:00 pm
I have the following configuration:
With the normal clients I want to reach the internet, and I want to reach the server from external and from the subnet under the external server address. Besides that I want to reach the modem on its internal address for configuration, etc. The addresses of the PPPoE (internal/external) are dynamic.
My routes look like this:
The firewall rules like this:
If I don't have the next-to-last rule, I can't reach the MikroTik ( from the LAN. That is already strange.
and the NAT like this:
Everything works fine, except the connection from LAN hosts to the server by its external address. I already tried:
My setup seems very common to me, so there must be a simple solution for that.
Thanx in advance
PS: the export of the Mikrotik:
I have the following configuration:
With the normal clients I want to reach the internet, and I want to reach the server from external and from the subnet under the external server address. Besides that I want to reach the modem on its internal address for configuration, etc. The addresses of the PPPoE (internal/external) are dynamic.
My routes look like this:
[admin@Router-HH] /ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 ADS 0
2 ADC ether23-MODEM 0
3 ADC ether1 0
/ip firewall filter
# Input chain: drop invalid, accept established/related, accept exactly one
# source/destination pair (the blanked "von -> OK" rule, i.e. the LAN towards the
# router), then drop everything else with log prefix FW. Order matters: the
# chains are evaluated top-down and the first matching rule wins.
# Forward chain: drop invalid, fasttrack then accept established/related TCP.
# NOTE(review): there is no final drop in the forward chain, so any new
# connection not matched here is accepted by RouterOS's default policy.
add action=drop chain=input comment="Kaputte Pakete DROP" connection-state=invalid
add action=drop chain=forward comment="Kaputte Pakete Drop" connection-state=invalid
add action=fasttrack-connection chain=forward connection-state=established,related
# Only TCP is accepted here explicitly; non-TCP established/related forward
# traffic falls through to the default accept mentioned above.
add action=accept chain=forward comment="Bestehende und initierte Verbindungen OK" connection-state=established,related protocol=tcp
add action=accept chain=input comment="Bestehende und initierte Verbindungen OK" connection-state=established,related
# This is the "next-to-last rule" from the question: without it, new LAN->router
# connections reach the final drop below, which is why the router becomes
# unreachable from the LAN when it is removed.
add action=accept chain=input comment="von -> OK" dst-address= src-address=
add action=drop chain=input comment="Der Rest geht in den Orkus...." log-prefix=FW
and the NAT like this:
/ip firewall nat
# Outbound masquerade for the LAN via the PPPoE uplink.
add action=masquerade chain=srcnat comment="Maskierung LAN" out-interface=PPPoE-ALICE src-address=
# Intended hairpin src-nat: LAN->LAN TCP leaving on ether1 gets the router's
# address as source so the server replies via the router and not directly.
# NOTE(review): dst-address is negated ("!"); if the blanked address is the
# server, this excludes exactly the flow a hairpin has to rewrite — confirm.
# out-interface-list=all next to out-interface=ether1 is redundant.
add action=masquerade chain=srcnat comment=Hairpin dst-address=! out-interface=ether1 out-interface-list=all protocol=\
tcp src-address=
# Rewrites the source of outbound NTP (udp/123).
add action=src-nat chain=srcnat comment=NTP protocol=udp src-port=123 to-addresses=
# Inbound port forwards. All three match in-interface=PPPoE-ALICE only, so
# LAN traffic addressed to the public address never hits them — that is why the
# hairpin case in the question does not work with these rules alone.
add action=dst-nat chain=dstnat comment="Portforwarding HTTP zum Server" dst-port=80 in-interface=PPPoE-ALICE log-prefix=FW80 \
protocol=tcp to-addresses= to-ports=80
add action=dst-nat chain=dstnat comment="Portforwarding HTTPS zum Server" dst-port=443 in-interface=PPPoE-ALICE protocol=tcp \
to-addresses= to-ports=443
# Exposes the server's SSH on the public address; the forward chain has no
# final drop, so nothing in the filter limits who may reach it.
add action=dst-nat chain=dstnat comment="Port forwarding SSH auf Server" dst-port=22 in-interface=PPPoE-ALICE protocol=tcp \
to-addresses= to-ports=22
# Attempted hairpin dst-nat for LAN clients (in-interface=ether1).
# NOTE(review): neither rule matches on a destination address, so every
# HTTP/HTTPS flow from the LAN to ANY destination would be redirected to the
# internal server, not only flows aimed at the public address. A hairpin
# dst-nat needs a destination match (with a dynamic PPPoE address,
# dst-address-type=local is the usual choice) plus a srcnat rule for the
# return path, and the corresponding masquerade must not exclude the server.
add action=dst-nat chain=dstnat comment="Portforwarding HTTP nach Server intern" dst-port=80 in-interface=ether1 \
protocol=tcp to-addresses= to-ports=80
# Same missing destination match as the HTTP rule above.
add action=dst-nat chain=dstnat comment="Portforwarding HTTPS nach Server intern" dst-port=443 in-interface=ether1 \
protocol=tcp to-addresses= to-ports=443
Thanx in advance
PS: the export of the Mikrotik:
# feb/04/2017 13:49:30 by RouterOS 6.38.1
# software id = D5X7-MT4X
# Full export of the router from the question. Addresses, credentials and
# similar values were blanked by the poster before posting; lines marked
# NOTE(review) are reviewer observations and were not part of the export.
# ether2-ether22 and ether24 are switch-grouped behind ether1 (master-port),
# so the whole LAN is one L3 interface "ether1"; ether23 is renamed and used
# as the dedicated modem port.
/interface ethernet
set [ find default-name=ether2 ] master-port=ether1
set [ find default-name=ether3 ] master-port=ether1
set [ find default-name=ether4 ] master-port=ether1
set [ find default-name=ether5 ] master-port=ether1
set [ find default-name=ether6 ] master-port=ether1
set [ find default-name=ether7 ] master-port=ether1
set [ find default-name=ether8 ] master-port=ether1
set [ find default-name=ether9 ] master-port=ether1
set [ find default-name=ether10 ] master-port=ether1
set [ find default-name=ether11 ] master-port=ether1
set [ find default-name=ether12 ] master-port=ether1
set [ find default-name=ether13 ] master-port=ether1
set [ find default-name=ether14 ] master-port=ether1
set [ find default-name=ether15 ] master-port=ether1
set [ find default-name=ether16 ] master-port=ether1
set [ find default-name=ether17 ] master-port=ether1
set [ find default-name=ether18 ] master-port=ether1
set [ find default-name=ether19 ] master-port=ether1
set [ find default-name=ether20 ] master-port=ether1
set [ find default-name=ether21 ] master-port=ether1
set [ find default-name=ether22 ] master-port=ether1
set [ find default-name=ether23 ] name=ether23-MODEM
set [ find default-name=ether24 ] master-port=ether1
# PPPoE uplink on the modem port. It installs the default route (the ADS
# route in the route print) and takes the peer's DNS servers. The user name
# was blanked, which is why the line ends in a dangling continuation.
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether23-MODEM keepalive-timeout=disabled name=PPPoE-ALICE use-peer-dns=yes user=\
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# DHCP pool and server for the LAN on ether1 (2h leases).
/ip pool
add name=dhcp_pool1 ranges=
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether1 lease-time=2h name=dhcp1
# NOTE(review): accept-source-route=yes honours IP source-routing options on
# received packets (the RouterOS default is no). Nothing else in this export
# appears to need it — confirm it is intentional; otherwise set it back to no.
/ip settings
set accept-source-route=yes
# Router addresses: one on the LAN (ether1) and one on the modem port, which is
# what keeps the modem's internal management address reachable.
/ip address
add address= interface=ether1 network=
add address= interface=ether23-MODEM network=
/ip dhcp-server network
add address= dns-server= gateway=
# Recursive resolver for the LAN. allow-remote-requests=yes answers queries on
# every interface, so the final input-chain drop below is what keeps this from
# being an open resolver on the PPPoE side — keep that rule.
/ip dns
set allow-remote-requests=yes servers=
# Address list "LAN" — defined, but no rule in this export references it.
/ip firewall address-list
add address= list=LAN
# Firewall filter. Chains are evaluated top-down; the first matching rule wins.
/ip firewall filter
add action=drop chain=input comment="Kaputte Pakete DROP" connection-state=invalid
add action=drop chain=forward comment="Kaputte Pakete Drop\
\n" connection-state=invalid
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward comment="Bestehende und initierte Verbindungen OK" connection-state=established,related protocol=tcp
add action=accept chain=input comment="Bestehende und initierte Verbindungen OK" connection-state=established,related
# NOTE(review): the three forward rules below are disabled and so have no
# effect. The forward chain has no final drop, so new connections not matched
# above (including the port-forwarded ones) are accepted by RouterOS's default
# policy — that is what gates dst-nat traffic here, not these rules.
add action=accept chain=forward connection-nat-state=dstnat connection-state=new disabled=yes in-interface=PPPoE-ALICE
add action=accept chain=forward comment="Forward auf Server" connection-state=established,related,new disabled=yes dst-address=\ dst-port=22,80,443 protocol=tcp
add action=accept chain=forward comment="Forward auf Router" connection-state=established,related,new disabled=yes dst-address=\ dst-port=444 protocol=tcp
# Input accepts from a source to the router; only the third one is enabled and
# it is the "next-to-last rule" from the question — without it new LAN->router
# connections fall through to the final drop.
add action=accept chain=input comment="von -> OK" disabled=yes dst-address= src-address=\
add action=accept chain=input comment="von -> OK" disabled=yes dst-address= src-address=\
add action=accept chain=input comment="von -> OK" dst-address= src-address=
add action=drop chain=input comment="Der Rest geht in den Orkus...." log-prefix=FW
# NAT. Outbound masquerade for the LAN via the PPPoE uplink.
/ip firewall nat
add action=masquerade chain=srcnat comment="Maskierung LAN" out-interface=PPPoE-ALICE src-address=
# Intended hairpin src-nat (LAN->LAN TCP leaving on ether1).
# NOTE(review): dst-address is negated ("!"); if the blanked address is the
# server, the rule excludes exactly the flow a hairpin has to rewrite — confirm.
# out-interface-list=all next to out-interface=ether1 is redundant.
add action=masquerade chain=srcnat comment=Hairpin dst-address=! out-interface=ether1 out-interface-list=all protocol=\
tcp src-address=
# Rewrites the source of outbound NTP (udp/123).
add action=src-nat chain=srcnat comment=NTP protocol=udp src-port=123 to-addresses=
# Inbound port forwards, matched on in-interface=PPPoE-ALICE only. LAN traffic
# addressed to the public address never hits them; see the hairpin note below.
add action=dst-nat chain=dstnat comment="Portforwarding HTTP zum Server" dst-port=80 in-interface=PPPoE-ALICE log-prefix=FW80 \
protocol=tcp to-addresses= to-ports=80
add action=dst-nat chain=dstnat comment="Portforwarding HTTPS zum Server" dst-port=443 in-interface=PPPoE-ALICE protocol=tcp \
to-addresses= to-ports=443
add action=dst-nat chain=dstnat comment="Port forwarding SSH auf Server" dst-port=22 in-interface=PPPoE-ALICE protocol=tcp \
to-addresses= to-ports=22
# Forwards tcp/444 from the uplink to the router's own www-ssl (port 444 in
# /ip service below), i.e. the management HTTPS is published on the public
# address. After dst-nat the packet goes to the input chain, so whether it is
# admitted depends on the blanked src-address of the enabled "von -> OK" rule.
# NOTE(review): confirm external management access is intended.
add action=dst-nat chain=dstnat comment="Forward HTTPS Router" dst-port=444 in-interface=PPPoE-ALICE port="" protocol=tcp \
to-addresses= to-ports=444
# Attempted hairpin dst-nat (disabled). NOTE(review): neither rule matches on a
# destination address, so enabled they would redirect every LAN HTTP/HTTPS flow
# to ANY destination to the internal server. A hairpin dst-nat needs a
# destination match (dst-address-type=local suits a dynamic PPPoE address) plus
# a srcnat rule for the return path.
add action=dst-nat chain=dstnat comment="Portforwarding HTTP nach Server intern" disabled=yes dst-port=80 in-interface=ether1 \
protocol=tcp to-addresses= to-ports=80
add action=dst-nat chain=dstnat comment="Portforwarding HTTPS nach Server intern" disabled=yes dst-port=443 in-interface=ether1 \
protocol=tcp to-addresses= to-ports=443
# Management services: telnet appears to stay enabled (cleartext) with only an
# address restriction; ftp is off; www on 81 and www-ssl on 444 — the latter is
# the target of the "Forward HTTPS Router" dst-nat above.
/ip service
set telnet address=
set ftp disabled=yes
set www address= port=81
set www-ssl certificate=mikrotik-https disabled=no port=444
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=Router-HH
# NTP client plus NTP server (multicast enabled).
/system ntp client
set enabled=yes primary-ntp= secondary-ntp=
/system ntp server
set enabled=yes multicast=yes
# Runs the dynDNS script every minute. NOTE(review): scheduler and script carry
# the full policy set (password, policy, sensitive, sniff, reboot, ...); a
# fetch-based updater appears to need far less — trim to least privilege.
/system scheduler
add interval=1m name=DynDNS-Strato on-event=dynDNS policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=jan/30/2017 start-time=20:31:46
# DynDNS updater: resolves the DynDNS host, reads the PPPoE interface address,
# strips the prefix length and, if they differ, updates via /tool fetch (https).
# NOTE(review): the DynDNS user and password are embedded in the script source
# and therefore appear in cleartext in every export (as they do here) — treat
# them as disclosed and rotate them.
/system script
add name=dynDNS owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":global ddnsuser \"lange-\\"\
\n:global ddnspass \"masorfc1\"\
\n:global theinterface \"PPPoE-ALICE\"\
\n:global ddnshost\
\n:global ddnsserver\
\n:global protocol https\
\n:global ipddns [:resolve \$ddnshost];\
\n:global ipfresh [ /ip address get [/ip address find interface=\$theinterface ] address ]\
\n:if ([ :typeof \$ipfresh ] = nil ) do={\
\n :log info (\"DynDNS: No ip address on \$theinterface .\")\
\n} else={\
\n :for i from=( [:len \$ipfresh] - 1) to=0 do={ \
\n :if ( [:pick \$ipfresh \$i] = \"/\") do={ \
\n :set ipfresh [:pick \$ipfresh 0 \$i];\
\n } \
\n \
\n:if (\$ipddns != \$ipfresh) do={\
\n :log info (\"DynDNS: IP-DynDNS = \$ipddns\")\
\n :log info (\"DynDNS: IP-Fresh = \$ipfresh\")\
\n :log info \"DynDNS: Update IP needed, Sending UPDATE...!\"\
\n :global str \"/nic/update\\\?hostname=\$ddnshost&myip=\$ipfresh&wildcard=NOCHG&mx=NOCHG&backmx=NOCHG\"\
\n /tool fetch address=\$ddnsserver src-path=\$str mode=\$protocol user=\$ddnsuser \\\
\n password=\$ddnspass dst-path=(\"/DynDNS.\".\$ddnshost)\
\n :delay 1\
\n :global str [/file find name=\"DynDNS.\$ddnshost\"];\
\n /file remove \$str\
\n :global ipddns \$ipfresh\
\n :log info \"DynDNS: IP updated to \$ipfresh!\"\
\n } else={\
\n# :log info \"DynDNS: dont need changes\";\
\n }\
\n} "
/tool graphing interface
add interface=PPPoE-ALICE