 
Hussam
just joined
Topic Author
Posts: 11
Joined: Fri Dec 13, 2013 8:41 am

Hairpin NAT on PPPOE WAN Connection with dynamic IP

Wed Apr 04, 2018 12:11 am

Let's say that you have the local network 192.168.10.0/24,
your MikroTik router is 192.168.10.1, and your internet connection is PPPOE with a dynamic IP address.
You have a DDNS name such as (xyz.dyndns.org) or any other name.
You have an NVR (192.168.10.100) on TCP port 9000.

In a normal configuration you will have the following entries in the NAT:
1- chain=srcnat action=masquerade out-interface=pppoe-out log=no log-prefix=""
2- chain=dstnat action=dst-nat to-addresses=192.168.10.100 to-ports=9000 protocol=tcp in-interface=pppoe-out dst-port=9000 log=no log-prefix=""


With this configuration you can access your server from outside with the address ( xyz.dyndns.org:9000 ),
but from inside you will need to use the address ( 192.168.10.100:9000 ).
It's too noisy to have two configurations on your devices for each service you have.

I found many hairpin NAT configurations online, but they all work with a normal interface (dynamic or static address) or with PPPOE with a static address,
but nothing works with PPPOE with a dynamic address.

Finally I found this code that solves the problem:
1- chain=srcnat action=masquerade out-interface=pppoe-out log=no log-prefix=""
2- chain=srcnat action=masquerade src-address=192.168.10.0/24 dst-address=192.168.10.0/24 log=no log-prefix=""
3- chain=dstnat action=dst-nat to-addresses=192.168.10.100 to-ports=9000 protocol=tcp dst-address-type=local dst-port=9000 log=no log-prefix=""
 
minhazulOO7
just joined
Posts: 2
Joined: Tue Jan 08, 2019 1:18 am

Re: Hairpin NAT on PPPOE WAN Connection with dynamic IP

Tue Jan 08, 2019 1:25 am

@Hussam THANKS MAN! I also got stuck on this hairpin NATing issue with a dynamic IP!

This line solved the issue!
chain=dstnat action=dst-nat to-addresses=192.168.10.100 to-ports=9000 protocol=tcp dst-address-type=local dst-port=9000 log=no log-prefix=""
THANKS AGAIN! Now I am at peace! :-D
 
larrybml
just joined
Posts: 13
Joined: Sun Dec 22, 2019 6:46 pm

Re: Hairpin NAT on PPPOE WAN Connection with dynamic IP

Tue Feb 25, 2020 1:37 pm

Thank you, this was my problem also. With PPPOE dynamic for WAN, and an internal server for OVPN.
 
anav
Forum Guru
Posts: 22373
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Hairpin NAT on PPPOE WAN Connection with dynamic IP

Tue Feb 25, 2020 4:27 pm

Finally I found this code that solves the problem:
1- chain=srcnat action=masquerade out-interface=pppoe-out log=no log-prefix=""
2- chain=srcnat action=masquerade src-address=192.168.10.0/24 dst-address=192.168.10.0/24 log=no log-prefix=""
3- chain=dstnat action=dst-nat to-addresses=192.168.10.100 to-ports=9000 protocol=tcp dst-address-type=local dst-port=9000 log=no log-prefix=""
Concur with 1 and 2 but not with 3.
You are missing one bit. It should be:
chain=dstnat action=dst-nat dst-port=9000 protocol=tcp dst-address=!192.168.10.1 dst-address-type=local to-addresses=192.168.10.100

note1: if the to-ports is the same as the dst-port (no port translation required before hitting the firewall), the to-ports is not needed as an entry, as it's implied.
note2: We include the part missing on purpose TO EXCLUDE the subnet from being the destination (as we are directing the request to a local interface and in this case to the pppoe interface).

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Another way of doing hairpin nat courtesy of steveocee is as follows:
/ip firewall nat
# new rule
add action=masquerade chain=srcnat comment="HairpinNAT" src-address=192.168.10.0/24 dst-address=192.168.10.0/24
# standard rule
add action=masquerade chain=srcnat comment="NAT" out-interface=pppoe
# modified standard rule
add action=dst-nat chain=dstnat comment="Server" dst-port=9000 protocol=tcp dst-address-list=MYWANIP to-addresses=192.168.10.100

Where MYWANIP is a firewall address list entry from IP Cloud.
(1) a. Enable IP Cloud.
    b. Put in the current WANIP, and
    c. capture the DNS name given.
(2) a. Create a firewall address list called MYWANIP and use the name from c. above for the address entry.
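
A small Python model of the three dst-nat variants discussed in this thread, added here as an illustration and not part of any post: it traces a TCP/9000 connection to show which rule matches and which source address the NVR ends up seeing. The WAN address 203.0.113.7, the LAN client 192.168.10.50 and the interface name bridge are assumptions.

```python
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.10.0/24")
ROUTER_LAN = ip_address("192.168.10.1")
NVR = ip_address("192.168.10.100")
WAN_IP = ip_address("203.0.113.7")  # constructed stand-in for the dynamic PPPoE address
LOCAL = {ROUTER_LAN, WAN_IP}        # addresses that dst-address-type=local matches

def dstnat(dst, in_if, rule):
    """Return the destination after the dst-nat rule for TCP/9000 is evaluated."""
    if rule == "in-interface":      # original rule: in-interface=pppoe-out
        hit = in_if == "pppoe-out"
    elif rule == "local":           # Hussam's rule 3: dst-address-type=local
        hit = dst in LOCAL
    else:                           # anav's rule: local AND dst-address=!192.168.10.1
        hit = dst in LOCAL and dst != ROUTER_LAN
    return NVR if hit else dst

def srcnat(src, dst, hairpin):
    """Hairpin masquerade (rule 2): LAN-to-LAN traffic takes the router's LAN address."""
    return ROUTER_LAN if hairpin and src in LAN and dst in LAN else src

def connect(client, target, in_if, rule, hairpin):
    """Trace a TCP/9000 connection sent to an address on the router.

    Returns (session_works, source_address_the_NVR_sees).
    """
    client, target = ip_address(client), ip_address(target)
    new_dst = dstnat(target, in_if, rule)
    if new_dst != NVR:
        return (False, None)        # not forwarded; stays on the router itself
    seen = srcnat(client, new_dst, hairpin)
    # If the NVR sees a LAN client as the source, it answers that client directly
    # on the LAN. The reply skips the router, is never un-NATed, and the client
    # drops it because it comes from 192.168.10.100 instead of the address it dialed.
    works = seen not in LAN or seen == ROUTER_LAN
    return (works, str(seen))

if __name__ == "__main__":
    inside = ("192.168.10.50", str(WAN_IP), "bridge")   # constructed LAN client
    for rule, hairpin in [("in-interface", False), ("local", False), ("local", True)]:
        print(rule, hairpin, connect(*inside, rule, hairpin))
    print("anav, router LAN IP:", connect("192.168.10.50", "192.168.10.1", "bridge", "anav", True))
```

With the hairpin masquerade in place, every internal client reaches the NVR as 192.168.10.1, so the NVR's own access log cannot tell LAN clients apart.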