rchovan
just joined
Topic Author
Posts: 16
Joined: Sun Dec 09, 2018 10:20 am

Hairpin NAT with DST NAT tcp/80

Mon Oct 28, 2019 9:03 pm

Hi,
I have a strange problem. I'm not a pro, so I think it is a problem in my configuration. I have enabled HNAT because I want to access my services (ownCloud, photo gallery, Pi-hole, Home Assistant, etc.) from the internet and from the local network. I have a public static IP and have assigned my DNS name to it.

When this rule is enabled, I can access my server from the internet with the public DNS name, but not from my LAN, because HNAT does not work if in-interface-list is specified.
add action=dst-nat chain=dstnat dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=192.168.2.5 to-ports=80
When I change the rule to this, I can access my server from the local network with the public DNS name, but all web requests to other sites end up on this server:
add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=192.168.2.5 to-ports=80

Here is my config:
# oct/28/2019 19:48:39 by RouterOS 6.45.6
# software id = FM9E-58T1
#
# model = RBD52G-5HacD2HnD
# serial number = 9EF709C73784
/ip firewall filter
add action=reject chain=forward comment="XIAOMI GW zakazna komunikacia" disabled=yes in-interface=bridge-home log=yes log-prefix=MIGW: out-interface=ether1-wan reject-with=icmp-network-unreachable src-address=192.168.2.114
add action=accept chain=input log-prefix=OSPF-NBMA src-address=172.31.255.0/24
add action=accept chain=forward dst-port=53 in-interface-list=WAN protocol=udp
add action=reject chain=forward dst-address=192.168.2.0/24 reject-with=icmp-network-unreachable src-address=192.168.9.0/24
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix="drop_fwd: "
add action=accept chain=forward comment="Guest wifi IP excluded from fasttrack for simple queue processing" connection-state=established,related src-address=192.168.9.0/24
add action=accept chain=forward comment="Guest wifi IP excluded from fasttrack for simple queue processing" connection-state=established,related dst-address=192.168.9.0/24
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input dst-port=8291 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log-prefix="drop_invalid: "
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log-prefix="drop_input: "
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix=EE:
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none log-prefix="masq wan:" out-interface-list=WAN
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface=l2tp-client-oriwin
add action=dst-nat chain=dstnat comment="NAT WWW" dst-port=80 in-interface-list=WAN log-prefix="NAT WWW:" protocol=tcp to-addresses=192.168.2.5 to-ports=80
add action=dst-nat chain=dstnat comment=HomeAssistant dst-port=8123 log-prefix=NAT_HA: protocol=tcp to-addresses=192.168.2.5 to-ports=8123
add action=dst-nat chain=dstnat dst-port=22005 in-interface-list=WAN protocol=tcp to-addresses=192.168.2.5 to-ports=22
add action=dst-nat chain=dstnat comment="NginxProxy - ownCloud" dst-port=8001 protocol=tcp to-addresses=192.168.2.5 to-ports=8001
add action=dst-nat chain=dstnat dst-port=53 in-interface-list=WAN protocol=udp to-addresses=192.168.2.5 to-ports=53
add action=dst-nat chain=dstnat dst-port=18005 in-interface-list=WAN protocol=tcp to-addresses=192.168.2.5 to-ports=80
add action=dst-nat chain=dstnat dst-port=22007 in-interface-list=WAN protocol=tcp to-addresses=192.168.2.7 to-ports=22
add action=masquerade chain=srcnat comment="NAT LOOPBACK, pre NAT pravidla neurcovat SRC interface" dst-address=192.168.2.0/24 log=yes log-prefix=NAT_LOOP: out-interface=bridge-home src-address=192.168.2.0/24
Thanks for any help.

dmitris
Member Candidate
Posts: 130
Joined: Mon Oct 09, 2017 1:08 pm

Re: Hairpin NAT with DST NAT tcp/80

Mon Oct 28, 2019 9:17 pm

Hi, the HNAT rule must be first in the NAT facility. Try changing the position of the HNAT rule and it should work.
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT LOOPBACK, pre NAT pravidla neurcovat SRC interface" dst-address=192.168.2.0/24 log=yes log-prefix=NAT_LOOP: out-interface=bridge-home src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none log-prefix="masq wan:" out-interface-list=WAN
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface=l2tp-client-oriwin
add action=dst-nat chain=dstnat comment="NAT WWW" dst-port=80 in-interface-list=WAN log-prefix="NAT WWW:" protocol=tcp to-addresses=192.168.2.5 to-ports=80
add action=dst-nat chain=dstnat comment=HomeAssistant dst-port=8123 log-prefix=NAT_HA: protocol=tcp to-addresses=192.168.2.5 to-ports=8123
add action=dst-nat chain=dstnat dst-port=22005 in-interface-list=WAN protocol=tcp to-addresses=192.168.2.5 to-ports=22
add action=dst-nat chain=dstnat comment="NginxProxy - ownCloud" dst-port=8001 protocol=tcp to-addresses=192.168.2.5 to-ports=8001
add action=dst-nat chain=dstnat comment=NAS>Transmission dst-port=30005 in-interface-list=WAN protocol=tcp to-addresses=192.168.2.5 to-ports=30005
add action=dst-nat chain=dstnat comment=NAS>Transmission dst-port=30005 in-interface-list=WAN protocol=udp to-addresses=192.168.2.5 to-ports=30005
add action=dst-nat chain=dstnat comment=NAS>Transmission dst-port=51413 in-interface-list=WAN protocol=udp to-addresses=192.168.2.5 to-ports=51413
add action=dst-nat chain=dstnat dst-port=53 in-interface-list=WAN protocol=udp to-addresses=192.168.2.5 to-ports=53
add action=dst-nat chain=dstnat dst-port=18005 in-interface-list=WAN protocol=tcp to-addresses=192.168.2.5 to-ports=80
add action=dst-nat chain=dstnat dst-port=22007 in-interface-list=WAN protocol=tcp to-addresses=192.168.2.7 to-ports=22

Also I noticed that in the firewall the INPUT and FORWARD chain rules are mixed... The best practice is below.
/ip firewall filter

add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix=EE:
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward dst-port=53 in-interface-list=WAN protocol=udp
add action=reject chain=forward dst-address=192.168.2.0/24 reject-with=icmp-network-unreachable src-address=192.168.9.0/24
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix="drop_fwd: "
add action=accept chain=forward comment="Guest wifi IP excluded from fasttrack for simple queue processing" connection-state=established,related src-address=192.168.9.0/24
add action=accept chain=forward comment="Guest wifi IP excluded from fasttrack for simple queue processing" connection-state=established,related dst-address=192.168.9.0/24
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=input log-prefix=OSPF-NBMA src-address=172.31.255.0/24
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input dst-port=8291 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log-prefix="drop_invalid: "
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log-prefix="drop_input: "

Do you know that this rule is very harmful for your MikroTik when allowed for the entire world?
/ip firewall filter
add action=accept chain=input dst-port=8291 protocol=tcp

Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Hairpin NAT with DST NAT tcp/80

Mon Oct 28, 2019 10:41 pm

The order of srcnat rules does not matter in this case; they don't overlap, so only the right one will be used anyway.

It's the dstnat rule. It's too restricted with in-interface-list=WAN, and too broad without it. You do need to limit the destination, but not too much. The best case is when you have a static public address; then simply use dst-address=<address>. If your address is dynamic, use dst-address-type=local, and it will match any address assigned to the router. And because that would conflict with anything that may be running on the router on port 80 (by default it's WebFig), you may need an additional dst-address=!<LAN address of router where WebFig should be reachable> ("!" means "not").

rchovan
just joined
Topic Author
Posts: 16
Joined: Sun Dec 09, 2018 10:20 am

Re: Hairpin NAT with DST NAT tcp/80

Mon Oct 28, 2019 11:07 pm

Hi,
thank you for your help and time. I'm aware of the risk of enabling Winbox from the world, but it is only for testing purposes.

I have reordered the firewall rules and removed in-interface-list=WAN; now HNAT is working, but all web requests end up on my server. I'm not sure why.

Actual config:
/interface bridge port
add bridge=bridge-home interface=ether3
add bridge=bridge-home interface=ether4
add bridge=bridge-home interface=ether5
add bridge=bridge-home interface=home_2g
add bridge=bridge-home interface=home_5g
add bridge=bridge-home interface=vlan2-home
add bridge=bridge-home interface=home_2g_only pvid=2

/ip firewall filter
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log-prefix="drop_invalid: "
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward dst-port=53 in-interface-list=WAN protocol=\
    udp
add action=reject chain=forward dst-address=192.168.2.0/24 reject-with=\
    icmp-network-unreachable src-address=192.168.9.0/24
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN log=yes log-prefix=\
    "drop_fwd: "
add action=reject chain=forward comment="XIAOMI GW zakazna komunikacia" \
    disabled=yes in-interface=bridge-home log=yes log-prefix=MIGW: \
    out-interface=ether1-wan reject-with=icmp-network-unreachable \
    src-address=192.168.2.114
add action=accept chain=forward comment=\
    "Guest wifi IP excluded from fasttrack for simple queue processing" \
    connection-state=established,related src-address=192.168.9.0/24
add action=accept chain=forward comment=\
    "Guest wifi IP excluded from fasttrack for simple queue processing" \
    connection-state=established,related dst-address=192.168.9.0/24
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=input log-prefix=OSPF-NBMA src-address=\
    172.31.255.0/24
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input dst-port=8291 protocol=tcp
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log=yes log-prefix=EE:
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log-prefix="drop_input: "
/ip firewall nat
add action=masquerade chain=srcnat comment=\
    "NAT LOOPBACK, pre NAT pravidla neurcovat SRC interface" dst-address=\
    192.168.2.0/24 log=yes log-prefix=NAT_LOOP: out-interface=bridge-home \
    src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none log-prefix="masq wan:" out-interface-list=WAN
add action=dst-nat chain=dstnat comment="NAT WWW" dst-port=80 \
    in-interface-list=WAN log-prefix="NAT WWW:" protocol=tcp to-addresses=\
    192.168.2.5 to-ports=80
add action=dst-nat chain=dstnat comment=HomeAssistant dst-port=8123 \
    log-prefix=NAT_HA: protocol=tcp to-addresses=192.168.2.5 to-ports=8123
add action=dst-nat chain=dstnat dst-port=22005 in-interface-list=WAN \
    protocol=tcp to-addresses=192.168.2.5 to-ports=22
add action=dst-nat chain=dstnat comment="NginxProxy - ownCloud" dst-port=8001 \
    protocol=tcp to-addresses=192.168.2.5 to-ports=8001
add action=dst-nat chain=dstnat comment=NAS>Transmission dst-port=30005 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.2.5 to-ports=\
    30005
add action=dst-nat chain=dstnat comment=NAS>Transmission dst-port=30005 \
    in-interface-list=WAN protocol=udp to-addresses=192.168.2.5 to-ports=\
    30005
add action=dst-nat chain=dstnat comment=NAS>Transmission dst-port=51413 \
    in-interface-list=WAN protocol=udp to-addresses=192.168.2.5 to-ports=\
    51413
add action=dst-nat chain=dstnat dst-port=53 in-interface-list=WAN protocol=\
    udp to-addresses=192.168.2.5 to-ports=53
add action=dst-nat chain=dstnat dst-port=22007 in-interface-list=WAN \
    protocol=tcp to-addresses=192.168.2.7 to-ports=22

xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Hairpin NAT with DST NAT tcp/80

Mon Oct 28, 2019 11:16 pm

Because this rule does exactly that - it redirects all tcp/80 traffic to 192.168.2.5:
add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=192.168.2.5 to-ports=80
Add a dst-address=YOUR-EXTERNAL-IP condition to it.

And, by the way, that is not hairpin NAT.
Hairpin NAT is an additional src-nat rule that makes the first rule work from the same subnet where your server is as well.
You are missing that one entirely.

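As an added example (not from the thread or from any poster): the dstnat rule limited to the router's public address as Sob suggests, alongside the srcnat hairpin rule xvo describes. 203.0.113.10 stands in for the real public IP and 192.168.2.1 for the router's LAN address; both values are assumptions.

```routeros
# Added example, not from the thread. Placeholders (assumptions):
#   203.0.113.10 = router's static public address
#   192.168.2.1  = router's LAN address (WebFig stays reachable there)
#   192.168.2.5  = the web server from the thread
/ip firewall nat
# Only traffic addressed to the public IP is redirected, so browsing
# other web sites from the LAN is no longer caught by this rule.
add chain=dstnat action=dst-nat comment="NAT WWW" protocol=tcp dst-port=80 \
    dst-address=203.0.113.10 to-addresses=192.168.2.5 to-ports=80
# Dynamic-address variant (Sob's second suggestion): match every address
# the router owns except the LAN one, so port 80 on 192.168.2.1 stays local.
# add chain=dstnat action=dst-nat comment="NAT WWW (dynamic)" protocol=tcp \
#     dst-port=80 dst-address-type=local dst-address=!192.168.2.1 \
#     to-addresses=192.168.2.5 to-ports=80
# Hairpin rule: a LAN client in the server's own subnet that reaches the
# server through the public name is source-NATed to the router, so the
# server's replies return via the router instead of going direct and
# failing the client's connection tracking.
add chain=srcnat action=masquerade comment="hairpin NAT" protocol=tcp \
    src-address=192.168.2.0/24 dst-address=192.168.2.5 dst-port=80
```

With logging enabled on both rules, a LAN request to the public name shows one dstnat hit followed by one srcnat hit, while a request to any other site matches neither.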
rchovan
just joined
Topic Author
Posts: 16
Joined: Sun Dec 09, 2018 10:20 am

Re: Hairpin NAT with DST NAT tcp/80

Mon Oct 28, 2019 11:22 pm

Adding my address to that rule solved my first issue. Thank you, but now I see this in the log. This shouldn't show in the log, because I have masquerade NAT from LAN to WAN, right?
22:15:16 firewall,info EE: forward: in:bridge-home out:ether1-wan, src-mac 00:05:cd:72:d5:64, proto TCP (ACK,RST), 192.168.2.12:38388->13.32.99.71:443, len 52 
22:15:16 firewall,info EE: forward: in:bridge-home out:ether1-wan, src-mac 00:05:cd:72:d5:64, proto TCP (ACK,RST), 192.168.2.12:38388->13.32.99.71:443, len 52 
22:15:19 firewall,info EE: forward: in:bridge-home out:ether1-wan, src-mac 74:23:44:9c:b7:29, proto TCP (ACK,FIN), 192.168.2.113:39778->216.58.201.68:443, len 52 
22:15:19 firewall,info EE: forward: in:bridge-home out:ether1-wan, src-mac 74:23:44:9c:b7:29, proto TCP (ACK,FIN), 192.168.2.113:39778->216.58.201.68:443, len 52 

xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Hairpin NAT with DST NAT tcp/80

Mon Oct 28, 2019 11:30 pm

Src-nat is performed after forward, so it's OK, actually.
If you add logging for your masquerade rule, you can see the same packets being masqueraded afterwards.