dualwan hairpin nat consultation

Posted: Tue Mar 10, 2020 5:54 am
by fengyuclub
Hello everyone. I recently encountered a problem. I have read a lot of posts, and it should be a hairpin NAT problem, but my situation may be a bit special, so I hope to get answers.
My network configuration is roughly as shown in the figure. There are 2 Internet access lines: one is a static IP, 1.1.1.1, and the other is a dynamic adsl line, 2.2.2.2.
The internal network is divided into multiple VLANs through Layer 2 switch ports. The default VLAN is 10.0.0.0/24. There is a web server for external services, http://1.1.1.1:8888.

vlan10 and 11 use the 2.2.2.2 line to access the Internet. The default vlan1 uses the 1.1.1.1 static IP line to access the Internet.
The current situation is that the default vlan1 can access the web service through the internal network (http://10.0.0.2:8888) and the external network (http://1.1.1.1:8888), and the other vlans cannot access the web service (http://10.0.0.2:8888 and http://1.1.1.1:8888 are both not accessible).
Excuse me for using Google Translate for English.
1111.png

Re: dualwan hairpin nat consultation

Posted: Tue Mar 10, 2020 2:28 pm
by Sob
It's not a hairpin NAT problem. Only devices in the same subnet as the server need hairpin NAT. In your case it's only vlan1. Both vlan10 and vlan11 have a different subnet, so no hairpin NAT is needed there.

It's probably your routing. If you mark routing from vlan10 and vlan11 in order to use WAN 2.2.2.2, it's possible that you "mask" other local networks. Blind guess, this could help:
/ip route rule
add action=lookup-only-in-table dst-address=10.0.0.0/24 table=main
If not, then do:
/export hide-sensitive file=myconfig
And post content of resulting myconfig.rsc here in code tags.

Re: dualwan hairpin nat consultation

Posted: Tue Mar 10, 2020 5:15 pm
by anav
I gag when I see the use of VLAN1. I would change that to vlan100 or any other number, but I doubt it has anything to do with any of the issues at play.

Re: dualwan hairpin nat consultation

Posted: Sun Mar 15, 2020 6:55 am
by fengyuclub
It's not a hairpin NAT problem. Only devices in the same subnet as the server need hairpin NAT. In your case it's only vlan1. Both vlan10 and vlan11 have a different subnet, so no hairpin NAT is needed there.

It's probably your routing. If you mark routing from vlan10 and vlan11 in order to use WAN 2.2.2.2, it's possible that you "mask" other local networks. Blind guess, this could help:
/ip route rule
add action=lookup-only-in-table dst-address=10.0.0.0/24 table=main
If not, then do:
/export hide-sensitive file=myconfig
And post content of resulting myconfig.rsc here in code tags.
I followed your prompts, but if the host 10.0.0.253 in the subnet 10.0.0.0/23 is marked as not on the adsl line, it will not be able to access the services of 10.0.0.2. It seems invalid; please ignore the subnet 10.0.0.0/24 drawn in the figure.

Re: dualwan hairpin nat consultation

Posted: Sun Mar 15, 2020 6:56 am
by fengyuclub
re-upload

Re: dualwan hairpin nat consultation

Posted: Sun Mar 15, 2020 7:23 pm
by Sob
Try again and be more accurate.

There's no dstnat for port 8888 like you had in the original post. The only dstnat going to 10.0.0.2 is port 1514, which can't work from LAN because it has in-interface=WAN-ether2. But that wouldn't work from the vlans, nor from the main 10.0.0.0/23.

And I'm not sure what 10.0.0.253 has to do with it. It's in the same subnet as 10.0.0.2, so direct connections must work. Normally the router would not interfere with it at all. You have for some reason enabled IP firewall for bridge, so the router can interfere, but you have no filter rules, so it doesn't block anything. And even in case it marks routing, the rule would override that.

Re: dualwan hairpin nat consultation

Posted: Mon Mar 16, 2020 3:05 am
by fengyuclub
Try again and be more accurate.

There's no dstnat for port 8888 like you had in the original post. The only dstnat going to 10.0.0.2 is port 1514, which can't work from LAN because it has in-interface=WAN-ether2. But that wouldn't work from the vlans, nor from the main 10.0.0.0/23.

And I'm not sure what 10.0.0.253 has to do with it. It's in the same subnet as 10.0.0.2, so direct connections must work. Normally the router would not interfere with it at all. You have for some reason enabled IP firewall for bridge, so the router can interfere, but you have no filter rules, so it doesn't block anything. And even in case it marks routing, the rule would override that.
I tried again and still couldn't. Well, maybe I didn't make it clear. I deleted some sensitive information in myconfig. For 10.0.0.2:8888, I just replaced an external service and removed the in-interface=WAN-ether2. I still can't access it. The main services on this host are UBNT unifi control and unifi video. For 10.0.0.253: if this host is set to access from 1.1.1.1, it can access the service of 10.0.0.2, and if it is set to 2.2.2.2 on the adsl line, it will not be able to access these services. My question is here: how can I let the intranet or other VLANs, or those set to exit via the 2.2.2.2 line, access the 10.0.0.2 service?

Re: dualwan hairpin nat consultation

Posted: Mon Mar 16, 2020 3:09 am
by fengyuclub
I gag when I see the use of VLAN1. I would change that to vlan100 or any other number, but I doubt it has anything to do with any of the issues at play.
After reading your article about vlan and que, I was very inspired. Vlan1 is actually the base vlan, or the default vlan and management vlan. Maybe my habit is not very professional, please don't mind this. My problem is mainly multi-line, multi-LAN: internal LAN users accessing internal services. I hope to get everyone's help, thank you.

Re: dualwan hairpin nat consultation

Posted: Thu Mar 19, 2020 4:17 am
by Sob
Removing sensitive stuff is ok, but it must not break the ability to understand the config. If you ask about port 8888, I need to see the dstnat rule for port 8888. Currently it's not there. If it contains a public address you want to hide, it's no problem, just replace it with your fake 2.2.2.2. I can look at your other dstnat rules, but I can't be sure that there isn't something wrong with the one I'm not seeing.

Re: dualwan hairpin nat consultation

Posted: Thu Mar 19, 2020 2:55 pm
by anav
/export hide-sensitive file=anyname

Download and open in Notepad++.
Remove or put in fake numbers for the WAN IP or other sensitive stuff that didn't already get blocked.
Without the config we are just guessing, and that's no fun.

Re: dualwan hairpin nat consultation

Posted: Fri Mar 20, 2020 4:47 am
by fengyuclub
myconfig

Re: dualwan hairpin nat consultation

Posted: Fri Mar 20, 2020 4:57 am
by fengyuclub
Removing sensitive stuff is ok, but it must not break the ability to understand the config. If you ask about port 8888, I need to see the dstnat rule for port 8888. Currently it's not there. If it contains a public address you want to hide, it's no problem, just replace it with your fake 2.2.2.2. I can look at your other dstnat rules, but I can't be sure that there isn't something wrong with the one I'm not seeing.
Please don't worry about 10.0.0.2:8888. I want to know about these users in adsl-out-client:
/ip firewall address-list
add address=10.0.0.20 list=adsl-out-client
add address=10.0.0.24 list=adsl-out-client
add address=10.0.0.224 disabled=yes list=adsl-out-client
add address=10.0.0.33 disabled=yes list=adsl-out-client
add address=10.0.1.250 list=adsl-out-client
add address=10.0.1.251 list=adsl-out-client

How can I access the unifi control on 10.0.1.252 of the intranet:
/ip firewall nat
add action=dst-nat chain=dstnat comment="Unifi Controll Office 1.252" \
    dst-address=1.1.1.1 dst-port=8180 protocol=tcp to-addresses=\
    10.0.1.252 to-ports=8080
add action=dst-nat chain=dstnat dst-address=1.1.1.1 dst-port=8081 \
    protocol=tcp to-addresses=10.0.1.252 to-ports=8081
add action=dst-nat chain=dstnat dst-address=1.1.1.1 dst-port=8443 \
    protocol=tcp to-addresses=10.0.1.252 to-ports=8443
add action=dst-nat chain=dstnat dst-address=1.1.1.1 dst-port=3478 \
    protocol=udp to-addresses=10.0.1.252 to-ports=3478
add action=dst-nat chain=dstnat dst-address=1.1.1.1 dst-port=27117 \
    protocol=tcp to-addresses=10.0.1.252 to-ports=27117

Where is my problem? I am about to crash.

Re: dualwan hairpin nat consultation

Posted: Fri Mar 20, 2020 5:57 am
by Sob
So you want e.g. client 10.0.0.20 to connect to server 1.1.1.1:8180, which would redirect it to 10.0.1.252:8080, correct? It should work:

- Client 10.0.0.20 tries to connect to 1.1.1.1:8180.
- Mangle rule gives it routing mark "slave_adsl".
- Dstnat changes destination to 10.0.1.252:8080.
- Normally the destination would be looked up in routing table "slave_adsl", which doesn't contain local 10.0.1.252, so everything would go to the internet (gateway=adsl-tx). But the routing rule overrides that, so it will find the connected route in the main table.
- There's nothing in firewall filter that would block it.
- Both client and target server are in the same subnet, which would be a problem, but you have a hairpin NAT rule to fix it.
- Server will see the connection from 10.0.0.1, so it will send the response back to the router and it will forward it to the client.

In short, I don't see where the problem could be. But you can verify it step by step (add these at the top before everything else):
/ip firewall mangle
add chain=prerouting dst-address=1.1.1.1 protocol=tcp dst-port=8180 action=log log-prefix=step1
add chain=postrouting dst-address=10.0.1.252 protocol=tcp dst-port=8080 action=log log-prefix=step2
add chain=prerouting src-address=10.0.1.252 protocol=tcp src-port=8080 action=log log-prefix=step3
add chain=postrouting src-address=1.1.1.1 protocol=tcp src-port=8180 action=log log-prefix=step4
step1 - request from client came to router
step2 - request was forwarded to server (check for correct outgoing interface)
step3 - response from server came to router
step4 - response was forwarded to client
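As an added example (not from this thread or from RouterOS itself), a small Python check for the "masked local network" condition described above: it parses an /export-style config, joining the backslash-continued lines, and reports dst-nat targets that a mark-routing rule would push into the marked table while no /ip route rule forces a main-table lookup for a prefix covering them. The export text, the function names and the /24 versus /23 mismatch are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in RouterOS /export style; the route rule covers /24 while the LAN is /23.
SAMPLE_EXPORT = """\
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=slave_adsl \\
    passthrough=no src-address-list=adsl-out-client
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=1.1.1.1 dst-port=8180 \\
    protocol=tcp to-addresses=10.0.1.252 to-ports=8080
add action=dst-nat chain=dstnat dst-address=1.1.1.1 dst-port=8888 \\
    protocol=tcp to-addresses=10.0.0.2 to-ports=8888
/ip route rule
add action=lookup-only-in-table dst-address=10.0.0.0/24 table=main
"""

def parse_export(text):
    """Map each menu path (e.g. '/ip firewall nat') to its 'add' rules as dicts."""
    joined = re.sub(r"\\\n\s*", " ", text)  # glue '\'-continued lines back together
    sections, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current is not None:
            pairs = re.findall(r'(\S+?)=("[^"]*"|\S+)', line)  # key=value or key="quoted"
            sections[current].append(dict(pairs))
    return sections

def masked_dnat_targets(sections):
    """'addr:port' of dst-nat targets that marked traffic would send to the WAN: a
    mark-routing rule exists but no route rule forces a main-table lookup for them."""
    if not any(r.get("action") == "mark-routing"
               for r in sections.get("/ip firewall mangle", [])):
        return []  # no policy routing, so the main table is always consulted
    main_prefixes = [ipaddress.ip_network(r["dst-address"], strict=False)
                     for r in sections.get("/ip route rule", [])
                     if r.get("table") == "main" and "dst-address" in r
                     and r.get("action") in ("lookup", "lookup-only-in-table")]
    masked = []
    for r in sections.get("/ip firewall nat", []):
        if r.get("action") == "dst-nat" and "to-addresses" in r:
            target = ipaddress.ip_address(r["to-addresses"])  # single address targets only
            if not any(target in p for p in main_prefixes):
                masked.append(f"{r['to-addresses']}:{r.get('to-ports', '*')}")
    return masked
```

Widening the sample's route rule to 10.0.0.0/23 (the real LAN in this thread) makes the check return an empty list.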

Re: dualwan hairpin nat consultation

Posted: Fri Mar 20, 2020 8:53 am
by fengyuclub
I added 4 mangles to the top as you said. You can see that the fourth one has no data packets passing through. What should I do?
add chain=postrouting src-address=1.1.1.1 protocol=tcp src-port=8180 action=log log-prefix=step4
1.png

Re: dualwan hairpin nat consultation

Posted: Fri Mar 20, 2020 3:22 pm
by Sob
The last rule was my mistake, the address is changed back only after postrouting, so it couldn't work. Sorry. But judging by the number of packets, there's probably traffic also from other clients, so it's not very useful. And using action=accept is not exactly correct, because it stops processing in the given chain. Unlike action=log, which logs the packet but then continues to the following rules, so there's no change in behaviour.

You can try two things, either more specific rules:
/ip firewall mangle
add action=log chain=prerouting dst-address=1.1.1.1 dst-port=8180 log-prefix=step1 protocol=tcp src-address=10.0.0.20
add action=log chain=postrouting dst-address=10.0.1.252 dst-port=8080 log-prefix=step2 protocol=tcp src-address=10.0.0.20
add action=log chain=prerouting dst-address=10.0.0.1 log-prefix=step3 protocol=tcp src-address=10.0.1.252 src-port=8080
add action=log chain=postrouting dst-address=10.0.0.20 log-prefix=step4 protocol=tcp src-address=10.0.1.252 src-port=8080
But step3 will be logged also for traffic from other clients. And you definitely want action=log, because you want to see what exactly server sends back (could be ack or rst, which makes a difference).

Or more foolproof version:
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new dst-address=1.1.1.1 dst-port=8180 \
    new-connection-mark=test passthrough=yes protocol=tcp src-address=10.0.0.20
add action=accept chain=prerouting connection-mark=test log=yes log-prefix=step1
add action=accept chain=forward connection-mark=test log=yes log-prefix=step2
add action=accept chain=postrouting connection-mark=test log=yes log-prefix=step3
It will log only the traffic you're interested in and nothing else. It should log step1-3 for both directions. It's again not ideal, because action=accept changes behaviour, as described before, but as a test it should be ok.

Re: dualwan hairpin nat consultation

Posted: Tue Mar 24, 2020 12:41 pm
by fengyuclub
Somehow it just works fine now. I carefully compared the configuration before and after, and only
/ip route rule
add action=lookup-only-in-table dst-address=10.0.0.0/23 table=main
was added later. It may be because the router had not restarted; I set it to restart every Sunday. Does this rule need a restart to take effect? Now any intranet can access the services of the intranet. It should be this rule, thank you.

Re: dualwan hairpin nat consultation

Posted: Tue Mar 24, 2020 5:38 pm
by Sob
RouterOS generally doesn't need restarts, almost everything works immediately when you change it.