Community discussions

MikroTik App
  4. RouterOS
  5. General

HairPin NAT not working  [SOLVED]

Post Reply
 
adispy
newbie
Topic Author
Posts: 31
Joined: Wed Dec 18, 2019 4:31 pm

HairPin NAT not working

Mon Mar 04, 2024 5:51 pm

Hello everyone,
I am trying to set up my hairpin NAT but no matter what I do can't seem to make it work. I have two PPPOE WAN IPs and I have tried using:
Code: Select all
0    chain=srcnat action=masquerade src-address=192.168.10.0/24 dst-address=192.168.10.0/24 log=no log-prefix=""
Code: Select all
0    chain=srcnat action=masquerade src-address=192.168.10.0/24 dst-address=!192.168.10.254 log=no log-prefix=""
I also tried variants by putting the out interface or the in interface on the above rules, but nothing is working.

Any idea how can I configure this?

Thanks,
Top
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 22257
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:
Contact anav

Re: HairPin NAT not working

Mon Mar 04, 2024 10:39 pm

Yes, with proper config........
https://help.mikrotik.com/docs/display/ROS/NAT
https://help.mikrotik.com/docs/display/ ... HairpinNAT
Top
 
User avatar
TheCat12
Long time Member
Long time Member
Posts: 502
Joined: Fri Dec 31, 2021 9:13 pm

Re: HairPin NAT not working

Mon Mar 04, 2024 10:45 pm

The second rule is almost correct, provided that dst-address is the one to which you want to hairpin nat and you've made the rest of your configurarion properly as @anav already said:
Code: Select all
/ip firewall nat
add chain=srcnat action=masquerade src-address=192.168.10.0/24 dst-address=192.168.10.254 out-interface=LAN
Top
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 22257
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:
Contact anav

Re: HairPin NAT not working

Mon Mar 04, 2024 10:57 pm

out-interface=LAN is not required.
Top
 
adispy
newbie
Topic Author
Posts: 31
Joined: Wed Dec 18, 2019 4:31 pm

Re: HairPin NAT not working

Tue Mar 05, 2024 12:21 pm

Thanks for the reply, but it's still not working.
Code: Select all
 0    ;;; HairPin NAT
      chain=srcnat action=masquerade protocol=tcp src-address=192.168.10.0/24 dst-address=192.168.10.254 log=no log-prefix=""
I have also tried putting 192.168.10.10 as the dst-address which is my internal proxy and where the traffic needs to go, but still no luck.
Like I have said, I tried all the ins-and-outs over the internet and can't seem to make it work. I think it has something to do with my policy based routing, just saying, I don't know.
Top
 
DeadStik
just joined
Posts: 20
Joined: Thu Jan 04, 2024 4:35 pm

Re: HairPin NAT not working  [SOLVED]

Tue Mar 05, 2024 5:38 pm

More likely your DST-NAT rule is not working as you intended. Using in-interface or in-interface-list limits the rules to those interfaces which local users do not reach.
Top
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 22257
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:
Contact anav

Re: HairPin NAT not working

Wed Mar 06, 2024 12:50 am

Yes its your config, which we know nothing about and thus cannot comment on
Top
 
adispy
newbie
Topic Author
Posts: 31
Joined: Wed Dec 18, 2019 4:31 pm

Re: HairPin NAT not working

Wed Mar 06, 2024 8:22 am

Sorry about that. Here it is.
PUBLIC IP 1 - main IP for internet connection
PUBLIC IP 2 - second public IP for my email and web services
Code: Select all
 0    ;;; HairPin NAT
      chain=srcnat action=masquerade protocol=tcp src-address=192.168.10.0/24 dst-address=192.168.10.10 log=no log-prefix="" 

 1    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface=RDS_PPOE_01 log=no log-prefix="" ipsec-policy=out,none 

 2    ;;; Sophos UTM9 Proxy
      chain=dstnat action=dst-nat to-addresses=192.168.10.10 protocol=tcp dst-address=<PUBLIC IP 1> connection-mark="" in-interface=RDS_PPOE_01 
      dst-port=443,80,8080,8443 log=no log-prefix="" 

 3    
      chain=dstnat action=dst-nat to-addresses=192.168.10.4 to-ports=50100 protocol=tcp dst-address=<PUBLIC IP 1> connection-mark="" in-interface=RDS_PPOE_01 
      dst-port=50100 log=no log-prefix="" 

 4    ;;; OPNSense
      chain=dstnat action=dst-nat to-addresses=192.168.10.61 protocol=tcp dst-address=<PUBLIC IP 1> connection-mark="" in-interface=RDS_PPOE_01 
      dst-port=8400,8600,8511 log=no log-prefix="" 

 5    ;;; SMTP on ROCLJVKRSMTP
      chain=dstnat action=dst-nat to-addresses=192.168.10.55 protocol=tcp dst-address=<PUBLIC IP 2> in-interface=RDS_PPOE_02 dst-port=25,465,587 log=no 
      log-prefix="" 

 6    chain=srcnat action=src-nat to-addresses=<PUBLIC IP 2> src-address=192.168.10.55 routing-mark=PPPOE_02 out-interface=RDS_PPOE_02 log=no log-prefix="" 

 7    ;;; VPS Blog
      chain=dstnat action=dst-nat to-addresses=192.168.10.7 protocol=tcp dst-address=<PUBLIC IP 2> connection-mark="" in-interface=RDS_PPOE_02 dst-port=80,443 
      log=no log-prefix="" 

 8    chain=srcnat action=src-nat to-addresses=<PUBLIC IP 2> src-address=192.168.10.7 routing-mark=PPPOE_02 out-interface=RDS_PPOE_02 log=no log-prefix=""

Here are the Mangle rules
Code: Select all
 0    ;;; Policy based routing for VPS Blog on RDS_PPPOE_02
      chain=prerouting action=mark-routing new-routing-mark=PPPOE_02 passthrough=no src-address=192.168.10.7 in-interface=bridge_LAN log=no log-prefix="" 

 1    ;;; Policy based routing for ICMP on RDS_PPPOE_02
      chain=input action=mark-connection new-connection-mark=PPPOE_02_WAN-Connection passthrough=no connection-state=new protocol=icmp in-interface=RDS_PPOE_02 
      log=no log-prefix="" 

 2    chain=output action=mark-routing new-routing-mark=PPPOE_02 passthrough=no protocol=icmp connection-mark=PPPOE_02_WAN-Connection log=no log-prefix="" 

 3    ;;; Policy based routing for SMTP Server on RDS_PPPOE_02
      chain=prerouting action=mark-routing new-routing-mark=PPPOE_02 passthrough=no src-address=192.168.10.55 in-interface=bridge_LAN log=no log-prefix=""
Top
 
User avatar
TheCat12
Long time Member
Long time Member
Posts: 502
Joined: Fri Dec 31, 2021 9:13 pm

Re: HairPin NAT not working

Wed Mar 06, 2024 4:12 pm

Firstly, when you have specified dst-ports in the dst-nat rule for the server it is good practice to add them to the to-ports section:
Code: Select all
chain=dstnat action=dst-nat to-addresses=192.168.10.10 to-ports=443,80,8080,8443 protocol=tcp dst-address=<PUBLIC IP 1> connection-mark="" in-interface=RDS_PPOE_01 
      dst-port=443,80,8080,8443 log=no log-prefix=""
Secondly, I think the problem is that the Hairpin NAT rule is before the dst-nat rule whereas it should be the opposite because rules in Mikrotik are processed in ascending order (from top to bottom)
Top
 
adispy
newbie
Topic Author
Posts: 31
Joined: Wed Dec 18, 2019 4:31 pm

Re: HairPin NAT not working

Wed Mar 06, 2024 5:07 pm

Thank you very much for your help guys.
In the end I followed DeadStik advice and by removing the In. Interface from the DST-NAT rule, the HairPin NAT started working.

@TheCat12 just curious how you manage to put those ports in the to-ports section of the rule, because it does not let me. I can go with one port or a range but not ports separated by a comma.
Top
 
User avatar
TheCat12
Long time Member
Long time Member
Posts: 502
Joined: Fri Dec 31, 2021 9:13 pm

Re: HairPin NAT not working

Wed Mar 06, 2024 5:13 pm

@adispy My bad, it's not possible to list out separate ports in the to-ports section. You can leave it blank and the rule will work as intended.
Top
Post Reply
  4. RouterOS
  5. General