HairPin NAT not working
Posted: Mon Mar 04, 2024 5:51 pm
by adispy
Hello everyone,
I am trying to set up my hairpin NAT but no matter what I do I can't seem to make it work. I have two PPPoE WAN IPs and I have tried using:
0 chain=srcnat action=masquerade src-address=192.168.10.0/24 dst-address=192.168.10.0/24 log=no log-prefix=""
0 chain=srcnat action=masquerade src-address=192.168.10.0/24 dst-address=!192.168.10.254 log=no log-prefix=""
I also tried variants by putting the out-interface or the in-interface on the above rules, but nothing is working.
Any idea how can I configure this?
Thanks,
Re: HairPin NAT not working
Posted: Mon Mar 04, 2024 10:39 pm
by anav
Re: HairPin NAT not working
Posted: Mon Mar 04, 2024 10:45 pm
by TheCat12
The second rule is almost correct, provided that dst-address is the one to which you want to hairpin NAT and you've made the rest of your configuration properly, as @anav already said:
/ip firewall nat
add chain=srcnat action=masquerade src-address=192.168.10.0/24 dst-address=192.168.10.254 out-interface=LAN
Re: HairPin NAT not working
Posted: Mon Mar 04, 2024 10:57 pm
by anav
out-interface=LAN is not required.
Re: HairPin NAT not working
Posted: Tue Mar 05, 2024 12:21 pm
by adispy
Thanks for the reply, but it's still not working.
0 ;;; HairPin NAT
chain=srcnat action=masquerade protocol=tcp src-address=192.168.10.0/24 dst-address=192.168.10.254 log=no log-prefix=""
I have also tried putting 192.168.10.10 as the dst-address, which is my internal proxy and where the traffic needs to go, but still no luck.
Like I have said, I tried all the ins-and-outs over the internet and can't seem to make it work. I think it has something to do with my policy based routing, just saying, I don't know.
Re: HairPin NAT not working [SOLVED]
Posted: Tue Mar 05, 2024 5:38 pm
by DeadStik
More likely your DST-NAT rule is not working as you intended. Using in-interface or in-interface-list limits the rules to those interfaces which local users do not reach.
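To make the mechanism in the reply above concrete, here is an added model of the RouterOS NAT path; it is example code written for this thread, not RouterOS code or anything the poster ran. It replays the poster's rules 0-2 as plain dicts through the two positions RouterOS actually uses (the dstnat chain before the routing decision, the srcnat chain after it) and shows why a dst-nat rule carrying in-interface=RDS_PPOE_01 can never fire for a LAN client, why the packet then lands in the router's own input chain, and why the hairpin masquerade rule is still needed once the dst-nat does fire. The public address 203.0.113.10 (standing in for <PUBLIC IP 1>), the router's LAN address 192.168.10.254, the LAN client 192.168.10.20 and the external client 198.51.100.7 are assumed values.

```python
"""Model of how a hairpin connection moves through RouterOS NAT chains.

Added example for this thread, not RouterOS code. Assumed values:
PUBLIC_IP_1, the router's LAN address 192.168.10.254, the LAN client
192.168.10.20 and the external client 198.51.100.7.
"""
import ipaddress
from dataclasses import dataclass, replace

PUBLIC_IP_1 = "203.0.113.10"       # assumed stand-in for <PUBLIC IP 1>
ROUTER_LAN_IP = "192.168.10.254"   # assumed router address on bridge_LAN
LAN_NET = ipaddress.ip_network("192.168.10.0/24")
WAN = "RDS_PPOE_01"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    in_iface: str
    out_iface: str = ""


def _addr_match(spec, addr):
    """RouterOS address matcher, including the '!' negation prefix."""
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != negate


def _match(rule, pkt):
    """All matchers present on a rule must hold; absent matchers match anything."""
    return (
        rule.get("protocol", pkt.proto) == pkt.proto
        and rule.get("in-interface", pkt.in_iface) == pkt.in_iface
        and rule.get("out-interface", pkt.out_iface) == pkt.out_iface
        and pkt.dport in rule.get("dst-port", {pkt.dport})
        and _addr_match(rule.get("src-address", "0.0.0.0/0"), pkt.src)
        and _addr_match(rule.get("dst-address", "0.0.0.0/0"), pkt.dst)
    )


def _first_match(rules, chain, pkt):
    """Rules in a chain are tried top to bottom; dst-nat and masquerade terminate."""
    return next((r for r in rules if r["chain"] == chain and _match(r, pkt)), None)


def _route(pkt):
    """Routing decision: router-owned addresses go to the input chain, not forward."""
    if pkt.dst in (PUBLIC_IP_1, ROUTER_LAN_IP):
        return "input"
    return "bridge_LAN" if ipaddress.ip_address(pkt.dst) in LAN_NET else WAN


def evaluate(rules, pkt):
    """Run one new connection through dstnat -> routing -> srcnat.

    Returns where the packet was delivered, the source address the server
    sees, and whether the server's reply is forced back through the router,
    which a hairpin needs because the client expects the answer from PUBLIC_IP_1.
    """
    rule = _first_match(rules, "dstnat", pkt)
    if rule:
        pkt = replace(pkt, dst=rule["to-addresses"], dport=rule.get("to-ports", pkt.dport))
    out = _route(pkt)
    if out == "input":
        return {"delivered_to": out, "server_sees_src": None, "reply_via_router": False}
    pkt = replace(pkt, out_iface=out)
    rule = _first_match(rules, "srcnat", pkt)
    if rule and rule["action"] == "masquerade":
        # masquerade rewrites the source to the address of the outgoing interface
        pkt = replace(pkt, src=ROUTER_LAN_IP if out == "bridge_LAN" else PUBLIC_IP_1)
    elif rule and rule["action"] == "src-nat":
        pkt = replace(pkt, src=rule["to-addresses"])
    # A LAN server answering a LAN source directly bypasses the router, so the
    # client gets a SYN-ACK from 192.168.10.10 instead of PUBLIC_IP_1 and resets.
    direct = ipaddress.ip_address(pkt.src) in LAN_NET and pkt.src != ROUTER_LAN_IP
    return {"delivered_to": out, "server_sees_src": pkt.src, "reply_via_router": not direct}


# The poster's NAT rules 0-2 as printed, expressed as dicts.
ORIGINAL = [
    {"chain": "srcnat", "action": "masquerade", "protocol": "tcp",
     "src-address": "192.168.10.0/24", "dst-address": "192.168.10.10"},
    {"chain": "srcnat", "action": "masquerade", "out-interface": WAN},
    {"chain": "dstnat", "action": "dst-nat", "to-addresses": "192.168.10.10",
     "protocol": "tcp", "dst-address": PUBLIC_IP_1, "in-interface": WAN,
     "dst-port": {443, 80, 8080, 8443}},
]
# The fix from the reply above: the same rules with in-interface dropped from the dst-nat rule.
FIXED = [dict(r) for r in ORIGINAL]
FIXED[2].pop("in-interface")
# What happens if the hairpin masquerade rule (rule 0) is missing altogether.
NO_HAIRPIN_SRCNAT = FIXED[1:]

LAN_CLIENT = Packet("192.168.10.20", PUBLIC_IP_1, "tcp", 443, "bridge_LAN")   # constructed
WAN_CLIENT = Packet("198.51.100.7", PUBLIC_IP_1, "tcp", 443, WAN)             # constructed

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED), ("no-srcnat", NO_HAIRPIN_SRCNAT)):
        print(name, "LAN client:", evaluate(rules, LAN_CLIENT))
    print("fixed WAN client:", evaluate(FIXED, WAN_CLIENT))
```

With the original rules the LAN client's packet is delivered to "input" (the router answers for the public IP itself, nothing reaches the proxy); with in-interface removed it is forwarded to 192.168.10.10 with the router's LAN address as source, so the proxy's reply comes back through the router and is un-NATed correctly, while an Internet client still reaches the proxy with its real source address because neither srcnat rule matches it. Dropping the hairpin masquerade rule shows the other classic failure: the proxy sees 192.168.10.20 and replies to it directly, so the client receives a SYN-ACK from the wrong address and drops the connection.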
Re: HairPin NAT not working
Posted: Wed Mar 06, 2024 12:50 am
by anav
Yes, it's your config, which we know nothing about and thus cannot comment on.
Re: HairPin NAT not working
Posted: Wed Mar 06, 2024 8:22 am
by adispy
Sorry about that. Here it is.
PUBLIC IP 1 - main IP for internet connection
PUBLIC IP 2 - second public IP for my email and web services
0 ;;; HairPin NAT
chain=srcnat action=masquerade protocol=tcp src-address=192.168.10.0/24 dst-address=192.168.10.10 log=no log-prefix=""
1 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=RDS_PPOE_01 log=no log-prefix="" ipsec-policy=out,none
2 ;;; Sophos UTM9 Proxy
chain=dstnat action=dst-nat to-addresses=192.168.10.10 protocol=tcp dst-address=<PUBLIC IP 1> connection-mark="" in-interface=RDS_PPOE_01 dst-port=443,80,8080,8443 log=no log-prefix=""
3
chain=dstnat action=dst-nat to-addresses=192.168.10.4 to-ports=50100 protocol=tcp dst-address=<PUBLIC IP 1> connection-mark="" in-interface=RDS_PPOE_01 dst-port=50100 log=no log-prefix=""
4 ;;; OPNSense
chain=dstnat action=dst-nat to-addresses=192.168.10.61 protocol=tcp dst-address=<PUBLIC IP 1> connection-mark="" in-interface=RDS_PPOE_01 dst-port=8400,8600,8511 log=no log-prefix=""
5 ;;; SMTP on ROCLJVKRSMTP
chain=dstnat action=dst-nat to-addresses=192.168.10.55 protocol=tcp dst-address=<PUBLIC IP 2> in-interface=RDS_PPOE_02 dst-port=25,465,587 log=no log-prefix=""
6 chain=srcnat action=src-nat to-addresses=<PUBLIC IP 2> src-address=192.168.10.55 routing-mark=PPPOE_02 out-interface=RDS_PPOE_02 log=no log-prefix=""
7 ;;; VPS Blog
chain=dstnat action=dst-nat to-addresses=192.168.10.7 protocol=tcp dst-address=<PUBLIC IP 2> connection-mark="" in-interface=RDS_PPOE_02 dst-port=80,443 log=no log-prefix=""
8 chain=srcnat action=src-nat to-addresses=<PUBLIC IP 2> src-address=192.168.10.7 routing-mark=PPPOE_02 out-interface=RDS_PPOE_02 log=no log-prefix=""
Here are the mangle rules:
0 ;;; Policy based routing for VPS Blog on RDS_PPPOE_02
chain=prerouting action=mark-routing new-routing-mark=PPPOE_02 passthrough=no src-address=192.168.10.7 in-interface=bridge_LAN log=no log-prefix=""
1 ;;; Policy based routing for ICMP on RDS_PPPOE_02
chain=input action=mark-connection new-connection-mark=PPPOE_02_WAN-Connection passthrough=no connection-state=new protocol=icmp in-interface=RDS_PPOE_02 log=no log-prefix=""
2 chain=output action=mark-routing new-routing-mark=PPPOE_02 passthrough=no protocol=icmp connection-mark=PPPOE_02_WAN-Connection log=no log-prefix=""
3 ;;; Policy based routing for SMTP Server on RDS_PPPOE_02
chain=prerouting action=mark-routing new-routing-mark=PPPOE_02 passthrough=no src-address=192.168.10.55 in-interface=bridge_LAN log=no log-prefix=""
Re: HairPin NAT not working
Posted: Wed Mar 06, 2024 4:12 pm
by TheCat12
Firstly, when you have specified dst-ports in the dst-nat rule for the server it is good practice to add them to the to-ports section:
chain=dstnat action=dst-nat to-addresses=192.168.10.10 to-ports=443,80,8080,8443 protocol=tcp dst-address=<PUBLIC IP 1> connection-mark="" in-interface=RDS_PPOE_01 dst-port=443,80,8080,8443 log=no log-prefix=""
Secondly, I think the problem is that the Hairpin NAT rule is before the dst-nat rule, whereas it should be the opposite, because rules in MikroTik are processed in ascending order (from top to bottom).
Re: HairPin NAT not working
Posted: Wed Mar 06, 2024 5:07 pm
by adispy
Thank you very much for your help guys.
In the end I followed DeadStik's advice, and by removing the in-interface from the dst-nat rule the hairpin NAT started working.
@TheCat12 just curious how you managed to put those ports in the to-ports section of the rule, because it does not let me. I can go with one port or a range, but not ports separated by a comma.
Re: HairPin NAT not working
Posted: Wed Mar 06, 2024 5:13 pm
by TheCat12
@adispy My bad, it's not possible to list out separate ports in the to-ports section. You can leave it blank and the rule will work as intended.