pablo191f
just joined
Topic Author
Posts: 13
Joined: Tue Jun 25, 2013 5:05 pm

v6.x - Hairpin NAT not working

Sat Aug 17, 2013 12:17 pm

Hi. I have a problem with my RB751u-2hnd and rb951g-2hnd.
I'm trying to configure hairpin NAT on ROS v6.x according to http://wiki.mikrotik.com/wiki/Hairpin_NAT
Before the upgrade to 6.x it was working perfectly, but now srcnat doesn't see these packets, so it doesn't work.

Is there any other way to configure this? Or maybe it's a bug?

Thanks for your help!
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: v6.x - Hairpin NAT not working

Mon Aug 19, 2013 5:06 pm

Please post your configuration for others to see.
 
pablo191f
just joined
Topic Author
Posts: 13
Joined: Tue Jun 25, 2013 5:05 pm

Re: v6.x - Hairpin NAT not working

Mon Aug 19, 2013 7:40 pm

Example:

config:
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat dst-address=10.1.1.196 dst-port=80 \
    protocol=tcp src-address=10.1.1.0/24
add action=dst-nat chain=dstnat dst-address=192.168.1.211 dst-port=80 \
    protocol=tcp to-addresses=10.1.1.196 to-ports=80
add action=dst-nat chain=dstnat dst-address=192.168.1.211 dst-port=81 \
    protocol=tcp to-addresses=10.1.1.197 to-ports=80

/interface bridge
add arp=proxy-arp l2mtu=1598 name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=wlan1
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
No firewall filter rules.

Forwarding works well between the client and server1 (no need to configure hairpin NAT), but not between the client and server2. The hairpin NAT rule doesn't see these packets; its counter is 0.

This config works well on v5.x but not on v6.x.
 
THG
Member
Posts: 472
Joined: Thu Oct 15, 2009 1:05 am

Re: v6.x - Hairpin NAT not working

Tue Aug 20, 2013 6:10 pm

Is there any other way to configure this?
Add a static DNS entry for your web server.
 
pablo191f
just joined
Topic Author
Posts: 13
Joined: Tue Jun 25, 2013 5:05 pm

Re: v6.x - Hairpin NAT not working

Tue Aug 20, 2013 6:17 pm

It won't work. As you can see I'm changing ports in dstnat.
 
THG
Member
Posts: 472
Joined: Thu Oct 15, 2009 1:05 am

Re: v6.x - Hairpin NAT not working

Tue Aug 20, 2013 7:39 pm

Both servers run on port 80, so I do not see the problem.
 
pablo191f
just joined
Topic Author
Posts: 13
Joined: Tue Jun 25, 2013 5:05 pm

Re: v6.x - Hairpin NAT not working

Tue Aug 20, 2013 8:26 pm

So tell me how to add a static DNS entry that redirects me from port 81 to port 80?

I want to enter the address http://<my_domain>:81 in my web browser and get a connection to server2 on port 80 (10.1.1.196:80).
Another time I want to enter the address http://<my_domain>:80 and get a connection to server1 on port 80 (10.1.1.197:80).
 
mxmxmxmxmx
Frequent Visitor
Posts: 68
Joined: Mon Aug 25, 2008 1:27 am

Re: v6.x - Hairpin NAT not working

Wed Aug 21, 2013 3:23 pm

@pablo191f I have a question about the example.

You said "This config works well on v5.x but not on v6.x."

OK, let's assume we use 5.x where it works.
Will it work with the server connected to the SWITCH? In this configuration everything is on one MikroTik port. Is it possible for it to work?

By everything I mean the "LAN" side.
 
THG
Member
Posts: 472
Joined: Thu Oct 15, 2009 1:05 am

Re: v6.x - Hairpin NAT not working

Wed Aug 21, 2013 3:43 pm

So tell me how to add a static DNS entry that redirects me from port 81 to port 80?

I want to enter the address http://<my_domain>:81 in my web browser and get a connection to server2 on port 80 (10.1.1.196:80).
Where are you browsing from, the client computer in your drawing?
 
pablo191f
just joined
Topic Author
Posts: 13
Joined: Tue Jun 25, 2013 5:05 pm

Re: v6.x - Hairpin NAT not working

Wed Aug 21, 2013 4:36 pm

@mxmxmxmxmx
Yes, it is possible because it IS working on 5.25. The client and server are connected to the switch and the switch is connected to one port of the MT.

@THG
Yes, the client computer is connected to the switch.
 
THG
Member
Posts: 472
Joined: Thu Oct 15, 2009 1:05 am

Re: v6.x - Hairpin NAT not working

Fri Aug 23, 2013 12:16 am

Yes, the client computer is connected to the switch.
Okay, I'm trying to understand your scenario.
I want to enter the address http://<my_domain>:81 in my web browser and get a connection to server2 on port 80 (10.1.1.196:80).
Another time I want to enter the address http://<my_domain>:80 and get a connection to server1 on port 80 (10.1.1.197:80).
Can you please answer whether you browse to the same domain with different port numbers, or whether you have two different domains?
 
pablo191f
just joined
Topic Author
Posts: 13
Joined: Tue Jun 25, 2013 5:05 pm

Re: v6.x - Hairpin NAT not working

Fri Aug 23, 2013 10:23 pm

One domain, different port numbers.
 
THG
Member
Posts: 472
Joined: Thu Oct 15, 2009 1:05 am

Re: v6.x - Hairpin NAT not working

Sat Aug 24, 2013 6:35 pm

One domain, different port numbers.
Do you think that this little detail was quite irrelevant and barely worth mentioning in the first place? This little piece of information changes everything; right now I do not have any solution for you.
 
pablo191f
just joined
Topic Author
Posts: 13
Joined: Tue Jun 25, 2013 5:05 pm

Re: v6.x - Hairpin NAT not working

Sat Aug 24, 2013 8:53 pm

But that's why I used only IP addresses in my example, without any info about the domain. In this case one domain = no domain (I think).
 
unibit
just joined
Posts: 1
Joined: Wed Sep 04, 2013 8:28 pm

Re: v6.x - Hairpin NAT not working

Wed Sep 04, 2013 9:00 pm

Same problem: the rule works OK on v5.25, but not on 6.0 and above.

Example:
/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=local.ip.address to-ports=80 protocol=tcp dst-address=public.ip.address dst-port=80
Now on v6.3
dstnat is OK on the public network, but not in the local one.
The problem is not in DNS.

Any ideas?
 
plankanater
Member Candidate
Posts: 172
Joined: Wed Mar 14, 2012 3:56 am

Re: v6.x - Hairpin NAT not working

Mon Sep 16, 2013 10:45 pm

Same issue.

I have a public IP subnet, let's say 8.8.8.1-8.8.8.20; these are assigned to a MikroTik. The MikroTik then has a private IP range of 192.168.1.xx. The publics are dst-nat'ed to the privates with the same ending number.

So 8.8.8.1 is NATed to 192.168.1.1 and so forth.
We also have a srcnat for 192.168.1.1 to netmap to 8.8.8.1.

From the server 192.168.1.1 that is netmapped out to 8.8.8.1, they cannot access anything by using the public IP of a different server on the network like 8.8.8.8; however they can if they use 192.168.1.8, which is netmapped to 8.8.8.8, because those are just local addresses.

These rules were working with 5.14 but are not working with 6.3 firmware.

I know 8.8.8.8 is a subnet held by Google. I changed the subnet for privacy.

Then I added a srcnat with src-address 192.168.1.0/24, dst-address 192.168.1.0/24 and action masquerade, and it still does not seem to be working. I tried putting it at the top of the list and it still doesn't work.
 
darbeau
just joined
Posts: 2
Joined: Wed Jul 04, 2012 8:37 pm

Re: v6.x - Hairpin NAT not working

Tue Sep 17, 2013 6:34 am

Hi,

I have 6 Cloud Core Routers in offices around the world. In each office, with ROS 6.x (all versions so far), I have been able to successfully implement hairpin NAT with the following:

/ip firewall nat
add action=masquerade chain=srcnat comment=HairPin dst-address=172.16.10.0/24 src-address=172.16.10.0/24

This rule will do hairpin NAT for everything, and you don't have to do it by port.
Add a similar rule for every subnet that you have masqueraded.

For your case I would use:

/ip firewall nat add action=masquerade chain=srcnat comment=HairPin dst-address=192.168.1.0/24 src-address=192.168.1.0/24


Hope that can help!
Dan
 
plankanater
Member Candidate
Posts: 172
Joined: Wed Mar 14, 2012 3:56 am

Re: v6.x - Hairpin NAT not working

Tue Sep 17, 2013 2:15 pm

I have that rule in the router and it is set as rule 0; I have also tried setting it as the last srcnat rule in the list, and rebooted each time.

I turned on logging of traffic and I don't see the servers even hitting the router. I rolled back to 5.26 and everything started working again. Not sure what I did wrong.
 
Volans
newbie
Posts: 26
Joined: Fri Oct 18, 2013 3:27 pm

Re: v6.x - Hairpin NAT not working

Tue Oct 22, 2013 3:23 pm

I just bought a RouterOS license and have the same problem :( (ver. 6.4)
darbeau's version of the hairpin NAT rule doesn't work for me either. :?

Has anybody fixed this problem yet?
 
plankanater
Member Candidate
Posts: 172
Joined: Wed Mar 14, 2012 3:56 am

Re: v6.x - Hairpin NAT not working

Tue Oct 22, 2013 4:47 pm

Did you put the hairpin rule in before the router was live and programmed? My guess is that it has to be done at the very beginning, before having the router live. I fixed the issue by going back to 5.25. So I don't know what is going on with it.
 
Volans
newbie
Posts: 26
Joined: Fri Oct 18, 2013 3:27 pm

Re: v6.x - Hairpin NAT not working

Tue Oct 22, 2013 4:54 pm

Hmm, I installed RouterOS 6.4, set up the basic things like interfaces, LAN-Wifi bridge, DHCP, DNS, then very basic firewall rules, DSTNAT (port forwarding) for each service and then the hairpin rule. Just updated to ver. 6.5, but still the same. :(
 
pcunite
Forum Guru
Posts: 1347
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: v6.x - Hairpin NAT not working

Fri Nov 08, 2013 9:40 pm

I'm having the same problem. It seems to only occur when using a bridge interface with switched ports, otherwise it will work.
 
JJCinAZ
Member
Posts: 475
Joined: Fri Oct 22, 2004 8:03 am
Location: Tucson, AZ

Re: v6.x - Hairpin NAT not working

Fri Nov 08, 2013 11:10 pm

On v6 setup, have you tried disabling Fast Path under /ip settings?
 
Stillhard
Frequent Visitor
Posts: 82
Joined: Sun Jun 10, 2012 11:18 am
Location: Banten, Indonesia

Re: v6.x - Hairpin NAT not working

Fri Nov 08, 2013 11:50 pm

  • What's new in 6.7rc1 (2013-Nov-08 15:54):
    *) fixed hairpin nat on bridge with use-ip-firewall=yes;
 
pcunite
Forum Guru
Posts: 1347
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: v6.x - Hairpin NAT not working

Sat Nov 09, 2013 4:26 am

  • What's new in 6.7rc1 (2013-Nov-08 15:54):
    *) fixed hairpin nat on bridge with use-ip-firewall=yes;
Awesome, I was just about to update my post about how I can only get the wireless interface to hairpin NAT if the ethernet ports are switched in a bridge.
 
Volans
newbie
Posts: 26
Joined: Fri Oct 18, 2013 3:27 pm

Re: v6.x - Hairpin NAT not working

Mon Nov 11, 2013 4:26 pm

Now I'm on 6.7rc1 and the hairpin NAT is still not working. I tested it with a webserver.

My LAN: 192.168.10.0/24
Webserver: 192.168.10.4

chain=srcnat action=masquerade protocol=tcp src-address=192.168.10.0/24 dst-address=192.168.10.4 out-interface=LAN-WLAN-Bridge dst-port=80

or darbeau's version:

chain=srcnat action=masquerade src-address=192.168.10.0/24 dst-address=192.168.10.0/24

The webserver is not reachable from the LAN via the public IP, even if I disable all firewall rules for testing. :?
On v6 setup, have you tried disabling Fast Path under /ip settings?
Yes, doesn't help.
 
Volans
newbie
Posts: 26
Joined: Fri Oct 18, 2013 3:27 pm

Re: v6.x - Hairpin NAT not working

Tue Nov 12, 2013 11:53 am

IT WORKS! :D

I deleted all my dst-nat rules and set them up from scratch. After that it works, and I realised that "in-interface=ether1" (WAN) was set on all my rules.
I don't know why I set the in-interface; I checked all wikis and it's always unset :? ..so it was my fault. :/

//EDIT:

After I got back home, I noticed that without "in-interface=ether1" the hairpin NAT seemed to work, but not only for my DynDNS address.

myserver.dyndns.org, google.com, ebay.com: it all makes no difference now. Every request via port 80 goes to my internal webserver. So I don't know if the hairpin NAT works now, because I have a new problem. :? I opened a new thread, because I think it's not related to the hairpin NAT problem:

http://forum.mikrotik.com/viewtopic.php?f=13&t=78883
 
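The following is an added example, not code from this thread or from MikroTik. It models the two rules the thread keeps returning to (a dst-nat on the public address plus darbeau's LAN-to-LAN masquerade) and shows why the server's reply is dropped without the hairpin rule, and why a dst-nat rule that matches only dst-port, as in Volans's last post, also catches ordinary LAN-to-internet HTTP traffic. The router LAN address 10.1.1.1, the client 10.1.1.50 and the internet host 203.0.113.10 are assumed/constructed values; the conntrack reversal is simplified.

```python
import ipaddress
from dataclasses import dataclass, replace

PUBLIC_IP = "192.168.1.211"                 # WAN address used in the thread
LAN = ipaddress.ip_network("10.1.1.0/24")   # LAN from the thread
ROUTER_LAN_IP = "10.1.1.1"                  # assumed router LAN address
SERVER, CLIENT = "10.1.1.196", "10.1.1.50"  # server from thread; client constructed
INTERNET_HOST = "203.0.113.10"              # constructed (TEST-NET-3)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def dstnat(p, match_public):
    """dst-nat dst-port=80 [dst-address=PUBLIC_IP] to-addresses=SERVER."""
    if p.dport == 80 and (not match_public or p.dst == PUBLIC_IP):
        return replace(p, dst=SERVER)
    return p


def srcnat(p, hairpin):
    """masquerade src-address=LAN dst-address=LAN (runs after dst-nat)."""
    if hairpin and ipaddress.ip_address(p.src) in LAN \
            and ipaddress.ip_address(p.dst) in LAN:
        return replace(p, src=ROUTER_LAN_IP)
    return p


def hairpin_reply(hairpin, match_public=True):
    """Client opens PUBLIC_IP:80; return (reply source seen by client, accepted)."""
    syn = Packet(CLIENT, 40000, PUBLIC_IP, 80)
    fwd = srcnat(dstnat(syn, match_public), hairpin)
    reply = Packet(fwd.dst, fwd.dport, fwd.src, fwd.sport)  # server answers what it saw
    if reply.dst == ROUTER_LAN_IP:
        # reply returns through the router; conntrack undoes both translations
        reply = Packet(syn.dst, syn.dport, syn.src, syn.sport)
    # otherwise the server answers the client directly on the switch, bypassing the router
    accepted = (reply.src, reply.sport) == (syn.dst, syn.dport)
    return reply.src, accepted


def outbound_destination(match_public):
    """Where a LAN client's HTTP request to an internet host is actually delivered."""
    req = Packet(CLIENT, 40001, INTERNET_HOST, 80)
    return dstnat(req, match_public).dst
```

Without the masquerade the client sees a SYN-ACK from 10.1.1.196 for a connection it opened to 192.168.1.211 and discards it; without dst-address on the dst-nat rule, every LAN request to any host on port 80 lands on the internal server.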
twilight
just joined
Posts: 21
Joined: Wed Nov 18, 2015 12:07 am

Re: v6.x - Hairpin NAT not working

Wed Nov 18, 2015 12:15 am

I tried http://wiki.mikrotik.com/wiki/Hairpin_NAT on my old MikroTik hAP lite and it worked flawlessly. It had out-interface set to "bridge-local".

I have now bought a more powerful 24-port CRS125 from MikroTik and cannot replicate the same rule. It seems this router cannot bridge ports if in router mode. The old one had this bridge-local by default, even in router mode.

I tried all the above examples and none of them work. The browser is stuck at loading.

Any other ideas?
 
twilight
just joined
Posts: 21
Joined: Wed Nov 18, 2015 12:07 am

Re: v6.x - Hairpin NAT not working

Fri Nov 20, 2015 7:46 pm

I finally made it work.

1 ;;; hairpin nat
chain=srcnat action=masquerade protocol=tcp src-address=192.168.2.0/24
dst-address=192.168.2.0/24 out-interface=ether1-master-local log=no
log-prefix=""

This is the rule that does it for me. I have two servers and both are accessible from within the LAN.
 
BigED
just joined
Posts: 1
Joined: Tue Mar 01, 2016 6:50 pm

Re: v6.x - Hairpin NAT not working

Tue Mar 01, 2016 7:20 pm

You don't need a HAIRPIN rule on the 6.x version.

I have an RB2011 with version 6.34.2.

Assume that you have 3 web hosts with the following IPs, 192.168.1.100, 192.168.1.101 and 192.168.1.102, and web services listening on port 80 on each one of them.

Just try:

/ip firewall filter
add chain=forward action=accept protocol=tcp dst-port=80 \
comment="Filter exception to allow NAT rule to work"

*** CAUTION *** If you want to reset all NAT rules, uncomment the following line
#/ip firewall nat remove [/ip firewall nat find]
/ip firewall nat
add chain=srcnat action=masquerade out-interface=pppoe-out1 comment="default configuration"
add chain=dstnat action=dst-nat dst-port=80 protocol=tcp \
to-addresses=192.168.1.100 to-ports=80
add chain=dstnat action=dst-nat dst-port=81 protocol=tcp \
to-addresses=192.168.1.101 to-ports=80
add chain=dstnat action=dst-nat dst-port=82 protocol=tcp \
to-addresses=192.168.1.102 to-ports=80

In the FORWARD chain only the to-ports value (80) must be specified as dst-port, regardless of the dstnat dst-port (80, 81, 82).


If this does not work, try adding the following rules at the top of the FORWARD chain:

/ip firewall filter
add chain=forward action=drop connection-state=invalid comment="Drop false packets"
add chain=forward action=accept connection-state=new in-interface=bridge-local comment="Enable LAN traffic"
add chain=forward action=accept connection-state=established,related comment="Enable originated LAN traffic"
add chain=forward action=accept

Hope this helps!