Norman29
just joined
Topic Author
Posts: 10
Joined: Sat Feb 08, 2014 9:08 pm

Hairpin conflicts with VPN vice versa

Sat Feb 08, 2014 9:40 pm

I managed to get hairpin NAT working and I managed to get VPN working.
The only thing is I can't use them together...

I checked all my NAT rules, and this rule, which I need for my hairpin NAT, is causing the problem:
/ip firewall nat
add chain=dstnat action=dst-nat dst-address=1.1.1.1 to-addresses=192.168.0.4
where 1.1.1.1 is my public IP address and 192.168.0.4 is the IP address I want to connect to.

If I enable this rule I can't get a VPN connection, but hairpin NAT works.
If I disable this rule, VPN works but hairpin does not.

I think I need some additional rules, but I have no clue which ones.
 
rickfrey
Trainer
Posts: 609
Joined: Sun Feb 14, 2010 11:41 pm
Location: Van, Texas

Re: Hairpin conflicts with VPN vice versa

Sun Feb 16, 2014 8:03 am

We will need to know what the rest of the settings are to be able to help with this.
 
Norman29
just joined
Topic Author
Posts: 10
Joined: Sat Feb 08, 2014 9:08 pm

Re: Hairpin conflicts with VPN vice versa

Sun Feb 16, 2014 12:54 pm

Here are my firewall rules:
/ip firewall filter
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add chain=input comment="VPN TEST" dst-port=1723 protocol=tcp
add chain=input comment="VPN TEST" protocol=gre
add chain=input comment="Allow access to the router from the LAN using address list" src-address-list=OurLocalLan
add chain=input comment="Allow established connections to the router" connection-state=established
add chain=input comment="Allow related connections to the router" connection-state=related
add chain=input comment="default configuration" protocol=icmp
add action=drop chain=input comment="Drop ftp brute forcers" dst-port=21 protocol=tcp src-address-list=ftp_blacklist tcp-flags=""
add action=drop chain=input comment="drop ssh brute forcers" connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
add action=drop chain=input comment="Drop all other traffic to the router"
add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid
add action=drop chain=forward comment="default configuration" connection-state=invalid disabled=yes
add chain=forward comment="Allow connections from the LAN" connection-state=new in-interface=bridge-local
add chain=forward comment="Allow established connections" connection-state=established
add chain=forward comment="Allow related connections" connection-state=related
add action=drop chain=forward comment="Drop invalid connections for tcp connection" connection-state=invalid protocol=tcp
add action=jump chain=forward jump-target=tcp protocol=tcp
add action=jump chain=forward jump-target=udp protocol=udp
add action=jump chain=forward jump-target=icmp protocol=icmp
add action=drop chain=forward comment="Block \"bogon\" IP addresses" src-address=0.0.0.0/8
add action=drop chain=forward comment="Block \"bogon\" IP addresses" dst-address=0.0.0.0/8
add action=drop chain=forward comment="Block \"bogon\" IP addresses" src-address=127.0.0.0/8
add action=drop chain=forward comment="Block \"bogon\" IP addresses" dst-address=127.0.0.0/8
add action=drop chain=forward comment="Block \"bogon\" IP addresses" src-address=224.0.0.0/3
add action=drop chain=forward comment="Block \"bogon\" IP addresses" dst-address=224.0.0.0/3
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add chain=icmp comment="\"echo reply\"" icmp-options=0:0 protocol=icmp
add chain=icmp comment="\"net unreachable\"" icmp-options=3:0 protocol=icmp
add chain=icmp comment="\"host unreachable\"" icmp-options=3:1 protocol=icmp
add chain=icmp comment="\"host unreachable fragmentation required\"" icmp-options=3:4 protocol=icmp
add chain=icmp comment="\"allow echo request\"" icmp-options=8:0 protocol=icmp
add chain=icmp comment="\"allow time exceed\"" icmp-options=11:0 protocol=icmp
add chain=icmp comment="\"allow parameter bad\"" icmp-options=12:0 protocol=icmp
add chain=icmp comment="\"allow source quench\"" icmp-options=4:0 protocol=icmp
add action=drop chain=icmp comment="\"deny all other types\"" icmp-options=0 protocol=icmp
add action=drop chain=tcp comment="Deny TFTP" dst-port=69 protocol=tcp
add action=drop chain=tcp comment="Deny RPC portmapper" dst-port=111 protocol=tcp
add action=drop chain=tcp comment="Deny RPC portmapper" dst-port=135 protocol=tcp
add action=drop chain=tcp comment="Deny NBT" dst-port=137-139 protocol=tcp
add action=drop chain=tcp comment="Deny NetBus" dst-port=12345-12346 protocol=tcp
add action=drop chain=tcp comment="Deny DHCP" dst-port=67-68 protocol=tcp
add action=drop chain=tcp comment="Deny BackOffice" dst-port=3133 protocol=tcp
add action=drop chain=tcp comment="Deny NetBus" dst-port=20034 protocol=tcp
add action=drop chain=tcp comment="Deny CIFS" dst-port=445 protocol=tcp
add action=drop chain=tcp comment="Deny NFS" dst-port=2049 protocol=tcp
add chain=output content="\"530 Login incorrect\"" dst-limit=1/1m,9,dst-address/1m protocol=tcp src-address-list=ftp_blacklist tcp-flags=""
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="\"530 Login incorrect\"" protocol=tcp
/ip firewall nat
# (this line is the troubling one)
add action=dst-nat chain=dstnat comment="Hairpin test 1" dst-address=80.80.47.135 to-addresses=192.168.0.4
add action=src-nat chain=srcnat comment="Hairpin test 2" dst-address=192.168.0.4 to-addresses=80.80.47.135
add action=masquerade chain=srcnat comment="Hairpin test 3" dst-address=192.168.0.0/24 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="default configuration" out-interface=bridge-local
add action=masquerade chain=srcnat out-interface=pppoe-out1
 
rickfrey
Trainer
Posts: 609
Joined: Sun Feb 14, 2010 11:41 pm
Location: Van, Texas

Re: Hairpin conflicts with VPN vice versa

Tue Feb 18, 2014 11:18 pm

The problem looks like you are trying to accept the VPN connection on that router, but then you are NAT'ing all of the ports (including the ones for the VPN) to another address. Here's how you can fix it. Determine what ports you need for the VPN and then add a port range to that rule with those missing. For example:

dst-port=1-100,110-200

You may have to do this for multiple ports/protocols. Alternatively, you can add an accept rule for those ports above the NAT rule. Then those specific ports will terminate at the router.
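A worked version of both options from the reply above, written as an added example for this thread (it is not the poster's own config and not MikroTik's). It assumes the addresses from the posted export (public 80.80.47.135, internal host 192.168.0.4) and that the VPN is PPTP, i.e. TCP/1723 plus GRE, the same two protocols the posted input-chain rules already allow. The ports 80,443 in the narrowed hairpin rule are placeholders for whatever the internal host really serves.

```routeros
# Added example, not from the thread. Assumes public IP 80.80.47.135,
# internal host 192.168.0.4 and a PPTP VPN (TCP/1723 + GRE) terminating
# on the router.
/ip firewall nat

# Option B (the one the topic author went with): accept the VPN traffic in
# dstnat BEFORE the hairpin dst-nat rule. The dstnat chain is first-match,
# so these packets never reach the redirect and terminate on the router.
# place-before=0 inserts the rule at the top of the chain instead of
# appending it.
add chain=dstnat action=accept comment="VPN to router: PPTP control" \
    dst-address=80.80.47.135 protocol=tcp dst-port=1723 place-before=0
add chain=dstnat action=accept comment="VPN to router: GRE" \
    dst-address=80.80.47.135 protocol=gre place-before=0

# Option A: instead of redirecting every protocol and port that arrives
# for the public address to 192.168.0.4, narrow the existing hairpin rule
# to the services that host actually offers. A port-scoped rule needs
# protocol=, so GRE and TCP/1723 simply stop matching it. 80,443 are
# placeholder ports; substitute the real list.
set [find comment="Hairpin test 1"] protocol=tcp dst-port=80,443

# The srcnat side of the hairpin ("Hairpin test 3" in the posted export)
# stays as it is: LAN clients reaching 192.168.0.4 through the public
# address get the router as source, so the reply comes back via the router
# rather than straight to the client.

# Check 1: the two accept rules must be listed above the dst-nat rule.
print where chain=dstnat
# Check 2: with a VPN client connecting from outside, the packet counters
# on the accept rules should rise while the dst-nat rule's do not.
print stats where chain=dstnat
```

Either option alone resolves the conflict; applying both leaves the internal host reachable only on the ports it needs, which is the smaller exposure. After the change, confirm that the filter input chain still accepts TCP/1723 and GRE (it does in the posted export) because dstnat accept only decides that the packet is not redirected, not that the router will answer it.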
 
Norman29
just joined
Topic Author
Posts: 10
Joined: Sat Feb 08, 2014 9:08 pm

Re: Hairpin conflicts with VPN vice versa

Tue Feb 18, 2014 11:32 pm

... Alternatively, you can add an accept rule for those ports above the NAT rule. Then those specific ports will terminate at the router.
Great! Thanx man, that solution worked!
I'm happy now :D
 
rickfrey
Trainer
Posts: 609
Joined: Sun Feb 14, 2010 11:41 pm
Location: Van, Texas

Re: Hairpin conflicts with VPN vice versa

Tue Feb 18, 2014 11:35 pm

No problem, glad I could help :D
