I am kind of a fresh Mikrotik user but with some grasp on networking things.
Google came up with "a lot" of solutions that seem not to work at all, so I am finally, after a 2-day fight and before moving my local client machine (192.168.88.50) to a separate subnet, turning to you guys.
Not sure what I am missing, but the network looks as follows:
Local router (7.14.2, 192.168.88.0/24) connected with WireGuard to a CHR (7.14.2) that is being used as an internet gateway for some of the machines that sit on 192.168.88.0/24.
Everything seems to be working as expected apart from hairpin NAT, when trying to reach locally hosted resources over the public IP (tried only via the CHR).
The way the connection is set up for those machines that should have the CHR address is via the routing tables and routing rules on the local router:
/routing> rule print
Flags: X - disabled, I - inactive
0 X src-address=192.168.88.123/32 action=lookup-only-in-table table=chr1
1 src-address=192.168.88.200/32 action=lookup-only-in-table table=chr1
2 src-address=192.168.88.202/32 action=lookup-only-in-table table=chr1
3 src-address=192.168.88.105/32 action=lookup-only-in-table table=chr1
/routing> table/ print
Flags: D - dynamic; X - disabled, I - invalid; U - used
0 D name="main" fib
1 name="chr1" fib
Local Network NAT:
> ip/firewall/nat print
Flags: X - disabled, I - invalid; D - dynamic
0 chain=srcnat action=masquerade src-address=192.168.88.0/24 dst-address=192.168.88.0/24 log=no log-prefix=""
1 ;;; defconf: masquerade
chain=srcnat action=masquerade src-address=192.168.88.0/24 out-interface=ether1 log=no log-prefix=""
ipsec-policy=out,none
2 X chain=srcnat action=masquerade src-address=192.168.88.0/24 dst-address=192.168.88.0/24 out-interface=bridge
log=no log-prefix=""
3 X ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=WG-majas log=no log-prefix="" ipsec-policy=out,none
4 X chain=srcnat action=passthrough connection-mark=use-chr-1 routing-mark=chr1 out-interface=WG-majas log=no
log-prefix=""
5 chain=dstnat action=dst-nat to-addresses=192.168.88.103 protocol=tcp src-address-list=somelist
in-interface=ether1 dst-port=111 log=no log-prefix=""
6 chain=dstnat action=dst-nat to-addresses=192.168.88.103 protocol=tcp src-address-list=somelist
in-interface=ether1 dst-port=222 log=no log-prefix=""
7 chain=dstnat action=dst-nat to-addresses=192.168.88.105 protocol=udp in-interface=ether1 dst-port=1234 log=no
CHR NAT:
/ip/firewall/nat> print
Flags: X - disabled, I - invalid; D - dynamic
0 chain=srcnat action=masquerade src-address=192.168.88.0/24 dst-address=192.168.88.0/24 log=no log-prefix=""
1 chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""
2 chain=dstnat action=dst-nat to-addresses=192.168.88.105 protocol=udp dst-port=1234 log=yes log-prefix=""
3 chain=dstnat action=dst-nat to-addresses=192.168.88.202 protocol=udp dst-port=12345 log=no log-prefix=""
What could I be missing?
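Added example (not part of the post, and not RouterOS code): a small Python model of how the CHR NAT rules quoted above are evaluated for the hairpin case, with the dstnat chain applied first and the srcnat chain then seeing the already-translated destination. The public address 203.0.113.10, the tunnel address 10.255.0.1, the interface name wg-site and the ISP address 198.51.100.7 are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed placeholders (not from the post): the CHR's public address and
# the address of its WireGuard interface towards the 192.168.88.0/24 site.
IFACE_ADDR = {"ether1": "203.0.113.10", "wg-site": "10.255.0.1"}
LAN = ipaddress.ip_network("192.168.88.0/24")

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

# The CHR NAT rules as posted, in print order.
CHR_NAT = [
    dict(idx=0, chain="srcnat", action="masquerade", src=LAN, dst=LAN),
    dict(idx=1, chain="srcnat", action="masquerade", out_iface="ether1"),
    dict(idx=2, chain="dstnat", action="dst-nat", to="192.168.88.105", proto="udp", dport=1234),
    dict(idx=3, chain="dstnat", action="dst-nat", to="192.168.88.202", proto="udp", dport=12345),
]

def out_iface(dst):
    """Routing decision: the site LAN is reached over the tunnel, all else via ether1."""
    return "wg-site" if ipaddress.ip_address(dst) in LAN else "ether1"

def matches(rule, pkt):
    """A rule matches when every matcher it specifies agrees with the packet."""
    checks = [
        ("src", lambda v: ipaddress.ip_address(pkt.src) in v),
        ("dst", lambda v: ipaddress.ip_address(pkt.dst) in v),
        ("proto", lambda v: v == pkt.proto),
        ("dport", lambda v: v == pkt.dport),
        ("out_iface", lambda v: v == out_iface(pkt.dst)),
    ]
    return all(test(rule[key]) for key, test in checks if key in rule)

def apply_nat(pkt):
    """dstnat (prerouting) first, then srcnat (postrouting) on the rewritten destination.
    First matching rule per chain is applied and ends that chain.
    Returns (translated packet, indices of the rules that matched)."""
    hits = []
    for chain in ("dstnat", "srcnat"):
        for rule in CHR_NAT:
            if rule["chain"] == chain and matches(rule, pkt):
                hits.append(rule["idx"])
                if rule["action"] == "dst-nat":
                    pkt = replace(pkt, dst=rule["to"])
                else:  # masquerade: source becomes the outgoing interface's address
                    pkt = replace(pkt, src=IFACE_ADDR[out_iface(pkt.dst)])
                break
    return pkt, hits
```

Feeding the same UDP/1234 request to the public address once from 192.168.88.200 (a host the local router sends over the tunnel via table chr1) and once from a constructed ISP address such as 198.51.100.7 (a host that leaves the local router masqueraded on ether1) shows which srcnat rule, if any, rewrites the source on the way to 192.168.88.105.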