svenvg93
just joined
Topic Author
Posts: 9
Joined: Fri Feb 02, 2024 7:56 pm

Hairpin NAT noob question

Mon Mar 25, 2024 2:51 pm

Hi All,

I'm trying to set up hairpin NAT so my LAN clients can reach the server via the public domain name.
I created a DNAT rule that works from the outside.
But the hairpin NAT rule that I made based on https://help.mikrotik.com/docs/display/ ... HairpinNAT does not. I also removed the src-address-list from the DNAT rule, without result.

What am I missing here:
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=172.16.10.3 out-interface=bridge1 protocol=tcp src-address=172.16.10.0/24
add action=masquerade chain=srcnat comment="Enable NAT on WAN interface" out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Destination NAT to forward traffic on port 8086 to 172.16.10.3" dst-port=8086 in-interface-list=WAN protocol=tcp src-address-list=Remote_Probes to-addresses=172.16.10.3
 
anav
Forum Guru
Posts: 19639
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Hairpin NAT noob question

Mon Mar 25, 2024 2:55 pm

Sorry, you're missing the complete config, so I'm unable to comment with certainty.
/export file=anynameyouwish (minus router serial number and any public WAN IP info)
 
svenvg93
just joined
Topic Author
Posts: 9
Joined: Fri Feb 02, 2024 7:56 pm

Re: Hairpin NAT noob question

Mon Mar 25, 2024 3:04 pm

Sorry,
/interface bridge
add name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=ether11 ] disabled=yes
set [ find default-name=ether12 ] disabled=yes
set [ find default-name=ether13 ] disabled=yes
set [ find default-name=ether14 ] disabled=yes
set [ find default-name=ether15 ] disabled=yes
set [ find default-name=ether16 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] comment="1G PtP Draytek SFP" l2mtu=1596 rx-flow-control=auto tx-flow-control=auto
set [ find default-name=sfp-sfpplus2 ] disabled=yes
/interface wireguard
add comment="Remote VPN" listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=sfp-sfpplus1 name=internet vlan-id=300
/interface ethernet switch port-isolation
set 8 !forwarding-override
set 9 !forwarding-override
set 10 !forwarding-override
set 11 !forwarding-override
set 12 !forwarding-override
set 13 !forwarding-override
set 14 !forwarding-override
set 15 !forwarding-override
set 17 !forwarding-override
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=172.16.10.100-172.16.10.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 lease-time=1d name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
set *0 use-upnp=no
set *FFFFFFFE use-ipv6=no
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether1
/ip neighbor discovery-settings
set protocol=lldp
/interface l2tp-server server
set use-ipsec=required
/interface list member
add interface=internet list=WAN
add interface=bridge1 list=LAN
add interface=wireguard1 list=LAN
add interface=*24 list=LAN
/interface wireguard peers
add allowed-address=172.16.20.2/32 comment=Sven interface=wireguard1 public-key="xxxx"
add allowed-address=172.16.20.3/32 comment=Havan interface=wireguard1 public-key="xxxx"
/ip address
add address=172.16.10.1/24 interface=bridge1 network=172.16.10.0
add address=172.16.20.1/24 interface=wireguard1 network=172.16.20.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-client
add interface=internet use-peer-ntp=no
/ip dhcp-server lease
add address=172.16.10.22 mac-address=24:A4:2C:39:34:16 server=dhcp1
add address=172.16.10.20 mac-address=24:A4:2C:39:33:66 server=dhcp1
add address=172.16.10.21 mac-address=24:A4:2C:39:33:78 server=dhcp1
add address=172.16.10.10 mac-address=00:03:2D:52:89:90 server=dhcp1
add address=172.16.10.4 mac-address=6C:3C:8C:14:33:57 server=dhcp1
add address=172.16.10.5 mac-address=00:A5:54:CA:48:83 server=dhcp1
add address=172.16.10.2 mac-address=4C:C5:3E:4B:95:D8 server=dhcp1
add address=172.16.10.3 mac-address=6C:3C:8C:14:36:48 server=dhcp1
/ip dhcp-server network
add address=172.16.10.0/24 dns-server=172.16.10.1 domain=cpelab.lan gateway=172.16.10.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=172.16.10.10 name=cdrouter.cpelab.lan
add address=172.16.10.3 name=hf1090s67e0.sn.mynetname.net
/ip firewall address-list
add address=85.146.118.0/24 comment="Probes @ Lab" list=Remote_Probes
add address=82.173.82.17 comment="B2B Probes @ Lab" list=Remote_Probes
/ip firewall filter
add action=accept chain=forward comment="Allow established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid traffic" connection-state=invalid
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow WireGuard to LAN" in-interface=wireguard1 out-interface=bridge1
add action=drop chain=forward comment="drop all else"
add action=accept chain=input comment="Allow established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="Allow LAN DNS traffic udp" in-interface-list=LAN port=53 protocol=udp
add action=accept chain=input comment="Allow LAN DNS traffic tcp" in-interface-list=LAN port=53 protocol=tcp
add action=accept chain=input comment="Allow WireGuard traffic" dst-port=13231 protocol=udp
add action=accept chain=input comment="Allow WireGuard traffic" dst-port=13300 protocol=udp
add action=accept chain=input comment="Allow traffic from LAN interface list to the router" in-interface-list=LAN
add action=drop chain=input comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" disabled=yes dst-address=172.16.10.3 out-interface-list=WAN protocol=tcp src-address=172.16.10.0/24
add action=masquerade chain=srcnat comment="Enable NAT on WAN interface" out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Destination NAT to forward traffic on port 8086 to 172.16.10.3" dst-port=8086 in-interface-list=WAN protocol=tcp \
    src-address-list=Remote_Probes to-addresses=172.16.10.3
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
/ipv6 route
add disabled=no distance=1 dst-address=2000::/3 gateway=2001:470:1f12:ed3::1 scope=30 target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=CCR2004
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=nl.pool.ntp.org
/system routerboard settings
set enter-setup-on=delete-key
/tool bandwidth-server
set enabled=no
 
anav
Forum Guru
Posts: 19639
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Hairpin NAT noob question

Mon Mar 25, 2024 3:22 pm

1. This indicates an issue
add interface=*24 list=LAN

2. Input chain rules are a bit funny.
add action=accept chain=input comment="Allow established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="Allow LAN DNS traffic udp" in-interface-list=LAN port=53 protocol=udp
add action=accept chain=input comment="Allow LAN DNS traffic tcp" in-interface-list=LAN port=53 protocol=tcp
add action=accept chain=input comment="Allow WireGuard traffic" dst-port=13231 protocol=udp
add action=accept chain=input comment="Allow WireGuard traffic" dst-port=13300 protocol=udp
add action=accept chain=input comment="Allow traffic from LAN interface list to the router" in-interface-list=LAN
add action=drop chain=input comment="Drop all else"


You should note that you actually don't need the DNS rules if you keep the other green rule, because the second green rule allows DNS as well.
The reason for the DNS rules is that all users SHOULD NOT have full access to the input chain, which is why we provide only the needed services to the LAN list on the input chain.
What you should do on the input chain is create an "AUTHORIZED" source address list and allow it to access the input chain:
- admin IP on local bridge (pc) *static DHCP lease*
- admin IP on local bridge (laptop) *static DHCP lease*
- admin IP on local bridge (smartphone/ipad)
- remote admin IP on wireguard (whatever devices the admin connects from, could be laptop and smartphone)

Then, once that's done, remove the full access of the LAN to the input chain, keeping the good DNS rules.

(5) No need for two WireGuard input chain handshake rules???
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

(4) Now onto the port forwarding
The firewall rule is fine.
The format for hairpin is not quite correct.
Typically it's (and no out-interface nor protocol):
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=172.16.10.0/24 src-address=172.16.10.0/24

However, I suppose you can truncate it a bit, but I don't recommend it, especially if you add servers, as the above covers all. But if you look at what you did, it could be:
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=172.16.10.3/32 src-address=172.16.10.0/24

FORMAT of the destination NAT rule should be:
/ip firewall address-list
add address=hf1090s67e0.sn.mynetname.net list=MYWANIP
add address=85.146.118.0/24 comment="Probes @ Lab" list=Remote_Probes
add address=82.173.82.17 comment="B2B Probes @ Lab" list=Remote_Probes

--------------------------------------------------------------------------------------------
add action=dst-nat chain=dstnat comment="server X" dst-address-list=MYWANIP dst-port=8086 \
    protocol=tcp src-address-list=Remote_Probes to-addresses=172.16.10.3
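Putting the pieces of the reply together, here is an added example (written for this page, not text from anav, the original poster or MikroTik's documentation) of the complete NAT layout as it would look in the posted config. It assumes the names from the export (bridge1, the WAN interface list, the server at 172.16.10.3:8086, the DDNS name hf1090s67e0.sn.mynetname.net) and adds two checks a practitioner would want. First, the dst-nat rule still carries src-address-list=Remote_Probes, so a hairpinned LAN client only matches if its subnet is also on that list (or the source restriction is dropped); the extra list entry below is an assumption, not something the thread proposed. Second, the posted /ip dns static entry already maps the public name to 172.16.10.3, so LAN clients that use the router for DNS resolve straight to the private address and never exercise the hairpin path at all; the hairpin rules only come into play for clients that use an external resolver and therefore connect to the WAN IP.

```routeros
# Added example: corrected hairpin-NAT layout for the config in this thread.
# Assumed names: WAN interface list "WAN", LAN bridge "bridge1", server
# 172.16.10.3:8086, public DDNS name hf1090s67e0.sn.mynetname.net.

/ip firewall address-list
# FQDN entry: RouterOS resolves the name and keeps the resolved address as a
# dynamic entry, so the dst-nat rule matches the WAN IP without hard-coding it.
add address=hf1090s67e0.sn.mynetname.net comment="public IP via DDNS name" list=MYWANIP
add address=85.146.118.0/24 comment="Probes @ Lab" list=Remote_Probes
add address=82.173.82.17 comment="B2B Probes @ Lab" list=Remote_Probes
# Assumption: LAN clients must also be an allowed source, otherwise the
# src-address-list match in the dst-nat rule never fires for hairpinned traffic.
add address=172.16.10.0/24 comment="LAN clients (hairpin)" list=Remote_Probes

/ip firewall nat
# dst-nat matches on the WAN address rather than in-interface-list=WAN: a
# hairpinned packet from the LAN arrives on bridge1, not on the WAN interface,
# so an in-interface-list=WAN condition can never match it.
add action=dst-nat chain=dstnat comment="8086 -> 172.16.10.3" \
    dst-address-list=MYWANIP dst-port=8086 protocol=tcp \
    src-address-list=Remote_Probes to-addresses=172.16.10.3
# Hairpin: source-NAT the LAN->LAN connections that were just dst-natted so the
# server replies to the router, which un-NATs them. Without this the server
# answers the client directly from 172.16.10.3, but the client sent its SYN to
# the WAN IP, so its stack discards a SYN/ACK from an address it never talked to.
add action=masquerade chain=srcnat comment="Hairpin NAT" \
    dst-address=172.16.10.0/24 src-address=172.16.10.0/24
add action=masquerade chain=srcnat comment="Enable NAT on WAN interface" \
    out-interface-list=WAN

# Verification (from a LAN client that resolves the name to the WAN IP, open
# http://hf1090s67e0.sn.mynetname.net:8086/, then on the router):
#   /ip firewall address-list print where list=MYWANIP
#       -> a dynamic entry with the current WAN address must be present
#   /ip firewall nat print stats
#       -> packet counters on both the dst-nat and the "Hairpin NAT" rule increase
#   /ip firewall connection print where dst-address~"8086"
#       -> the connection shows the WAN IP as destination and 172.16.10.3 as reply source
```

The forward chain in the posted config already accepts connection-nat-state=dstnat, so no filter change is needed for the hairpinned flow; if the "Hairpin NAT" counter stays at zero while the dst-nat counter rises, the client is reaching the server by its private address (split DNS) and the hairpin rule is simply not being exercised.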
