Re: [Mikrotik] Hairpin NAT/WAN Reflection on ROS6

2012-10-22 Thread Rory McCann
Thanks for the thoughts, guys. I've wasted enough time on it, so I decided 
just to fix it in DNS and be done with it.


For anyone that is curious - I created static entries in my MT DNS 
server (which was not handling DNS for anything). I then created 
conditional forwarders in Active Directory and pointed them to the MT 
for resolution.


Rory McCann
Minn-Kota Ag Products
P: 701-403-4877 | E: r...@mkap.com

___
Mikrotik mailing list
Mikrotik@mail.butchevans.com
http://www.butchevans.com/mailman/listinfo/mikrotik

Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS




Re: [Mikrotik] Hairpin NAT/WAN Reflection on ROS6

2012-10-22 Thread Josh Luthman
You want the /24 for sec address


Re: [Mikrotik] Hairpin NAT/WAN Reflection on ROS6

2012-10-22 Thread Rory McCann
I haven't been able to get it to work. I can't get it to match traffic - 
where I thought I was matching the traffic correctly it was just 
masquerading traffic destined to the router itself via winbox.


All I should need is a rule like this:
/ip firewall nat
add action=src-nat chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.1.14 out-interface=LAN src-address=192.168.1.0/24 \
    to-addresses=192.168.1.254

Where 192.168.1.0/24 is the LAN subnet, 1.14 is the WWW server and 1.254 
is the router IP. Using masquerade doesn't make any difference and 
transposing the src and dest addresses makes no difference. If I use 
192.168.1.0/24 as src and dest, I see packets being matched, but when 
digging deeper it's just from my winbox session.


My dst-nat rules are what you would expect - nothing non-standard about 
them and I have no issues from the outside of the network.


Rory McCann
Minn-Kota Ag Products
P: 701-403-4877 | E: r...@mkap.com



Re: [Mikrotik] Hairpin NAT/WAN Reflection on ROS6

2012-10-21 Thread Josh Luthman
Are you srcnat'ing the traffic that stays in your LAN?


Re: [Mikrotik] Hairpin NAT/WAN Reflection on ROS6

2012-10-21 Thread Mike Hammett
I've heard others say that Greg's setup works, so I'm not sure. I haven't done 
anything like that so I don't know how to advise you.



-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com



[Mikrotik] Hairpin NAT/WAN Reflection on ROS6

2012-10-16 Thread Rory McCann
Anyone have any working examples of Hairpin NAT (aka WAN Reflection) on 
RouterOS 6.x? Since moving to rc1 I have not been able to get the rules 
to work any longer. I've finally been able to get them to at least catch 
traffic, but the connections never seem to make it through. I'm using it 
for accessing an internal webserver.


I've used examples found on the official wiki, gregsowell.com and 
others. None produce the desired result.


Thanks.

--
Rory McCann
Minn-Kota Ag Products
P: 701-403-4877 | E: r...@mkap.com



Re: [Mikrotik] Hairpin NAT revisted

2010-07-05 Thread Butch Evans
On Mon, 2010-07-05 at 09:15 -0500, Stuart Pierce wrote: 
> Is there a way to execute a script based on access to a 
> certain port ? 

Yes and no.  There is no way to directly tie a script in MT to a port.
However, you can write a scheduler script that watches a firewall rule's
counters and then does something based on those counters.  If you can be
a bit more specific as to what you need done, perhaps we can come up
with other/better ideas.

-- 

* Butch Evans   * Professional Network Consultation*
* http://www.butchevans.com/* Network Engineering  *
* http://store.wispgear.net/* Wired or Wireless Networks   *
* http://blog.butchevans.com/   * ImageStream, Mikrotik and MORE!  *




Re: [Mikrotik] Hairpin NAT revisted

2010-07-05 Thread Stuart Pierce
Is there a way to execute a script based on access to a certain port ? Like 
http://10.5.50.1:9501 and then the Tik box senses that and runs a script. 





Sent via the WebMail system at avolve.net


 
   


Re: [Mikrotik] Hairpin NAT revisted

2010-06-28 Thread Rory McCann

Thanks for the tip!

I probably should've done that from the get go being as I spent a good 
amount of time trying to find a working ASP telnet script. Oh well, it 
does what it's supposed to so I'll leave it alone unless it needs 
modification.




Re: [Mikrotik] Hairpin NAT revisted

2010-06-28 Thread Andrew Cox
Just looking at this now, I gather you already have the server and all 
the scripts setup.
However, if the telnet script/system becomes too much or doesn't work 
properly, you could also try something like this:


1. on your block page have a link to a specific unused port on the same 
server (say http://192.168.1.250:)
2. add a rule to the Mikrotik that adds any user who hits that ip/port 
combination to an address list: "delist-user"
3. set up a script to run every 5-10 minutes that runs through and 
deletes each "delist-user" entry and, if the IP is also in the 
"Blacklist", removes that entry too.


Saves having to do any real work on the server at all ;-)

Regards,
Andrew


--
Kind Regards,
Andrew Cox
AccessPlus
Head Network Administrator
Ph: 1300 739 822 (7am - 12 midnight AEST)



Re: [Mikrotik] Hairpin NAT revisted

2010-06-28 Thread Rory McCann
I created a bit of a workaround. The rule provided by Butch was 
necessary for proper IP detection by the webserver for clients coming 
from other subnets on the same router. I simply pointed the delisting 
link on the blacklist page to the direct delist script (i.e. I made a 
hyperlink to http://192.168.1.250/delist.asp). Since the clients were 
now directly connecting to the webserver and not being masqueraded 
through the router, the IP detection worked correctly and removed the IP 
from the address list on the MT.


Thanks for the help guys!



Re: [Mikrotik] Hairpin NAT revisted

2010-06-28 Thread Rory McCann
This fixed half the problem. Users on my 192.168.25.0/27 subnet now show 
the correct IP address on the webserver, however it breaks hairpin NAT 
for the 192.168.1.0/24 subnet (which the webserver resides on).


On 6/28/2010 1:06 PM, Butch Evans wrote:

I'd double check the srcnat rules to ensure that they are NOT
natting traffic leaving on the interface that has the 192.168.1.x IP
assigned to it.  You could add a rule like:
/ip firewall nat
add chain=srcnat out-interface=LAN action=accept

Substitute the "LAN" interface for whatever interface has the
192.168.1.x address assigned.  Put that rule above all other srcnat
chain rules and see if it changes things.

   

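The half-fix reported above falls out of where srcnat sits in RouterOS packet flow (after dstnat and the routing decision). The Python model below is an added example, not code from the thread or from MikroTik: it walks a client's request through dstnat and srcnat chains built from Rory's export and then asks whether the webserver's reply can reach the client. The public IP is a placeholder for the x.x.x.x in the export, the interface name for the 192.168.25.0/27 subnet is assumed, and the third rule set (the 2012 thread's src-restricted hairpin rule placed above Butch's accept rule) is my arrangement, not one posted in the thread.

```python
"""Model of RouterOS NAT processing for a LAN client's request to the public IP:
dstnat chain -> routing decision -> srcnat chain -> can the server's reply return?
Constructed example; addresses follow the thread's export."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

PUBLIC_IP = "203.0.113.10"      # placeholder for the x.x.x.x in the export
WEBSERVER = "192.168.1.250"
ROUTER_LAN = "192.168.1.254"
LAN_IF = "ether2"               # the interface Butch's rule calls "LAN"
ROUTES = {                      # connected subnets; anything else goes out ether4 (WAN)
    ip_network("192.168.1.0/24"): LAN_IF,
    ip_network("192.168.25.0/27"): "ether3",   # assumed interface name
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int = 80
    out_iface: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    chain: str                 # "dstnat" or "srcnat"
    action: str                # "dst-nat", "src-nat" or "accept"
    src_address: Optional[str] = None
    dst_address: Optional[str] = None
    dst_port: Optional[int] = None
    out_interface: Optional[str] = None
    to_addresses: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        return all((
            self.src_address is None or ip_address(pkt.src) in ip_network(self.src_address),
            self.dst_address is None or ip_address(pkt.dst) in ip_network(self.dst_address),
            self.dst_port is None or pkt.dport == self.dst_port,
            self.out_interface is None or pkt.out_iface == self.out_interface,
        ))


def route(dst: str) -> str:
    """Pick the egress interface for a destination (longest match is not needed here)."""
    for net, iface in ROUTES.items():
        if ip_address(dst) in net:
            return iface
    return "ether4"


def run_chain(chain: str, pkt: Packet, rules) -> Packet:
    """First matching rule decides: accept leaves the packet untouched,
    a NAT action rewrites it; either way the chain ends there."""
    for r in rules:
        if r.chain != chain or not r.matches(pkt):
            continue
        if r.action == "dst-nat":
            return replace(pkt, dst=r.to_addresses)
        if r.action == "src-nat":
            return replace(pkt, src=r.to_addresses)
        return pkt  # accept
    return pkt


def hairpin_outcome(client_ip: str, rules) -> dict:
    pkt = Packet(src=client_ip, dst=PUBLIC_IP)
    pkt = run_chain("dstnat", pkt, rules)            # public IP -> webserver
    pkt = replace(pkt, out_iface=route(pkt.dst))     # routing happens before srcnat
    pkt = run_chain("srcnat", pkt, rules)
    server_sees = pkt.src
    # The server answers whoever it saw. If that address is on its own subnet
    # (and is not the router), the reply crosses the LAN directly with
    # src=WEBSERVER, but the client is waiting for a reply from PUBLIC_IP.
    reply_bypasses_router = route(server_sees) == route(WEBSERVER) and server_sees != ROUTER_LAN
    return {"server_sees": server_sees, "works": not reply_bypasses_router}


# Rules from Rory's export: outbound NAT for the LANs, the port-80 forward
# and the unrestricted hairpin rule at the end of the srcnat chain.
BASE_RULES = [
    Rule("dstnat", "dst-nat", dst_address=PUBLIC_IP, dst_port=80, to_addresses=WEBSERVER),
    Rule("srcnat", "src-nat", out_interface="ether4", src_address="192.168.1.0/24", to_addresses=PUBLIC_IP),
    Rule("srcnat", "src-nat", out_interface="ether4", src_address="192.168.25.0/27", to_addresses=PUBLIC_IP),
    Rule("srcnat", "src-nat", dst_address=WEBSERVER, dst_port=80, to_addresses=ROUTER_LAN),
]
# Butch's suggestion: accept LAN-bound traffic above everything else in srcnat.
WITH_ACCEPT = [Rule("srcnat", "accept", out_interface=LAN_IF)] + BASE_RULES
# My arrangement (not posted in the thread): hairpin only the webserver's own
# subnet, as the 2012 rule does, and place that rule above the accept rule.
NARROW_HAIRPIN = [
    Rule("srcnat", "src-nat", src_address="192.168.1.0/24", dst_address=WEBSERVER,
         dst_port=80, out_interface=LAN_IF, to_addresses=ROUTER_LAN),
] + WITH_ACCEPT

if __name__ == "__main__":
    for name, rules in (("export as posted", BASE_RULES), ("with accept rule", WITH_ACCEPT),
                        ("narrow hairpin + accept", NARROW_HAIRPIN)):
        for client in ("192.168.1.9", "192.168.25.15", "198.51.100.7"):
            print(f"{name:24} client {client:14} -> {hairpin_outcome(client, rules)}")
```

The "with accept rule" run reproduces the report above: the 192.168.25.0/27 client is seen with its real address and works, while the 192.168.1.0/24 client's reply never passes the router.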


Re: [Mikrotik] Hairpin NAT revisted

2010-06-28 Thread Butch Evans
On Mon, 2010-06-28 at 12:21 -0500, Rory McCann wrote: 
> add action=dst-nat chain=dstnat comment="" disabled=no 
> dst-address=x.x.x.x dst-port=80 protocol=tcp to-addresses=192.168.1.250 
> to-ports=80

Ok, so the dstnat rule looks right.

> add action=dst-nat chain=dstnat comment="" disabled=no dst-port=80 
> protocol=tcp src-address-list=Blacklist to-addresses=192.168.1.250 \
>  to-ports=80

This one looks ok, too.  I suspected that you may have had a srcnat rule
that was causing a problem.  It does not look that way in your export,
though.  I'd double check the srcnat rules to ensure that they are NOT
natting traffic leaving on the interface that has the 192.168.1.x IP
assigned to it.  You could add a rule like:
/ip firewall nat
add chain=srcnat out-interface=LAN action=accept

Substitute the "LAN" interface for whatever interface has the
192.168.1.x address assigned.  Put that rule above all other srcnat
chain rules and see if it changes things.

-- 

* Butch Evans   * Professional Network Consultation*
* http://www.butchevans.com/* Network Engineering  *
* http://store.wispgear.net/* Wired or Wireless Networks   *
* http://blog.butchevans.com/   * ImageStream, Mikrotik and MORE!  *




Re: [Mikrotik] Hairpin NAT revisted

2010-06-28 Thread Rory McCann
I have a few subnets on this unit (RB1000) running on several public 
IPs. Right now ether4 is my WAN. Ether2 (192.168.1.0/24) is the subnet I 
am trying to get my blacklisting scripts working on. The webserver is 
192.168.1.250. The MT is 192.168.1.254.


/ip firewall nat
add action=src-nat chain=srcnat comment="" disabled=no out-interface=ether4 \
    src-address=192.168.1.4 to-addresses=x.x.x.x
add action=src-nat chain=srcnat comment="" disabled=no out-interface=ether4 \
    src-address=192.168.1.250 to-addresses=x.x.x.x
add action=src-nat chain=srcnat comment="" disabled=no out-interface=ether4 \
    src-address=192.168.25.15 to-addresses=x.x.x.x
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=x.x.x.x \
    dst-port=80 protocol=tcp to-addresses=192.168.1.250 to-ports=80
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=x.x.x.x \
    dst-port=6500 protocol=tcp to-addresses=192.168.1.4 to-ports=6500
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=x.x.x.x \
    dst-port=6510 protocol=tcp to-addresses=192.168.25.15 to-ports=6510
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=x.x.x.x \
    dst-port=6520 protocol=tcp to-addresses=192.168.2.10 to-ports=6520
add action=src-nat chain=srcnat comment="" disabled=no out-interface=ether4 \
    src-address=192.168.1.0/24 to-addresses=x.x.x.x
add action=src-nat chain=srcnat comment="" disabled=no out-interface=ether4 \
    src-address=192.168.25.0/27 to-addresses=x.x.x.x
add action=src-nat chain=srcnat comment="" disabled=no out-interface=ether4 \
    src-address=192.168.2.0/28 to-addresses=x.x.x.x
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=80 protocol=tcp \
    src-address-list=Blacklist to-addresses=192.168.1.250 to-ports=80
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=53 protocol=udp \
    src-address=192.168.25.15 to-addresses=192.168.1.2 to-ports=53
add action=src-nat chain=srcnat comment="" disabled=no dst-address=192.168.1.250 \
    dst-address-type="" dst-port=80 protocol=tcp src-address-type="" \
    to-addresses=192.168.1.254



Re: [Mikrotik] Hairpin NAT revisted

2010-06-28 Thread Butch Evans
On Mon, 2010-06-28 at 11:15 -0500, Rory McCann wrote: 
> I don't think it's an issue of the traffic being blocked, but rather 
> when the traffic is modified to redirect the user to my block page 
> instead of Google.com, it utilized the hairpin NAT rule to find the 
> webserver, but replaces the source address with that of the MT router 
> instead of the source address of the client.

Post a copy of the output of: "/ip firewall nat export"

-- 

* Butch Evans   * Professional Network Consultation*
* http://www.butchevans.com/* Network Engineering  *
* http://store.wispgear.net/* Wired or Wireless Networks   *
* http://blog.butchevans.com/   * ImageStream, Mikrotik and MORE!  *




Re: [Mikrotik] Hairpin NAT revisted

2010-06-28 Thread Rory McCann
I don't think it's an issue of the traffic being blocked, but rather 
when the traffic is modified to redirect the user to my block page 
instead of Google.com, it utilized the hairpin NAT rule to find the 
webserver, but replaces the source address with that of the MT router 
instead of the source address of the client.




Re: [Mikrotik] Hairpin NAT revisted

2010-06-28 Thread Josh Luthman
Can you just allow all 192.168.0.0/24?

On 6/28/10, Rory McCann  wrote:
> I've been utilizing hairpin NAT to help with displaying webpages to
> computers on the same subnet as the webserver using the public IP - it
> has been working flawlessly, however now I am trying to utilize some new
> functionality.
>
> My webserver has a default host on it that clients are redirected to if
> they get blacklisted for high connection counts (flagged using Butch's
> QoS script). I have put together some ASP pages that allow them to
> manually remove themselves from the blacklist via telnet, however my
> problem comes in when the webserver tries to detect the client's IP address.
>
> Let's say client A is blacklisted. His IP is 192.168.0.9. The MT is
> 192.168.0.254. The webserver always sees the request as coming from
> 192.168.0.254 instead of 192.168.0.9, so I cannot get the script to
> automatically remove the correct IP from the address list.
>
> Is there any workaround to this, or is this just one of the pitfalls of
> hairpin NAT?
>
> Thanks in advance!
> Rory McCann
> Minn-Kota Ag Products


-- 
Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

“Success is not final, failure is not fatal: it is the courage to
continue that counts.”
--- Winston Churchill


[Mikrotik] Hairpin NAT revisited

2010-06-28 Thread Rory McCann
I've been utilizing hairpin NAT to help with displaying webpages to 
computers on the same subnet as the webserver using the public IP - it 
has been working flawlessly, however now I am trying to utilize some new 
functionality.


My webserver has a default host on it that clients are redirected to if 
they get blacklisted for high connection counts (flagged using Butch's 
QoS script). I have put together some ASP pages that allow them to 
manually remove themselves from the blacklist via telnet, however my 
problem comes in when the webserver tries to detect the client's IP address.


Let's say client A is blacklisted. His IP is 192.168.0.9. The MT is 
192.168.0.254. The webserver always sees the request as coming from 
192.168.0.254 instead of 192.168.0.9, so I cannot get the script to 
automatically remove the correct IP from the address list.


Is there any workaround to this, or is this just one of the pitfalls of 
hairpin NAT?


Thanks in advance!
Rory McCann
Minn-Kota Ag Products


Re: [Mikrotik] Hairpin NAT

2010-04-21 Thread Ing. Mario Clep
what about 4.7?


Mario Clep

Ing. en Telecomunicaciones
MikroTik Certified Network Associate
CTO / MKE Solutions
http://MikrotikExpert.com
i...@mikrotikexpert.com
Tel: (54)358 4210029  - 0358 154192733



On Wed, Apr 21, 2010 at 12:44 PM, David Sovereen
 wrote:
> Hairpin NAT doesn't work for us on 4.6.
>
> Dave
>
> -Original Message-
> From: mikrotik-boun...@mail.butchevans.com
> [mailto:mikrotik-boun...@mail.butchevans.com] On Behalf Of Rory McCann
> Sent: Wednesday, April 21, 2010 10:13 AM
> To: mikrotik@mail.butchevans.com
> Subject: Re: [Mikrotik] Hairpin NAT
>
> Josh, I tried this rule and it did not seem to work. Any ideas if it's
> supposed to work on OS 4.2?
>
> My other thought was to try to masquerade the specific traffic from the
> LAN destined to the webserver IP as an IP from another subnet, however
> that doesn't seem to be working either.
>
> Kind of at a loss here. The websites in question are just personal
> websites and it's really just a workaround for my convenience. I don't
> want to put this server on another subnet and I don't want to have to
> mess around with the DNS on my AD server, however if I can't find
> another workaround I'm probably going to have to.
>
> On 4/19/2010 8:28 PM, mikrotik-requ...@mail.butchevans.com wrote:
>> Message: 1
>> Date: Mon, 19 Apr 2010 15:59:21 -0400
>> From: Josh Luthman
>> Subject: Re: [Mikrotik] Hairpin NAT
>> To: Mikrotik discussions
>> Message-ID:
>>       
>> Content-Type: text/plain; charset="windows-1252"
>>
>>> There may be other ways to accomplish your goal, but I don't think
>>> spending time with trying to make hairpin nat work is a good idea.
>>
>> Why not?
>>
>> /ip firew nat
>> add action=dst-nat chain=dstnat comment="bender - http" disabled=no \
>>      dst-address=!10.0.0.0/24 dst-address-type=local dst-port=80 protocol=\
>>      tcp to-addresses=10.0.0.9 to-ports=80
>>
>>
>> Josh Luthman
>> Office: 937-552-2340
>> Direct: 937-552-2343
>> 1100 Wayne St
>> Suite 1337
>> Troy, OH 45373
>>
>> “Success is not final, failure is not fatal: it is the courage to
>> continue that counts.”
>> --- Winston Churchill
>>


Re: [Mikrotik] Hairpin NAT

2010-04-21 Thread David Sovereen
Hairpin NAT doesn't work for us on 4.6.

Dave

-Original Message-
From: mikrotik-boun...@mail.butchevans.com
[mailto:mikrotik-boun...@mail.butchevans.com] On Behalf Of Rory McCann
Sent: Wednesday, April 21, 2010 10:13 AM
To: mikrotik@mail.butchevans.com
Subject: Re: [Mikrotik] Hairpin NAT

Josh, I tried this rule and it did not seem to work. Any ideas if it's 
supposed to work on OS 4.2?

My other thought was to try to masquerade the specific traffic from the 
LAN destined to the webserver IP as an IP from another subnet, however 
that doesn't seem to be working either.

Kind of at a loss here. The websites in question are just personal 
websites and it's really just a workaround for my convenience. I don't 
want to put this server on another subnet and I don't want to have to 
mess around with the DNS on my AD server, however if I can't find 
another workaround I'm probably going to have to.

On 4/19/2010 8:28 PM, mikrotik-requ...@mail.butchevans.com wrote:
> Message: 1
> Date: Mon, 19 Apr 2010 15:59:21 -0400
> From: Josh Luthman
> Subject: Re: [Mikrotik] Hairpin NAT
> To: Mikrotik discussions
> Message-ID:
>   
> Content-Type: text/plain; charset="windows-1252"
>
>> There may be other ways to accomplish your goal, but I don't think
>> spending time with trying to make hairpin nat work is a good idea.
>
> Why not?
>
> /ip firew nat
> add action=dst-nat chain=dstnat comment="bender - http" disabled=no \
>  dst-address=!10.0.0.0/24 dst-address-type=local dst-port=80 protocol=\
>  tcp to-addresses=10.0.0.9 to-ports=80
>
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
>
> “Success is not final, failure is not fatal: it is the courage to
> continue that counts.”
> --- Winston Churchill
>


Re: [Mikrotik] Hairpin NAT

2010-04-21 Thread Rory McCann

That worked! Thanks for the help!

Essentially all I needed was the src-nat rule with the internal IP of my 
webserver (192.168.1.250) as the DST address, and src-nat it to the IP 
of the MT (192.168.1.254) on that specific interface.


On 4/21/2010 10:21 AM, David Smith wrote:

found this article using 'loopback nat' -
http://forum.mikrotik.com/viewtopic.php?f=9&t=16851
also, try searching for 'Nat Loopback, Nat Reflection, or Nat Bouncing'
as suggested in article too

   

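As an added illustration (a constructed packet-flow model, not RouterOS code and not from any poster), the block below walks a LAN client's request through the router in RouterOS chain order, dstnat then routing then srcnat, and shows that the reply is only un-translated if it comes back through the router. With the src-nat rule off it shows why the plain dst-nat rule fails from inside the LAN; with the rule Rory describes in place it shows why the web server then sees 192.168.1.254 instead of the client, the pitfall raised in the "Hairpin NAT revisited" thread. 203.0.113.10 stands in for the thread's a.b.c.d; the other addresses are the thread's.

```python
"""Toy packet-flow model of hairpin NAT as discussed in this thread.

Forward path on the router follows RouterOS chain order: dstnat, routing,
srcnat. Connection tracking remembers each translation so a reply that
passes back through the router can be un-translated. Constructed example,
not RouterOS code.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

PUBLIC_WEB = "203.0.113.10"   # stands in for the thread's a.b.c.d (TEST-NET-3, constructed)
WEB_SERVER = "192.168.1.250"  # internal web server address from the thread
ROUTER_LAN = "192.168.1.254"  # the MT's LAN address from the thread
LAN = ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Packet":
        """The 5-tuple a reply to this packet would carry."""
        return Packet(self.dst, self.dport, self.src, self.sport)


def dstnat(pkt: Packet) -> Packet:
    """Port-forward: anything to the public web IP on :80 goes to 192.168.1.250."""
    if pkt.dst == PUBLIC_WEB and pkt.dport == 80:
        return replace(pkt, dst=WEB_SERVER)
    return pkt


def srcnat(pkt: Packet, hairpin_rule: bool) -> Packet:
    """The rule Rory ended up with: LAN -> 192.168.1.250 out the LAN interface
    gets its source rewritten to the router's own LAN address."""
    if hairpin_rule and ip_address(pkt.src) in LAN and pkt.dst == WEB_SERVER:
        return replace(pkt, src=ROUTER_LAN)
    return pkt


def router_forward(pkt: Packet, conntrack: dict, hairpin_rule: bool) -> Packet:
    """Run the chains in RouterOS order and record the mapping for the reply."""
    translated = srcnat(dstnat(pkt), hairpin_rule)
    # Key on the reply the router expects to see; value is the original 5-tuple.
    conntrack[translated.reverse()] = pkt
    return translated


def router_reply(pkt: Packet, conntrack: dict) -> Packet:
    """Un-translate a reply that reached the router; unknown flows pass unchanged."""
    original = conntrack.get(pkt)
    return original.reverse() if original else pkt


def hairpin_session(hairpin_rule: bool, client: str = "192.168.1.9") -> dict:
    """A LAN client opens PUBLIC_WEB:80. Returns what each side observed."""
    conntrack: dict = {}
    request = Packet(client, 50000, PUBLIC_WEB, 80)
    # The client's default gateway is the router, so the SYN always reaches it.
    at_server = router_forward(request, conntrack, hairpin_rule)
    reply = at_server.reverse()  # the server answers whatever source it saw
    if ip_address(reply.dst) in LAN and reply.dst != ROUTER_LAN:
        # Same subnet: the server ARPs for the client and answers it directly,
        # bypassing the router, so nothing restores the public source address.
        at_client = reply
    else:
        at_client = router_reply(reply, conntrack)
    return {
        "server_sees_src": at_server.src,
        "reply_src_seen_by_client": at_client.src,
        # The client only accepts a reply that comes from where it sent the SYN.
        "ok": at_client == request.reverse(),
    }


if __name__ == "__main__":
    for rule in (False, True):
        print("hairpin src-nat rule", "on " if rule else "off", hairpin_session(rule))
```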


Re: [Mikrotik] Hairpin NAT

2010-04-21 Thread David Smith
found this article using 'loopback nat' -
http://forum.mikrotik.com/viewtopic.php?f=9&t=16851
also, try searching for 'Nat Loopback, Nat Reflection, or Nat Bouncing'
as suggested in article too
ds

David Smith
Senior Engineer

Preferred Technology Solutions
212 West Spring Valley Road
Richardson, TX 75081

Direct: 972-331-5610
Service: 972-331-5650
Fax: 972-644-4911

Telephony * Infrastructure * Wireless * Network Storage * Virtualization
* Video Surveillance * Managed Services 

Axis Communications Certified
Milestone Advanced Certified
Stirx Systems Certified
3Com LAN Stackable V5 Solutions Architect
Sonicwall CNA
Microsoft MCSE
Citrix CCA



-Original Message-
From: mikrotik-boun...@mail.butchevans.com
[mailto:mikrotik-boun...@mail.butchevans.com] On Behalf Of Rory McCann
Sent: Wednesday, April 21, 2010 9:56 AM
To: Mikrotik discussions
Subject: Re: [Mikrotik] Hairpin NAT

I'd actually have to create separate zones in AD for it to work. The 
website domain names of mine and the AD domain name are totally
different.

On 4/21/2010 9:55 AM, David Smith wrote:
> Just create a new host named www on the AD DNS server and give it the
> internal address of the web server.
> Have to do this most of the time anyway if you name your DOMAIN the same
> as your .com domain.
> ds
>
> David Smith
> Senior Engineer
>
> Preferred Technology Solutions
> 212 West Spring Valley Road
> Richardson, TX 75081
>
> Direct: 972-331-5610
> Service: 972-331-5650
> Fax: 972-644-4911
>
> Telephony * Infrastructure * Wireless * Network Storage * Virtualization
> * Video Surveillance * Managed Services
>
> Axis Communications Certified
> Milestone Advanced Certified
> Stirx Systems Certified
> 3Com LAN Stackable V5 Solutions Architect
> Sonicwall CNA
> Microsoft MCSE
> Citrix CCA
>
>
>
> -Original Message-
> From: mikrotik-boun...@mail.butchevans.com
> [mailto:mikrotik-boun...@mail.butchevans.com] On Behalf Of Hilton J
> Ralphs
> Sent: Wednesday, April 21, 2010 9:26 AM
> To: Mikrotik discussions
> Subject: Re: [Mikrotik] Hairpin NAT
>
> I'm sure there's supposed to be another rule. Something like masquerade
> your local IPs to that destination port (80).
>
>


Re: [Mikrotik] Hairpin NAT

2010-04-21 Thread Rory McCann
I'd actually have to create separate zones in AD for it to work. The 
website domain names of mine and the AD domain name are totally different.


On 4/21/2010 9:55 AM, David Smith wrote:

Just create a new host named www on the AD DNS server and give it the
internal address of the web server.
Have to do this most of the time anyway if you name your DOMAIN the same
as your .com domain.
ds

David Smith
Senior Engineer

Preferred Technology Solutions
212 West Spring Valley Road
Richardson, TX 75081

Direct: 972-331-5610
Service: 972-331-5650
Fax: 972-644-4911

Telephony * Infrastructure * Wireless * Network Storage * Virtualization
* Video Surveillance * Managed Services

Axis Communications Certified
Milestone Advanced Certified
Stirx Systems Certified
3Com LAN Stackable V5 Solutions Architect
Sonicwall CNA
Microsoft MCSE
Citrix CCA



-Original Message-
From: mikrotik-boun...@mail.butchevans.com
[mailto:mikrotik-boun...@mail.butchevans.com] On Behalf Of Hilton J
Ralphs
Sent: Wednesday, April 21, 2010 9:26 AM
To: Mikrotik discussions
Subject: Re: [Mikrotik] Hairpin NAT

I'm sure there's supposed to be another rule. Something like masquerade
your local IPs to that destination port (80).

   



Re: [Mikrotik] Hairpin NAT

2010-04-21 Thread David Smith
Just create a new host named www on the AD DNS server and give it the
internal address of the web server.
Have to do this most of the time anyway if you name your DOMAIN the same
as your .com domain.
ds

David Smith
Senior Engineer

Preferred Technology Solutions
212 West Spring Valley Road
Richardson, TX 75081

Direct: 972-331-5610
Service: 972-331-5650
Fax: 972-644-4911

Telephony * Infrastructure * Wireless * Network Storage * Virtualization
* Video Surveillance * Managed Services 

Axis Communications Certified
Milestone Advanced Certified
Stirx Systems Certified
3Com LAN Stackable V5 Solutions Architect
Sonicwall CNA
Microsoft MCSE
Citrix CCA



-Original Message-
From: mikrotik-boun...@mail.butchevans.com
[mailto:mikrotik-boun...@mail.butchevans.com] On Behalf Of Hilton J
Ralphs
Sent: Wednesday, April 21, 2010 9:26 AM
To: Mikrotik discussions
Subject: Re: [Mikrotik] Hairpin NAT

I'm sure there's supposed to be another rule. Something like masquerade
your local IPs to that destination port (80).

-- 
Regards
Hilton
082.572.9619


-Original Message-
From: mikrotik-boun...@mail.butchevans.com
[mailto:mikrotik-boun...@mail.butchevans.com] On Behalf Of Rory McCann

Josh, I tried this rule and it did not seem to work. Any ideas if it's 
supposed to work on OS 4.2?

My other thought was to try to masquerade the specific traffic from the 
LAN destined to the webserver IP as an IP from another subnet, however 
that doesn't seem to be working either.

Kind of at a loss here. The websites in question are just personal 
websites and it's really just a workaround for my convenience. I don't 
want to put this server on another subnet and I don't want to have to 
mess around with the DNS on my AD server, however if I can't find 
another workaround I'm probably going to have to.




Re: [Mikrotik] Hairpin NAT

2010-04-21 Thread Hilton J Ralphs
I'm sure there's supposed to be another rule. Something like masquerade your 
local IPs to that destination port (80).

-- 
Regards
Hilton
082.572.9619


-Original Message-
From: mikrotik-boun...@mail.butchevans.com 
[mailto:mikrotik-boun...@mail.butchevans.com] On Behalf Of Rory McCann

Josh, I tried this rule and it did not seem to work. Any ideas if it's 
supposed to work on OS 4.2?

My other thought was to try to masquerade the specific traffic from the 
LAN destined to the webserver IP as an IP from another subnet, however 
that doesn't seem to be working either.

Kind of at a loss here. The websites in question are just personal 
websites and it's really just a workaround for my convenience. I don't 
want to put this server on another subnet and I don't want to have to 
mess around with the DNS on my AD server, however if I can't find 
another workaround I'm probably going to have to.




Re: [Mikrotik] Hairpin NAT

2010-04-21 Thread Rory McCann
Whoops, sorry for the double reply on this. I was having list trouble 
yesterday. Switching away from digest mode so I can actually keep up a 
little bit.


On 4/21/2010 9:13 AM, Rory McCann wrote:
Josh, I tried this rule and it did not seem to work. Any ideas if it's 
supposed to work on OS 4.2?


My other thought was to try to masquerade the specific traffic from 
the LAN destined to the webserver IP as an IP from another subnet, 
however that doesn't seem to be working either.


Kind of at a loss here. The websites in question are just personal 
websites and it's really just a workaround for my convenience. I don't 
want to put this server on another subnet and I don't want to have to 
mess around with the DNS on my AD server, however if I can't find 
another workaround I'm probably going to have to.






Re: [Mikrotik] Hairpin NAT

2010-04-21 Thread Rory McCann
Josh, I tried this rule and it did not seem to work. Any ideas if it's 
supposed to work on OS 4.2?


My other thought was to try to masquerade the specific traffic from the 
LAN destined to the webserver IP as an IP from another subnet, however 
that doesn't seem to be working either.


Kind of at a loss here. The websites in question are just personal 
websites and it's really just a workaround for my convenience. I don't 
want to put this server on another subnet and I don't want to have to 
mess around with the DNS on my AD server, however if I can't find 
another workaround I'm probably going to have to.


On 4/19/2010 8:28 PM, mikrotik-requ...@mail.butchevans.com wrote:

Message: 1
Date: Mon, 19 Apr 2010 15:59:21 -0400
From: Josh Luthman
Subject: Re: [Mikrotik] Hairpin NAT
To: Mikrotik discussions
Message-ID:

Content-Type: text/plain; charset="windows-1252"

> There may be other ways to accomplish your goal, but I don't think
> spending time with trying to make hairpin nat work is a good idea.

Why not?

/ip firew nat
add action=dst-nat chain=dstnat comment="bender - http" disabled=no \
 dst-address=!10.0.0.0/24 dst-address-type=local dst-port=80 protocol=\
 tcp to-addresses=10.0.0.9 to-ports=80


Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

“Success is not final, failure is not fatal: it is the courage to continue
that counts.”
--- Winston Churchill



Re: [Mikrotik] Hairpin NAT

2010-04-19 Thread Josh Luthman
No idea when it was enabled but that command was added to this list a
month or two ago.

On 4/19/10, Butch Evans  wrote:
> On Mon, 2010-04-19 at 15:59 -0400, Josh Luthman wrote:
>> Why not?
>
> As I said, the last time I looked (it's been a while) hairpin NAT was
> not a feature that MT supported.  If they now support it, then that's
> great.
>
> --
> 
> * Butch Evans   * Professional Network Consultation*
> * http://www.butchevans.com/* Network Engineering  *
> * http://store.wispgear.net/* Wired or Wireless Networks   *
> * http://blog.butchevans.com/   * ImageStream, Mikrotik and MORE!  *
> 
>


-- 
Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

“Success is not final, failure is not fatal: it is the courage to
continue that counts.”
--- Winston Churchill


Re: [Mikrotik] Hairpin NAT

2010-04-19 Thread Butch Evans
On Mon, 2010-04-19 at 15:59 -0400, Josh Luthman wrote: 
> Why not?

As I said, the last time I looked (it's been a while) hairpin NAT was
not a feature that MT supported.  If they now support it, then that's
great.

-- 

* Butch Evans   * Professional Network Consultation*
* http://www.butchevans.com/* Network Engineering  *
* http://store.wispgear.net/* Wired or Wireless Networks   *
* http://blog.butchevans.com/   * ImageStream, Mikrotik and MORE!  *




Re: [Mikrotik] Hairpin NAT

2010-04-19 Thread Josh Luthman
> There may be other ways to accomplish your goal, but I don't think
> spending time with trying to make hairpin nat work is a good idea.

Why not?

/ip firew nat
add action=dst-nat chain=dstnat comment="bender - http" disabled=no \
dst-address=!10.0.0.0/24 dst-address-type=local dst-port=80 protocol=\
tcp to-addresses=10.0.0.9 to-ports=80


Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

“Success is not final, failure is not fatal: it is the courage to continue
that counts.”
--- Winston Churchill


On Sat, Apr 17, 2010 at 2:04 AM, Butch Evans  wrote:

> On Wed, 2010-04-14 at 12:03 -0500, Rory McCann wrote:
> > I need to set up a hairpin NAT rule on my RB1000. A little background on
> > the configuration:
>
> There are a few approaches to this, depending on some variables.
>
> 1. IF the clients use the MT as a DNS server, then you can simply supply
> the clients with the private address of the webserver.  This would
> assume, of course, that the rest of the world does not use the MT as a
> DNS server (which would resolve to a private address... not good).
>
> 2. You can move the webserver to its own IP range on another interface,
> which would remove the need for hairpin NAT.  Last time I checked, MT
> still does not support that function.
>
> 3. You may be able to do something with the web proxy (traffic destined
> for a.b.c.d on port 80, redirect to proxy, which will get the page from
> the private address).  I have not thought that option out completely,
> but there may be a way to do it this way.
>
> There may be other ways to accomplish your goal, but I don't think
> spending time with trying to make hairpin nat work is a good idea.
>
> --
> 
> * Butch Evans   * Professional Network Consultation*
> * http://www.butchevans.com/* Network Engineering  *
> * http://store.wispgear.net/* Wired or Wireless Networks   *
> * http://blog.butchevans.com/   * ImageStream, Mikrotik and MORE!  *
> 
>


Re: [Mikrotik] Hairpin NAT

2010-04-19 Thread Butch Evans
On Wed, 2010-04-14 at 12:03 -0500, Rory McCann wrote: 
> I need to set up a hairpin NAT rule on my RB1000. A little background on 
> the configuration:

There are a few approaches to this, depending on some variables.

1. IF the clients use the MT as a DNS server, then you can simply supply
the clients with the private address of the webserver.  This would
assume, of course, that the rest of the world does not use the MT as a
DNS server (which would resolve to a private address... not good).

2. You can move the webserver to its own IP range on another interface,
which would remove the need for hairpin NAT.  Last time I checked, MT
still does not support that function.

3. You may be able to do something with the web proxy (traffic destined
for a.b.c.d on port 80, redirect to proxy, which will get the page from
the private address).  I have not thought that option out completely,
but there may be a way to do it this way.

There may be other ways to accomplish your goal, but I don't think
spending time with trying to make hairpin nat work is a good idea.  

-- 

* Butch Evans   * Professional Network Consultation*
* http://www.butchevans.com/* Network Engineering  *
* http://store.wispgear.net/* Wired or Wireless Networks   *
* http://blog.butchevans.com/   * ImageStream, Mikrotik and MORE!  *




[Mikrotik] Hairpin NAT

2010-04-14 Thread Rory McCann
I need to set up a hairpin NAT rule on my RB1000. A little background on 
the configuration:


Ether 1 is my WAN - it has 5 addresses assigned to it. Address a.b.c.d 
is the public IP of a web server which is then translated to a 
192.168.1.250 address on ether 2. I need to set it up so that requests 
from the 192.168.1.0/24 subnet on ether 2 that are going to the public 
IP a.b.c.d (web server) get dst-nat'd properly to 192.168.1.250.


I saw another example of this on this list regarding hairpin NAT for an 
FTP server but it doesn't seem to fully apply to my configuration.


Anyone have any ideas?

Thanks!