The Book

User Tools

Site Tools

Trace:
networking:mikrotik:hairpin_nat

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
networking:mikrotik:hairpin_nat [2016/03/08 12:32] rpleckonetworking:mikrotik:hairpin_nat [2021/05/19 17:30] (current) rplecko
Line 3: Line 3:
 [[http://wiki.mikrotik.com/wiki/Hairpin_NAT|http://wiki.mikrotik.com/wiki/Hairpin_NAT]] [[http://wiki.mikrotik.com/wiki/Hairpin_NAT|http://wiki.mikrotik.com/wiki/Hairpin_NAT]]
  
-In the below network topology a web server behind a router is on private IP address space, and the router performs NAT to forward traffic to its public IP address to the web server behind it.+Interfaces from //ether1// to //ether5// are in the bridge with IP address 192.168.0.254. //Ether10// is a WAN port
  
-[[http://wiki.pcsinfo.hr/lib/exe/detail.php?id=networking:mikrotik:hairpin_nat&media=networking:mikrotik:hairpin.png|{{ :networking:mikrotik:hairpin.png?700 }}]]+In the below network topology a web server behind a router is on private IP address space, and the router performs NAT (dst-nat) to forward traffic which was destined to its public IP address, to the web server behind it (on local network). 
 + 
 +[[http://wiki.tuturutu.eu/lib/exe/detail.php?id=networking:mikrotik:hairpin_nat&media=networking:mikrotik:hairpin.png|{{  :networking:mikrotik:hairpin.png?700  }}]]
  
 **The NAT configuration would look like below:** **The NAT configuration would look like below:**
  
 +First the masquerade which will allow private network to access Internet:
 <code> <code>
 /ip firewall nat /ip firewall nat
-add chain=dstnat dst-address=1.1.1.1 protocol=tcp dst-port=80 action=dst-nat to-address=192.168.1.100 
 add chain=srcnat out-interface=WAN action=masquerade add chain=srcnat out-interface=WAN action=masquerade
 </code> </code>
 +Then the dst-nat which will allow clients from Interent to access our web server behind NAT on private ip 192.168.1.100 
 +<code> 
 +/ip firewall nat 
 +add chain=dstnat dst-address=1.1.1.1 protocol=tcp dst-port=80 action=dst-nat to-address=192.168.1.100 
 +</code>
 When a client out on the Internet with IP address <fc #ff0000>2.2.2.2</fc> establishes a connection to the web server, the router performs NAT as configured. When a client out on the Internet with IP address <fc #ff0000>2.2.2.2</fc> establishes a connection to the web server, the router performs NAT as configured.
  
-^  ^ Source IP address ^ Destination IP address | +|Step^Source IP address^Destination IP address^ Description 
-^Step - 01 | 2.2.2.2 | 1.1.1.1 | +^01|2.2.2.2|1.1.1.1|the client sends a packet with a source IP address of <fc #ff0000>2.2.2.2</fc> to a destination IP address of <fc #ff0000>1.1.1.1</fc> on port tcp/80 to request some web resource.| 
-^Step - 02 | 2.2.2.2 | 192.168.0.100 | +^02|2.2.2.2|192.168.0.100|the router destination NATs the packet to <fc #ff0000>192.168.0.100</fc> and replaces the destination IP address in the packet accordingly. The source IP address stays the same: <fc #ff0000>2.2.2.2</fc>.| 
-^Step - 03 | 192.168.0.100 | 2.2.2.2 | +^03|192.168.0.100|2.2.2.2|the server replies to the client's request and the reply packet has a source IP address of <fc #ff0000>192.168.0.100</fc> and a destination IP address of <fc #ff0000>2.2.2.2</fc>.| 
-^Step - 04 | 1.1.1.1 | 2.2.2.2 | +^04|1.1.1.1|2.2.2.2|the router determines that the packet is part of a previous connection and undoes the destination NAT, and puts the original destination IP address into the source IP address field. The destination IP address is <fc #ff0000>2.2.2.2</fc>, and the source IP address is <fc #ff0000>1.1.1.1</fc>.|
- +
-  -     the client sends a packet with a source IP address of <fc #ff0000>2.2.2.2</fc> to a destination IP address of <fc #ff0000>1.1.1.1</fc> on port tcp/80 to request some web resource. +
-      the router destination NATs the packet to <fc #ff0000>192.168.0.100</fc> and replaces the destination IP address in the packet accordingly. The source IP address stays the same: <fc #ff0000>2.2.2.2</fc>+
-      the server replies to the client's request and the reply packet has a source IP address of <fc #ff0000>192.168.0.100</fc> and a destination IP address of <fc #ff0000>2.2.2.2</fc>+
-      the router determines that the packet is part of a previous connection and undoes the destination NAT, and puts the original destination IP address into the source IP address field. The destination IP address is <fc #ff0000>2.2.2.2</fc>, and the source IP address is <fc #ff0000>1.1.1.1</fc>.+
  
 The client receives the reply packet it expects, and the connection is established. The client receives the reply packet it expects, and the connection is established.
  
-**When a client on the same internal network as the web server requests a connection to the web server's public IP address, the connection breaks**. +**When a client on the same internal network as the web server requests a connection to the web server's public IP address, the connection breaks**.
  
-^  ^ Source IP address ^ Destination IP address | +|Step^Source IP address^Destination IP address^Description
-^Step - 01 | 192.168.0.1 | 1.1.1.1 | +^01|192.168.0.1|1.1.1.1|the client sends a packet with a source IP address of <fc #ff0000>192.168.0.1</fc> to a destination IP address of <fc #ff0000>1.1.1.1</fc> on port tcp/80 to request some web resource.| 
-^Step - 02 | 192.168.0.1 | 192.168.0.100 | +^02|192.168.0.1|192.168.0.100|the router destination NATs the packet to <fc #ff0000>192.168.0.100</fc> and replaces the destination IP address in the packet accordingly. The source IP address stays the same: <fc #ff0000>192.168.0.1</fc>.| 
-^Step - 03 | 192.168.0.100 | 192.168.0.1 | +^03|192.168.0.100|192.168.0.1|the server replies to the client's request. However, the source IP address of the request is on the same subnet as the web server. The web server does not send the reply back to the router, but sends it back directly to <fc #ff0000>192.168.0.1</fc> with a source IP address in the reply of <fc #ff0000>192.168.0.100</fc>.|
- +
-  -      the client sends a packet with a source IP address of <fc #ff0000>192.168.0.1</fc> to a destination IP address of <fc #ff0000>1.1.1.1</fc> on port tcp/80 to request some web resource. +
-      the router destination NATs the packet to <fc #ff0000>192.168.0.100</fc> and replaces the destination IP address in the packet accordingly. The source IP address stays the same: <fc #ff0000>192.168.0.1</fc>+
-      the server replies to the client's request. However, the source IP address of the request is on the same subnet as the web server. The web server does not send the reply back to the router, but sends it back directly to <fc #ff0000>192.168.0.1</fc> with a source IP address in the reply of <fc #ff0000>192.168.0.100</fc>.+
  
 The client receives the reply packet, but it discards it because it expects a packet back from <fc #ff0000>1.1.1.1</fc>, and not from <fc #ff0000>192.168.0.100</fc>. As far as the client is concerned the packet is invalid and not related to any connection the client previously attempted to establish. The client receives the reply packet, but it discards it because it expects a packet back from <fc #ff0000>1.1.1.1</fc>, and not from <fc #ff0000>192.168.0.100</fc>. As far as the client is concerned the packet is invalid and not related to any connection the client previously attempted to establish.
  
-To fix the issue, an additional NAT rule needs to be introduced on the router to enforce that all reply traffic flows through the router, despite the client and server being on the same subnet. The rule below is very specific to only apply to the traffic that the issue could occur with - if there are many servers the issue occurs with, the rule could be made broader to save having one such exception per forwarded service. +To fix the issue, an additional NAT rule needs to be introduced on the router to enforce that all reply traffic flows through the router, despite the client and server being on the same subnet. The rule below is very specific to only apply to the traffic that the issue could occur with - if there are many servers the issue occurs with, the rule could be made broader to save having one such exception per forwarded service.
 <code> <code>
 +
 /ip firewall nat /ip firewall nat
-add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.protocol=tcp dst-port=80 \+add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.100 protocol=tcp dst-port=80 \
   out-interface=LAN action=masquerade   out-interface=LAN action=masquerade
 +
 </code> </code>
- 
-^  ^ Source IP address ^ Destination IP address | 
-^Step - 01 | 192.168.0.1 | 1.1.1.1 | 
-^Step - 02 | 192.168.0.254 | 192.168.0.100 | 
-^Step - 03 | 192.168.0.100 | 192.168.0.254 | 
-^Step - 04 | 1.1.1.1 | 192.168.0.1 | 
  
 With that additional rule, the flow now changes: With that additional rule, the flow now changes:
  
-  -     the client sends a packet with a source IP address of <fc #ff0000>192.168.0.1</fc> to a destination IP address of <fc #ff0000>1.1.1.1</fc> on port tcp/80 to request some web resource. +|Step^Source IP address^Destination IP address^Description| 
-      the router destination NATs the packet to <fc #ff0000>192.168.0.100</fc> and replaces the destination IP address in the packet accordingly. It also source NATs the packet and replaces the source IP address in the packet with the IP address on its LAN interface. The destination IP address is <fc #ff0000>192.168.0.100</fc>, and the source IP address is <fc #ff0000>192.168.0.254</fc>+^01|192.168.0.1|1.1.1.1|the client sends a packet with a source IP address of <fc #ff0000>192.168.0.1</fc> to a destination IP address of <fc #ff0000>1.1.1.1</fc> on port tcp/80 to request some web resource.| 
-      the web server replies to the request and sends the reply with a source IP address of 192.168.0.100 back to the router's LAN interface IP address of <fc #ff0000>192.168.0.254</fc>+^02|192.168.0.254|192.168.0.100|the router destination NATs the packet to <fc #ff0000>192.168.0.100</fc> and replaces the destination IP address in the packet accordingly. It also source NATs the packet and replaces the source IP address in the packet with the IP address on its LAN interface. The destination IP address is <fc #ff0000>192.168.0.100</fc>, and the source IP address is <fc #ff0000>192.168.0.254</fc>.| 
-      the router determines that the packet is part of a previous connection and undoes both the source and destination NAT, and puts the original destination IP address of <fc #ff0000>1.1.1.1</fc> into the source IP address field, and the original source IP address of <fc #ff0000>192.168.0.1</fc> into the destination IP address field.+^03|192.168.0.100|192.168.0.254|the web server replies to the request and sends the reply with a source IP address of <fc #ff0000>192.168.0.100</fc> back to the router's LAN interface IP address of <fc #ff0000>192.168.0.254</fc>.| 
 +^04|1.1.1.1|192.168.0.1|the router determines that the packet is part of a previous connection and undoes both the source and destination NAT, and puts the original destination IP address of <fc #ff0000>1.1.1.1</fc> into the source IP address field, and the original source IP address of <fc #ff0000>192.168.0.1</fc> into the destination IP address field.
  
 The client receives the reply packet it expects, and the connection is established. The client receives the reply packet it expects, and the connection is established.
Line 67: Line 62:
 However, the web server only ever sees a source IP address of <fc #ff0000>192.168.0.254</fc> for all requests from internal clients regardless of the internal client's real IP address. There is no way to avoid this without either using a router that can do application level DNS inspection and can rewrite A records accordingly, or a split DNS server that serves the internal clients the internal server IP address and external clients the external server IP address. However, the web server only ever sees a source IP address of <fc #ff0000>192.168.0.254</fc> for all requests from internal clients regardless of the internal client's real IP address. There is no way to avoid this without either using a router that can do application level DNS inspection and can rewrite A records accordingly, or a split DNS server that serves the internal clients the internal server IP address and external clients the external server IP address.
  
-This is called - among other terms - **hair pin NAT** because the traffic flow has clients enter the router through the same interface it leaves through, which when drawn looks like a hair pin. +This is called - among other terms - **hair pin NAT**  because the traffic flow has clients enter the router through the same interface it leaves through, which when drawn looks like a hair pin. 
 + 
networking/mikrotik/hairpin_nat.1457440347.txt.gz · Last modified: 2016/03/08 12:32 (external edit)