networking:mikrotik:hairpin_nat

Differences

This shows you the differences between two versions of the page.

networking:mikrotik:hairpin_nat [2021/05/13 13:01] rpleckonetworking:mikrotik:hairpin_nat [2021/05/19 17:30] (current) rplecko
Line 7: Line 7:
 In the below network topology a web server behind a router is on private IP address space, and the router performs NAT (dst-nat) to forward traffic which was destined to its public IP address, to the web server behind it (on local network). In the below network topology a web server behind a router is on private IP address space, and the router performs NAT (dst-nat) to forward traffic which was destined to its public IP address, to the web server behind it (on local network).
  
-[[http://wiki.pcsinfo.hr/lib/exe/detail.php?id=networking:mikrotik:hairpin_nat&media=networking:mikrotik:hairpin.png|{{  :networking:mikrotik:hairpin.png?700  }}]]+[[http://wiki.tuturutu.eu/lib/exe/detail.php?id=networking:mikrotik:hairpin_nat&media=networking:mikrotik:hairpin.png|{{  :networking:mikrotik:hairpin.png?700  }}]]
  
 **The NAT configuration would look like below:** **The NAT configuration would look like below:**
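Review bot: the replacement link on the changed line still hardcodes an absolute host and plain http:// (now wiki.tuturutu.eu), and the hostname is the only thing this edit changes, so the link will need the same manual fix on the next domain move. The embedded image already uses the internal reference {{  :networking:mikrotik:hairpin.png?700  }}; consider dropping the wrapping [[http://...detail.php?...|...]] link and relying on the internal media syntax, or at least a host-relative target, so the page does not depend on the wiki's hostname or scheme.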
Line 48: Line 48:
  
 </code> </code>
 +
 +With that additional rule, the flow now changes:
  
 |Step^Source IP address^Destination IP address^Description| |Step^Source IP address^Destination IP address^Description|
Line 55: Line 57:
 ^04|1.1.1.1|192.168.0.1|the router determines that the packet is part of a previous connection and undoes both the source and destination NAT, and puts the original destination IP address of <fc #ff0000>1.1.1.1</fc> into the source IP address field, and the original source IP address of <fc #ff0000>192.168.0.1</fc> into the destination IP address field.| ^04|1.1.1.1|192.168.0.1|the router determines that the packet is part of a previous connection and undoes both the source and destination NAT, and puts the original destination IP address of <fc #ff0000>1.1.1.1</fc> into the source IP address field, and the original source IP address of <fc #ff0000>192.168.0.1</fc> into the destination IP address field.|
  
-With that additional rule, the flow now changes: 
- 
-  - the client sends a packet with a source IP address of <fc #ff0000>192.168.0.1</fc> to a destination IP address of <fc #ff0000>1.1.1.1</fc> on port tcp/80 to request some web resource. 
-  - the router destination NATs the packet to <fc #ff0000>192.168.0.100</fc> and replaces the destination IP address in the packet accordingly. It also source NATs the packet and replaces the source IP address in the packet with the IP address on its LAN interface. The destination IP address is <fc #ff0000>192.168.0.100</fc>, and the source IP address is <fc #ff0000>192.168.0.254</fc>. 
-  - the web server replies to the request and sends the reply with a source IP address of <fc #ff0000>192.168.0.100</fc> back to the router's LAN interface IP address of <fc #ff0000>192.168.0.254</fc>. 
-  - the router determines that the packet is part of a previous connection and undoes both the source and destination NAT, and puts the original destination IP address of <fc #ff0000>1.1.1.1</fc> into the source IP address field, and the original source IP address of <fc #ff0000>192.168.0.1</fc> into the destination IP address field. 
  
 The client receives the reply packet it expects, and the connection is established. The client receives the reply packet it expects, and the connection is established.
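Review bot: the removed numbered list carried the step 2 detail that the router also source NATs the packet to its LAN interface address 192.168.0.254, and only row 04 of the table is visible in this hunk. Before dropping the list, confirm that table rows 01 to 03 state the same addresses (client 192.168.0.1 to 1.1.1.1, then 192.168.0.254 to 192.168.0.100, then the reply from 192.168.0.100 to 192.168.0.254), since that source NAT step is what makes the web server send its reply back through the router. If the rows match, removing the duplicate list is fine and the closing sentence reads correctly after the table.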
networking/mikrotik/hairpin_nat.1620910889.txt.gz · Last modified: 2021/05/13 13:01 by rplecko