Syed Jahanzaib Personal Blog to Share Knowledge !

November 13, 2013

Mikrotik with Multiple WAN IP’s and Port Forwarding / HAIRPIN NAT

Filed under: Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 12:09 PM

[Figure: CISCO ASA replacement diagram]

Mark my words!

MIKROTIK is the future, and Cisco's domination will go down day by day. For sure CISCO still holds the majority share of the router/switching world, but that is going to change very soon . . .
CISCO is the best, but at a higher price. Cisco has the edge due to its reliable OS and hardware.
On the other hand, Mikrotik is good for multi-purpose requirements at a very cheap price compared to CISCO, so it is a very cost-effective solution.

It's all about personal preference, choice and budget. But even if I had a high budget, I would prefer Mikrotik 🙂, but that's my personal choice, and you are not bound to agree with it 😀
Jz

Recently I did some testing at my office for a possible replacement of a Cisco ASA 5510 Firewall/Router with a Mikrotik RouterBoard. Following is a short reference on how I did it. I had a /29 public IP pool. The configuration was pretty straightforward, but I was confused about how to route a specific LAN server's (or IP's) traffic via a specific WAN IP. Using src-address I managed to solve it. Following is a short reference for future usage.

The scenario is as follows:

We will configure all usable WAN IP addresses on the Mikrotik WAN interface, and we will forward the required ports from specific WAN IPs to specific LAN servers. We will also configure the firewall so that only the required ports are open from the WAN side for security purposes; all other traffic will be denied on the WAN interface. We will also bind local servers to specific WAN IP addresses.

Mikrotik has two interfaces.

ether1 = LAN users
ether2 = WAN Link

Now we want to forward traffic as follows (all IP schemes used here are fictional and for example purposes only):

mail server  = 10.0.0.2 → 1.2.3.1 (WAN IP)
dude server  = 10.0.0.3 → 1.2.3.2 (WAN IP)
cctv1 server = 10.0.0.4 → 1.2.3.3 (WAN IP)
cctv2 server = 10.0.0.5 → 1.2.3.4 (WAN IP)

IP configuration on the Mikrotik interfaces . . .

/ip address
add address=10.0.0.1/8 comment=LAN disabled=no interface="LAN - ether1"
add address=1.2.3.1/29 interface="WAN - ether2"
add address=1.2.3.2/29 interface="WAN - ether2"
add address=1.2.3.3/29 interface="WAN - ether2"
add address=1.2.3.4/29 interface="WAN - ether2"

Filter rules section to allow only the required incoming traffic on the WAN interface, and DENY all other traffic for security purposes 🙂

Now we will first add the required ports to the firewall filter BEFORE the DENY rule, which is last.


/ip firewall filter
add action=accept chain=input comment="SMTP" disabled=no dst-address=1.2.3.1 dst-port=25 in-interface="WAN - ether2" protocol=tcp
add action=accept chain=input comment="POP3" disabled=no dst-address=1.2.3.1 dst-port=110 in-interface="WAN - ether2" protocol=tcp
add action=accept chain=input comment="Webmail" disabled=no dst-address=1.2.3.1 dst-port=80 in-interface="WAN - ether2" protocol=tcp
add action=accept chain=input comment="DUDE" disabled=no dst-address=1.2.3.2 dst-port=80 in-interface="WAN - ether2" protocol=tcp
add action=accept chain=input comment="CCTV 1" disabled=no dst-address=1.2.3.3 dst-port=81 in-interface="WAN - ether2" protocol=tcp
add action=accept chain=input comment="CCTV 2" disabled=no dst-address=1.2.3.4 dst-port=82 in-interface="WAN - ether2" protocol=tcp
add action=accept chain=input comment="WINBOX 8192" disabled=no dst-port=8192 in-interface="WAN - ether2" protocol=tcp
add action=accept chain=input comment="Allow PING ICMP " disabled=no protocol=icmp
add action=drop chain=input comment="DROP ALL INCOMING TRAFFIC ON WAN INTERFACE" disabled=no in-interface="WAN - ether2"

NAT section to do port forwarding from WAN IPs to local servers, and src-nat to bind each local server so that its traffic is routed via a specific WAN IP

### First dst-nat section to forward port


/ip firewall nat
add action=dst-nat chain=dstnat comment="SMTP 25 Forward to MAIL-Server" disabled=no dst-address=1.2.3.1 dst-port=25 in-interface="WAN - ether2" protocol=tcp to-addresses=10.0.0.2 to-ports=25
add action=dst-nat chain=dstnat comment="POP3 110 Forward to MAIL-Server" disabled=no dst-address=1.2.3.1 dst-port=110 in-interface="WAN - ether2" protocol=tcp to-addresses=10.0.0.2 to-ports=110
add action=dst-nat chain=dstnat comment="Web 80 Forward to MAIL-Server Webmail" disabled=no dst-address=1.2.3.1 dst-port=80 in-interface="WAN - ether2" protocol=tcp to-addresses=10.0.0.2 to-ports=80
add action=dst-nat chain=dstnat comment="Web 80 Forward to DUDE" disabled=no dst-address=1.2.3.2 dst-port=80 in-interface="WAN - ether2" protocol=tcp to-addresses=10.0.0.3 to-ports=80
add action=dst-nat chain=dstnat comment="CCTV1 - 81 Forward to cctv1" disabled=no dst-address=1.2.3.3 dst-port=81 in-interface="WAN - ether2" protocol=tcp to-addresses=10.0.0.4 to-ports=81
add action=dst-nat chain=dstnat comment="CCTV2 - 82 Forward to cctv2" disabled=no dst-address=1.2.3.4 dst-port=82 in-interface="WAN - ether2" protocol=tcp to-addresses=10.0.0.5 to-ports=82

### Now route specific local servers traffic from specific WAN IP address

add action=src-nat chain=srcnat comment="Route mail traffic via 1.2.3.1" disabled=no src-address=10.0.0.2 to-addresses=1.2.3.1
add action=src-nat chain=srcnat comment="Route DUDE traffic via 1.2.3.2" disabled=no src-address=10.0.0.3 to-addresses=1.2.3.2
add action=src-nat chain=srcnat comment="Route CCTV1 traffic via 1.2.3.3" disabled=no src-address=10.0.0.4 to-addresses=1.2.3.3
add action=src-nat chain=srcnat comment="Route CCTV2 traffic via 1.2.3.4" disabled=no src-address=10.0.0.5 to-addresses=1.2.3.4

add action=masquerade chain=srcnat comment="Default Masquerade Rule for LAN" disabled=no out-interface="WAN - ether2" src-address=10.0.0.2-10.0.0.255

Now test it from the WAN side. You can check port status at http://www.yougetsignal.com/tools/open-ports/

♣ ♣ ♣

<<    HAIRPIN NAT   >>

Using the above method, I was able to successfully set up port forwarding on a Mikrotik router from the Mikrotik WAN IP to local LAN servers (Example: 1.2.3.4:3389 to 192.168.1.10:3389).
BUT there is a BUT: when I tried to open the Mikrotik WAN IP from a local LAN user, for example

192.168.1.20    –>    1.2.3.4:3389    –>   192.168.1.10:3389

it didn't open and the connection went into a SINK hole, meaning it was lost.

The solution was to rewrite the port forwarding rule NOT to use in-interface=WAN-GATEWAY, but dst-address-type=local.
This is called, among other terms, hairpin NAT because the traffic flow has clients enter the router through the same interface it leaves through, which when drawn looks like a hairpin.
As shown in the example below . . .

# DST-NAT rule to redirect port 3389 from
/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-address=1.2.3.4 dst-address-type=local dst-port=3389 protocol=tcp to-addresses=192.168.1.10 to-ports=3389 comment="Redirect RDP PORT  TCP 3389 to local server"

# Masquerade local traffic going to the Mikrotik WAN IP - [To access that service from the LAN using the Mikrotik WAN IP]
/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.10 protocol=tcp dst-port=3389 out-interface=LAN-Interface action=masquerade comment="Masquerade Traffic going to WAN IP of mikrotik from local LAN users"
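The two sections above (the per-WAN-IP port forwarding and the hairpin fix) combined into one ruleset for the mail server from the first scenario, as an added example that is not part of the original post. It assumes the same interface names "WAN - ether2" and "LAN - ether1", a LAN subnet of 10.0.0.0/24, and a constructed admin address 203.0.113.10 for Winbox. The point it adds: a dst-nat'ed connection is filtered in the forward chain, not in input, so the published ports are permitted there and everything else from the WAN is dropped in both chains.

```routeros
# Added example (not from the original post). Mail server 10.0.0.2 published on 1.2.3.1,
# with hairpin NAT so LAN clients can also use the public address.
# Assumptions: LAN 10.0.0.0/24 on "LAN - ether1", WAN on "WAN - ether2",
# admin host 203.0.113.10 is a constructed placeholder.

/ip firewall address-list
add list=mgmt-allowed address=203.0.113.10 comment="constructed example admin IP"

/ip firewall filter
# input chain: traffic addressed to the router itself (Winbox, ping, ...)
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface="WAN - ether2" protocol=icmp action=accept comment="ping from WAN"
add chain=input in-interface="WAN - ether2" protocol=tcp dst-port=8192 src-address-list=mgmt-allowed action=accept comment="Winbox only from admin list, not from any WAN host"
add chain=input in-interface="WAN - ether2" action=drop comment="drop all other WAN input"

# forward chain: dst-nat rewrites the destination BEFORE filtering, so the
# forwarded mail ports arrive here with dst-address already 10.0.0.2.
# The input rules never see them; without these rules forwarded traffic is unfiltered.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface="WAN - ether2" connection-nat-state=dstnat dst-address=10.0.0.2 protocol=tcp dst-port=25,110,80 action=accept comment="published mail ports only"
add chain=forward in-interface="WAN - ether2" connection-state=new action=drop comment="drop all other new connections from WAN"

/ip firewall nat
# dst-nat keyed on dst-address-type=local instead of in-interface, so it matches
# Internet clients and LAN clients that connect to 1.2.3.1 (hairpin case).
add chain=dstnat dst-address=1.2.3.1 dst-address-type=local protocol=tcp dst-port=25,110,80 action=dst-nat to-addresses=10.0.0.2 comment="mail server publish (WAN and LAN)"

# Hairpin: a LAN client that was dst-nat'ed to 10.0.0.2 must also be src-nat'ed,
# otherwise the server answers the client directly from 10.0.0.2 and the client
# drops the reply because it expected it from 1.2.3.1.
add chain=srcnat src-address=10.0.0.0/24 dst-address=10.0.0.2 out-interface="LAN - ether1" protocol=tcp dst-port=25,110,80 action=masquerade comment="hairpin masquerade"

# Outbound binding: the mail server leaves via its own public IP (keeps PTR/SPF consistent).
# Must come before the catch-all masquerade because the first matching rule wins.
add chain=srcnat src-address=10.0.0.2 out-interface="WAN - ether2" action=src-nat to-addresses=1.2.3.1 comment="mail out via 1.2.3.1"
add chain=srcnat src-address=10.0.0.0/24 out-interface="WAN - ether2" action=masquerade comment="default LAN masquerade"
```

Rule order inside each chain is first-match, so the established/related accept must stay at the top of input and forward, and the per-server src-nat must precede the catch-all masquerade.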

Regards
Syed Jahanzaib

55 Comments »

  1. WoW Gr8

    Comment by Patel Deep — November 13, 2013 @ 12:19 PM

  2. Nice post … I don't have multiple public IPs but … I always think that assigning a public IP to the servers and turning off masquerade for these servers … isn't this better? It would only need an additional public IP, which would be assigned to the LAN interface … and used as the default gateway for these servers … something like this … what do you think?

    Comment by Damir — November 13, 2013 @ 9:10 PM

  3. Nice Sir
    🙂

    Comment by FZN — November 14, 2013 @ 11:43 PM

  4. I like your quote.

    ” … it is going to change very soon.”

    And now I use this config, with my modifications, for my email server "Exchange 2013". I have replaced the old CISCO ASA 5500 by migrating to the CCR1036-12G-4S. It is working very well.

    Thank you & Regards
    /Wichets.

    Comment by wichets — November 15, 2013 @ 7:16 AM

    • Yes, Mikrotik is good at a very cheap price compared to CISCO devices, and Mikrotik is a multi-purpose device; we can use it to perform various tasks, not just routing.

      Comment by Syed Jahanzaib / Pinochio~:) — November 20, 2013 @ 1:25 PM

  5. Nice

    Could you explain how to do this solution with 4 WAN connections?

    Mikrotik has 5 interfaces.

    ether1 = LAN users
    ether2 = WAN1 Link
    ether3 = WAN2 Link
    ether4 = WAN3 Link
    ether5 = WAN4 Link ( public ip range )

    regards.

    Comment by saeed alimi — November 15, 2013 @ 5:55 PM

  6. Salam alykom ,
    Thanks for all of your useful posts. I need to set up MT on VirtualBox but I have a problem: I can't configure the router gateway because I'm under another MT. How do I fix it? What kind of IP should I put?

    Comment by amadiuos — November 15, 2013 @ 11:25 PM

    • You have to post the complete network layout of how things are currently configured, preferably with a network diagram.

      Comment by Syed Jahanzaib / Pinochio~:) — November 20, 2013 @ 1:19 PM

    • I'm sorry, here is how it looks: Internet -> Mikrotik 5.21 -> W7 client (VirtualBox with Mikrotik as a server and XP as a client). Can't configure IP -> route, meaning no internet is going to the XP client. How to do it?

      Comment by amadiuos — November 20, 2013 @ 11:47 PM

  7. Dear Jehanzaib,
    Thank you for your very informative and practical posts. I requested you in one of your earlier posts to provide a little information about the environment you used for that post. The post was "howto-stream-live-tv-channel-local-file-over-the-network-using-vlc-gui-n-cli-and-view-it-via-browserplayer".

    I use VLC with a Dany TV tuner USB device for multicasting the TV stream, but VLC does not produce audio from the tuner. The TV device successfully produces audio when used with its own software, i.e. TV HomeMedia.

    Please let me know the TV tuner device, the OS and the version of VLC which were successful when you implemented live TV channel streaming using VLC for AA Cable Network Service, as mentioned in the post.

    Thanks a lot

    Abdul Hameed

    Comment by Abdul Hameed — November 18, 2013 @ 9:25 PM

    • I used a Dany TV tuner card; I don't remember the model as I used it a few years back. But the cost was around 1500 Rupees.
      The Windows OS was XP and the VLC version was VLC-MEDIA-PLAYER-0.9.8A

      Comment by Syed Jahanzaib / Pinochio~:) — November 20, 2013 @ 1:14 PM

  8. Nice. Thanks man

    Comment by Mikrotik — November 25, 2013 @ 7:12 PM

  9. Dear Jehanzaib Ji,

    I'm facing a severe issue in my network. We are a small ISP with 4000 customers, using 2 Mikrotik ROS installations on Dell PowerEdge R210 servers to serve those customers. We are also providing p2p caching (extreme peering) to the users. Now the problem is that when most of the users come online during peak hours, all the customers complain about slow browsing. Even though we have enough bandwidth on our upstream, we are facing this slow browsing issue. Please help in resolving the issue.

    Comment by pradeep — December 13, 2013 @ 10:03 PM

    • It really depends on how the network is configured.
      – Do you have any proxy server(s) installed? If yes, have you tried disabling it and monitoring the traffic?
      – Have you monitored the RESOURCE usage at peak time on both Mikrotiks?
      – Do you have any monitoring system like MRTG to keep track of bandwidth and resource usage records, to compare the difference between idle and peak timings?

      Comment by Syed Jahanzaib / Pinochio~:) — December 16, 2013 @ 10:44 AM

  10. Dear sir, can you help me?
    I receive two Internet packages (WANs) from different companies. Each package (WAN) is put into the hub switch and then broadcast on the devices to reach customers … Can I shortcut this with one broadcast device running both packages together using a Mikrotik device?

    Comment by Osama Fadil — January 6, 2014 @ 11:35 PM

  11. Please, I need help. Explain how to connect 3 WANs to ethernet 1, 2 and 3, and 3 LANs.

    Comment by hasanein — January 28, 2014 @ 6:03 PM

  12. Hello Syed Jahanzaib, I come from Cameroon; I'm in India now and I want to know if you know a Mikrotik training center here. Thanks. My email: willyarmel7@yahoo.fr

    Comment by nkandjeu — March 10, 2014 @ 9:42 PM

  13. Hello Jahanzaib, may I use that router as a public IP to use remote server access? Please help

    Comment by syedsaqibhussain — March 31, 2014 @ 11:56 AM

  14. Hello Jahanzaib, may I use that router as a public IP to access a remote server?

    Comment by syedsaqibhussain — March 31, 2014 @ 11:57 AM

  15. Thanks for such a great post

    Comment by kirkita — April 8, 2014 @ 1:35 AM

    • Hello Jahanzaib, how to do port forwarding in Mikrotik for multiple DVRs using only one public IP with different ports? Is it possible through DDNS… please help

      Comment by pradeep — April 12, 2014 @ 3:29 PM

  16. 3 ADSL means 3 WAN connections merged/load-balanced with an RB750GL, and an RB450G used for Hotspot/PPPoE.
    Now one of my PPPoE clients wants to port forward their CCTV cameras.

    Modem > RB750GL > RB450G… > Client Router

    Can you please help me

    Comment by hammad hassand — April 17, 2014 @ 8:03 PM

  17. Reblogged this on weera00.

    Comment by weera00 — May 12, 2014 @ 12:22 AM

  18. Hello Syed Jahanzaib

    Based on your config, if I want to monitor how much traffic goes through each WAN IP on a single interface and show it in a graph, can you help me with how to do that?

    Comment by Ray — June 5, 2014 @ 8:56 AM

    • I guess it's not possible, as MRTG will see interface traffic, not IP.
      It may be possible with a Linux-based MRTG tool, but I'm not sure as I have never tested it.

      Comment by Syed Jahanzaib / Pinochio~:) — June 5, 2014 @ 12:03 PM

      • Alright then, I should think of another way. TQ

        Comment by Ray — June 5, 2014 @ 2:18 PM

  19. Dear sir, I have some blockage issue on my interfaces. I have a pool of PUBLIC IPs, and every time PTA blocks these IPs during internet working. Is there any option? I want to use all the public IPs in different departments. I have 5 LAN ports in my server, and I want to give a different IP to everyone.
    OK, give me an idea please; I'm suffering from this problem. My email ID is …..

    muhammadali_Daudpoto991@hotmail.com

    thanks

    Comment by muhammadali_daudpoto@hotmail.com — June 10, 2014 @ 1:33 PM

  20. Sorry, 991 is the wrong email

    Comment by muhammadali_daudpoto@hotmail.com — June 10, 2014 @ 1:34 PM

  21. Assalam Alaikum dear brother. How can Fariya Net and Connect Net run together on a RouterBoard 750? Fariya's IP is on auto, Connect's IP is on manual.

    Comment by Naeem Muavia — September 2, 2014 @ 2:39 AM

  22. It's not hairpin NAT, it's just a simple port forwarding method… What I am thinking about NAT hairpin is merging and controlling the client network through VLAN to give the client one network out of multiple networks. For example, suppose we have Leonet, Fariya and also Connect services, and Leonet is on PPPoE while Fariya and Connect have PPTP… so what I need to do is just make one local network with my own DHCP server, so the client can buy his favourite internet service from me… how can I give some choices on a single network for my customers? For example, making routes or neighbours??? BGP routing???? I am just using a simple method right now… I have Connect and Leonet on one network and it's working fine because my Leonet DHCP is switched off at my request… but now I need to put Fariya also on the single network… is there any idea to do that with Mikrotik??? MPLS???

    Comment by waqas hussain — September 15, 2014 @ 6:38 AM

  23. I've got a network that is very simple, but I suffer from scammers and online theft and need a strong protection wall, and I need someone to help me with it. I'm Mbtdae; I do not have enough experience. If someone here can help me I should be grateful to him, and ready to pay him if he wants the amount vs
    my phone 00967770323466
    my emil alakwaa_mohammed@yahoo.com

    Comment by hamzh alhnde — October 30, 2014 @ 1:54 AM

  24. Salam,

    I tried your configuration but nothing worked, maybe because I can't move my firewall rule to the top of my list, and /ip firewall filter > print shows me the new rule at the bottom.

    Any idea how I can move my rules?

    Comment by atifziaq — January 20, 2015 @ 7:04 PM

    • Sort the rules number-wise and see if it helps. Usually picking the rule with the mouse and moving it to the top or any other place works. You can use a CLI command as well to move the rule anywhere. Example:
      /ip fir nat move numbers=50 destination=0
      Change the number 50 to your rule number.

      Comment by Syed Jahanzaib / Pinochio~:) — January 21, 2015 @ 9:47 AM

      • It is working now, and thank you for your efforts. Can you please write a helpful blog on L2TP MikroTik site-to-site and desktop-to-site VPN? I am using PPTP but the VPN connection is not that secure. I am struggling with L2TP and I wonder if you can help the community.

        Comment by atifziaq — January 27, 2015 @ 11:04 AM

  25. Do you know how to create a WAN switch? Basically WAN1 has 10 IPs. I want to be able to use a public IP that comes in on WAN1 on WAN2 on a laptop to test something.

    Comment by cactuscraig — January 22, 2015 @ 10:14 PM

  26. Please send me the codes

    WAN1 – Leased line connection 10mbps
    ip address 51.21.22.150
    subnet mask 255.255.255.252
    default gateway 51.21.82.149
    dns primary 103.8.55.4
    dns secondary 103.8.55.4

    WAN2 – broad band connection
    User name “karth”
    Password “Karth@123”

    WAN3 – broad band connection
    User name “youg”
    Password “youg@123”

    LAN1
    Ip address 192.168.1.250
    subnet mask 255.255.255.0
    default gateway 192.168.1.1
    dns primary X.X.X.X
    dns secondary X.X.X.X

    LAN1
    Ip address 192.168.0.250
    subnet mask 255.255.255.0
    default gateway 192.168.0.1
    dns primary X.X.X.X
    dns secondary X.X.X.X

    >> I need to combine the three connections in such a way that WAN1 is split into two and then combined with WAN2 and WAN3 respectively
    >> The split WAN1.a and WAN2 should make LAN1
    >> The split WAN1.b and WAN3 should make LAN2
    >> If WAN3 fails, WAN2 should take over

    Comment by Karthik — August 19, 2015 @ 1:31 PM

  27. What if I need to access the mail server from all WAN addresses?

    1.2.3.1:25 –> 192.168.1.10:25
    1.2.3.2:25 –> 192.168.1.10:25
    1.2.3.3:25 –> 192.168.1.10:25
    1.2.3.4:25 –> 192.168.1.10:25

    How do I modify the NAT to do this?

    Thanks in advance,
    Pablo.-

    Comment by Pablo — February 12, 2016 @ 2:27 AM

  28. […] Blog post I found on the topic – gave me what I needed to make it work […]

    Pingback by Hairpin NAT on Mikrotik v6.19 – yaleman.org — March 14, 2016 @ 6:27 PM

  29. Salam to all friends.
    Can Mikrotik create a log of the websites users open?
    I want to find out whichever site a user opens….
    Please help me….
    I have 3 WANs, 2 from PTCL and one from Nexlinx. Can I use one WAN only for uploading………
    Please help me….

    Comment by Hafiz.M.Kashif — May 14, 2016 @ 11:40 AM

  30. I have a static IP and am running PPPoE using Mikrotik. I want to forward port 81 to my client, who wants to use an IP camera on port 81 at his side. Please help

    Comment by nauman rasheed — May 22, 2016 @ 1:37 PM

  31. I have a static IP and am running PPPoE using Mikrotik. I want to forward port 81 to my client, who wants to use an IP camera on port 81 at his side. Please help me

    Comment by nauman rasheed — May 22, 2016 @ 1:44 PM

  32. Hi, I have a /29 block and I want to NAT the public IPs to internal IPs and do port forwarding, e.g. 192.168.100.1 account server, 192.168.100.2 IP camera, 192.168.100.3 mail server. My public block is 105.234.155.152/29 and is also used for internet.
    So do I add in the addresses something like 105.234.155.153/29, then in the firewall dst-nat to 192.168.100.1,
    105.234.155.154/29 in the firewall dst-nat to 192.168.100.2, and so on?

    Comment by matembo Chiramco — June 20, 2016 @ 3:36 PM

    • All you need is a dst-nat rule.
      Make sure your internal devices are using Mikrotik as their default gateway and their internet access is allowed.

      Comment by Syed Jahanzaib / Pinochio~:) — June 21, 2016 @ 10:06 AM

  33. Combine a VPN and an Internet connection in a single router.
    Hello! I have a Mikrotik RouterBoard RB2011 and I subscribe to a VPN account and an internet account; both connect via PPPoE client, and I would like to configure these two accounts in my router to have access via the local network. Thanks (urgent).

    Comment by willy — December 12, 2016 @ 4:58 PM

  34. I am able to access the webserver in the local network (LAN) using https://192.168.100.250:444
    But can't access it from the internet

    /ip firewall filter add action=accept chain=input comment="Firewall:Filter-WAN to myServer" disabled=no dst-address=127.243.217.185 dst-port=444 in-interface="ether1-master-WAN" protocol=tcp

    /ip firewall nat add action=dst-nat chain=dstnat comment="Firewall:NAT-Internet to myServer Port Forwarding" disabled=no dst-address=127.243.217.185 dst-port=444 in-interface="ether1-master-WAN" protocol=tcp to-addresses=192.168.100.254 to-ports=444

    /ip firewall nat add action=src-nat chain=srcnat comment="Firewall:NAT-myServer to WAN IP" disabled=no src-address=192.168.100.254 to-addresses=127.243.217.185

    /ip firewall nat add action=masquerade chain=srcnat comment="Firewall:NAT-Masquerade Rule for LAN" disabled=no out-interface="ether1-master-WAN" src-address=127.243.217.185

    Comment by IPMEEL — December 28, 2016 @ 8:39 PM
