Hi
I have just installed 7.14.2 onto my MikroTik router and I want to use it for internet access.
As I have my mailserver at home, I have some NAT that I also want to hairpin.
I used the quickset on the WEB IF to make the initial config, including the NAT I needed.
And then I wanted to add HAIRPIN. I watched this video from MikroTik: https://www.youtube.com/watch?v=1I5FywY6opQ
I also tried several other proposals found via Google. But nothing worked.
Is it possible that one or another action from the default config plays games with me?
Below you find the config and the part in question in bold.
Ideas are highly appreciated.
P.S.: I didn't test any other version till now. The MikroTik is replacing another router, so I cannot comment on whether other versions work.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=submission dst-port=587 in-interface-list=WAN protocol=tcp to-addresses=10.21.21.244 to-ports=587
add action=dst-nat chain=dstnat comment=smtp dst-port=25 in-interface-list=WAN protocol=tcp to-addresses=10.21.21.244 to-ports=25
add action=dst-nat chain=dstnat comment=imaps dst-port=993 in-interface-list=WAN protocol=tcp to-addresses=10.21.21.244 to-ports=993
add action=masquerade chain=srcnat comment="hairpin : mikrotik youtube" dst-address=10.21.21.244 log=yes log-prefix=HAIRPIN: out-interface=bridge protocol=tcp src-address=10.21.21.0/24
Code:
# 2024-03-28 17:10:04 by RouterOS 7.14.2
# software id = 0P78-XXXX
#
# model = RB3011UiAS
# serial number = xxx
/interface bridge
add admin-mac=E4:8D:8C:0A:41:B0 auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 use-peer-dns=yes user=xxxxx@t-online.de
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.21.21.90-10.21.21.199
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/port
set 0 name=serial0
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" disabled=yes disabled=yes name=zt1 port=9993
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=10.21.21.254/24 comment=defconf interface=bridge network=10.21.21.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=10.21.21.0/24 comment=defconf dns-server=10.21.21.254 gateway=10.21.21.254 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.21.21.254 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=submission dst-port=587 in-interface-list=WAN protocol=tcp to-addresses=10.21.21.244 to-ports=587
add action=dst-nat chain=dstnat comment=smtp dst-port=25 in-interface-list=WAN protocol=tcp to-addresses=10.21.21.244 to-ports=25
add action=dst-nat chain=dstnat comment=imaps dst-port=993 in-interface-list=WAN protocol=tcp to-addresses=10.21.21.244 to-ports=993
add action=masquerade chain=srcnat comment="hairpin : mikrotik youtube" dst-address=10.21.21.244 log=yes log-prefix=HAIRPIN: out-interface=bridge protocol=tcp src-address=10.21.21.0/24
/ipv6 firewall address-list
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=RB3011
/system note
set show-at-login=no
/system package update
set channel=testing
/system routerboard settings
set auto-upgrade=yes silent-boot=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Statistics: Posted by tesme33 — Thu Mar 28, 2024 6:21 pm
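
Added example, not part of the original post and not MikroTik's code: a simplified Python model of how a new TCP connection is evaluated against the NAT rules in the export above, covering only the matchers those rules use. The public address 203.0.113.10, the client and internet host addresses and the `VARIANT` rule set are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

LISTS = {"WAN": {"ether1", "pppoe-out1"}, "LAN": {"bridge"}}  # from the export
LAN_NET = ip_network("10.21.21.0/24")
SERVER = "10.21.21.244"
PUBLIC_IP = "203.0.113.10"   # constructed placeholder for the PPPoE address
PORTS = (587, 25, 993)       # submission, smtp, imaps

# The three dst-nat rules as posted: matched on in-interface-list=WAN.
POSTED = [{"in-interface-list": "WAN", "dst-port": p} for p in PORTS]
# Hypothetical variant for contrast: matched on destination address instead.
VARIANT = [{"dst-address": PUBLIC_IP, "dst-port": p} for p in PORTS]

def rule_matches(rule, pkt):
    """True when every matcher present in the rule agrees with the packet."""
    lst = rule.get("in-interface-list")
    if lst is not None and pkt["in"] not in LISTS[lst]:
        return False
    if "dst-address" in rule and pkt["dst"] != rule["dst-address"]:
        return False
    return rule["dst-port"] == pkt["dport"]

def trace(pkt, dstnat_rules):
    """Follow one new TCP connection through dstnat, routing and srcnat."""
    dst = SERVER if any(rule_matches(r, pkt) for r in dstnat_rules) else pkt["dst"]
    if dst == PUBLIC_IP:
        # Still addressed to the router itself: input chain, srcnat never runs.
        return {"dst": dst, "chain": "input", "hairpin": False}
    out = "bridge" if ip_address(dst) in LAN_NET else "pppoe-out1"
    # The posted hairpin rule: src 10.21.21.0/24, dst 10.21.21.244, out bridge.
    hairpin = (ip_address(pkt["src"]) in LAN_NET and dst == SERVER
               and out == "bridge")
    return {"dst": dst, "chain": "forward", "hairpin": hairpin}

# Constructed packets: a LAN client and an internet host, both to PUBLIC_IP:25.
LAN_PKT = {"in": "bridge", "src": "10.21.21.100", "dst": PUBLIC_IP, "dport": 25}
WAN_PKT = {"in": "pppoe-out1", "src": "198.51.100.7", "dst": PUBLIC_IP, "dport": 25}

if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("variant", VARIANT)):
        print(name, "LAN client:", trace(LAN_PKT, rules))
        print(name, "WAN host:  ", trace(WAN_PKT, rules))
```

On the router itself, the posted rule's `log=yes log-prefix=HAIRPIN:` gives the same answer: a connection that matches the rule leaves a HAIRPIN: entry in the log.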