I've read this thread: viewtopic.php?t=179343 which is most useful in explaining the hairpin issue. Whilst I won't say my knowledge of NAT is deep, I understand the basic principles. I originally solved via the DNS approach as that, well, worked. My home dev setup is a Windows domain with DNS server so I simply added a zone for my external domain and added the handful of DNS entries.
However, I sometimes have a client laptop visiting that uses NextDNS and therefore effectively DoH. As pointed out in the above head-numbing (but welcome) post, DNS method fails with DoH clients.
So I tried the simple hairpin option described in option #1. Except it doesn't work. Config below. When I read the post and it talked about dst-nat kicking in, I guessed it wouldn't work because my dst-nat rules specify in-interface-list=WAN. When this hairpin situation occurs, do these rules apply? If I remove this parameter, I can access the resource EXCEPT it triggers for every (say) port 80 access, i.e. external web pages stop.
/ip firewall nat
add action=masquerade chain=srcnat comment=hairpin dst-address=192.168.0.0/24 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="outgoing nat" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="simplehelp tcp" dst-port=8008 in-interface-list=WAN protocol=tcp to-addresses=192.168.0.7 to-ports=8008
add action=dst-nat chain=dstnat comment="simplehelp udp" dst-port=8008 in-interface-list=WAN protocol=udp to-addresses=192.168.0.7 to-ports=8008
add action=dst-nat chain=dstnat comment=http dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=192.168.0.14 to-ports=80
add action=dst-nat chain=dstnat comment=https dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=192.168.0.14 to-ports=443
Posted by robmaltsystems — Wed Jan 03, 2024 11:59 pm
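The behaviour the poster describes follows from the match condition: a LAN client connecting to the public address enters the router on the LAN interface, so a dst-nat rule with in-interface-list=WAN never sees it, and dropping the interface match makes the rule catch every port 80/443 connection regardless of destination. The usual fix is to match on the public address instead of the ingress interface. The following is an added example of that rewrite of the posted rules, not the poster's own config; it assumes the WAN address is 203.0.113.10 (a placeholder from the documentation range, substitute your own):

```routeros
# Added example, not the original poster's configuration.
# Assumes the router's public address is 203.0.113.10 (placeholder).
/ip firewall nat
# Hairpin: LAN-to-LAN connections that were dst-natted must be masqueraded
# so the server's replies return through the router instead of going
# straight back to the client (which would reset the connection).
add chain=srcnat action=masquerade comment=hairpin \
    src-address=192.168.0.0/24 dst-address=192.168.0.0/24
add chain=srcnat action=masquerade comment="outgoing nat" \
    ipsec-policy=out,none out-interface-list=WAN
# Port forwards match the public address rather than in-interface-list=WAN,
# so they apply whether the packet arrives from the WAN or from the LAN.
# Ordinary browsing to other hosts on 80/443 is untouched because its
# dst-address is not 203.0.113.10.
add chain=dstnat action=dst-nat comment="simplehelp tcp" protocol=tcp \
    dst-address=203.0.113.10 dst-port=8008 to-addresses=192.168.0.7 to-ports=8008
add chain=dstnat action=dst-nat comment="simplehelp udp" protocol=udp \
    dst-address=203.0.113.10 dst-port=8008 to-addresses=192.168.0.7 to-ports=8008
add chain=dstnat action=dst-nat comment=http protocol=tcp \
    dst-address=203.0.113.10 dst-port=80 to-addresses=192.168.0.14 to-ports=80
add chain=dstnat action=dst-nat comment=https protocol=tcp \
    dst-address=203.0.113.10 dst-port=443 to-addresses=192.168.0.14 to-ports=443
```

With this in place no split-horizon DNS is needed, so a DoH client resolving the external name to 203.0.113.10 works the same as an outside client. Two caveats a practitioner should keep in mind: with a dynamic WAN address, dst-address-type=local is a tempting substitute, but it matches every address the router holds, including 192.168.0.1, so a LAN client opening the router's own WebFig on port 80 or 443 would be forwarded to 192.168.0.14; and because hairpinned connections are masqueraded, the internal server's logs will show the router's LAN address as the client rather than the real LAN host. To confirm the rules are being hit, watch the packet counters with /ip firewall nat print stats while connecting from the LAN.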