WAN Reflection and RouterOS by Mike Everest

Q: I have tried the router in production tonight, and it mostly worked OK, but I could not get it to do WAN reflection at all. The current (old) FVS338 router does WAN reflection perfectly.

To explain the problem, have a look at the NEXT diagram in the attached document.

If I make an HTTP request to my WebServer from the Internet using the address a.b.c.d then it works just fine. The NAT in the 450G gives me port 80 on the WebServer on 192.168.0.11.

If I make an HTTP request from my PC on 192.168.0.20 to the Internet to say google.com, the masquerade in the 450G gives me the site just fine.

If I make an HTTP request from my PC on 192.168.0.20 to my WebServer on 192.168.0.11, again I get the pages just fine.

But if I make an HTTP request from my PC on 192.168.0.20 to my WebServer using a.b.c.d nothing happens.

How can I get WAN reflection to work?


A: 'WAN reflection' is a marketing name for what is essentially a source NAT on the 'reflected' packets, translating the source address to the address of the router.

Another common name for this concept is "Hairpin NAT" - there is another interesting article related to Hairpin NAT on the MikroTik wiki.

To understand the effect, consider a data packet with destination 'a.b.c.d' and source '192.168.0.20'.

All routers will correctly translate this packet, replace the destination address with '192.168.0.11' and forward it to the web server.

What most routers do NOT do, however, is translate the SOURCE IP address of that packet. The result is that the web server sees the source IP address (correctly) as '192.168.0.20' and so sends the response packets DIRECTLY to the PC.

But the PC sent the request to 'a.b.c.d', and NOT to '192.168.0.11'. The PC has no way of knowing that the reply packets are actually replies to the request sent to the internet address, and so it simply ignores the replies.

What you need to do in order to make it work is to munge the source address on the requests as well. You probably won't be surprised that RouterOS is capable of doing just that quite effectively! ;-)

  1. Connect to the router using winbox, and click 'IP->Firewall' and choose the NAT tab.
  2. Click '+' and choose 'src-nat' as the chain.
  3. Enter the LAN subnet (to match ALL traffic coming from LAN clients) as src-address: 192.168.0.0/24 (<--- don’t forget the '/24'!) Enter the LAN web server address as dst-address.
  4. Optionally, enter '80' for dst-port.
  5. Now select the 'action' tab, and simply choose 'masquerade' as the action.

This will cause all traffic headed to the web server from internal clients to arrive at the web server with source address translated to the LAN address of the router.

You can set the source address as detected by the web server to be any arbitrary IP address that you want.  For example, we can modify step 5 above to set the source address as '1.2.3.4':


  1. Connect to the router using winbox, and click 'IP->Firewall' and choose the NAT tab.
  2. Click '+' and choose 'src-nat' as the chain.
  3. Enter the LAN subnet (to match ALL traffic coming from LAN clients) as src-address: 192.168.0.0/24 (<--- don’t forget the '/24'!) Enter the LAN web server address as dst-address.
  4. Optionally, enter '80' for dst-port.
  5. Now select the 'action' tab, and choose 'src-nat' as the action.
  6. For 'to-addresses', enter '1.2.3.4' and click OK

Note that although you can technically choose any IP address for step 6 that you wish, it must be an address such that replies from the web server will come back through this same router.  If this router is the only gateway for your network, then any address that is not on the LAN will do.
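The same two rule sets entered from the RouterOS terminal instead of winbox, as an added example that is not part of the original article (on the CLI the chains are spelled `srcnat` and `dstnat`). It assumes ether1 is the WAN interface, a.b.c.d stands for the public address exactly as in the question, and the port forward to 192.168.0.11 already exists as the questioner describes:

```routeros
# Added example, not the article's own configuration.
# Assumptions: ether1 = WAN interface, a.b.c.d = public address placeholder,
# 192.168.0.11 = LAN web server, 192.168.0.0/24 = LAN subnet.
/ip firewall nat

# The port forward the questioner already has working. It matches on the
# public address only, with no in-interface=WAN restriction, so a LAN
# client connecting to a.b.c.d is also translated to the web server.
add chain=dstnat dst-address=a.b.c.d protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.0.11 to-ports=80 \
    comment="port forward: public address to LAN web server"

# Ordinary internet masquerade for LAN clients. Hairpinned packets leave
# via the LAN interface, so this rule does not touch them.
add chain=srcnat out-interface=ether1 action=masquerade \
    comment="LAN to internet"

# Hairpin rule, variant 1 (steps 1-5 above): web server sees the router's
# LAN address as the client, so its replies come back through the router.
add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.11 \
    protocol=tcp dst-port=80 action=masquerade \
    comment="hairpin NAT: LAN clients reaching the web server via a.b.c.d"

# Hairpin rule, variant 2 (steps 1-6 above): a fixed source address.
# 1.2.3.4 must be an address the web server routes back via this router.
# Left disabled so only one hairpin variant is active at a time.
add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.11 \
    protocol=tcp dst-port=80 action=src-nat to-addresses=1.2.3.4 \
    disabled=yes comment="hairpin NAT: fixed source address"

# Check after opening http://a.b.c.d from the PC on 192.168.0.20: the
# tracked connection should show reply-dst-address as the router's LAN
# address (or 1.2.3.4), not 192.168.0.20, and the hairpin rule's
# packet counter should be climbing.
/ip firewall connection print detail where src-address~"192.168.0.20"
/ip firewall nat print stats
```

Because the hairpin rule rewrites the client address, the web server's own access logs record the router's address for every internal visitor reaching it via a.b.c.d; keep the router's connection tracking or firewall logging in mind when you need to trace such a request back to the originating PC.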

If you have further questions or need additional assistance of any kind, please feel free to contact us!

Copyright © 2019 DuxTel Online Store