WAN Reflection and RouterOS

Q: I have tried the router in production tonight, and it mostly worked OK, but I could not get it to do WAN reflection at all. The current (old) FVS338 router does WAN reflection perfectly.

To explain the problem, have a look at the NEXT diagram in the attached document.

If I make an HTTP request to my WebServer from the Internet using the address a.b.c.d then it works just fine. The NAT in the 450G gives me port 80 on the WebServer on 192.168.0.11.

If I make an HTTP request from my PC on 192.168.0.20 to the Internet to, say, google.com, the masquerade in the 450G gives me the site just fine.

If I make an HTTP request from my PC on 192.168.0.20 to my WebServer on 192.168.0.11, again I get the pages just fine.

But if I make an HTTP request from my PC on 192.168.0.20 to my WebServer using a.b.c.d, nothing happens.

How can I get WAN reflection to work?


A: 'WAN reflection' is a marketing name for what is essentially an extra source NAT on the 'reflected' packets: besides translating the destination, the router also rewrites the source address to one of its own addresses, so that the server's replies are forced back through the router.

Another common name for this concept is "Hairpin NAT" (also "NAT loopback"); the MikroTik wiki has an article on Hairpin NAT that covers the same ground.

To understand the effect, consider a data packet with destination 'a.b.c.d' and source '192.168.0.20'.

The router translates the destination of this packet to '192.168.0.11' and forwards it to the web server, exactly as it does for requests arriving from the Internet. (This assumes the existing dst-nat rule matches on the public destination address and is not restricted to the WAN in-interface, since this packet arrives on the LAN interface.)

What most routers do NOT do, however, is translate the SOURCE IP address of that packet. The result is that the web server sees the source address (correctly) as '192.168.0.20', which is on its own subnet, and so sends the response packets DIRECTLY to the PC, bypassing the router altogether.

But the PC sent the request to 'a.b.c.d', NOT to '192.168.0.11'. The reply arrives with source address '192.168.0.11', which matches no connection the PC has open, so the PC's TCP stack simply discards it (and will typically answer it with a RST). The connection never completes and the browser eventually times out.

What you need to do in order to make it work is to rewrite the source address on the requests as well, so that the web server replies to the router and the router undoes both translations on the way back. You probably won't be surprised that RouterOS is capable of doing just that quite effectively! ;-)

  1. Connect to the router using Winbox, click 'IP->Firewall' and choose the NAT tab.
  2. Click '+' and choose 'srcnat' as the chain.
  3. Enter the LAN subnet (to match ALL traffic coming from LAN clients) as src-address: 192.168.0.0/24 (<--- don't forget the '/24'!). Enter the LAN address of the web server, 192.168.0.11, as dst-address. It must be the LAN address, not a.b.c.d, because the srcnat chain is evaluated after dstnat, so the destination has already been rewritten by the time this rule sees the packet.
  4. Optionally, select 'tcp' as protocol and enter '80' for dst-port (dst-port cannot be set without a protocol).
  5. Now select the 'Action' tab and simply choose 'masquerade' as the action.

This will cause all traffic headed to the web server via a.b.c.d from internal clients to arrive at the web server with the source address translated to the LAN address of the router (masquerade uses the address of the interface the packet leaves on, here the LAN side). The web server now replies to the router, the router reverses both translations, and the PC receives a reply from a.b.c.d as it expects. Direct requests to 192.168.0.11 never pass through the router, because PC and server share a subnet, so they are unaffected by this rule.

You can set the source address as seen by the web server to any IP address you want. For example, replacing step 5 above with an explicit src-nat action makes the web server see '1.2.3.4':

 

  1. Connect to the router using Winbox, click 'IP->Firewall' and choose the NAT tab.
  2. Click '+' and choose 'srcnat' as the chain.
  3. Enter the LAN subnet (to match ALL traffic coming from LAN clients) as src-address: 192.168.0.0/24 (<--- don't forget the '/24'!). Enter the LAN address of the web server, 192.168.0.11, as dst-address.
  4. Optionally, select 'tcp' as protocol and enter '80' for dst-port.
  5. Now select the 'Action' tab and choose 'src-nat' as the action.
  6. For 'To Addresses', enter '1.2.3.4' and click OK.

Note that although you can technically choose any IP address you wish for step 6, it must be an address such that replies from the web server will come back through this same router. If this router is the web server's only gateway, then any address that is not on the LAN will do; an address the web server reaches via a different route (another interface, a VPN, a more specific static route) will break the connection just as the untranslated case did. Whichever address you choose, the web server's logs will show that address rather than the real client for every hairpinned request, so keep that in mind when reading them.
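The two Winbox procedures above, together with the two rules the question says already exist, expressed as RouterOS terminal commands. This is an added example, not part of the original answer; the interface names ether1 (WAN) and bridge-lan (LAN) are assumptions, and a.b.c.d and 1.2.3.4 are the placeholders used in the text.

```routeros
# Added example, not from the original answer. Interface names ether1 (WAN)
# and bridge-lan (LAN) are assumptions; replace a.b.c.d with the real public IP.
/ip firewall nat

# 1. Existing rule: LAN clients out to the Internet.
add chain=srcnat out-interface=ether1 action=masquerade \
    comment="LAN -> Internet"

# 2. Existing rule: publish the web server. Match on the public address, NOT
#    on in-interface=ether1; a rule restricted to the WAN interface never
#    sees requests arriving from the LAN, so hairpin NAT could not work.
#    If the WAN address is dynamic, use dst-address-type=local instead.
add chain=dstnat dst-address=a.b.c.d protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.0.11 to-ports=80 \
    comment="Publish web server"

# 3. First procedure: LAN clients reaching the web server via a.b.c.d get
#    their source rewritten to the router's LAN address. dst-address is the
#    internal address because the srcnat chain runs after dstnat.
add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.11 \
    protocol=tcp dst-port=80 action=masquerade \
    comment="Hairpin NAT (masquerade)"

# 3b. Second procedure: same match, source rewritten to a fixed address.
#     Kept disabled; enable this one and disable rule 3 to use it. The
#     address must be one whose return path from the web server is this
#     router, i.e. anything not on the LAN when this is the only gateway.
add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.11 \
    protocol=tcp dst-port=80 action=src-nat to-addresses=1.2.3.4 \
    disabled=yes comment="Hairpin NAT (fixed source 1.2.3.4)"

# Verify: browse to http://a.b.c.d/ from 192.168.0.20, then confirm the
# hairpin rule's counters move and the tracked connection shows both
# translations (the reply destination is the router or 1.2.3.4, not the PC).
/ip firewall nat print stats where comment~"Hairpin"
/ip firewall connection print detail where dst-address~"192.168.0.11:80"
```

Paste the block into a terminal session or run it as a script. Rule order within a chain matters: the Internet masquerade in rule 1 is bound to out-interface=ether1, so it never matches hairpinned traffic and the two srcnat rules do not collide. Should the counters on the hairpin rule stay at zero, the dstnat rule is the first thing to check, since a packet whose destination was never rewritten will not match dst-address=192.168.0.11.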

If you have further questions or need additional assistance of any kind, please feel free to contact us!