Hello,
I’m a newbie with Mikrotik and I’d like to know how can I access to WAN IP from the LAN to the services configured with NAT.
I can access fine from outside to all of NATed services but I can’t do it from LAN using WAN IP.
Anybody could help me?
Thanks
This is a hairpin nat issue.
What happens: your LAN client sends a request to your WAN ip w/ port forward.
The packet arrives at the server w/ your LAN address as src-address. Your server replies to your src-address - which is in the same network as the server, so it sends it out directly without going back through the router.
Your LAN client discards trhat packet because it iis expecting a reply from yooour WAN IP.
Try this:
/ip firewall nat
add chain=src-nat action=src-nat to-address=<your LAN IP, for example 192.168.88.1> src-address=<your lan network, for example 192.168.88.0/24> dst-address=<your WAN IP> out-interface=<your LAN interface, most likely bridge-local>
and put in on top of your set of NAT rules.
If you have more than one WAN address, it’s a good practice to add those to an address list and use dst-address-list instead of dst-address in the nat rule.
-Chris
Thanks for your help cdiedrich,
my WAN address is dynamic, there’s any way to solve this in this scenario?
Best regards
It could probably suffice with a rule like this:
/ip firewall nat add chain=src-nat action=masquerade out-interface=<your LAN interface> src-address=<your LAN IP range like 192.168.88.0/24> dst-address=<your LAN IP range like 192.168.88.0/24>
This is not tested, but I don’t see a reason why it shouldn’t work.
Good luck,
-Chris
I’m sorry but it doesn’t work.
This is my NAT table if it can help.
Best regards
I am having the same problem.
I would have expected a dst-nat, not src-nat, though. Something to change my destination public address to my private LAN server address when accessing the LAN server through its public IP!
There’s no simple solution for this? I think that this has to be easier than it looks.
Thanks
You’ll need both the port forward (dstnat) rule and hairpin rule(srcnat, masquerade) to work together.
dstnat:
Make sure your port forward/dstnat does NOT use an in-interface filter from WAN otherwise hairpin will not work as you are comming from bridge-local (or whatever your LAN is).
Instead use the filter dst-address-type=local on your dstnat which will match any IP directly bound to router. You can also filter by WAN ip if you need to access a service on the router that uses the same port# (webfig port 80 for example).
srcnat, masquerade:
/ip firewall nat add chain=src-nat action=masquerade out-interface=<your LAN interface> src-address=<your LAN IP range like 192.168.88.0/24>
You may also want to fiter this by protocol and port#.
Sorry but this didn’t work too 
There’s anybody that could help me to config this?
I’ll pay for the job.
Thanks
Well, a simple port forward should work…
I can use this port forward using my public ip from the inside of my network.
I’m sorry but that didn’t work. I think the problem has to be some mistake in the NAT configuration.
Ciao Roberto,
Did you solve?
I think have similar problem.
I can’t access to internet from LAN by Mikrotik in DMZ with dynamic public IP.
(sorry for hand sketch!)
Can anyone help me (us)?
What NAT rule need?
IMG_20151222_214812_edit_edit.jpg
In the DST NAT RULE you need to specify your public IP address in the dst-address
But my public IP is dynamic and could change…
What can I do?
Select your external interface or in. Interface
I have it configured like this but it doesn’t work to connect to my public IP from LAN.
Why not use Google and put in: ddns hairpin mikrotik
Thanks dear!
So, I need to set eth1 on in (or out) interface and leave blank dst add.
Can you give me setting detail of “action” window, please?
Note that in NAT rules I have only this default config: chain=srcnat, action=masq, out-int=eth1
Thanks for the link msatter I’ve followed the instructions on that link and it works fine!