Alternatives to Hairpin NAT/split DNS - reaching HTTP server from the same subnet using domain

alex3025 · January 28, 2025, 4:03pm

Hello, after following the https://help.mikrotik.com/docs/spaces/RKB/pages/154042388/Port+forwarding guide, I’m able to access my HTTP server from the Internet using my domain. Now, when trying to access the HTTP server using the domain from the local network (same subnet of the HTTP server) I reach my MikroTik router web ui instead.

I heard of the hairpin nat or split dns (and I already have a PiHole DNS server) technique but was wondering what suits best my case.
Also I would like to have the most dynamic thing possible (like allowing me to add port forwarding rules without changing a lot of settings).

What do you suggest?

erlinden · January 28, 2025, 4:09pm

It does make sense (in my opinion) to have this handled by DNS. All traffic doesn’t have to pass the router that way.

alex3025 · January 28, 2025, 4:12pm

And what about Wireguard traffic, having a domain like: wireguard.mydomain.com? It can be handled still from DNS?

anav · January 28, 2025, 5:38pm

add chain=dstnat action=dstnat src-address=serverSUBNET dst-address=serverSUBNET

alex3025 · January 28, 2025, 5:49pm

What’s should that do?

anav · January 28, 2025, 6:33pm

TheCat12 · January 28, 2025, 8:30pm

A.k.a the hairpin NAT rule

alex3025 · January 28, 2025, 8:39pm

And what if I have multiple vlans? Do I need to use address lists?

TheCat12 · January 28, 2025, 8:40pm

It’ll make your life easier, so yes

alex3025 · January 28, 2025, 8:43pm

Scripting is the only way to define the address lists automatically based on my existing vlans?

OrionWatson · February 11, 2025, 1:33pm

Using Hairpin NAT is the best option for this purpose.

anav · February 11, 2025, 3:15pm

Hairpin nat is only required if the users are in the same subnet as the server.
So I would make a hairpin nat rule specific to each subnet.
The format provided allows for any number of servers within a subnet.