Fully transparent Hairpin NAT

All the examples of Hairpin NAT I have seen involve a specific TCP port and a specific internal IP (needless to say, they didn't work for me).

I would like to make a fully transparent one.
That means:

When I request an IP address currently assigned to ether1 (should not matter - static or dynamic) on any TCP port, the result should be exactly as if I had requested the router from the WAN side, without having to make a special rule for each port and each internal IP (in short: all the existing firewall rules should be applied to the packet so that I see exactly the same result from inside and from outside, ideally without mentioning an external IP in a rule).

How to achieve this assuming that I have only one WAN port (ether1)?

P.S. D-Link DIR-320 could do this task out of the box.

Don’t overthink it - you only need a single NAT rule, but it needs to be the first. Here is what I use:

add action=masquerade chain=srcnat dst-address=192.168.88.0/24 out-interface=lan0 src-address=192.168.88.0/24

So, very simply: src-address and dst-address are both your LAN subnet. out-interface is your LAN ethernet interface, or your LAN bridge interface. Give it a try, it should do what you are looking for.

Thank you for the effort. I removed my old rule and added yours for the bridge-local interface, set it at the top, and it did not work…
I also tried turning on the “Use IP Firewall” option in Bridge settings - still no effect.
My internal addresses are 192.169.0.0/24 - does it matter?

[admin@Gateway] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
 0    ;;; NAT Loopback
      chain=srcnat action=masquerade src-address=192.169.0.0/24 dst-address=192.169.0.0/24
      out-interface=bridge-local log=no log-prefix=""

Technically that range isn’t part of RFC1918 private IP space. It’s a public subnet and is probably being used by an operator somewhere on the internet. You don’t NAT public IP space, you route it.

That may or may not be part of the problem, but it would be the first thing I would correct. Your internal subnet should be somewhere in either 192.168.0.0/16, 172.16.0.0/12, or 10.0.0.0/8 space.

I changed to 192.168.1.0/24, but NAT Loopback still doesn’t work.

That will eliminate any potential issues down the road with routing.

As for the hairpin NAT issue, as far as I can tell your rule is correct. You could try making a slightly more specific one just for testing to see.

Alternatively, you could try getting rid of the bridge interface and see if it works when you specify an individual physical port. It’s possible it’s a bug.

From personal experience, I haven’t used Hairpin NAT since 5.x. I know initially when I went to 6.x I never got it to work, but it wasn’t a huge issue because I made the necessary adjustments on my internal DNS server. You can add your external domains and point them to your internal hosts. This should only affect your local clients.

I created an empty NAT rule with the “chain” parameter only:

chain=srcnat action=log protocol=tcp log=no log-prefix="HumbleRule"

And it does not fire when I access my router from inside by LAN address or by WAN address! It fires only when I request some data from Internet.

The only thing that appeared to be sensitive to calling my external IP address from inside is firewall filter rule #1 here:

/ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
 0    ;;; default configuration
      chain=input action=accept protocol=icmp log=no log-prefix=""

 1    chain=input action=accept connection-state=established,related dst-address=MY_EXTERNAL_IP
      log=no log-prefix=""

 2    ;;; default configuration
      chain=input action=accept connection-state=established,related log=no log-prefix=""

Ok, I understood how to detect the necessary packets. Now I need to apply the right action to make the packets be processed as if they had arrived from the WAN side.

Update:

Mikrotik support gave me a couple of pieces of advice that didn't work and then started to ignore my mails instead of giving a clear picture of whether they are trying to do some research, whether I should try something else, or whether they just won't help me at all. Guys, could you just respond that I should stop asking, and I will stop asking if you want. At this moment it looks from my side as if “the connection with the support team is broken”. I think that the issue is a bug in the firmware.

Hi,

I tried the same thing with the NAT rule described here. It doesn't work. I asked several times for help finding a solution but never got one. I think it's just not working with the Mikrotik stuff on a bridge. Too bad, I found that a lot of things that are very easy to set up with Cisco stuff (if you know how) are not working or break with Mikrotik.

The only working solution I found for this is using DNS entries, but that's only suitable for small or SOHO networks, and that's what MTs are good value for. For real-life large business networks, don't use MTs.

Finally I got the idea: the first chain to process the data is always dstnat, then it goes to srcnat if the traffic has passed through dstnat. The masquerade rule from the local network to the local network is there to make the response return to the sender.

The only thing that disappoints me: I had to mention my external IP address explicitly in the dst-address of the dstnat rules. Otherwise it takes several seconds to get a response through Hairpin NAT, but I'll sort it out some time later.

So if you got it to work would you please post your NAT rules here?

My Hairpin NAT is working fine under 6.28, 6.29.x, 6.30.x & 6.31
WAN on ether1 - DHCP Address from ISP
LAN on ether2 - Using 192.168.1.x as private network for LAN

Masquerade for NAT & Hairpin

add action=masquerade chain=srcnat comment="WAN Masquerade" out-interface=ether1
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=192.168.1.0/24 out-interface=ether2 src-address=192.168.1.0/24
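Putting the dstnat-then-srcnat explanation and the final two masquerade rules together, here is a complete hairpin setup as an added example (not any poster's own configuration). It assumes ether1 as WAN with a dynamic address, ether2 as LAN 192.168.1.0/24, and a hypothetical internal HTTPS server at 192.168.1.10; it goes beyond the thread by matching dst-address-type=local instead of the literal external IP, so the rule survives a WAN address change.

```routeros
/ip firewall nat
# Port forward. dst-address-type=local matches any address owned by the router
# (so the WAN IP may change); excluding the LAN subnet keeps the router's own
# LAN-side services (192.168.1.1) from being redirected as well.
# 192.168.1.10 is a hypothetical internal server, not from the thread.
add chain=dstnat action=dst-nat protocol=tcp dst-port=443 \
    dst-address-type=local dst-address=!192.168.1.0/24 \
    to-addresses=192.168.1.10 to-ports=443 comment="Forward HTTPS to internal server"

# Hairpin: a LAN client that hit the dstnat rule above would otherwise get the
# server's reply directly from 192.168.1.10 and drop it as unrelated. Masquerading
# LAN->LAN traffic makes the reply go back through the router and be un-NATted.
add chain=srcnat action=masquerade src-address=192.168.1.0/24 \
    dst-address=192.168.1.0/24 out-interface=ether2 comment="Hairpin NAT"

# Regular internet masquerade for everything leaving the WAN port.
add chain=srcnat action=masquerade out-interface=ether1 comment="WAN Masquerade"

/ip firewall filter
# The forwarded connection still traverses the forward chain whether the client is
# inside or outside, so one filter policy covers both: allow only connections that
# were explicitly dst-natted, drop any other new connection arriving from WAN.
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept connection-state=new connection-nat-state=dstnat
add chain=forward action=drop connection-state=new in-interface=ether1
```

Check with /ip firewall connection print: a LAN client connecting to the WAN address should show a dstnat entry whose reply direction is the router's LAN address, not the client's.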