Hi, I’ve got an internal network and a guest WiFi network. I’ve got drop rules so both networks don’t communicate with each other. I’ve got a device on the guest WiFi network that needs to access a web server on the internal network. It needs to access it via its public IP address. What rules do I need to set up? It is something to do with hairpin NAT.
You don’t need hairpin NAT if the internal and guest networks have different subnets. You just need dstnat:
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=<public IP> dst-port=80 protocol=tcp to-addresses=<server IP>
And then allow the connection using either a specific rule for the target address and port, or a universal one for all forwarded ports (must be before your current drop rules):
/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat
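The "specific rule" option mentioned in the answer above could look like the following. This is an added example, not part of the original reply; `<guest subnet>` and `<drop rule number>` are placeholders for values the thread does not give. It accepts only guest traffic to the forwarded web port instead of every dst-natted connection.

```routeros
# Added example: narrow accept rule for the forwarded web port only.
# <guest subnet> and <drop rule number> are placeholders, not values from the thread.
# dstnat runs before the forward chain, so dst-address here is the server's
# internal address, not the public IP.
/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat \
    src-address=<guest subnet> dst-address=<server IP> \
    protocol=tcp dst-port=80 place-before=<drop rule number> \
    comment="guest to web server via public IP"
# Confirm the new rule is listed above the guest/internal drop rules.
print
```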
Thx. Can I somehow force the traffic that comes out from the guest WiFi to come back in via the same public IP address and access the web server via its public IP, not local?
I don’t understand the question. How does it differ from the original one that I already answered?