I have a hairpin working:
chain dstnat protocol tcp dst port 4000 in interface ether1
action dst-nat to address 192.168.100.70 to ports 4000
chain dstnat protocol tcp dst port 4000 address type local
action dst-nat to address 192.168.100.70 to ports 4000
chain srcnat dst address 192.168.100.70 protocol tcp dst port 4000 out interface bridge1
action masquerade
this works for device 192.168.100.70 on port 4000 forwarded to port 4000
I need device 192.168.100.77 on port 100 forwarded to port 4100
this is what I've tried without success:
chain dstnat protocol tcp 4100 in interface ether1
action dst-nat to address 192.168.100.77 to port 100
chain dstnat protocol tcp src port 4100 dst port 100 address type local
action dst-nat to address 192.168.100.77 to port 100
chain srcnat protocol tcp src port 100 dst port 4100 out interface bridge1
action masquerade
Where is my mistake?
Thank you.
Your entire nat rules should look like this:
/ip firewall nat
add chain=dstnat address-type=local protocol=tcp dst-port=4000 action=dst-nat to-addresses=192.168.100.70
add chain=dstnat address-type=local protocol=tcp dst-port=100 action=dst-nat to-addresses=192.168.100.77 to-ports=4100
add chain=srcnat src-address=192.168.100.0/24 out-interface=bridge1 action=masquerade
add chain=srcnat out-interface=ether1 action=masquerade
That should be all you need - unless there are other pinholes you haven’t mentioned.
If so, just put them in the dstnat chain as these other rules were done.
The first masquerade srcnat rule is the one that enables NAT hairpin - because if the packet is going out on the LAN side of the router, and the source IP is the LAN network address range, then it must have been a nat pinhole that did this - so masquerade as the Mikrotik so the internal server will bounce its replies off of the Mikrotik so it can un-nat the replies.
As the newbie that I am, I'm using the web GUI for the rules.
add chain=dstnat address-type=local protocol=tcp dst-port=4000 action=dst-nat to-addresses=192.168.100.70
works when translated into the GUI.
add chain=srcnat src-address=192.168.100.0/24 out-interface=bridge1 action=masquerade
add chain=srcnat out-interface=ether1 action=masquerade
works when translated into the GUI.
add chain=dstnat address-type=local protocol=tcp dst-port=100 action=dst-nat to-addresses=192.168.100.77 to-ports=4100
does not work when translated into the GUI.
If I enter that line in the terminal, will it work? Will it show the rule in the web GUI?
Please answer when you're done laughing.
It looks like those commands should use dst-address-type=local
(I was reading off of winbox and the blank is just called “address-type” there - it’s inside of one of those “collapsing groups” and that collapsing group is “Dst. Address Type”)
If you want to type the command in on telnet, then change address-type to dst-address-type and it will work there.
In the web gui, going from top to bottom on that rule, only listing the fields where I’ve set something, it is:
Enabled=checked
----General----
Chain=dstnat
Protocol=6 (tcp)
Dst. Port= 100
----Extra----
Dst. Address Type - (Open it)
Address Type=local
----Action----
Action=dst-nat
To Addresses=192.168.100.77
To Ports=4100
Hi.
Thanks for the fast reply.
I've tried your settings.
Chain=dstnat
Protocol=6 (tcp)
Dst. Port= 100
----Extra----
Dst. Address Type - (Open it)
Address Type=local
----Action----
Action=dst-nat
To Addresses=192.168.100.77
To Ports=4100
The counter doesn't move when I try to access the site.
If I switch the ports, the packet and byte counters for the rule show traffic.
The resource is not working, and the connection remains at SYN_SENT.
The resource works from other networks. It has the MikroTik WAN IP hard-coded, and I cannot add the LAN class in the application.
I think I need to forward LAN requests for port 4100 to the LAN IP and port, but to the application it has to appear as coming from the WAN.
And I think I need to forward the replies along the same path as the LAN requests.
For now the resource works perfectly from the Internet, but the application does not answer on the LAN.
How can I do this?
I think anyone with a WordPress setup has this problem…
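For reference, here is a complete hairpin NAT rule set written out as an added example (not from any post in this thread), using the dst-address-type=local syntax and the port direction the original poster's first attempt and follow-up describe: public port 4100 on the WAN address mapped to the service listening on port 100 at 192.168.100.77. It assumes the thread's layout (WAN on ether1, LAN 192.168.100.0/24 on bridge1) and keeps the hairpin masquerade rule narrowed to the forwarded service, so that only hairpinned flows lose their real client source address in the server's logs.

```routeros
/ip firewall nat

# 1. Port forward, valid for both Internet and LAN clients:
#    dst-address-type=local matches any address the router itself owns
#    (including the WAN address), so LAN clients hitting the public IP
#    are translated too. Maps public 4100 -> 192.168.100.77:100.
add chain=dstnat dst-address-type=local protocol=tcp dst-port=4100 \
    action=dst-nat to-addresses=192.168.100.77 to-ports=100 \
    comment="forward: wan-ip:4100 -> .77:100 (Internet and hairpin)"

# 2. Hairpin return path. Without this the server answers the LAN client
#    directly on the bridge, the client sees a reply from the wrong address,
#    and the connection sits in SYN_SENT. srcnat runs after dst-nat, so the
#    packet already carries the translated destination (.77:100) here.
#    Match only that flow rather than all LAN traffic on bridge1, so other
#    traffic keeps its real source address for the server's access logs.
add chain=srcnat src-address=192.168.100.0/24 dst-address=192.168.100.77 \
    protocol=tcp dst-port=100 out-interface=bridge1 action=masquerade \
    comment="hairpin: reply via router"

# 3. Ordinary Internet access for the LAN
add chain=srcnat out-interface=ether1 action=masquerade \
    comment="lan -> internet"

# Verification from a LAN client connecting to wan-ip:4100:
# rule 1's and rule 2's counters should both increase, and the tracked
# connection should show the translated reply address.
/ip firewall nat print stats
/ip firewall connection print where dst-address~"192.168.100.77:100"
```

With rule 2 in place the application sees every hairpinned request as coming from the router's LAN address, which is exactly why the poster's hard-coded WAN IP check passes; the price is that the server cannot log the real LAN client, so keep the masquerade rule as narrow as shown.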