Hairpin NAT basic setup help

masterchief4224 · June 20, 2023, 6:34pm

Hi guys,

this configuration doesn’t seem to work for Hairpin NAT. Client is .227 and Server .248

/ip firewall nat print
Flags: X - disabled, I - invalid; D - dynamic 
 0    ;;; Hairpin NAT
      chain=srcnat action=masquerade protocol=udp src-address=192.168.88.0/24 
      dst-address=192.168.88.0/24 log=no log-prefix="" 

 1    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN 
      ipsec-policy=out,none 

 2    ;;; p1
      chain=dstnat action=dst-nat to-addresses=192.168.88.248 to-ports=7777 
      protocol=udp in-interface-list=WAN dst-port=7777 log=no log-prefix="" 

 3    ;;; p2
      chain=dstnat action=dst-nat to-addresses=192.168.88.248 to-ports=8177 
      protocol=udp in-interface-list=WAN dst-port=8177 log=no log-prefix="" 

 4    ;;; p3
      chain=dstnat action=dst-nat to-addresses=192.168.88.248 to-ports=25565 
      protocol=tcp in-interface-list=WAN dst-port=25565 log=no log-prefix=""

Any idea what could be wrong, I also tried another rule like described in the official video tutorial, which also didn’t work.

https://www.youtube.com/watch?v=1I5FywY6opQ

;;; YT rule
      chain=srcnat action=masquerade protocol=udp src-address=192.168.88.0/24 
      dst-address=192.168.88.248 out-interface=bridge log=no log-prefix=""

I am also uncertain where the rule has to be placed, cannot find info about that in the documentation.

masterchief4224 · June 21, 2023, 5:41pm

If anyone is interested, the issue was using in-interface-list=WAN for the dstnat. This way it was not done after the hairpin, because the request came from inside and not from outside WAN network.

anav · June 26, 2023, 1:16pm

https://forum.mikrotik.com/viewtopic.php?t=179343

Yes, the dst-nat rules require something other than in-interface-lis=WAN ( we are talking dynamic WANIPs here) and as well one needs to ensure the firewall rule is agnostic.
Best is

add chain=forward action=accept connection-nat-state=dstnat