Hairpin NAT configuration help

Hello!

I could use some help with my NAT configuration. I have not been able to configure my router so that I can connect to a local web server while on the local network or the VPN. I have an AdGuard DNS running on the local network, with DNS rewrite rules set up to redirect to the local address, but this doesn't work well. I'd much rather have this work at the router level. My router config is below. Any help is much appreciated!

# Compact RouterOS export as pasted. The exporter wraps long commands onto the
# following line (the continuation indent was lost in the paste), so every
# comment here sits before a complete command, never between a command and its
# wrapped continuation.
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] rx-flow-control=on tx-flow-control=on
set [ find default-name=sfp-sfpplus4 ] rx-flow-control=auto
/interface wireguard
# Appears to be the interface managed by the /ip cloud back-to-home setting
# further down; it is not a member of the WAN or LAN interface lists.
add comment=back-to-home-vpn listen-port=19014 mtu=1420 name=back-to-home-vpn
/interface ethernet switch
set 0 cpu-flow-control=yes
/interface list
add name=WAN
add name=LAN
/ip pool
add comment="LAN DHCP" name=dhcp ranges=192.168.88.2-192.168.88.200
/ip dhcp-server
add address-pool=dhcp interface=bridge1 name=dhcp1
/port
set 0 name=serial0
/routing table
add disabled=no name=VPN-Access
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=sfp-sfpplus2
add bridge=bridge1 interface=sfp-sfpplus3
add bridge=bridge1 interface=sfp-sfpplus4
add bridge=bridge1 interface=sfp-sfpplus5
add bridge=bridge1 interface=sfp-sfpplus6
add bridge=bridge1 interface=sfp-sfpplus7
add bridge=bridge1 interface=sfp-sfpplus8
add bridge=bridge1 interface=sfp-sfpplus9
add bridge=bridge1 interface=sfp-sfpplus10
add bridge=bridge1 interface=sfp-sfpplus11
add bridge=bridge1 interface=sfp-sfpplus12
add bridge=bridge1 interface=sfp28-1
add bridge=bridge1 interface=sfp28-2
# NOTE(review): *F00000 is how an export prints a reference to an interface
# that no longer resolves (a dangling entry, here and in the LAN list below);
# harmless as far as the NAT question goes, but worth cleaning up — confirm.
add bridge=bridge1 interface=*F00000
/interface list member
# WAN = the single uplink port, LAN = the bridge. The NAT rules below key on
# these lists.
add interface=sfp-sfpplus1 list=WAN
add interface=bridge1 list=LAN
add interface=*F00000 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge1 network=
192.168.88.0
/ip cloud
# Dynamic public IP (per the thread): the DDNS name is what LAN clients resolve
# when they try to reach the web server "from outside", which is why a hairpin
# is needed at all.
set back-to-home-vpn=enabled ddns-enabled=yes ddns-update-interval=10m
/ip cloud back-to-home-user
# Private keys are redacted in this paste; a real /export prints them in the
# clear, so strip them before sharing a config. allow-lan=yes gives each BTH
# user reach into 192.168.88.0/24.
add allow-lan=yes name=user1 private-key=
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" public-key=
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
add allow-lan=yes comment="VPN - Share 1" expires=
"2036-11-04 15:36:00" name=VPN private-key=
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" public-key=
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
/ip dhcp-client
add default-route-tables=main interface=sfp-sfpplus1 use-peer-dns=no
/ip dhcp-server lease
# Static leases (MACs redacted). .5 (WEB) is the dst-nat target for 80/443
# below, .2 (MEDIA) the target for 32400.
add address=192.168.88.2 client-id=1:d8:5e:d3:3:46:28 comment=MEDIA
mac-address=XX:XX:XX:XX:XX:XX server=dhcp1
add address=192.168.88.5 client-id=1:74:d4:35:93:c:5 comment=WEB mac-address=
XX:XX:XX:XX:XX:XX server=dhcp1
add address=192.168.88.10 client-id=1:6c:cd:d6:dd:e:5b comment=
"Nighthawk WAP" mac-address=XX:XX:XX:XX:XX:XX server=dhcp1
add address=192.168.88.6 client-id=1:54:78:c9:de:46:d2 comment=Printer
mac-address=XX:XX:XX:XX:XX:XX server=dhcp1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
netmask=24
/ip dns
# Clients get the router as their resolver (dhcp-server network above) and the
# router forwards to 192.168.88.5. allow-remote-requests=yes makes the router
# answer DNS on every interface, WAN included. NOTE(review): this paste has no
# /ip firewall filter section at all; unless input-chain drop rules exist that
# were omitted, the resolver — and every other service — is reachable from the
# internet. Confirm the filter rules exist.
set allow-remote-requests=yes servers=192.168.88.5
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
# Root cause of the hairpin failure: these dst-nat rules match only on
# in-interface-list=WAN. A LAN client connecting to the public address arrives
# on bridge1, so no dst-nat happens, the packet is delivered to the router
# itself, and the "Hairpin" srcnat rules below never see a 192.168.88.5
# destination. Matching on the public address instead of the ingress interface
# (an address list holding the DDNS name, as proposed later in the thread) lets
# both WAN- and LAN-originated connections be translated.
add action=dst-nat chain=dstnat comment=HTTP dst-port=80 in-interface-list=
WAN protocol=tcp to-addresses=192.168.88.5 to-ports=80
add action=dst-nat chain=dstnat comment=HTTPS dst-port=443 in-interface-list=
WAN protocol=tcp to-addresses=192.168.88.5 to-ports=443
add action=dst-nat chain=dstnat comment=PLEX dst-port=32400
in-interface-list=WAN protocol=tcp to-addresses=192.168.88.2 to-ports=
32400
# dst-address-list / src-address-list take the *name* of an address list, not
# an address or subnet (as noted in the thread): use dst-address=192.168.88.5
# and src-address=192.168.88.0/24, or create the lists. Also note that
# masquerading hairpinned connections makes the web server's access logs show
# 192.168.88.1 as the client instead of the real LAN host — worth knowing when
# reviewing those logs.
add action=masquerade chain=srcnat comment="HTTP Hairpin" dst-address-list=
192.168.88.5 dst-port=80 out-interface=bridge1 protocol=tcp
src-address-list=192.168.88.0/24
add action=masquerade chain=srcnat comment="HTTPS Hairpin" dst-address-list=
192.168.88.5 dst-port=443 out-interface=bridge1 protocol=tcp
src-address-list=192.168.88.0/24
/ip firewall service-port
set ftp disabled=yes
set h323 disabled=yes
/ip kid-control
# Looks like the automatically created placeholder entry, not user config —
# confirm before touching it.
add fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d thu=0s-1d tue=
0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=0s-1d tur-thu=
0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d
/ip route
# Route for the LAN subnet in the VPN-Access table with an empty gateway;
# presumably related to the BTH allow-lan setting above — confirm it is
# actually needed.
add disabled=no distance=1 dst-address=192.168.88.0/24 gateway=""
routing-table=VPN-Access scope=30 suppress-hw-offload=no target-scope=10
/ip service
# ftp/ssh/telnet/www/api/api-ssl are off. Services not listed here (e.g.
# winbox) are at their defaults and simply not printed by a compact export;
# with no filter rules visible, restrict them with the address= parameter to
# the LAN subnet, or add input-chain drop rules for WAN.
set ftp disabled=yes
set ssh disabled=yes
set telnet disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=America/New_York
/system identity
set name="MT Router"
/system routerboard settings
set enter-setup-on=delete-key

Bit confused here, do you have fixed private IP for the WAN, or a fixed or dynamic public IP on the WAN?

Good question. I meant to put that in the description. I have DDNS set up because I have a dynamic IP from my ISP.

dst-address-list should take an address list:

not an IP, I believe; a single IP should be dst-address=192.168.88.5 and the other one src-address=192.168.88.0/24

Thanks for the feedback. I added 192.168.88.5 to the dst-address field and added 192.168.88.0/24 to the address list as "LAN". This does not work either. Any other thoughts?

# NOTE(review): to-addresses= is a src-nat/dst-nat parameter and has no effect
# with action=masquerade; the HTTP rule below omits it, so the two rules are
# inconsistent. Both rules also only ever match traffic that the dstnat chain
# has already translated to 192.168.88.5 — and the existing dst-nat rules are
# restricted to in-interface-list=WAN, so a LAN client hitting the public
# address is never translated and these rules have nothing to match.
add action=masquerade chain=srcnat comment="HTTPS Hairpin" dst-address=192.168.88.5 dst-port=443 out-interface=bridge1 protocol=tcp src-address-list=LAN to-addresses=192.168.88.5

add action=masquerade chain=srcnat comment="HTTP Hairpin" dst-address=192.168.88.5 dst-port=80 out-interface=bridge1 protocol=tcp src-address-list=LAN

If you have a dynamic PUBLIC IP, then why are you using BTH??

I am still somewhat new to Mikrotik, but I am using BTH for when I am not at home (VPN). That is a separate issue really, but I had OpenVPN set up and it had a lot of problems. BTH was super easy to set up and allowed me access to devices on my network when not at home.

/ip firewall address-list
# {DDNS address} is a placeholder for the router's DDNS name (or current public
# IP); the dst-nat rules further down match on this list instead of on the
# ingress interface. Whether the list entry is kept current from a hostname
# depends on the RouterOS version — confirm it resolves.
add address={DDNS address} list=MyWAN
/ip firewall nat
# NOTE(review): neither address carries a prefix length, so as written each
# matches only the single host 192.168.88.0, not the LAN; the subnet is
# 192.168.88.0/24 (see the /ip address entry in the original export). Ordered
# before the WAN masquerade so LAN-to-LAN connections that were dst-nat'ed get
# their source rewritten; the server will then log 192.168.88.1 as the client.
add action=masquerade chain=srcnat src-address=192.168.88.0 \
     dst-address=192.168.88.0  comment=Hairpin
add action=masquerade chain=srcnat out-interface-list=WAN
+++++++++++++++++++++++++++++++++++++++++++
# Keyed on the destination address (the MyWAN list) rather than on
# in-interface-list=WAN, so a LAN client connecting to the DDNS address is
# translated too — this is what makes the Hairpin srcnat rule above effective.
# Exposure to the internet is unchanged: 80, 443 and 32400 are still reachable
# from any source, and 80 is plain HTTP (as another reply points out).
add action=dst-nat chain=dstnat comment=HTTP dst-port=80 protocol=tcp \
     dst-address-list=MyWAN  to-addresses=192.168.88.5
add action=dst-nat chain=dstnat comment=HTTPS dst-port=443 protocol=tcp \
     dst-address-list=MyWAN  to-addresses=192.168.88.5
add action=dst-nat chain=dstnat comment=PLEX dst-port=32400 protocol=tcp \
     dst-address-list=MyWAN to-addresses=192.168.88.2

Hosting a plain server on port 80, planning on getting hacked???

BTH is simple to set up but very inflexible when it comes to controlling where it can go and what it can do.
Trust me, you would be far better off ditching it, and creating a normal wireguard interface.

For anyone else who is having issues, this fixed my issue: