Hi,
The picture shows the hairpin NAT I tried to set up; the action is masquerade. It does not work from inside the network, even when I insert the dst nat port and src nat port. Please assist.

Sent from my VTR-L09 using Tapatalk
For hairpin NAT you need 3 rules, not just one.
Common rule for Internet interface with destination nat from public to private for inbound interface
Destination nat from public to private with your source for inbound local interface
Masquerade nat from your source to private destination for outbound local interface
More control!
@Anumrak,
I also need Hairpin NAT. Could you be more specific about the setup? Could you give example CLI commands to set it up?
I have a dynamic WAN IP and NOT a static WAN IP.
Thanks
Karel
For dstnat you can specify the input interface instead of the IP, plus you need a public IP on the WAN and DynDNS.
No, you can’t specify in-interface for the dstnat rule, because then it won’t match packets coming from LAN.
It’s really simple. If the router has a static public address (best case), do e.g.:
/ip firewall nat
add chain=dstnat dst-address=<public address> protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.88.10
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.0/24 action=masquerade
(192.168.88.10 is the internal server, 192.168.88.0/24 is the local network; change them to what you have)
If the public address is dynamic, then use this dstnat rule instead (the srcnat rule stays the same):
/ip firewall nat
add chain=dstnat dst-address-type=local dst-address=!192.168.88.1 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.88.10
(192.168.88.1 is the router’s LAN address and it’s there to exclude connections to services on the router from the LAN side; in this case it could be WebFig on port 80)
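A small Python model of the two rules in the answer above, added here as an illustration and not part of the thread: it traces one TCP connection through dstnat and srcnat to show why a LAN client fails without the masquerade rule. The WAN address 203.0.113.5, the client addresses and all function names are constructed for the example.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.88.0/24")  # local network from the thread
ROUTER_LAN = "192.168.88.1"                     # router's LAN address
SERVER = "192.168.88.10"                        # internal server
PUBLIC = "203.0.113.5"                          # constructed WAN address
LOCAL_ADDRS = {ROUTER_LAN, PUBLIC}              # matched by dst-address-type=local


def in_lan(addr):
    return ipaddress.ip_address(addr) in LAN


def dstnat(dst, dport):
    """dst-address-type=local dst-address=!192.168.88.1 protocol=tcp dst-port=80."""
    if dst in LOCAL_ADDRS and dst != ROUTER_LAN and dport == 80:
        return SERVER
    return dst


def srcnat(src, dst, hairpin_rule):
    """src-address=LAN dst-address=LAN action=masquerade (forwarded traffic only)."""
    return ROUTER_LAN if hairpin_rule and in_lan(src) and in_lan(dst) else src


def connect(client, dst, dport=80, hairpin_rule=True):
    """Trace one connection; 'works' means the reply comes from the dialed address."""
    new_dst = dstnat(dst, dport)
    if new_dst == dst:
        # Not translated: e.g. WebFig on the router itself, answered as-is.
        return {"server_sees": client, "reply_from": dst, "works": True}
    new_src = srcnat(client, new_dst, hairpin_rule)
    # If the server sees a real LAN client, it replies on-link, bypassing the
    # router, so the dstnat is never reversed and the client rejects the reply.
    direct = new_src != ROUTER_LAN and in_lan(new_src)
    reply_from = new_dst if direct else dst
    return {"server_sees": new_src, "reply_from": reply_from,
            "works": reply_from == dst}


if __name__ == "__main__":
    print("LAN, both rules :", connect("192.168.88.20", PUBLIC))
    print("LAN, dstnat only:", connect("192.168.88.20", PUBLIC, hairpin_rule=False))
    print("WAN client      :", connect("198.51.100.7", PUBLIC))
    print("LAN to WebFig   :", connect("192.168.88.20", ROUTER_LAN))
```

The `server_sees` value for the working LAN case is the router's address, so the server's access log records 192.168.88.1 for every hairpinned LAN client rather than the real client address.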
Thanks @Sob, it works.
Sent from my VTR-L09 using Tapatalk