I have a Mikrotik CCR1009-7G-1C-1S+ with firmware 6.42.6.
I have a local web server running that is accessible from the internet.
As mentioned in several posts on the forum, hairpin NAT is required to access the web server from a local machine with the public request.
I have set up a hairpin rule in the firewall but I cannot get it working. What am I doing wrong?
0 ;;; WAN out NAT
chain=srcnat action=masquerade out-interface-list=WAN log=no log-prefix=""
1 ;;; hairpin NAT
chain=srcnat action=masquerade src-address=192.168.200.0/24
dst-address=192.168.200.0/24 log=no log-prefix=""
2 ;;; web server
chain=dstnat action=dst-nat to-addresses=192.168.200.26 to-ports=80
protocol=tcp in-interface-list=WAN dst-port=80 log=no log-prefix=""
3 ;;; web server https
chain=dstnat action=dst-nat to-addresses=192.168.200.26 to-ports=443
protocol=tcp in-interface-list=WAN dst-port=443 log=no log-prefix=""
Hairpin NAT is used when you try to reach internal resources by external IP from the internal network, so what you’ve done is not hairpin NAT.
You should do something like:
The srcnat rule for hairpin is fine; the problem is with the dstnat rules. When they have in-interface-list=WAN (where I assume the WAN list contains the WAN interface), they will only work for connections from the internet. But connections from a local machine come from the LAN, so the dstnat part won’t happen for them. The condition needs to be replaced, preferably by dst-address= (if it’s static) or dst-address-type=local (matches any address assigned to the router). If it’s the latter, make sure it doesn’t conflict with anything else, e.g. if you’d use WebFig on 192.168.200.x:80 (where .x is what the router has), you’d also need to add dst-address=!192.168.200.x.
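
Added example, not part of any post in this thread: a small Python model of how the dstnat and hairpin srcnat rules discussed above match a LAN client, an internet client and a WebFig request. The public IP 203.0.113.10, router LAN IP 192.168.200.1, interface names and client addresses are assumptions made for illustration.

```python
# Simplified model of RouterOS NAT matching for the rules in this thread.
# Assumed, not from the thread: public IP 203.0.113.10, router LAN IP
# 192.168.200.1, interfaces ether1 (in the WAN list) and bridge (LAN).
from ipaddress import ip_address, ip_network

ROUTER_ADDRS = {"203.0.113.10", "192.168.200.1"}  # addresses assigned to the router
WAN_LIST = {"ether1"}
LAN = ip_network("192.168.200.0/24")
SERVER = "192.168.200.26"

def dstnat(pkt, rules):
    """Apply the first matching dst-nat rule; return the packet unchanged if none match."""
    for r in rules:
        if pkt["dport"] != r["dst-port"]:
            continue
        if r.get("in-interface-list") == "WAN" and pkt["in_if"] not in WAN_LIST:
            continue  # LAN-originated packets never satisfy this matcher
        if r.get("dst-address-type") == "local" and pkt["dst"] not in ROUTER_ADDRS:
            continue
        if pkt["dst"] == r.get("dst-address-not"):  # models dst-address=!x
            continue
        return {**pkt, "dst": r["to-addresses"]}
    return pkt

def hairpin_srcnat(pkt):
    """Rule 1 from the question: masquerade when src and dst are both in the LAN."""
    if ip_address(pkt["src"]) in LAN and ip_address(pkt["dst"]) in LAN:
        return {**pkt, "src": "192.168.200.1"}  # replies now return via the router
    return pkt

def forward(pkt, rules):
    pkt = dstnat(pkt, rules)
    if pkt["dst"] in ROUTER_ADDRS:  # not translated: delivered to the router itself
        return pkt
    return hairpin_srcnat(pkt)

ORIGINAL = [{"dst-port": 80, "in-interface-list": "WAN", "to-addresses": SERVER}]
FIXED = [{"dst-port": 80, "dst-address-type": "local",
          "dst-address-not": "192.168.200.1", "to-addresses": SERVER}]

# Constructed sample packets.
lan_client = {"src": "192.168.200.50", "dst": "203.0.113.10", "dport": 80, "in_if": "bridge"}
wan_client = {"src": "198.51.100.7", "dst": "203.0.113.10", "dport": 80, "in_if": "ether1"}
webfig = {"src": "192.168.200.50", "dst": "192.168.200.1", "dport": 80, "in_if": "bridge"}

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        for label, pkt in (("LAN", lan_client), ("WAN", wan_client), ("WebFig", webfig)):
            out = forward(pkt, rules)
            print(f"{name:8} {label:6} -> dst={out['dst']} src={out['src']}")
```

With the original rules the LAN client's request is never translated and ends at the router itself; with the changed matcher it reaches the server and the srcnat rule rewrites its source.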