Hairpin nat problem

I have set up access from the WAN to a webserver on the LAN. Everything is working, except that accessing the webserver from the LAN using the external (WAN) address gets me to the router rather than the internal webserver. Access via the LAN address (192.168.40.2) works fine.

I’ve set up a DMZ on 192.168.40.0/24. Other LAN nets are on 192.168.[10,20,30,50].0/24. NAT rules:

/ip firewall nat
    add chain=srcnat action=masquerade out-interface=ether-wan \
        comment="nat output connections"
    add chain=dstnat action=dst-nat protocol=tcp to-address=192.168.40.2 \
        dst-port=80,443 in-interface=ether-wan comment="web server at 192.168.40.2:80,443"
    add chain=srcnat action=masquerade src-address=192.168.20.0/24 \
        dst-address=192.168.40.2 dst-port=80 protocol=tcp \
        out-interface=bridge-secure comment="hairpin nat"

bridge-secure is one of my LAN nets (that I am using for this test). The DMZ is on bridge-dmz.

How can I set up “hairpin NAT”? Many thanks!

Try changing your out-interface to bridge-dmz in the masquerade rule.

No change.

I’ve ended up creating a static DNS entry for my domain that resolves to the local server. Seems to work fine, not sure what the disadvantages are.
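
An added example, not code from any poster in this thread: a small Python model of how the posted dstnat rule is matched, showing why a LAN client that targets the WAN address lands on the router itself. The WAN address, the client and router addresses, and the `by_addr` rule variant are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

WAN_IP = "203.0.113.10"   # constructed placeholder, the thread gives no WAN address
ROUTER_IPS = {WAN_IP, "192.168.20.1", "192.168.40.1"}   # assumed router addresses
ROUTES = {"192.168.20.0/24": "bridge-secure", "192.168.40.0/24": "bridge-dmz"}

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    in_if: str

@dataclass
class DstNat:
    to_address: str
    ports: tuple
    in_if: Optional[str] = None   # None means "any interface"
    dst: Optional[str] = None     # None means "any destination"

    def matches(self, p: Packet) -> bool:
        return (p.dport in self.ports
                and self.in_if in (None, p.in_if)
                and self.dst in (None, p.dst))

def prerouting(p: Packet, rules):
    """Apply the first matching dstnat rule, then decide input vs. forward."""
    dst = next((r.to_address for r in rules if r.matches(p)), p.dst)
    return dst, ("input" if dst in ROUTER_IPS else "forward")

def out_interface(dst: str) -> str:
    """Routing decision taken after dstnat: connected nets, else default via WAN."""
    for net, ifc in ROUTES.items():
        if ip_address(dst) in ip_network(net):
            return ifc
    return "ether-wan"

posted = [DstNat("192.168.40.2", (80, 443), in_if="ether-wan")]   # rule from the post
by_addr = [DstNat("192.168.40.2", (80, 443), dst=WAN_IP)]         # hypothetical variant

from_wan = Packet("198.51.100.7", WAN_IP, 443, "ether-wan")        # constructed
from_lan = Packet("192.168.20.50", WAN_IP, 443, "bridge-secure")   # constructed

if __name__ == "__main__":
    for name, rules in (("posted", posted), ("by dst-address", by_addr)):
        for p in (from_wan, from_lan):
            dst, path = prerouting(p, rules)
            out = out_interface(dst) if path == "forward" else "-"
            print(f"{name:15} in={p.in_if:13} dst={dst:13} {path:7} out={out}")
```

In this model the LAN packet never matches the `in-interface=ether-wan` rule, so it is delivered to the router's own services. Once translated, traffic to 192.168.40.2 leaves via bridge-dmz, which is why a masquerade rule keyed on `out-interface=bridge-secure` does not apply to it.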