To FORCE all DNS passing through the router to be resolved by the RouterBOARD's internal DNS, except (!) the traffic already from/to the RouterBOARD itself…
An easy workaround for this problem (often called loopback on other devices) is simply to put the server on its own subnet. {solved}.
As a workaround it seems a good idea, but not ideal, nor common, I guess…
I don't think that this is the definition of loopback
Sorry Zach, old habits LOL. When I used/sold Zyxel gear they had a checkbox for hairpin NAT, called loopback.
As for rextended, okay, why do I need those DNS-forcing rules? What do they have to do with hairpin NAT solutions??
Finally WHO in heck is using DNS that is not already on the routerboard??
Do you let WAN users use your DNS??
WHERE IS THIS OTHER DNS usage coming from??
To be clear, my input chain always ends with
add chain=input action=drop
and thus WAN to router DNS traffic is not permitted
I never said to open the internal DNS to the WAN side, simply to force all the LAN side to use the RouterBOARD's internal DNS.
/ip firewall nat
# any port-53 query that is not already sent by, or addressed to, the router itself is rewritten to the router's resolver
add chain=dstnat src-address=!192.168.88.1 dst-address=!192.168.88.1 dst-port=53 protocol=udp action=dst-nat to-addresses=192.168.88.1
add chain=dstnat src-address=!192.168.88.1 dst-address=!192.168.88.1 dst-port=53 protocol=tcp action=dst-nat to-addresses=192.168.88.1
All sources going to all destinations (except for one particular subnet) should be sent to the gateway 192.168.88.1 for port 53 UDP and TCP.
But why do you need to do this for your hairpin workaround???
So this statement.
"simply force all LAN side to use RouterBOAD internal DNS"
Means all subnets on the LAN side, OTHER than the server subnet???
Why not use existing redirect functionality??
/ip firewall nat
# matcher is up to you: src-address=!192.168.88.1, src-address-list=<your list name>, or perhaps in-interface-list=LAN
add action=redirect chain=dstnat comment="Force Users to Router for DNS - TCP" disabled=yes dst-port=53 protocol=tcp src-address=!192.168.88.1
add action=redirect chain=dstnat comment="Force Users to Router for DNS - UDP" disabled=yes dst-port=53 protocol=udp src-address=!192.168.88.1
-
I do not use hairpin NAT, what I do is not any form of hairpin NAT, and it has nothing to do with hairpin NAT.
-
It's like I must rewrite again what I already wrote on this topic…
http://forum.mikrotik.com/t/hairpin-nat-the-easy-way/146718/1
I never said to open the internal DNS to the WAN side, simply to force all the LAN side to use the RouterBOARD's internal DNS.
/ip firewall nat
# any port-53 query that is not already sent by, or addressed to, the router itself is rewritten to the router's resolver
add chain=dstnat src-address=!192.168.88.1 dst-address=!192.168.88.1 dst-port=53 protocol=udp action=dst-nat to-addresses=192.168.88.1
add chain=dstnat src-address=!192.168.88.1 dst-address=!192.168.88.1 dst-port=53 protocol=tcp action=dst-nat to-addresses=192.168.88.1
@anav,
you should use redirect here instead…
Redirect replaces the destination address with the router's local address.
Thanks!
NAT masquerade 192.168.88.0/24 to 192.168.88.0/24: this works for every service at once. Do not specify interfaces or ports. The internal port must be the same as the external port.
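As an added example (not the poster's configuration and not MikroTik's own documentation), here is the complete hairpin NAT set that the masquerade one-liner above belongs to. It assumes the interface lists WAN and LAN from the default configuration, a public address 203.0.113.10 on the WAN side and a web server at 192.168.88.100; all three are assumptions for illustration.

```routeros
/ip firewall nat
# Normal outbound NAT for the LAN (the default configuration already has this).
add chain=srcnat out-interface-list=WAN action=masquerade \
    comment="outbound masquerade"

# Port forward for the web server. Matching on the public address instead of
# in-interface-list=WAN is what lets LAN clients hit the same rule when they
# connect to the public IP: hairpin traffic arrives on a LAN interface.
add chain=dstnat dst-address=203.0.113.10 protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.88.100 \
    comment="443 -> web server (WAN and hairpin)"

# Hairpin rule: when a LAN client reaches the LAN server through the dst-nat
# above, also rewrite the source to the router's LAN address. Without this the
# server answers the client directly from its private address; the client sees
# a reply from 192.168.88.100 for a connection it opened to 203.0.113.10 and
# drops it. No interface or port is given, so one rule covers every forward.
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.0/24 \
    action=masquerade comment="hairpin NAT"
```

To check it, open https://203.0.113.10 from a LAN host and look at `/ip firewall connection print detail`: the hairpinned entry shows both a dst-nat and a src-nat translation. The price of this approach is that the server now logs 192.168.88.1 as the client address for every hairpinned connection, which is one reason the split DNS camp in this thread avoids it.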
Thanks for this, I have solved my problem with your approach!
Thanks for the guide/tutorial.
As https://wiki.mikrotik.com/wiki/Hairpin_NAT is just returning an Error (well for me it is), this post has become the de facto guide on the topic
Nice approach…
As @anav said, there are many ways to implement Hairpin NAT…
@Easen take a look here https://help.mikrotik.com/docs/display/ROS/NAT#NAT-HairpinNAT
I attempted to capture all the discussion here as well…
https://forum.mikrotik.com/viewtopic.php?t=179343
If there is anything I missed or should add let me know!!
ok @anav i will have a look later and let you know…
Literally everyone: NAT loopback
Mikrotik: Hairpin NAT
most others - use checkbox, don't learn a damn thing
MT - config manually, actually learn how traffic flows within a router…
Sucks to be an Other!
Thank you for the explanation. Great work.
Please, how do you solve the problem of having MORE-THAN-ONE internal server, on different internal IPs?
For example, one web server 192.168.88.100 listening on port 443 and one mail server 192.168.88.101 on port 25. From the outside they are both reachable on the same domain name "www.mydomain.it", and with 2 different dst-nat rules you can reach both.
But from the inside, how do you resolve "www.mydomain.it" to an IP address?
If you resolve www.mydomain.it to 192.168.88.100, you can reach the web server but you can't reach the mail server.
If you resolve www.mydomain.it to 192.168.88.101, you can reach the mail server but you can't reach the web server.
Tia
Stefano
I prefer to intercept all DNS requests (or use the DNS on the RouterBOARD by default) for "www.mypublicinternalserver.net" and reply directly with the internal IP.
Also where direct public IPs are used, they are changed to private IPs.
Done, no NAT problem. My network, my rules...
Usually I respect a simple "convention":
www.server.net is for… web!!!
mail.server.net is for… mail!!!
and if I have two servers, for example one for SMTP and one for POP3/IMAP, I have one smtp.server.net and for the other either still mail.server.net, or I use pop3.server.net or, if needed, imap.server.net!!!
And if I have a single server that does it all, I still register different names for each service…
and again
My network, my rules…
if it is my internal network, who stops me from providing mail.server.net to internal devices, even if on the real internet that domain does not exist?
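As an added example of the split DNS approach described above (not the poster's own configuration), using the addresses from the question plus an assumed second name, mail.mydomain.it, for the mail server; the interface lists LAN and WAN and the upstream resolvers are also assumptions for illustration.

```routeros
/ip dns
# The router resolves for LAN clients; the upstream servers are an assumption.
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9

/ip dns static
# Inside the LAN the public names resolve straight to the private addresses,
# so no dst-nat or hairpin rule is involved. One name per service solves the
# "two servers behind one name" problem from the question.
add name=www.mydomain.it address=192.168.88.100 comment="split DNS: web"
add name=mail.mydomain.it address=192.168.88.101 comment="split DNS: mail"

/ip firewall nat
# Clients that hard-code another resolver are pulled back to the router.
# redirect targets the router's own address, so no to-addresses is needed.
add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 \
    action=redirect comment="force LAN DNS to router (UDP)"
add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 \
    action=redirect comment="force LAN DNS to router (TCP)"

/ip firewall filter
# allow-remote-requests=yes also answers on the WAN unless the input chain
# stops it, so accept resolver traffic from the LAN only. On an existing
# config use place-before= so these land ahead of the final input drop.
add chain=input in-interface-list=LAN protocol=udp dst-port=53 \
    action=accept comment="LAN -> router DNS"
add chain=input in-interface-list=LAN protocol=tcp dst-port=53 \
    action=accept comment="LAN -> router DNS"
add chain=input in-interface-list=WAN protocol=udp dst-port=53 \
    action=drop comment="no open resolver on WAN"
add chain=input in-interface-list=WAN protocol=tcp dst-port=53 \
    action=drop comment="no open resolver on WAN"
```

Check it from a LAN host with `nslookup www.mydomain.it 8.8.8.8`: the answer comes back as 192.168.88.100 even though 8.8.8.8 was asked, which shows the redirect doing its job. The caveat is that only plain port-53 traffic is caught; a client that speaks DoT or DoH to its own resolver never sees the static entries and ends up on the public address path.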
The split DNS vs hairpin argument kinda died the moment users started using DoH and other methods that bypass your local DNS hijacking (some just don't admit it yet).