Hairpin NAT with dynamic WAN IP

Pea · January 24, 2018, 8:14pm

Hi,
I would like to ask you to review my Hairpin NAT to internal server on 10.0.0.50
The WAN IP is dynamic (VDSL). I access my Server from Internet and also from LAN by using the domain name (WAN IP).

Option A:

/ip firewall nat
add action=masquerade chain=srcnat out-interface="PPPoE client"
add action=masquerade chain=srcnat comment="LAN to Server" dst-address=10.0.0.50 protocol=tcp src-address=10.0.0.0/25
add action=dst-nat chain=dstnat comment="WAN to https Server" dst-address-type=local dst-port=443 protocol=tcp to-addresses=10.0.0.50

Option B:

/ip firewall nat
add action=masquerade chain=srcnat out-interface="PPPoE client"
add action=masquerade chain=srcnat comment="LAN to Server" dst-address=10.0.0.50 out-interface=bridge-local src-address=10.0.0.0/25
add action=dst-nat chain=dstnat comment="WAN to https Server" dst-address=!10.0.0.0/25 dst-address-type=local dst-port=443 protocol=tcp to-addresses=10.0.0.50

I am unable to see the background if both are equal or maybe incorrect/wrong or what is the advantage of each?
But both seems to work well…

Or is there any better Option C?
Thank you!

Steveocee · January 24, 2018, 8:59pm

I made a YouTube video on this subject exactly;
https://www.youtube.com/watch?v=_kw_bQyX-3U

Pea · January 28, 2018, 8:02pm

Thank you Steveocee, based on the tutorial I will try to use this now, Option C:

/ip firewall nat
add action=masquerade chain=srcnat comment="LAN to Server" dst-address=10.0.0.0/25 src-address=10.0.0.0/25
add action=masquerade chain=srcnat out-interface="PPPoE client" src-address=10.0.0.0/25
add action=dst-nat chain=dstnat comment="WAN to https Server" dst-address-list=WAN-IP dst-port=443 protocol=tcp to-addresses=10.0.0.50

/ip firewall address-list
add address=server.example.com list=WAN-IP