Hairpin NAT with external src ip - possible?

negavoid · April 12, 2019, 12:43pm

Hello,
I have a typical hairpin NAT setup to access webserver in my LAN.

/ip firewall nat
add action=dst-nat    chain=dstnat dst-address=12.34.56.78   dst-port=80 protocol=tcp to-addresses=192.168.1.140 to-ports=80
add action=masquerade chain=srcnat dst-address=192.168.1.140 dst-port=80 protocol=tcp src-address=192.168.1.0/24

Everything works well, and webserver correctly see incoming masqueraded connections from 192.168.1.1. Just… when I had dummy tp-link router, apache saw these connections (to webserver from lan) came from 12.34.56.78 (my external wan ip from isp). Is it possible to do the same with mikrotik?

mkx · April 12, 2019, 1:32pm

Try using

action=src-nat to-addresses=12.34.56.78

instead of

action=masquerade

in your NAT rule.

masquerade is a special case of src-nat where it “intelligently” chooses to-addresses depending on output interface (that’s good if IP address, bound to output interface, is dynamic). In your case, output interface is LAN, so it chooses LAN IP address.

negavoid · April 12, 2019, 2:18pm

It works, Thank you very much!!!