/ip firewall nat
add action=masquerade chain=srcnat comment=“HairPin NAT @ LAN to Server on LAN” dst-address=192.168.88.0/25 src-address=192.168.88.0/25
No need messy scratching of head trying to learn and figure our MicroTik commands for newbies unless you are willing to pay for consultation fee to MicroTik Developer.
Just use my sample command rule on the terminal and you are done! I wonder why MicroTik dicumentation is so difficult to understand since I used MikroTik 25 years ago.
And advise to MicroTik developer. Just give simple examples not rocket science commamds and examples to newbies.
Thanks rodney, but its not your rule and its been stated on many threads. If you want plugNplay use TPLINK or DLINK or NETGEAR etc.
If one wants to learn RoS, the rule is a good starting place but one should learn what is going on with traffic flow to make sense of why the rule works.
Courtesy of Sob, (the problem):
"- _user client 192.168.88.5 wants to connect to www.myserver.net, resolves hostname, gets 47.123.12.89 and sends initial packet to it
client doesn’t have any idea where 47.123.12.89 is, as far as it knows, it can be on the other side of planet
dstnat rule changes packet’s destination address to 192.168.88.68 and sends it to server
source address is not changed, it’s still 192.168.88.5 ← the problem
server gets the packet and sends response directly to 192.168.88.5, because it’s in same subnet_!! - client throws it away, because it doesn’t expect any response from 192.168.88.68 the client is expecting a response from 47.xx
WHY this additional SRC NAT rule works: When the client sends the outgoing request now two things happen, the first thing is as before the destination NAT rule will change the destination from that resolved to the WANIP 47.xx to that of the Server .68, and now additionally, the outgoing traffic also gets masqueraded gets ‘natted’ to the subnet gateway address. Therefore the traffic is now headed to the Server with source IP address of the gateway of the subnet (vice the client). Then when the server replies to the traffic it sends the traffic back to the router as what it sees now as the source (originator of the traffic) is the IP 192.168.88.1. The router tracking the packets then applies the dst-nat rules and masquerade rules recognizing the returned traffic and thus un dst-nats the traffic from dst of 192.168.88.86 back to original dest of 47.xx and un-source nats the traffic from 192.168.88.1 to the original 192.168.88.5 and the packet arrives at the client and is accepted.
Finally this explanation on hairpin nat from MKX is invaluable!!
Standard SRC-NAT is masquerading source address and standard DST-NAT is masquerading destination address. And hairpin NAT is masquerading both addresses, one to each end (client doesn’t use the correct dst-address and server doesn’t see correct src-address).
Usual hair-pin NAT (in typical port forwarding) makes sure that the LAN client can talk to LAN server via some foreign (to both client and server) IP address, in the case of masquerading (redirecting) WANIPs, then the case becomes the WAN client talking to LAN server via some foreign (to both client and server) IP address (and that communication needs to pass router in both directions). Remember that any of the router’s own IP addresses are treated equally regardless of ingress interface of a particular packet
e.g packet targeting router’s WAN IP address, ingressing through LAN interface is treated the same way as packet targeting same IP address ingressing through WAN interface.
Finally if you want to read the explanation of how using hairpin nat addresses a similar situation where the WANIP needs to be ‘fixed’ using source-nat (hairpin technique) for a particular scenario, look at this post! ( example of WAN Client talking to LAN server ) http://forum.mikrotik.com/t/redirect-to-external-domain/156567/25
