Hairpin-NAT

Hello,

The Hairpin-NAT is a good solution (http://wiki.mikrotik.com/wiki/Hairpin_NAT), but what if I want to open on the webserver (192.168.1.2) a website (http://www.example.com) which is located on the webserver itself?

Then the hairpin rule does not help, because it only realizes that requests from 192.168.1.0/24 will be routed to 192.168.1.2.

/ip firewall nat
  add chain=srcnat src-address=192.168.1.0/24 \
  dst-address=192.168.1.2 protocol=tcp dst-port=80 \
  out-interface=LAN action=masquerade

But when I want to open the URL from 192.168.1.2 which is hosted on 192.168.1.2, the Hairpin-NAT does not help.

Is there any other solution available?

Interesting question!

If any client from the subnet 192.168.1.0/24 tries to open the public IP, the NAT rule works. But what if I want the same thing for the webserver itself (192.168.1.2)?

Here is the schema:

**It works with the three rules from the wiki.**

  • **srcnat to wan masquerade**
  • **dstnat to public IP**
  • **srcnat to webserver-ether masquerade**

It works exactly the same for the server itself as for any other client (192.168.1.2 is part of 192.168.1.0/24, so it makes no difference for the router). If it doesn’t work for you, it must be some other rules getting in the way.

Also consider that the server probably has entries in its hosts file (or a local DNS resolver, or something) which tell it that the IP of website.example.com is the internal IP. If so, then the server isn’t going to even bother trying to reach the public IP when you type http://website.example.com/ into a browser locally on the server…

Pull up a command prompt and try to ping the website name and see what IP it comes back with.

If it’s the public IP, then Sob is correct - the standard Hairpin NAT configuration you gave shouldn’t care that it’s the server trying to reach itself.
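
The rule matching discussed in this thread, as an added example that is not part of the original posts and is a simplified model rather than RouterOS code: it applies the dstnat and hairpin srcnat rules to a request from an ordinary LAN client and from the server itself. The public IP (203.0.113.10) and the router's LAN address (192.168.1.1) are assumptions, since the thread does not give them.

```python
import ipaddress

# Constructed values: the thread gives only the subnet, server IP and interface name.
PUBLIC_IP = "203.0.113.10"     # placeholder public address (documentation range)
ROUTER_LAN_IP = "192.168.1.1"  # assumed router address on the LAN interface
SERVER_IP = "192.168.1.2"
LAN_NET = ipaddress.ip_network("192.168.1.0/24")


def dstnat(pkt):
    """Port forward: tcp/80 to the public IP is rewritten to the web server."""
    if pkt["dst"] == PUBLIC_IP and pkt["dport"] == 80:
        return dict(pkt, dst=SERVER_IP)
    return pkt


def srcnat_hairpin(pkt, out_interface):
    """Hairpin rule from the thread: masquerade LAN-to-server traffic leaving via LAN."""
    if (ipaddress.ip_address(pkt["src"]) in LAN_NET
            and pkt["dst"] == SERVER_IP and pkt["dport"] == 80
            and out_interface == "LAN"):
        return dict(pkt, src=ROUTER_LAN_IP)
    return pkt


def route(client_ip, hairpin=True):
    """Return the (src, dst) pair the web server sees for a request to the public IP."""
    pkt = {"src": client_ip, "dst": PUBLIC_IP, "dport": 80}
    pkt = dstnat(pkt)
    if hairpin:
        pkt = srcnat_hairpin(pkt, out_interface="LAN")
    return pkt["src"], pkt["dst"]


def reply_returns_via_router(client_ip, hairpin=True):
    """The reply is un-NATed only if the server answers the router, not the client directly."""
    src, _ = route(client_ip, hairpin)
    return src == ROUTER_LAN_IP


if __name__ == "__main__":
    for client in ("192.168.1.10", SERVER_IP):
        print(client, "->", route(client),
              "reply via router:", reply_returns_via_router(client))
```

In this model the server's own request is masqueraded exactly like any other client's, and with the hairpin rule disabled the server would receive a packet whose source and destination are both 192.168.1.2.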