hairpin

Hello,

I hope that anybody can help me with the hairpin.
I added the following rules.

It's possible to reach the IP camera from inside with my public IP, but the connection is very slow;
I can only open the login screen.

On the local side it works perfectly; from another public IP it also works fine.


ip firewall nat

add action=dst-nat chain=dstnat disabled=no dst-address=public ip to-addresses=192.168.0.64
add action=src-nat chain=srcnat disabled=no src-address=192.168.0.64 to-addresses=public ip


add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.64 protocol=tcp dst-port=1700 out-interface=LAN action=masquerade

I try to keep mine very simple. On each MikroTik I deploy, I simply add this as the first NAT rule:
add action=masquerade chain=srcnat dst-address=192.168.88.0/24 src-address=192.168.88.0/24

This rule works, but it changes all packets, so all internal communication is masqueraded. It's useless workload for the router, and the dst device doesn't know what the src is.

Well, technically this will only hit traffic where the local devices are stupid enough to send their traffic towards the default gateway even though the destination is within the same subnet - which should never happen if the device has a correctly working IP stack. So there's really no reason not to implement it that way (if you need NAT loopback, that is) - at least in "normal" setups this will work fine without ill effects.

Caveat: the rule DOES affect local traffic if it passes through a bridge on the router AND use-ip-firewall for the bridge is enabled; you should use more fine-grained rules then.

Exactly. And given that each additional NAT and filter rule is additional work for the router, I prefer to keep them short and sweet. This will ONLY NAT traffic that has been sent to the gateway.
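As an added illustration (not from any post in this thread, and not RouterOS code): the small Python model below walks a LAN client's connection to the camera through the port-forward (dst-nat) with and without the LAN-to-LAN masquerade rule discussed above. It shows why the hairpin rule is needed (without it the camera answers the client directly from 192.168.0.64, while the client expects the reply from the public IP, so the reply is rejected) and why the rule costs nothing for ordinary LAN traffic (same-subnet packets never reach the gateway). All addresses other than the camera's 192.168.0.64 are constructed: 203.0.113.10 stands in for the real public IP, 192.168.0.1 is assumed to be the router's LAN address and 192.168.0.10 is an invented LAN client.

```python
"""Toy model of hairpin NAT (NAT loopback) for a single port-forward.

Constructed addresses: 203.0.113.10 is a placeholder for the router's public IP,
192.168.0.1 is the assumed LAN address of the MikroTik, 192.168.0.10 is an
invented LAN client. 192.168.0.64 is the camera address from the thread.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PUBLIC_IP = "203.0.113.10"     # constructed placeholder for the real public IP
ROUTER_LAN_IP = "192.168.0.1"  # assumed LAN address of the router
LAN = ip_network("192.168.0.0/24")
CAMERA = "192.168.0.64"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

    def reply(self) -> "Packet":
        """The packet the receiver sends back: addresses and ports swapped."""
        return Packet(self.dst, self.src, self.dport, self.sport)


def goes_via_gateway(p: Packet) -> bool:
    """A working IP stack delivers same-subnet traffic directly (via ARP), so it
    never reaches the router's NAT chains; only off-subnet traffic does."""
    return not (ip_address(p.src) in LAN and ip_address(p.dst) in LAN)


def dstnat(p: Packet) -> Packet:
    """Port-forward: anything addressed to the public IP is redirected to the camera."""
    if p.dst == PUBLIC_IP:
        return Packet(p.src, CAMERA, p.sport, p.dport)
    return p


def srcnat_hairpin(p: Packet, enabled: bool) -> Packet:
    """The 'masquerade LAN->LAN' rule: rewrite the source to the router's LAN
    address so that the camera's reply is routed back through the router."""
    if enabled and ip_address(p.src) in LAN and ip_address(p.dst) in LAN:
        return Packet(ROUTER_LAN_IP, p.dst, p.sport, p.dport)
    return p


def simulate(hairpin: bool) -> dict:
    """A LAN client connects to the camera through the public IP.

    Returns whether the camera's reply passed through the router, whether the
    client's connection table accepts it, and the source address the client saw.
    """
    request = Packet("192.168.0.10", PUBLIC_IP, 40000, 80)
    # The client's connection table now expects a reply from PUBLIC_IP:80.
    translated = srcnat_hairpin(dstnat(request), hairpin)
    reply = translated.reply()          # the camera answers whoever it saw
    via_router = reply.dst == ROUTER_LAN_IP
    if via_router:
        # The router's connection tracking undoes both translations on the way back.
        reply = Packet(PUBLIC_IP, request.src, reply.sport, request.sport)
    accepted = (reply.src, reply.sport, reply.dst, reply.dport) == (
        PUBLIC_IP, 80, request.src, request.sport)
    return {"via_router": via_router, "accepted": accepted, "reply_src": reply.src}


def direct_lan_access_touches_router() -> bool:
    """Client uses the camera's LAN address directly: the packet never reaches
    the gateway, so the hairpin masquerade rule is never evaluated for it."""
    return goes_via_gateway(Packet("192.168.0.10", CAMERA, 40001, 80))


if __name__ == "__main__":
    for enabled in (True, False):
        print(f"hairpin masquerade {'on ' if enabled else 'off'}: {simulate(enabled)}")
    print("direct LAN access hits router NAT:", direct_lan_access_touches_router())
```

Running the script shows the asymmetric path without the masquerade rule: the camera's reply arrives from 192.168.0.64 instead of the public IP, which the client's connection state does not match, so the connection never completes properly. With the rule, the reply is forced back through the router, which reverses both translations. The caveat from the thread still applies: the model assumes LAN-to-LAN traffic bypasses the router, which is not the case when it crosses a bridge with use-ip-firewall enabled.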