Port forward issue - is this hairpin NAT?

Hi,
I’m pulling my hair here.

So I have this config

WAN is ether1 on PPPoE with fixed public IP

LAN is 192.168.1.0/24 with bridge-local, eth2,3,4 and wlan, DHCP, everything OK.

I have a DVR with a fixed IP, 192.168.1.150, port 3333.

I did forward the port 3333 using:
chain - dstnat
protocol - tcp
dst port - 3333
in-interface - pppoe-out1
action - dst-nat
to-address - 192.168.1.150
to ports - 3333

If I try to access my public WAN IP:3333 or my MikroTik free cloud DNS name while connected to a different network providing Internet, it works: the port forwarding is OK and I can get to my DVR. But if I try to access my DVR using my public WAN IP:3333 or the MikroTik cloud DNS name while I’m connected to my local LAN via Ethernet or Wi-Fi, it fails! I can access the DVR using the internal IP, 192.168.1.150:3333, though.
I want to be able to access the DVR using the public wan IP\cloud dns name even if I’m connected to my local LAN.

Do I need to set up some hairpin nat rules?

I am on 6.25 hAP.

Yes, that’s what hairpin NAT is for.

You need to remove the in-interface filter from your dstnat and put in dst-address-type=local instead. This is because your hairpin traffic won’t be actually coming in the PPPoE interface.

Then add a second hairpin rule to fix certain tcp replies:

/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 \
  dst-address=192.168.1.150 protocol=tcp dst-port=3333 \
  out-interface=bridge-local action=masquerade

Yep, that seems to work :slight_smile:.

Now, what if I want to port forward multiple ports? Do I have to make two rules for each port, or can I specify multiple ports inside one rule?

For example I want, ports 631, 3333 and 37777 to > 192.168.1.150 631, 3333, 37777

If it’s to the same host and protocol (tcp/udp) you can specify multiple port numbers with either a comma or dash for ranges.
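The following is an added illustration, not code from the thread or from MikroTik: a small Python model of how the dstnat and srcnat rules from the answer above act on one TCP handshake, covering both the hairpin fix and the multi-port syntax from the last reply. It walks a client's SYN through dst-nat, routing and src-nat, lets the DVR answer the address it saw, and checks whether the reply reaches the client from the address the client actually connected to. The public IP 203.0.113.10, router LAN address 192.168.1.1 and the two client addresses are constructed placeholders; the interface names, the DVR address and the ports are those from the thread.

```python
# Toy model of RouterOS dst-nat / src-nat on one TCP connection, written to
# show why the in-interface filter breaks hairpin access and why the extra
# masquerade rule is needed.  Added example, not from the thread or MikroTik.
from dataclasses import dataclass
from typing import Optional

PUBLIC_IP = "203.0.113.10"     # constructed stand-in for the fixed PPPoE address
ROUTER_LAN_IP = "192.168.1.1"  # assumed address of bridge-local
DVR = "192.168.1.150"
LAN_PREFIX = "192.168.1."      # 192.168.1.0/24, the only subnet the model needs


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    in_iface: str


@dataclass(frozen=True)
class Rule:
    chain: str                          # "dstnat" or "srcnat"
    action: str                         # "dst-nat" or "masquerade"
    dst_ports: frozenset = frozenset()  # empty means "any port"
    in_iface: Optional[str] = None
    dst_address_type: Optional[str] = None  # "local": any address the router owns
    src_lan: bool = False               # stands for src-address=192.168.1.0/24
    dst_address: Optional[str] = None
    out_iface: Optional[str] = None
    to_address: Optional[str] = None


def parse_ports(spec: str) -> frozenset:
    """RouterOS dst-port syntax: comma-separated values, dash for a range."""
    ports = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(part))
    return frozenset(ports)


def in_lan(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


def egress(dst: str) -> str:
    """Routing decision: LAN hosts via bridge-local, everything else via PPPoE."""
    return "bridge-local" if in_lan(dst) else "pppoe-out1"


def matches(rule: Rule, pkt: Packet, out_iface: str) -> bool:
    return all((
        not rule.dst_ports or pkt.dport in rule.dst_ports,
        rule.in_iface is None or pkt.in_iface == rule.in_iface,
        rule.dst_address_type != "local" or pkt.dst in (PUBLIC_IP, ROUTER_LAN_IP),
        not rule.src_lan or in_lan(pkt.src),
        rule.dst_address is None or pkt.dst == rule.dst_address,
        rule.out_iface is None or out_iface == rule.out_iface,
    ))


def router_forward(rules, pkt: Packet):
    """dstnat (prerouting), routing, srcnat (postrouting); first match wins.
    Returns the packet as sent on plus the conntrack entry (original, translated)."""
    cur = pkt
    for r in rules:
        if r.chain == "dstnat" and matches(r, cur, egress(cur.dst)):
            cur = Packet(cur.src, r.to_address, cur.sport, cur.dport, cur.in_iface)
            break
    out_iface = egress(cur.dst)
    for r in rules:
        if r.chain == "srcnat" and matches(r, cur, out_iface):
            new_src = PUBLIC_IP if out_iface == "pppoe-out1" else ROUTER_LAN_IP
            cur = Packet(new_src, cur.dst, cur.sport, cur.dport, cur.in_iface)
            break
    return cur, (pkt, cur)


def router_reverse(conntrack, reply: Packet) -> Packet:
    """Undo both translations for a reply belonging to a tracked connection."""
    orig, xlated = conntrack
    assert (reply.src, reply.sport, reply.dst, reply.dport) == (
        xlated.dst, xlated.dport, xlated.src, xlated.sport)
    return Packet(orig.dst, orig.src, orig.dport, orig.sport, reply.in_iface)


def connect(rules, client_ip: str, client_iface: str, port: int = 3333) -> str:
    """Simulate one client SYN to PUBLIC_IP:port and the DVR's SYN-ACK back."""
    syn = Packet(client_ip, PUBLIC_IP, 40000, port, client_iface)
    sent, ct = router_forward(rules, syn)
    if sent.dst != DVR:
        return "no dst-nat match: the SYN is for the router itself"
    # The DVR answers whatever source address it saw on the SYN.
    reply = Packet(DVR, sent.src, sent.dport, sent.sport, "bridge-local")
    if in_lan(reply.dst) and reply.dst != ROUTER_LAN_IP:
        delivered = reply  # same subnet: sent directly, the router never sees it
    else:
        delivered = router_reverse(ct, reply)
    if (delivered.src, delivered.sport) == (PUBLIC_IP, port):
        return "ok"
    return f"client drops reply from {delivered.src}:{delivered.sport}, expected {PUBLIC_IP}:{port}"


PORTS = parse_ports("631,3333,37777")  # the three ports asked about in the thread
# Rule from the question: filtered on in-interface=pppoe-out1.
ORIGINAL = [Rule("dstnat", "dst-nat", PORTS, in_iface="pppoe-out1", to_address=DVR)]
# dst-address-type=local instead of in-interface, but no hairpin rule yet.
NO_HAIRPIN = [Rule("dstnat", "dst-nat", PORTS, dst_address_type="local", to_address=DVR)]
# Corrected dstnat rule plus the srcnat masquerade from the answer.
HAIRPIN = NO_HAIRPIN + [Rule("srcnat", "masquerade", PORTS, src_lan=True,
                             dst_address=DVR, out_iface="bridge-local")]
EXTERNAL = ("198.51.100.7", "pppoe-out1")   # constructed client on another network
INTERNAL = ("192.168.1.20", "bridge-local")  # constructed client on the LAN

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("no hairpin", NO_HAIRPIN), ("hairpin", HAIRPIN)):
        print(f"{name:<11} external: {connect(rules, *EXTERNAL)}")
        print(f"{name:<11} LAN:      {connect(rules, *INTERNAL, port=37777)}")
```

Running it shows the three states the thread passes through: with the original rule the LAN client's SYN never matches dst-nat; with only `dst-address-type=local` the DVR answers the LAN client directly from 192.168.1.150, so the client sees a reply from an address it never connected to and drops it; with the masquerade rule the reply is forced back through the router, which restores the public address. Real conntrack also rewrites the source port under masquerade when needed and handles the RST the client would send in the broken case; the model keeps the port fixed because that detail does not change the outcome.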