Port Mapping *and* Hairpin NAT ?

In the documentation wiki I’ve followed the instructions so Internet hosts can hit my public IP on TCP port 4444 and get redirected to port 80 of host 10.0.6.17 inside my network.

Now what I am having trouble with is getting a configuration where hosts inside the network can hit my public IP on TCP 4444 and connect to port 80 of 10.0.6.17.

Can someone please show me how this is accomplished?

The documentation on hairpin NAT assumes the same port (not what I want). I have tried using a srcnat chain to masquerade in one rule but I can’t put the second srcnat rule to do the dst-nat and set the to-port (and that seems ugly anyway).

TIA,

–jg3

[SOLUTION]

Try only this rule:

/ip firewall nat
add action=dst-nat chain=dstnat comment="CATCH ONLY INPUT TRAFFIC" dst-address-type=local dst-port=4444 protocol=tcp to-addresses=10.0.6.17 to-ports=80

This rule WILL NOT interfere with legitimate traffic that goes from LAN to some internet server using the same port (4444).

It also works if you have a dynamic IP address.

It works on ROS v6.22

..also, if you are using POLICY ROUTING the rule in the last post will not work.
Please add this on TOP of mangle rule list:

/ip firewall mangle
add chain=prerouting comment="BYPASS POLICY ROUTING - HAIRPIN NAT" dst-address=!10.0.0.0/8 dst-address-type=local dst-port=4444 in-interface=LAN protocol=tcp



Hope this helps someone..
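
Added example, not part of the original posts: the dst-nat rule from the thread rewrites only the destination, so when the LAN client and 10.0.6.17 sit in the same subnet the server answers the client directly and the connection never completes unless a srcnat rule is paired with it. The 10.0.6.0/24 subnet is an assumption; the interface name LAN is taken from the mangle rule above.

```routeros
# Added example, not from the thread. Assumed: LAN subnet is 10.0.6.0/24.
/ip firewall nat
# 1. Port mapping from the post: TCP 4444 on any router-local address -> 10.0.6.17:80.
#    dst-address-type=local also matches the router's LAN-side addresses.
add chain=dstnat action=dst-nat protocol=tcp dst-address-type=local dst-port=4444 \
    to-addresses=10.0.6.17 to-ports=80 comment="port map 4444 -> 10.0.6.17:80"
# 2. Hairpin: srcnat runs after dst-nat, so match the translated
#    destination (10.0.6.17:80), not the original port 4444.
add chain=srcnat action=masquerade protocol=tcp src-address=10.0.6.0/24 \
    dst-address=10.0.6.17 dst-port=80 out-interface=LAN \
    comment="hairpin for LAN clients"
# Side effect: for hairpinned connections 10.0.6.17 logs the router's LAN
# address as the client, so its access logs no longer show the real source.
# After a test connection from the LAN, check the packet counters of both rules:
/ip firewall nat print stats
```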