[SOLVED] HAIRPIN NAT not working

Hi all, I'm facing an issue with hairpin NAT.

I have a basic setup (from scratch).

Local lan : 192.168.88.0/24
Gateway : 192.168.88.1
WAN via PPPoE (IP 100.100.100.100)
Version : 6.35

I have a NAT rule for direct access to a camera; it is working from outside. By the way, if I try to reach it from my local LAN via its WAN IP (http://100.100.100.100), it does not work.

As before, I added a NAT rule:

/ip firewall nat
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.238 protocol=tcp dst-port=80 out-interface=bridge-local action=masquerade

I do not have a drop rule in the forward chain. I cannot see any packets hitting my rule (it is in first position).

It was working with previous versions of Mikrotik.

Any help would be appreciated.

thank you in advance,

Kind Regards,

Post also your dstnat rule.

Hello, here it is:

/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.88.129 src-address=192.168.88.0/24
add action=masquerade chain=srcnat out-interface=pppoe-explore src-address=192.168.88.0/24
add action=dst-nat chain=dstnat dst-port=80 in-interface=pppoe-explore protocol=tcp to-addresses=192.168.88.129 to-ports=80

Thank you

Your rule has in-interface=pppoe-explore. It won’t match connections coming from LAN. Change it to:

dst-address-type=local dst-address=!192.168.88.1

Hello, this rule is there to access the camera from outside (pppoe-explore).

OK, I've added a new rule with your settings and it is working now, thank you.

Can you explain to me why a simple hairpin NAT rule does not work anymore?

You need only one port forwarding rule (dstnat); if you now have two, you can remove the old one. The hairpin NAT rule (srcnat) worked fine, but it was not given any chance to do anything, because port forwarding was limited to pppoe-explore as the source interface.

OK, thank you very much for your great help.

Thanks from me too!!

FWIW, I had been wrestling with this issue for years and finally got it thanks to this thread. For completeness, here is an actual working hairpin NAT with port forwarding configuration:

The first srcnat rule is the local-to-internet masquerade. The second srcnat rule is the local-to-local masquerade. The dstnat rule forwards local and external traffic to port 1234 of external_ip to 192.168.88.120:1234.

/ip firewall nat export
# jul/13/2016 17:35:49 by RouterOS 6.27
# software id = A7N0-8U7V
#
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="hairpin nat" dst-address=!192.168.88.1 src-address=192.168.88.0/24
...
add action=dst-nat chain=dstnat dst-address=!192.168.88.1 dst-address-type=local dst-port=1234 log-prefix="" protocol=tcp to-addresses=192.168.88.120 to-ports=\
    1234

Thanks jhgorse, your last post saved me lots of time!

Replaced my 8 year old dlink router with a new RouterBoard running v6.38.5. Got it working, the wifi all set up and secured. The basics are all good to go.
So far I’ve read the hairpin nat wiki and a few other various posts.

Added 2 NAT rules as specified in the wiki, but the webserver is still being blocked over port 8080. The webserver is configured to run on both 80 and 8080. Using the local ip:80 it comes right up. The local ip:8080, nothing. It also runs a dynamic DNS service, and is configured to point to my public ip:8080, since Cox doesn't allow outbound port 80. Incoming 8080 traffic to my internet IP needs to be routed to the webserver on the 192 network, same port 8080.

Tried this rule first:
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=8080 in-interface=ether1 protocol=tcp to-addresses=192.168.0.200 to-ports=8080

Anyway, this didn't work. Then I read the hairpin NAT wiki. It has 2 rules, the first being very similar to the above, with the addition of
dst-address=(my public ip)
and the removal of the
to-ports=8080
for the first rule, and a second rule of
add chain=srcnat out-interface=ether1 action=masquerade
Added the second rule. Still no luck, even on the local ip:8080. I’ve tried it both with and without the to-ports setting. Doesn’t work either way.

So then I found this thread, looks promising. I am not using pppoe, so perhaps me copying it nearly verbatim is my issue. Here is my current config after updating the NAT rules:

[admin@MikroTik] > ip firewall nat export
# apr/26/2017 19:49:55 by RouterOS 6.38.5
# software id = T5XA-V4CM
#
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
add action=masquerade chain=srcnat comment="Hairpin Nat" dst-address=!192.168.0.1 src-address=192.168.0.0/24
add action=dst-nat chain=dstnat comment="8080 Forward to webserver" dst-address=!192.168.0.1 dst-address-type=local dst-port=8080 protocol=tcp to-addresses=192.168.0.200 to-ports=8080

The differences I can see are that there is no "in-interface" specified, and the dst-address uses not-equal (!) entries. Hoping someone can help me get this working.

Turns out my rules above were good. The webserver wasn’t serving on 8080 for some reason… When it didn’t work locally on 8080 I thought the firewall was blocking it between the ethernet ports.

Changed my to-ports to 80, works fine now.

Hello, I've got the same problem. I'd like to scan my MikroTik router's public IP. But every time I run nmap it shows the open ports of the LAN interface, not the WAN interface.

Here are my ip firewall nat rules:

chain=srcnat action=masquerade src-address-list=portlane out-interface=portlane 
chain=srcnat action=masquerade out-interface=eth1-gw

out-interface=portlane – vpn tunnel
out-interface=eth1-gw – isp port

Reading this https://wiki.mikrotik.com/wiki/Hairpin_NAT I’ve decided to add:

chain=srcnat action=masquerade src-address=10.2.0.0/22 dst-address=10.2.0.1 out-interface=bridge

10.2.0.0/22 – LAN
10.2.0.1 – mikrotik router

But it doesn’t work. Could you please point out if I’m mistaken? Thanks in advance.

You have some internal server with address 10.2.0.X and one or more dstnat rules to forward traffic from public address to 10.2.0.X, right? If so, you want dst-address=10.2.0.X in your last rule. If it does not help, post more info (exact dstnat rule(s), additional details about what exactly are you trying to do, etc…).

Hello Sob.
There are only two rules, to redirect all DNS requests to the MikroTik:

chain=dstnat action=dst-nat to-addresses=10.2.0.1 to-ports=53 protocol=tcp in-interface=bridge dst-port=53 log=no log-prefix="" 
chain=dstnat action=dst-nat to-addresses=10.2.0.1 to-ports=53 protocol=udp in-interface=bridge dst-port=53 log=no log-prefix=""

The point is, I'd like to be able to scan my MikroTik router's external interface from any LAN client.
Exactly, I'd like to run nmap -sS -Pn -vvv -O external_ip and see the external interface, not the 10.2.0.1 I see now with open tcp/80 and tcp/8291 ports. And pointing at the internal 10.2.0.1 IP I'd like to see all open ports as they should be.

nmap -sS -Pn -vvv -O external_ip

This should let me see all ports on the external interface of the MikroTik.

I don't think you can do that. If you have some service running on the router (e.g. WinBox on tcp/8291), it's listening on all addresses/interfaces. Even if you limit allowed client addresses in "/ip services", it won't allow you to connect from elsewhere, but the port will still show as open from everywhere. And if you block incoming connections from the internet using the firewall (e.g. /ip firewall filter add chain=input protocol=tcp dst-port=8291 in-interface=WAN action=drop), so that no one from the internet will be able to connect, you'll get false results when testing from LAN, because no matter what you do, in-interface will be LAN and the rule won't match. In short, if you want to reliably test what's available from outside, you need to do it from outside.

Thank you Sob, but it's rather strange. I'm sure I could do this even on basic Tomato firmware on a Linksys WRT54GL, for example: one checkbox named "NAT loopback" and it works.

Quick Google search gave me this and that’s exactly what you can do with hairpin NAT in RouterOS.

It's when you have some internal service (e.g. a webserver), want it available from the internet (so you forward a port from the public address to the internal one), and you also want to be able to connect to this server using the public address from a client in the same LAN as the server. It doesn't work by default, and the wiki page you found explains why and how to fix it.

But when you don’t have any such internal server, this functionality can’t do anything useful for you.
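As an added illustration of the two explanations above (why the in-interface=pppoe-explore dstnat rule never sees LAN traffic, and why the extra srcnat "hairpin" masquerade is needed at all), here is a small Python model of how the router walks its dstnat and srcnat chains for one packet. This is example code written for this thread, not RouterOS itself or anything from MikroTik; rule semantics are reduced to the matchers used in the posts (in-interface, out-interface, protocol, dst-port, src-address, dst-address with "!" negation, dst-address-type=local), the routing decision is simplified to "LAN subnet via bridge-local, everything else via pppoe-explore", and the internet client 203.0.113.5 and LAN client 192.168.88.50 are constructed; the router, server and public addresses are the ones from the original post.

```python
"""Model of RouterOS NAT chain traversal for hairpin traffic (added example, not RouterOS code)."""
import ipaddress
from dataclasses import dataclass, replace

LAN = ipaddress.ip_network("192.168.88.0/24")
ROUTER_LAN_IP = "192.168.88.1"
ROUTER_WAN_IP = "100.100.100.100"          # PPPoE address from the thread
SERVER = "192.168.88.129"                  # the camera behind the port forward
LOCAL_ADDRS = {ROUTER_LAN_IP, ROUTER_WAN_IP}   # addresses the router owns (dst-address-type=local)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    in_iface: str = "bridge-local"


def _addr_match(spec, ip):
    """RouterOS-style address matcher: '!' in front negates, bare host means /32."""
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def matches(rule, pkt, out_iface=None):
    """True when every matcher present in the rule fits the packet (absent matchers match anything)."""
    checks = {
        "in-interface": lambda v: pkt.in_iface == v,
        "out-interface": lambda v: out_iface == v,
        "protocol": lambda v: pkt.proto == v,
        "dst-port": lambda v: pkt.dport == v,
        "src-address": lambda v: _addr_match(v, pkt.src),
        "dst-address": lambda v: _addr_match(v, pkt.dst),
        "dst-address-type": lambda v: v == "local" and pkt.dst in LOCAL_ADDRS,
    }
    return all(checks[k](v) for k, v in rule.items() if k in checks)


def route(pkt):
    """Simplified routing decision taken after dstnat."""
    return "bridge-local" if ipaddress.ip_address(pkt.dst) in LAN else "pppoe-explore"


def nat_path(rules, pkt):
    """Walk dstnat (prerouting), routing, then srcnat (postrouting).
    Returns (final packet, verdict, comments of the rules that matched)."""
    hits = []
    for r in (r for r in rules if r["chain"] == "dstnat"):      # first match wins
        if matches(r, pkt):
            pkt = replace(pkt, dst=r["to-addresses"], dport=r.get("to-ports", pkt.dport))
            hits.append(r["comment"])
            break
    if pkt.dst in LOCAL_ADDRS:                                  # nothing rewrote it: router input chain
        return pkt, "input: handled by the router itself", hits
    out = route(pkt)
    for r in (r for r in rules if r["chain"] == "srcnat"):
        if matches(r, pkt, out):
            pkt = replace(pkt, src=ROUTER_WAN_IP if out == "pppoe-explore" else ROUTER_LAN_IP)
            hits.append(r["comment"])
            break
    # Same-segment forward with the client's own source left intact: the server answers the
    # client directly, the client sees a reply from the wrong address, and the connection fails.
    if out == pkt.in_iface and pkt.src != ROUTER_LAN_IP:
        return pkt, "forward: server replies straight to the client, bypassing the router (fails)", hits
    return pkt, "forward: reply returns through the router", hits


# Rule sets from the thread (constructed dicts mirroring the posted RouterOS lines)
WAN_MASQ = {"chain": "srcnat", "comment": "masquerade to internet", "action": "masquerade",
            "out-interface": "pppoe-explore", "src-address": "192.168.88.0/24"}
HAIRPIN = {"chain": "srcnat", "comment": "hairpin nat", "action": "masquerade",
           "src-address": "192.168.88.0/24", "dst-address": SERVER}
FWD_BY_IFACE = {"chain": "dstnat", "comment": "dst-nat in-interface=pppoe-explore", "action": "dst-nat",
                "in-interface": "pppoe-explore", "protocol": "tcp", "dst-port": 80,
                "to-addresses": SERVER, "to-ports": 80}
FWD_BY_LOCAL = {"chain": "dstnat", "comment": "dst-nat dst-address-type=local", "action": "dst-nat",
                "dst-address-type": "local", "dst-address": "!" + ROUTER_LAN_IP,
                "protocol": "tcp", "dst-port": 80, "to-addresses": SERVER, "to-ports": 80}

BROKEN = [HAIRPIN, WAN_MASQ, FWD_BY_IFACE]     # the original poster's set
FIXED = [HAIRPIN, WAN_MASQ, FWD_BY_LOCAL]      # after Sob's change
NO_HAIRPIN = [WAN_MASQ, FWD_BY_LOCAL]          # port forward only, no hairpin masquerade

FROM_INTERNET = Packet(src="203.0.113.5", dst=ROUTER_WAN_IP, dport=80, in_iface="pppoe-explore")
FROM_LAN = Packet(src="192.168.88.50", dst=ROUTER_WAN_IP, dport=80)

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN), ("fixed", FIXED), ("no hairpin", NO_HAIRPIN)):
        for pkt in (FROM_INTERNET, FROM_LAN):
            final, verdict, hits = nat_path(rules, pkt)
            print(f"{name:10} {pkt.src}->{pkt.dst}:{pkt.dport}  =>  {final.src}->{final.dst}  {verdict}  {hits}")
```

Running it shows the three cases from the thread side by side: with the in-interface rule the LAN packet is never rewritten and lands on the router's own input chain (the router's web UI, which is what the nmap poster sees); with dst-address-type=local the forward happens and the hairpin masquerade swaps the source for the router's LAN address so the server's reply comes back through the router; and without the hairpin srcnat rule the forward still happens but the server answers the client directly from 192.168.88.129, which the client never accepts.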

Good day guys,
Sorry to wake up an old post, but I have a similar problem except I am running through 2 routers.
My setup is the following (I actually have 3 internet routers for fail-over, all on Eth1 to Eth3 of my Office MikroTik, with routes for the fail-over, but I am sure that if I can get the main one working the others will be easy and probably work without any additional config):

Mikrotik 1 Internet:
IP → 192.168.1.1
Internet → PPPoE with static public address of 169.255.XXX.XXX

Mikrotik 2 Office:
IP → 192.168.230.1
IP of Eth1 connecting to Mikrotik 1 → 192.168.1.2
Network 1 → 192.168.230.0/24 “for all static devices like cameras and servers”
Network 2 → 192.168.220.0/24 “for all devices like phones and laptops that connects to our wireless”

I have my DNS set up with the IP/Cloud feature pointing to Mikrotik 1, and all my servers and cameras which need to be reached from outside are working like they should with no issues. The only problem I am having is configuring the hairpin NAT rule so that devices inside our office on the 192.168.220.0/24 network, and also the 192.168.230.0/24 servers, can reach our other services and cams using the DNS name and corresponding port.
Can someone maybe guide me in the right direction?

Thank you