Subdomain HAIRPIN NAT on local network

leikoilja · May 16, 2021, 8:14am

Hi all, I am struggling to setup hairpin NAT rules to enable reaching my server using subdomains.

My current working configuration involves port forwarding + hairpin NAT allowing me to connect to the server by specifying exact port:

[leikoilja@MikroTik Hub] > ip firewall nat print  
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN log=no log-prefix="" ipsec-policy=out,none 

 1    ;;; Hairpin NAT dst
      chain=dstnat action=dst-nat to-addresses=192.168.88.10 to-ports=8123 protocol=tcp dst-port=8123 log=no log-prefix="" 

 3    ;;; HomeAssistant Hairpin NAT src
      chain=srcnat action=masquerade protocol=tcp src-address=192.168.88.0/24 dst-address=192.168.88.10 dst-port=8123 log=no log-prefix="" 

 5    ;;; Raspberry Pi Hassio
      chain=dstnat action=dst-nat to-addresses=192.168.88.10 to-ports=8123 protocol=tcp dst-address=46.162.106.XX in-interface=all-ethernet dst-port=8123 log=no log-prefix="" 

10  ;;; Nginx proxy manager  
      chain=dstnat action=dst-nat to-addresses=192.168.88.10 to-ports=80 protocol=tcp in-interface=ether1 dst-port=80 log=no log-prefix="" 

11  ;;; Nginx proxy manager   
      chain=dstnat action=dst-nat to-addresses=192.168.88.10 to-ports=443 protocol=tcp in-interface=ether1 dst-port=443 log=no log-prefix=""

This works fine when I access my server like:
from LAN https://mydomain.com:8123 and from external https://mydomain.com:8123

Now the problem arises when i want to drop the port and just reach the server using subdomain like https://sub.mydomain.com
I setup the nginx proxy manager to point at 192.168.88.10:8123 when reaching on subdoian and it works fine when i access https://sub.mydomain.com from external network, but fails to connect when connecting from LAN. I believe I need to redo my HAIRPIT NAT rules, but i can’t seem to make it work.
Any help is highly appreciated

anav · May 16, 2021, 12:46pm

I would change the the extra source nat rule to
add chain=srcnat action=masquerade src-address=192.168.88.00/24 dst-address=192.168.88.0

Then you need to modify the destination nat rules:
chain=dstnat action=dst-nat to-addresses=192.168.88.10 to-ports=8123 protocol=tcp dst-port=8123 dst-address=46.162.106.XX
chain=dstnat action=dst-nat to-addresses=192.168.88.10 to-ports=80 protocol=tcp dst-port=80 dst-address=46.162.106.XX
chain=dstnat action=dst-nat to-addresses=192.168.88.10 to-ports=443 protocol=tcp dst-port=443 dst-address=46.162.106.XX

This assumes your wanip is 46.162.106.xx and is a static/fixed wanip. If not more work will need to be done,
If its a static fixed wanip then you could change the default source nat rule (either works) to
add chain=srcnat action=src-nat out-interface=eth1 to-addresses=46.162.106.xx

Finally, without a network diagram and a full config, its somewhat guesswork.

leikoilja · May 16, 2021, 6:34pm

Thank you @anav for getting back to me.

Ops, sorry for not including the full config and network diagram (not sure how to do one, but if it would be helpful, I ll try drawing one).
I have tried adding and modifying the NAT rules as you recommended and got partly successful, the requests to my subdomains are just “spinning” in the browser trying now instead of just being “refused connection” as before. Although, still can’t reach them. Maybe I’m still missing something in source nat rule now

Also, I am afraid I can’t rely on the fact that I have a static wanip, so I’d say it’s dynamic. Can you please refer me to how I can account for it?

Here is my full config export:

[leikoilja@MikroTik Hub] > export hide-sensitive
# may/16/2021 20:27:26 by RouterOS 6.47.8
# software id = 63WL-9G9C
#
# model = 2011UiAS-2HnD
# serial number = 467304B1DBAF
/caps-man channel
add control-channel-width=20mhz extension-channel=Ce frequency=2442 name=channel2G tx-power=13
add extension-channel=Ce frequency=5180 name=channel5G tx-power=13
/interface bridge
add admin-mac=4C:5E:0C:43:D6:3E auto-mac=no comment=defconf name=bridge
/interface wireless
# managed by CAPsMAN
# channel: 2442/20-Ce/gn(9dBm), SSID: The Apartment, CAPsMAN forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country=sweden distance=indoors installation=indoor mode=ap-bridge ssid="The Apartment" station-roaming=enabled wireless-protocol=802.11
/caps-man datapath
add bridge=bridge client-to-client-forwarding=yes name=datapath2G
add bridge=bridge client-to-client-forwarding=yes name=datapath5G
/caps-man security
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm,tkip group-encryption=aes-ccm name="Security config 2G"
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm,tkip group-encryption=aes-ccm name="Security config 5G"
/caps-man configuration
add channel=channel2G datapath=datapath2G mode=ap name=cfg2G rx-chains=0,1,2,3 security="Security config 2G" ssid="The Apartment" tx-chains=0,1,2,3
add channel=channel5G datapath=datapath5G mode=ap name=cfg5G rx-chains=0,1,2,3 security="Security config 5G" ssid="The Apartment-5G" tx-chains=0,1,2,3
/caps-man interface
add channel=channel5G configuration=cfg5G configuration.mode=ap datapath=datapath5G disabled=no mac-address=00:00:00:00:00:00 master-interface=none name=capsman radio-mac=00:00:00:00:00:00 radio-name="" security=\
    "Security config 5G"
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.11-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-script="# DNS TTL to set for DNS entries\
    \n:local dnsttl \"00:15:00\";\
    \n\
    \n###\
    \n# Script entry point\
    \n#\
    \n# Expected environment variables:\
    \n# leaseBound         1 = lease bound, 0 = lease removed\
    \n# leaseServerName    Name of DHCP server\
    \n# leaseActIP         IP address of DHCP client\
    \n#leaseActMAC      MAC address of DHCP client\
    \n###\
    \n\
    \n# \"a.b.c.d\" -> \"a-b-c-d\" for IP addresses used as replacement for missing host names\
    \n:local ip2Host do=\\\
    \n{\
    \n  :local outStr\
    \n  :for i from=0 to=([:len \$inStr] - 1) do=\\\
    \n  {\
    \n    :local tmp [:pick \$inStr \$i];\
    \n    :if (\$tmp =\".\") do=\\\
    \n    {\
    \n      :set tmp \"-\"\
    \n    }\
    \n    :set outStr (\$outStr . \$tmp)\
    \n  }\
    \n  :return \$outStr\
    \n}\
    \n\
    \n:local mapHostName do={\
    \n# param: name\
    \n# max length = 63\
    \n# allowed chars a-z,0-9,-\
    \n  :local allowedChars \"abcdefghijklmnopqrstuvwxyz0123456789-\";\
    \n  :local numChars [:len \$name];\
    \n  :if (\$numChars > 63) do={:set numChars 63};\
    \n  :local result \"\";\
    \n\
    \n  :for i from=0 to=(\$numChars - 1) do={\
    \n    :local char [:pick \$name \$i];\
    \n    :if ([:find \$allowedChars \$char] < 0) do={:set char \"-\"};\
    \n    :set result (\$result . \$char);\
    \n  }\
    \n  :return \$result;\
    \n}\
    \n\
    \n:local lowerCase do={\
    \n# param: entry\
    \n  :local lower \"abcdefghijklmnopqrstuvwxyz\";\
    \n  :local upper \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\";\
    \n  :local result \"\";\
    \n  :for i from=0 to=([:len \$entry] - 1) do={\
    \n    :local char [:pick \$entry \$i];\
    \n    :local pos [:find \$upper \$char];\
    \n    :if (\$pos > -1) do={:set char [:pick \$lower \$pos]};\
    \n    :set result (\$result . \$char);\
    \n  }\
    \n  :return \$result;\
    \n}\
    \n\
    \n:local token \"\$leaseServerName-\$leaseActMAC\";\
    \n:local LogPrefix \"DHCP2DNS (\$leaseServerName)\"\
    \n\
    \n:if ( [ :len \$leaseActIP ] <= 0 ) do=\\\
    \n{\
    \n  :log error \"\$LogPrefix: empty lease address\"\
    \n  :error \"empty lease address\"\
    \n}\
    \n\
    \n:if ( \$leaseBound = 1 ) do=\\\
    \n{\
    \n  # new DHCP lease added\
    \n  /ip dhcp-server\
    \n  #:local dnsttl [ get [ find name=\$leaseServerName ] lease-time ]\
    \n  network\
    \n  :local domain [ get [ find \$leaseActIP in address ] domain ]\
    \n  #:log info \"\$LogPrefix: DNS domain is \$domain\"\
    \n\
    \n  :local hostname [/ip dhcp-server lease get [:pick [find mac-address=\$leaseActMAC and server=\$leaseServerName] 0] value-name=host-name]\
    \n  #:log info \"\$LogPrefix: DHCP hostname is \$hostname\"\
    \n\
    \n #Hostname cleanup\
    \n  :if ( [ :len \$hostname ] <= 0 ) do=\\\
    \n  {\
    \n    :set hostname [ \$ip2Host inStr=\$leaseActIP ]\
    \n    :log info \"\$LogPrefix: Empty hostname for '\$leaseActIP', using generated host name '\$hostname'\"\
    \n  }\
    \n  :set hostname [\$lowerCase entry=\$hostname]\
    \n  :set hostname [\$mapHostName name=\$hostname]\
    \n  #:log info \"\$LogPrefix: Clean hostname for FQDN is \$hostname\";\
    \n\
    \n  :if ( [ :len \$domain ] <= 0 ) do=\\\
    \n  {\
    \n    :log warning \"\$LogPrefix: Empty domainname for '\$leaseActIP', cannot create static DNS name\"\
    \n    :error \"Empty domainname for '\$leaseActIP'\"\
    \n  }\
    \n\
    \n  :local fqdn (\$hostname . \".\" .  \$domain)\
    \n  #:log info \"\$LogPrefix: FQDN for DNS is \$fqdn\"\
    \n\
    \n    :if ([/ip dhcp-server lease get [:pick [find mac-address=\$leaseActMAC and server=\$leaseServerName] 0] ]) do={\
    \n      # :log info message=\"\$LogPrefix: \$leaseActMAC -> \$hostname\"\
    \n      :do {\
    \n        /ip dns static add address=\$leaseActIP name=\$fqdn ttl=\$dnsttl comment=\$token;\
    \n      } on-error={:log error message=\"\$LogPrefix: Failure during dns registration of \$fqdn with \$leaseActIP\"}\
    \n    }\
    \n\
    \n} else={\
    \n# DHCP lease removed\
    \n  /ip dns static remove [find comment=\$token];\
    \n}" name=DhcpWithScript
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
add name=homeassistant policy=read,test,api,!local,!telnet,!ssh,!ftp,!reboot,!write,!policy,!winbox,!password,!web,!sniff,!sensitive,!romon,!dude,!tikapp
/caps-man manager
set enabled=yes upgrade-policy=suggest-same-version
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=cfg2G
add action=create-dynamic-enabled hw-supported-modes=an,ac master-configuration=cfg5G
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireless cap
#
set bridge=bridge caps-man-addresses=127.0.0.1 discovery-interfaces=bridge enabled=yes interfaces=wlan1
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
add address=87.96.165.183/25 interface=ether1 network=87.96.165.128
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.88.11 mac-address=00:17:88:A6:88:5D server=DhcpWithScript
add address=192.168.88.12 comment="Xiomi Desk Lamp" mac-address=F0:B4:29:C5:6D:71 server=DhcpWithScript
add address=192.168.88.13 client-id=1:c4:ad:34:e4:39:3c mac-address=C4:AD:34:E4:39:3C server=DhcpWithScript
add address=192.168.88.10 client-id=1:b8:27:eb:5d:10:2b comment="Hassio - old" disabled=yes mac-address=B8:27:EB:5D:10:2B server=DhcpWithScript
add address=192.168.88.15 client-id=1:8:66:98:8b:46:dd comment=AppleTV mac-address=08:66:98:8B:46:DD server=DhcpWithScript
add address=192.168.88.16 client-id=1:c0:d2:dd:79:4f:39 comment=Android-dashboard mac-address=C0:D2:DD:79:4F:39 server=DhcpWithScript
add address=192.168.88.14 client-id=1:48:8f:5a:6d:0:83 mac-address=48:8F:5A:6D:00:83 server=DhcpWithScript
add address=192.168.88.9 comment="Ikea Tradfri gateway" mac-address=58:D5:0A:B3:A7:A3 server=DhcpWithScript
add address=192.168.88.17 comment="Broadlink remote" mac-address=24:DF:A7:7A:8E:51 server=DhcpWithScript
add address=192.168.88.8 client-id=1:b8:27:eb:c0:ef:3f comment=Pihole mac-address=B8:27:EB:C0:EF:3F server=DhcpWithScript
add address=192.168.88.41 comment="Big Nest speaker" mac-address=14:C1:4E:32:3D:7F server=DhcpWithScript
add address=192.168.88.31 mac-address=44:07:0B:42:0C:B6 server=DhcpWithScript
add address=192.168.88.10 client-id=1:dc:a6:32:76:ee:a7 comment=HomeAssistant mac-address=DC:A6:32:76:EE:A7 server=DhcpWithScript
add address=192.168.88.18 client-id=1:90:2b:34:5f:4a:51 comment="Next Cloud server" mac-address=90:2B:34:5F:4A:51 server=DhcpWithScript
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.8 domain=local gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
add address=192.168.88.34 comment=DhcpWithScript-3C:71:BF:F0:B3:78 name=192-168-88-34.local ttl=15m
add address=192.168.88.17 comment=DhcpWithScript-24:DF:A7:7A:8E:51 name=rm3-7a-8e-51--.local ttl=15m
add address=192.168.88.13 comment=DhcpWithScript-C4:AD:34:E4:39:3C name=mikrotik-cap-ap-living-room.local ttl=15m
add address=192.168.88.14 comment=DhcpWithScript-48:8F:5A:6D:00:83 name=mikrotik-cap-ap-hallway.local ttl=15m
add address=192.168.88.11 comment=DhcpWithScript-00:17:88:A6:88:5D name=philips-hue.local ttl=15m
add address=192.168.88.15 comment=DhcpWithScript-08:66:98:8B:46:DD name=family-room.local ttl=15m
add address=192.168.88.23 comment=DhcpWithScript-50:D4:F7:5E:BB:B6 name=hs100.local ttl=15m
add address=192.168.88.9 comment=DhcpWithScript-58:D5:0A:B3:A7:A3 name=gw-58d50ab3a7a3.local ttl=15m
add address=192.168.88.18 comment=DhcpWithScript-90:2B:34:5F:4A:51 name=nextcloud.local ttl=15m
add address=192.168.88.24 comment=DhcpWithScript-50:D4:F7:5E:BF:6B name=hs100.local ttl=15m
add address=192.168.88.41 comment=DhcpWithScript-14:C1:4E:32:3D:7F name=nest-audio.local ttl=15m
add address=192.168.88.26 comment=DhcpWithScript-F0:EF:86:07:F5:7F name=google-nest-mini.local ttl=15m
add address=192.168.88.33 comment=DhcpWithScript-E4:F0:42:56:FE:DF name=google-home-mini.local ttl=15m
add address=192.168.88.31 comment=DhcpWithScript-44:07:0B:42:0C:B6 name=google-home-mini.local ttl=15m
add address=192.168.88.30 comment=DhcpWithScript-78:4F:43:5D:63:E5 name=macs-mbp.local ttl=15m
add address=192.168.88.32 comment=DhcpWithScript-32:E2:15:4F:98:71 name=josef-s-s10.local ttl=15m
add address=192.168.88.28 comment=DhcpWithScript-BC:83:85:EE:CB:03 name=desktop-tdi4gvl.local ttl=15m
add address=192.168.88.19 comment=DhcpWithScript-A6:A6:CD:64:D9:9C name=ll.local ttl=15m
add address=192.168.88.45 comment=DhcpWithScript-A0:78:17:71:3F:86 name=macbook-pro-4.local ttl=15m
add address=192.168.88.10 comment=DhcpWithScript-DC:A6:32:76:EE:A7 name=homeassistant.local ttl=15m
add address=192.168.88.25 comment=DhcpWithScript-AE:82:F2:D7:81:2C name=ipad.local ttl=15m
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Nginx Proxy Manager " dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.88.10 to-ports=80
add action=dst-nat chain=dstnat comment="Nginx Proxy Manager " dst-port=443 in-interface=ether1 protocol=tcp to-addresses=192.168.88.10 to-ports=443
add action=dst-nat chain=dstnat comment="Hairpin DST - homeassistent" disabled=yes dst-port=443 in-interface=bridge protocol=tcp to-addresses=192.168.88.10 to-ports=443
add action=masquerade chain=srcnat comment="HAIRPIN SRC - test" dst-address=192.168.88.0 protocol=tcp src-address=192.168.88.0/24 to-addresses=192.168.88.10
add action=dst-nat chain=dstnat comment="Raspberry Pi Hassio" disabled=yes dst-port=8123 protocol=tcp to-addresses=192.168.88.10 to-ports=8123
add action=dst-nat chain=dstnat comment="Hairpin DST - nextcloud" disabled=yes dst-port=443 protocol=tcp to-addresses=192.168.88.10 to-ports=8124
add action=masquerade chain=srcnat comment="Hairpin SRC - nextcloud" disabled=yes dst-address=192.168.88.10 dst-port=8124 protocol=tcp src-address=192.168.88.0/24
add action=dst-nat chain=dstnat comment="Next Cloud server" disabled=yes dst-port=8222 in-interface=all-ethernet protocol=tcp to-addresses=192.168.88.18 to-ports=443
add action=dst-nat chain=dstnat comment="Mikrotik SSH" disabled=yes dst-port=795 in-interface=ether1 protocol=tcp to-addresses=192.168.88.1 to-ports=22
add action=dst-nat chain=dstnat comment="RPi SSH - 794" disabled=yes dst-port=794 in-interface=ether1 protocol=tcp to-addresses=192.168.88.10 to-ports=22
add action=dst-nat chain=dstnat comment="Next Cloud SSH - 793" disabled=yes dst-port=793 in-interface=ether1 protocol=tcp to-addresses=192.168.88.18 to-ports=22
add action=dst-nat chain=dstnat dst-address=87.96.165.183 dst-port=8123 protocol=tcp to-addresses=192.168.88.10 to-ports=8123
add action=dst-nat chain=dstnat dst-address=87.96.165.183 dst-port=80 protocol=tcp to-addresses=192.168.88.10 to-ports=80
add action=dst-nat chain=dstnat dst-address=87.96.165.183 dst-port=443 protocol=tcp to-addresses=192.168.88.10 to-ports=443
add action=dst-nat chain=dstnat dst-address=87.96.165.183 dst-port=8124 protocol=tcp to-addresses=192.168.88.10 to-ports=8124
/ip service
set www port=82
set www-ssl certificate=Webfig
/ip ssh
set always-allow-password-login=yes
/lcd interface pages
set 0 interfaces=wlan1
/system clock
set time-zone-name=Europe/Stockholm
/system identity
set name="MikroTik Hub"
/system routerboard settings
set auto-upgrade=yes cpu-frequency=700MHz silent-boot=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

anav · May 16, 2021, 10:00pm

Too funny, you can use complicated scripts for iP lease and conduct capsman programming, stuff I dont dream of trying, but no plain port fowarding.
Oh well, its fun at least.

This error I see thus far…
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0or
interface should be the BRIDGE!!

Okay so lets look at the nat rules… assuming dynamic WAN IP
/ip firewall nat
add action=masquerade chain=srcnat comment=“HAIRPIN” dst-address=192.168.88.0/24 src-address=192.168.88.0/24 (Modified to be correct)
add action=masquerade chain=srcnat comment=“defconf: masquerade” ipsec-policy=out,none out-interface-list=WAN (OKAY)
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Also be advised you cannot have duplicates of destination port. The router will not know where to send them…
The rules for destination nat are duplicated and messy as heck, delete them all.

We have these three rules for destination nat, correct??
chain=dstnat action=dst-nat to-addresses=192.168.88.10 to-ports=8123 protocol=tcp dst-port=8123 dst-address=46.162.106.XX
chain=dstnat action=dst-nat to-addresses=192.168.88.10 to-ports=80 protocol=tcp dst-port=80 dst-address=46.162.106.XX
chain=dstnat action=dst-nat to-addresses=192.168.88.10 to-ports=443 protocol=tcp dst-port=443 dst-address=46.162.106.XX

What they should look like (quick and dirty by using config trickery for dynamic WAN):
add chain=dstnat action=dst-nat dst-address-type=local dst-address=!192.168.8.1 protocol=tcp dst-port=8123 to-addresses=192.168.88.10
add chain=dstnat action=dst-nat dst-address-type=local dst-address=!192.168.8.1 protocol=tcp dst-port=80 to-addresses=192.168.88.10
add chain=dstnat action=dst-nat dst-address-type=local dst-address=!192.168.8.1 protocol=tcp dst-port=443 to-addresses=192.168.88.10

A more elegant solution…
https://www.youtube.com/watch?v=_kw_bQyX-3U&t=186s

In a nutshell: We are mimicking the case with static/fixed WANIP that simply can use dst-address by ALWAYS getting the current wanip. Enable the IP cloud available in MT, copy the ddns long winded host name on the router and put it in the firewall address list and name the list “myWANIP”. The firewall list will resolve the name to your current wanip.

then your rules become:
add chain=dstnat action=dst-nat dst-address-list=myWANIP protocol=tcp dst-port=8132 to-addresses=192.168.88.10
add chain=dstnat action=dst-nat dst-address-list=myWANIP protocol=tcp dst-port=80 to-addresses=192.168.88.10
add chain=dstnat action=dst-nat dst-address-list=myWANIP protocol=tcp dst-port=443 to-addresses=192.168.88.10

Of course you could make this one single rule
add chain=dstnat action=dst-nat dst-address-list=myWANIP protocol=tcp dst-port=8132,80,443 to-addresses=192.168.88.10

leikoilja · May 17, 2021, 7:21am

haha, this is exactly what happens when you have “high demands on home network, but have no skills or knowledge in this area”. All the setup I have now came throughout the years by googling and asking help from competent people as you
Thanks tons and tons for you help and especially for the youtube reference about “cloud” feature and firewall nat address list.
I have implemented all your suggestion and it works smoothly now!

This is the final version of NAT rules

[leikoilja@MikroTik Hub] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0    ;;; HAIRPIN NAT
      chain=srcnat action=masquerade to-addresses=192.168.88.10 protocol=tcp src-address=192.168.88.0/24 dst-address=192.168.88.0/24 log=no log-prefix=""

 1    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN log=no log-prefix="" ipsec-policy=out,none

 2    ;;; Nginx Proxy Manager
      chain=dstnat action=dst-nat to-addresses=192.168.88.10 to-ports=80 protocol=tcp in-interface=ether1 dst-port=80 log=no log-prefix=""

 3    ;;; Nginx Proxy Manager
      chain=dstnat action=dst-nat to-addresses=192.168.88.10 to-ports=443 protocol=tcp in-interface=ether1 dst-port=443 log=no log-prefix=""

 8    ;;; Hairpin DST - homeassistant
      chain=dstnat action=dst-nat to-addresses=192.168.88.10 to-ports=8123 protocol=tcp dst-address-type=local dst-address-list=WAN-IP dst-port=8123 log=no log-prefix=""

 9    ;;; Hairpin DST - nginx proxy manager
      chain=dstnat action=dst-nat to-addresses=192.168.88.10 to-ports=80 protocol=tcp dst-address-type=local dst-address-list=WAN-IP dst-port=80 log=no log-prefix=""

10    ;;; Hairpin DST - nginx proxy manager
      chain=dstnat action=dst-nat to-addresses=192.168.88.10 to-ports=443 protocol=tcp dst-address-type=local dst-address-list=WAN-IP dst-port=443 log=no log-prefix=""

11    ;;; Hairpin DST - nextcloud
      chain=dstnat action=dst-nat to-addresses=192.168.88.10 to-ports=8124 protocol=tcp dst-address-type=local dst-address-list=WAN-IP dst-port=8124 log=no log-prefix=""

Having the last 4 rules in a one-liner would be so much better, but UI or console doesn’t seem to allow me to specify multiple ones, maybe because of my RouterOS v6.47.8. I’ll update to the latest and try again.
Thanks @anav for the help!

anav · May 17, 2021, 9:53pm

Four rules, I only saw three, ports 80,442 and 8132 to the same IP.
What is the fourth rule…

For example here is one of my rules and no the version should not matter as only recent ones are available and all work
add action=dst-nat chain=dstnat comment=“CompanyA_TCP”
dst-port=1001,30578,3282,4283,9799 in-interface-list=WAN log=yes
protocol=tcp src-address-list=Technicians to-addresses=192.168.2.2

You will note that I dont leave open ended dstnat rules, they are always limited to a source address list.

leikoilja · May 19, 2021, 7:45pm

@anav, thanks so much!
Indeed, it was not the router os problem, but me being silly and trying to put destination ports under to-ports field, when in reality they obviously have to go under dst-port, spotted it thanks to your config line.

So now it all smooth and pretty like

11    ;;; Hairpin DST - Raspberry Pi
      chain=dstnat action=dst-nat to-addresses=192.168.88.10 protocol=tcp dst-address-type=local dst-address-list=WAN-IP dst-port=8124,8123,80,443 log=no log-prefix=""

The 4th port is one of the other web servers I’m loading on my raspberry. A few home automation stuff like homeassistant(port 8123), nextcloud and nginx proxy manager.

Also you explicitly mention that you don’t leave open ended dstnat rules, they are always limited to a source address list for you. Is there any security reason for that? And if so, what is “Technicians” list look like in your case?

anav · May 19, 2021, 10:46pm

Couple of reasons.
I like to limit exposure of ports on the net.
When one uses a firewall address list as source address on a dst nat rule.
the port is not visible on scanning from the internet.

If one does NOT use a source address list, the port is visible on generic scans but appears closed.

Also it just is an easy limiting.control on access, not foolproof but some protection.