lapsio
Long time Member
Topic Author
Posts: 514
Joined: Wed Feb 24, 2016 5:19 pm

force push local address to gateway? (to avoid Hairpin NAT)

Tue Aug 14, 2018 9:08 pm

Let's say I have public IP 66.66.66.66. I want to allow users from the LAN to access services exposed via the public IP. Unfortunately there's a quadrillion zone-like firewall rules, PBR, QoS and tons of other crap. Adding exceptions everywhere for such traffic would be a complete clusterf*ck and I'm trying to avoid it like fire. Also, seeing a LAN IP address as the source in server logs would be at best confusing and uncomfortable, because direct access from the LAN to the DMZ is obviously strictly forbidden. I can probably perform src-nat to the external IP, but quite serious firewall reworking would still be necessary.

I tried to use action=route in the mangle table, but it doesn't seem to work for packets recognized as belonging to the "input" chain.

Our old ISP router could perform such routing (so that packets incoming to the MikroTik had our external IP as source address), but since we replaced it with a pure modem, now we need to accomplish a similar thing with the MikroTik. Though it didn't really have any meaningful firewall for LAN traffic, so it probably had an easier task...

BartoszP
Forum Guru
Posts: 2880
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: force push local address to gateway? (to avoid Hairpin NAT)

Tue Aug 14, 2018 9:13 pm

What is wrong with Hairpin NAT? It is just the name of a technology which "other" routers do behind the scenes.
One line for NAT. That is all.

lapsio
Long time Member
Topic Author
Posts: 514
Joined: Wed Feb 24, 2016 5:19 pm

Re: force push local address to gateway? (to avoid Hairpin NAT)

Tue Aug 14, 2018 10:46 pm

What is wrong with Hairpin NAT? It is just the name of a technology which "other" routers do behind the scenes.
One line for NAT. That is all.
I just noticed that if I do what I just described, MikroTik accepts all dst-nated packets, bypassing all firewall rules whatsoever ._. That's the first thing. So basically when I add the second line here:
# chain=dstnat is required for a NAT rule; neither rule matches on dst-address,
# so every packet arriving on the interface is translated to 192.168.2.4
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=192.168.2.4 in-interface=gw-isp
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=192.168.2.4 in-interface=gw-core
It doesn't matter whether I do src-nat or not. It just accepts dst-nat'ed packets that are looped back to the same interface.

and now from the LAN I can access all servers on all ports (I mean packets are dropped by the core router, not by the edge MikroTik). What's interesting is that it doesn't happen for actually forwarded packets (ones that go out of a different interface than they came in on, so e.g. I can't access anything from the internet, only from the LAN). It's terrifying... HOW COULD ANYONE ACCEPT SUCH BEHAVIOR???

BartoszP
Forum Guru
Posts: 2880
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: force push local address to gateway? (to avoid Hairpin NAT)

Fri Aug 17, 2018 11:29 am


lapsio
Long time Member
Topic Author
Posts: 514
Joined: Wed Feb 24, 2016 5:19 pm

Re: force push local address to gateway? (to avoid Hairpin NAT)

Fri Aug 17, 2018 4:59 pm

In the end I used src-nat to the router's external IP, so basically hairpin NAT just with the public IP, not a private one. It works. Servers see my external public IP in their logs and packets are "properly" forwarded. Except for 2 issues:
1. I don't have a static IP, but I made a script that updates this rule along with sending the update to dyndns via API.
2. viewtopic.php?f=2&t=138032
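As an added illustration (not lapsio's own configuration or script), here is one way to build the setup described in this thread on RouterOS: a dst-nat rule that only translates traffic addressed to the public IP, a src-nat rule that rewrites hairpinned LAN traffic to that same public IP, forward-chain filter rules that match on the translated destination so the hairpin path is not left unfiltered, and a script that refreshes both NAT rules when the dynamic WAN address changes. The interface names gw-isp and gw-core, the server 192.168.2.4 and the public IP 66.66.66.66 come from the thread; the LAN subnet 192.168.1.0/24, TCP/443 and the rule comments are assumptions.

```routeros
# Added example, not lapsio's config. Assumed: WAN on gw-isp, LAN and DMZ reached
# via gw-core, server 192.168.2.4 on TCP/443, LAN clients in 192.168.1.0/24.
/ip firewall nat
# Match the public address explicitly: a dst-nat rule without dst-address
# translates every packet that arrives on the interface.
add chain=dstnat dst-address=66.66.66.66 protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.2.4 comment="pub-https-dstnat"
# Hairpin: LAN clients hitting the public IP are masked as the public IP, so the
# server logs the external address and its replies return through this router.
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.2.4 \
    protocol=tcp dst-port=443 out-interface=gw-core \
    action=src-nat to-addresses=66.66.66.66 comment="pub-https-hairpin"

/ip firewall filter
# Filter runs after dst-nat, so forward rules must match the translated
# destination; only the published port is allowed back out the same interface.
add chain=forward in-interface=gw-core out-interface=gw-core \
    dst-address=192.168.2.4 protocol=tcp dst-port=443 action=accept
add chain=forward in-interface=gw-core out-interface=gw-core \
    action=drop comment="no other hairpinned LAN to DMZ traffic"

# Script body (for /system script, run from /system scheduler or together with
# the dyndns update): read the current WAN address and rewrite both rules.
:local wanIp [/ip address get [find interface="gw-isp"] address]
:set wanIp [:pick $wanIp 0 [:find $wanIp "/"]]
/ip firewall nat set [find comment="pub-https-dstnat"] dst-address=$wanIp
/ip firewall nat set [find comment="pub-https-hairpin"] to-addresses=$wanIp
:log info "hairpin NAT rules updated to $wanIp"
```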
