erkexzcx
Member Candidate
Topic Author
Posts: 175
Joined: Mon Oct 07, 2019 11:42 pm

Hairpin NAT - the easy way

Sun Feb 07, 2021 4:54 pm

Decided to write a simple guide on Hairpin NAT, because quite a lot of users struggle to understand how to set it up.

I am not a networking professional and I am open to any criticism on how to implement it in a better way.

Official wiki page by Mikrotik regarding Hairpin NAT: https://wiki.mikrotik.com/wiki/Hairpin_NAT

Step 1 - add LANs to "address-list"

List all your LANs like this:
/ip firewall address-list add address=192.168.10.0/24 comment=Management list=LANs
/ip firewall address-list add address=192.168.11.0/24 comment=Work list=LANs
/ip firewall address-list add address=192.168.12.0/24 comment=Security list=LANs
/ip firewall address-list add address=192.168.13.0/24 comment=Home list=LANs
/ip firewall address-list add address=192.168.14.0/24 comment=Guest list=LANs

Step 2 - add WANs to "address-list"

If you have a single dynamic IP - add your "/ip cloud" domain to the address-list named "WANs" and Mikrotik will automatically resolve it to an IP. Using a custom script in "/ip dhcp-client" is another option to keep the WAN IP address in the address-list updated.
If you have multiple WANs - it gets a little more complicated. I've written a simple solution for multiple dynamic WANs here: viewtopic.php?f=9&t=171049#p836067

List all your WANs like this:
/ip firewall address-list add address=123.123.123.123 list=WANs

Step 3 - mark connections from LANs to WANs

Use this rule:
/ip firewall mangle add action=mark-connection chain=prerouting comment="Mark connections for hairpin NAT" dst-address-list=WANs new-connection-mark="Hairpin NAT" passthrough=yes src-address-list=LANs

Step 4 - perform Hairpin NAT

Use this rule, placed before any other NAT rule:
/ip firewall nat add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark="Hairpin NAT" place-before=0

Step 5 - port forwarding

Set up port forwarding like this:
/ip firewall nat add action=dst-nat chain=dstnat comment="Port forward: something1" dst-address-list=WANs dst-port=5001 protocol=tcp to-addresses=192.168.0.8 to-ports=5001
/ip firewall nat add action=dst-nat chain=dstnat comment="Port forward: something2" dst-address-list=WANs dst-port=5002 protocol=tcp to-addresses=192.168.0.9 to-ports=5002
 
Halfeez92
newbie
Posts: 45
Joined: Tue Oct 30, 2012 12:58 pm

Re: Hairpin NAT - the easy way

Sun Feb 21, 2021 7:33 pm

Thanks for the tutorial, but I have done it with a different approach, so I don't need to do hairpin NAT. My config is like this:

/ip firewall nat add action=dst-nat chain=dstnat comment="Port forward" dst-port=5001 protocol=tcp dst-address-type=local dst-address-list=!router to-addresses=192.168.0.8 to-ports=5001

Here the address list "router" contains your router's gateway addresses from /ip address. With this setup you don't need a hairpin NAT rule.
 
anav
Forum Guru
Posts: 6138
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Hairpin NAT - the easy way

Thu Feb 25, 2021 7:39 pm

There are several ways to handle hairpin NAT.
Understand that hairpin NAT is a situation where the admin wants local users, ON THE SAME LAN subnet as the server, to access the server NOT by its LAN IP address but by the router's public IP address.

An easy workaround for this problem (often called loopback on other devices) is simply to put the server on its own subnet. {solved}.
The regular rules for destination NAT will work fine.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
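An added illustration, not from any poster and not MikroTik code, of why the masquerade rule in step 4 is needed when the client sits on the server's subnet, and why anav's separate-subnet workaround makes it unnecessary: a small Python model of one SYN passing through the thread's mangle, dstnat and srcnat rules in RouterOS order. The subnets 192.168.0.0/24 and 192.168.1.0/24 and the gateway address 192.168.0.1 are constructed; the WAN IP and the 5001 forward are the ones from the first post.

```python
import ipaddress

# Constructed topology mirroring the thread's address-lists and rules.
LANS = [ipaddress.ip_network("192.168.0.0/24"),
        ipaddress.ip_network("192.168.1.0/24")]                  # address-list "LANs"
WANS = {ipaddress.ip_address("123.123.123.123")}                 # address-list "WANs"
ROUTER_LAN_IP = ipaddress.ip_address("192.168.0.1")              # assumed gateway address
PORT_FORWARDS = {5001: (ipaddress.ip_address("192.168.0.8"), 5001)}  # step 5 dst-nat rule


def in_lans(addr):
    return any(addr in net for net in LANS)


def same_subnet(a, b):
    return any(a in net and b in net for net in LANS)


def router_nat(src, dst, dport, hairpin_rule=True):
    """Run one SYN through the chains in RouterOS order:
    prerouting mangle (step 3) -> dstnat (step 5) -> srcnat (step 4).
    Returns the (src, dst, dport) the server actually sees, as strings."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    mark = "Hairpin NAT" if in_lans(src) and dst in WANS else None  # step 3
    if dst in WANS and dport in PORT_FORWARDS:                       # step 5
        dst, dport = PORT_FORWARDS[dport]
    if hairpin_rule and mark == "Hairpin NAT":                       # step 4
        src = ROUTER_LAN_IP          # masquerade only marked connections
    return str(src), str(dst), dport


def client_gets_reply(client_ip, dport=5001, hairpin_rule=True):
    """True if a LAN client connecting to WAN_IP:dport completes the handshake."""
    wan_ip = next(iter(WANS))
    src, server, _ = router_nat(client_ip, wan_ip, dport, hairpin_rule)
    src, server = ipaddress.ip_address(src), ipaddress.ip_address(server)
    if server == wan_ip:
        return False  # no dst-nat matched; the router itself is not the server
    # The server replies to `src`. If that address is on its own subnet the
    # reply bypasses the router; the client expected it from the WAN IP and
    # drops it. Otherwise the reply goes via the router, whose connection
    # tracking undoes both translations, and the client sees WAN_IP:dport.
    return src == ROUTER_LAN_IP or not same_subnet(server, src)
```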
