I'm a Network Engineer and I learnt something! I had heard the term Hairpin NAT, but had never looked into it before. Thank you for explaining WHY you would use Hairpin NAT, it makes sense and I can see the use cases :)

I'm discovery this alone... on dificults of day of day... but, this information is amazing on these format! Thanks Mikrotik! 😊

When i see a new video of you thats make feel very happy 😊

Now this is a nice one! I have static DNS entries with the local addresses on the server subnet, but now I can have piece of mind by removing all the DNS entries and "fix" it with a simple firewall rule. No more forgetting to add/remove domains. Thanks a lot!

Thanks. Seems it is one of the favorite FAQ for user migrate to use Mikrotik router and finally get the official answer.

Thank you very much. He explained everything very clearly.

THANK YOU SOO MUCH. IT IS WORKING AND YOU HAVE SAVED ME

Great explanation! Thank you!

Now, if you want multiple websites/services on a single port (for example 443) I think you'd need to internally target a reverse proxy which then distributes request to targets based of URL. This can also simplify the https setup to a only that reverse proxy. I still recommend using at least self signed certificates on the final backends.

This is why i love mikrotik for routing love from India.

This settings works like a charm :)

Worked great for allowing access to my Blue Iris webserver by using WAN IP on WiFi. Now I wont need 2 hyperlinks to choose from depending on whether I'm on WiFi or mobile network to check my cams!

Thank you. This helped

I just recently discovered src-nat masquerading when I was trying to solve the issue of getting into a VPN client's network from the host's public when the client was set up for split tunneling. I had the same basic problem. I wanted to port-forward from my host network's public IP over the VPN to a client that only had internet access through CG-NAT. Packets would dst-nat to the server behind the VPN client but exit out the CG-NAT connection via the default route. The solution was to src-nat & masquerade all ppp connections. Hard not to love MikroTik the more I learn with them.

For the hairpin rule, why wouldn't you just set dst-address=10.0.0.0/24 for your LAN instead of a particular IP, to handle all your port forwards, instead of just the one for that server?

great shirt! :)

There also example using connection mark without using out interface for masquerade if we use the general rule for all posible nat reflections with LAN and WAN address lists.

You can fool a program that refuses to connect to localhost into thinking the server is actually on the internet, or the other way around. I love how on Mikrotik we can have many combinations of nats simultaneously active.

I have been wanting to make this work literally for years. This did the trick. I had not realized before that there is no need for selecting the WAN as the "in interface" for port forwarding rule. Once I removed that from my rule(s) the hairpin rule magically started working. One down, one to go. Can you cover how to configure dual WAN (DHCP, not static, addressing) with failover/load balancing? It'd be much appreciated.

Got it to work thanks. Only thing I am logically confused about is why the server is in the DST address field when setting up the hairpin NAT rule. Shouldn't it be in the SRC, since the issue is the PC (client) getting the answer from internal server IP causing the issue. I assume it's about how the connection is started / established, and that's why server has to go in DST? Afterwards the router treats the whole connection with action = masquerade?

Excelent!

Hi, Thanks that! How can this work if the server on a VLAN and the local PC is on the bridge? That settings will work? I do not think so. VLAN managed on Layer 2, NAT may on Layer 3 or am I wrong? Thanks any.

As far as i know the dst nat rule doesnt work at all in case of the insider request that contain the public ip, and in 2:20 you say that the server see the request came from the 10.0.0.2 🤔..? What I understand from this statement is that the dst nat rule is worked when this request come and the output result of this request is 10.0.0.3 duo to the predefined rule, that is make the server see that the request from 10.0.0.2 Is that correct..? Please can you explain.??

Advantage/Disadvantage vs the Split DNS way ???

But the server receives the packet with the source IP of the Public IP of the router - Why would it know anything about the end host?

My prayers answered! sick of putting local IP to DNS in the hosts file!

That is also called NAT reflection.

What happens when you public ip is dynamic address via PPPoE interface?

New video o/ ❤

Nice to have, but for a LAN, it may be less convoluted to simply set this up in DNS - point the web URL to the internal web server IP.

The end of video 3:54 seems wrong. I think the correct one is ...and puts the original destination IP address of 172.16.16.1 into the source IP address field, and the original source IP address of 10.0.0.2 into the destination IP address field.

a more productive solution in the described example would be a static dns entry with a local ip

In my opinion, it is better to use static DNS for this purpose. This is because in investigation processes, you will see no source address in the application log.

You have an error in paragraph 2 showing at time 3:23, SPECIFICALLY, paragraph 2. The first sentence is correct but the second sentence should state: "The source IP address 10.0.0.2 is sourcenatted to the lP address of the LAN interface 10.0.0.1 which should be displayed ( as per your own words! ).

That will hide source IP in the web server logs. It’s a workaround.

Thank You for the video. One cuestion, ¿It work if I dont have a fixed IP public?. I work with the cloud IP of MK.

But in this scenario all requests from lan to 10.0.0.3 will work like you talk to 172.16.16.1. And this is not the expected behaviour. I think we need better solution.

Never got it to work at all

...or i can just static dns mapped to the LAN IP, right?

Make a video about multicast vxlan please

Could you show me how to limit clients download speed big files but if clients browser normal internet they will get max speed. I have tried queue but not working.

Hi there - thank you for these informed videos. I am posting here, as this actually gets some attention. We run an enterprise size network with Mikrotik only, and have some very intricate setups, with intricate questions. Why won't you please consider creating expert paid support, so we can have your engineer inputs on demand ? Also, I am sure that when you can get info about big setups, you can build your software better. Thank you

@MikroTik, in my PortForward rules, I an bit able to configure a static "destination ip", since it's a rotating ip address of my ISP. So I thought to configure In.Interface "WAN" instead of the "Dst. IP".. but by that, all traffic is masqeraded to the webserver ^^. Did I miss anything?

What if you have a dynamic public IP address?

In my home network I have my own DNS server, so I just redirect the address directly to the internal IP of the server, completely bypassing the router.

😋fullcone nat (3-tuple) on routeros, it that possible?

Other vendors have this feature by default for 10+ years. Mikrotik is still not there 😭

spoke too soon. Doing this method broke my internet. It would be nice if in these videos they actually showed all this working. Just do not understand why Mikrotik simply does not have a dedicated setting for hairpin like other router OSes. Just frustrating.

Thanks Obi-Wan Kenobi

Why not access your server by LANIP............... ;-) Excellent visual representation.

Really helpfull, but maybe it's just me but it is a bit confusing to read at 3:30 from the text that the "source ip address stays the same : 10.0.0.2" and you say the router srcnat-ed the source address to 10.0.0.1 (thus the packet will go back to the router) Or maybe i'm not really familiar with the lingo at this point.

the only acceptable solution is split-dns.

star wars, star wars, seaguls

or, u can use dst-address-type=local add action=dst-nat chain=dstnat dst-address=YOUR_PUBLIC_IP dst-address-type=local \ dst-port=8000 protocol=tcp to-addresses=172.25.50.2 to-ports=8000

What if we have several devices working in the same network on the same port and a dynamic IP address on the gateway (public IP) Is this configuration (it definitely works) but correct? /interface list add name=WAN add name=LAN /interface list member add interface=br0 list=LAN add interface=sfp1 list=WAN /ip cloud set ddns-enabled=yes ddns-update-interval=5m /ip firewall address-list add address=xxxxxxxxxxxx.sn.mynetname.net list=WAN-IP /ip firewall nat add action=dst-nat chain=dstnat dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=192.168.88.2 to-ports=443 add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=443 protocol=tcp to-addresses=192.168.88.2 to-ports=443 add action=masquerade chain=srcnat dst-address=!192.168.88.1 out-interface=br0 protocol=tcp src-address=192.168.88.0/24

AFAIK 172.16.x.x is a private IP pool.