I'm a Network Engineer and I learnt something! I had heard the term Hairpin NAT, but had never looked into it before. Thank you for explaining WHY you would use Hairpin NAT, it makes sense and I can see the use cases :)

Now this is a nice one! I have static DNS entries with the local addresses on the server subnet, but now I can have piece of mind by removing all the DNS entries and "fix" it with a simple firewall rule. No more forgetting to add/remove domains. Thanks a lot!

I'm discovery this alone... on dificults of day of day... but, this information is amazing on these format! Thanks Mikrotik! 😊

For the hairpin rule, why wouldn't you just set dst-address=10.0.0.0/24 for your LAN instead of a particular IP, to handle all your port forwards, instead of just the one for that server?

When i see a new video of you thats make feel very happy 😊

Thanks. Seems it is one of the favorite FAQ for user migrate to use Mikrotik router and finally get the official answer.

Now, if you want multiple websites/services on a single port (for example 443) I think you'd need to internally target a reverse proxy which then distributes request to targets based of URL. This can also simplify the https setup to a only that reverse proxy. I still recommend using at least self signed certificates on the final backends.

You can fool a program that refuses to connect to localhost into thinking the server is actually on the internet, or the other way around. I love how on Mikrotik we can have many combinations of nats simultaneously active.

This is why i love mikrotik for routing love from India.

I just recently discovered src-nat masquerading when I was trying to solve the issue of getting into a VPN client's network from the host's public when the client was set up for split tunneling. I had the same basic problem. I wanted to port-forward from my host network's public IP over the VPN to a client that only had internet access through CG-NAT. Packets would dst-nat to the server behind the VPN client but exit out the CG-NAT connection via the default route. The solution was to src-nat & masquerade all ppp connections. Hard not to love MikroTik the more I learn with them.

You have an error in paragraph 2 showing at time 3:23, SPECIFICALLY, paragraph 2. The first sentence is correct but the second sentence should state: "The source IP address 10.0.0.2 is sourcenatted to the lP address of the LAN interface 10.0.0.1 which should be displayed ( as per your own words! ).

Thank you very much. He explained everything very clearly.

THANK YOU SOO MUCH. IT IS WORKING AND YOU HAVE SAVED ME

Got it to work thanks. Only thing I am logically confused about is why the server is in the DST address field when setting up the hairpin NAT rule. Shouldn't it be in the SRC, since the issue is the PC (client) getting the answer from internal server IP causing the issue. I assume it's about how the connection is started / established, and that's why server has to go in DST? Afterwards the router treats the whole connection with action = masquerade?

In my opinion, it is better to use static DNS for this purpose. This is because in investigation processes, you will see no source address in the application log.

I have been wanting to make this work literally for years. This did the trick. I had not realized before that there is no need for selecting the WAN as the "in interface" for port forwarding rule. Once I removed that from my rule(s) the hairpin rule magically started working. One down, one to go. Can you cover how to configure dual WAN (DHCP, not static, addressing) with failover/load balancing? It'd be much appreciated.

The end of video 3:54 seems wrong. I think the correct one is ...and puts the original destination IP address of 172.16.16.1 into the source IP address field, and the original source IP address of 10.0.0.2 into the destination IP address field.

There also example using connection mark without using out interface for masquerade if we use the general rule for all posible nat reflections with LAN and WAN address lists.

This settings works like a charm :)

Great explanation! Thank you!

Worked great for allowing access to my Blue Iris webserver by using WAN IP on WiFi. Now I wont need 2 hyperlinks to choose from depending on whether I'm on WiFi or mobile network to check my cams!

As far as i know the dst nat rule doesnt work at all in case of the insider request that contain the public ip, and in 2:20 you say that the server see the request came from the 10.0.0.2 🤔..? What I understand from this statement is that the dst nat rule is worked when this request come and the output result of this request is 10.0.0.3 duo to the predefined rule, that is make the server see that the request from 10.0.0.2 Is that correct..? Please can you explain.??

a more productive solution in the described example would be a static dns entry with a local ip

Hi, Thanks that! How can this work if the server on a VLAN and the local PC is on the bridge? That settings will work? I do not think so. VLAN managed on Layer 2, NAT may on Layer 3 or am I wrong? Thanks any.

This is really good, but one point could be made a little more strongly. You are hardcoding the WANIP, but in the case that your WANIP is dynamic (which is quite common), you should use address lists and maybe DYDNS

But the server receives the packet with the source IP of the Public IP of the router - Why would it know anything about the end host?

great shirt! :)

Other vendors have this feature by default for 10+ years. Mikrotik is still not there 😭

That is also called NAT reflection.

What if you have a dynamic public IP address?

That will hide source IP in the web server logs. It’s a workaround.

Thank you. This helped

What happens when you public ip is dynamic address via PPPoE interface?

Advantage/Disadvantage vs the Split DNS way ???

Nice to have, but for a LAN, it may be less convoluted to simply set this up in DNS - point the web URL to the internal web server IP.

My prayers answered! sick of putting local IP to DNS in the hosts file!

Thank You for the video. One cuestion, ¿It work if I dont have a fixed IP public?. I work with the cloud IP of MK.

But in this scenario all requests from lan to 10.0.0.3 will work like you talk to 172.16.16.1. And this is not the expected behaviour. I think we need better solution.

...or i can just static dns mapped to the LAN IP, right?

Could you show me how to limit clients download speed big files but if clients browser normal internet they will get max speed. I have tried queue but not working.

Hi there - thank you for these informed videos. I am posting here, as this actually gets some attention. We run an enterprise size network with Mikrotik only, and have some very intricate setups, with intricate questions. Why won't you please consider creating expert paid support, so we can have your engineer inputs on demand ? Also, I am sure that when you can get info about big setups, you can build your software better. Thank you

spoke too soon. Doing this method broke my internet. It would be nice if in these videos they actually showed all this working. Just do not understand why Mikrotik simply does not have a dedicated setting for hairpin like other router OSes. Just frustrating.

Never got it to work at all

Excelent!

Why not access your server by LANIP............... ;-) Excellent visual representation.

In my home network I have my own DNS server, so I just redirect the address directly to the internal IP of the server, completely bypassing the router.

@MikroTik, in my PortForward rules, I an bit able to configure a static "destination ip", since it's a rotating ip address of my ISP. So I thought to configure In.Interface "WAN" instead of the "Dst. IP".. but by that, all traffic is masqeraded to the webserver ^^. Did I miss anything?

Make a video about multicast vxlan please

New video o/ ❤

😋fullcone nat (3-tuple) on routeros, it that possible?

Thanks Obi-Wan Kenobi

Really helpfull, but maybe it's just me but it is a bit confusing to read at 3:30 from the text that the "source ip address stays the same : 10.0.0.2" and you say the router srcnat-ed the source address to 10.0.0.1 (thus the packet will go back to the router) Or maybe i'm not really familiar with the lingo at this point.

the only acceptable solution is split-dns.

star wars, star wars, seaguls

of course, another useless tutorial that does not work at all.

or, u can use dst-address-type=local add action=dst-nat chain=dstnat dst-address=YOUR_PUBLIC_IP dst-address-type=local \ dst-port=8000 protocol=tcp to-addresses=172.25.50.2 to-ports=8000

AFAIK 172.16.x.x is a private IP pool.