18

I've successfully set up port forwarding on a Mikrotik router that translates every request going to the WAN IP address on port 8844 (let's say: 20.20.20.22:8844) of the Mikrotik to the local IP address and the same port.

As I have a DNS name for the WAN IP address (20.20.20.22), I would like this rule to also work from the inner network:

192.168.111.77 -> 20.20.20.22:8844 -> 192.168.111.2:8844

I have found a Mikrotik web page that describes this situation: http://wiki.mikrotik.com/wiki/Hairpin_NAT But I wasn't able to achieve the same.

Here is a printscreen of the rule


It's just a partial printscreen but everything else is not set (blank).

EDIT: the port forwarding rule and the classic masquerade on the router look like this:

/ip firewall nat
add chain=dstnat in-interface=ether1-gateway protocol=tcp dst-port=8844 \
  action=dst-nat to-address=192.168.111.2 to-port=8844
add chain=srcnat out-interface=ether1-gateway action=masquerade
gparyani
Joudicek Jouda

2 Answers

17

The solution is to rewrite the port forwarding rule not to use in-interface=ether1-gateway, but dst-address-type=local:

/ip firewall nat
add chain=dstnat dst-address-type=local protocol=tcp dst-port=8844 \
  action=dst-nat to-address=192.168.111.2 to-port=8844

Then add the hairpin NAT as specified in the original post:

/ip firewall nat
add chain=srcnat src-address=192.168.111.0/24 \
  dst-address=192.168.111.2 protocol=tcp dst-port=8844 \
  out-interface=bridge-local action=masquerade
Joudicek Jouda
  • I'm unable to get this to work if using a bridge. Any ideas? – pcunite Nov 08 '13 at 19:37
  • @pcunite: just tested this with RouterOS 6.24 + bridge-local and it works perfect! – lifeofguenter Dec 29 '14 at 19:55
  • @JoudicekJouda I also followed the instructions on the wiki https://wiki.mikrotik.com/wiki/Hairpin_NAT but they never said to use **dst-address-type=local** on the port forwarding rule rather than **in-interface=ether1-gateway**. Why does that make a difference, I wonder? – Jonathan Komar Jul 01 '17 at 13:56
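
The last comment asks why the matcher makes a difference. As an added example (not from the original post or the MikroTik wiki), this Python model traces a connection to 20.20.20.22:8844 through the two dstnat variants and the hairpin srcnat rule; the router LAN address 192.168.111.1 and the outside client 198.51.100.7 are assumed values.

```python
from ipaddress import ip_address, ip_network

WAN_IP = "20.20.20.22"
ROUTER_LAN_IP = "192.168.111.1"   # assumed: the page never states it
SERVER = "192.168.111.2"
LAN = ip_network("192.168.111.0/24")
ROUTER_LOCAL = {WAN_IP, ROUTER_LAN_IP}  # what dst-address-type=local matches

def dstnat(pkt, matcher):
    """Port-forward rule; matcher is 'in-interface' or 'dst-address-type'."""
    if pkt["dport"] != 8844:
        return pkt
    if matcher == "in-interface" and pkt["in_if"] != "ether1-gateway":
        return pkt  # LAN traffic enters on bridge-local, so no match
    if matcher == "dst-address-type" and pkt["dst"] not in ROUTER_LOCAL:
        return pkt
    return {**pkt, "dst": SERVER}

def srcnat(pkt, hairpin):
    """Hairpin masquerade: LAN source headed to the server on 8844."""
    if (hairpin and ip_address(pkt["src"]) in LAN
            and pkt["dst"] == SERVER and pkt["dport"] == 8844):
        return {**pkt, "src": ROUTER_LAN_IP}
    return pkt

def connect(client, in_if, matcher, hairpin):
    """Return (outcome, source address the server sees)."""
    pkt = {"src": client, "dst": WAN_IP, "dport": 8844, "in_if": in_if}
    pkt = srcnat(dstnat(pkt, matcher), hairpin)
    if pkt["dst"] != SERVER:
        return ("not forwarded", None)  # packet ends at the router itself
    seen = pkt["src"]
    # The server answers the source it saw. A bare LAN client address is
    # reached directly over the bridge, so the reply skips the router and
    # arrives from 192.168.111.2 instead of the expected 20.20.20.22.
    if ip_address(seen) in LAN and seen != ROUTER_LAN_IP:
        return ("reply bypasses router", seen)
    return ("ok", seen)

if __name__ == "__main__":
    cases = [("198.51.100.7", "ether1-gateway", "in-interface", False),
             ("192.168.111.77", "bridge-local", "in-interface", True),
             ("192.168.111.77", "bridge-local", "dst-address-type", False),
             ("192.168.111.77", "bridge-local", "dst-address-type", True)]
    for case in cases:
        print(case, "->", connect(*case))
```

With the hairpin rule in place the server sees every internal client as the router's LAN address, so its access logs no longer distinguish LAN hosts that reach it through the WAN name.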
1

NAT masquerade 192.168.111.0/24 to 192.168.111.0/24; this works for every service at once. Do not specify interfaces or port. The internal port must be the same as the external port.

user721084
  • Welcome to Super User! Your [answer](http://superuser.com/help/how-to-answer) could be improved by providing a bit more detail how to implement it, especially for those who might be new to the system in question. – I say Reinstate Monica Apr 22 '17 at 14:02