Setting up Hairpin NAT on RouterOS (Mikrotik)

1
(4)

In this article I will give an example of setting Hairpin NAT on RouterOS (Mikrotik).
There are cases when, for example, a server or a DVR is located in the local network, the ports to which are forwarded in the firewall, but you can connect only from other networks, and from the local network it is obtained only by the local IP address, but not by the external one, which is on the router’s WAN interface.

Let’s say the WAN IP address of the router is 1.1.1.1, LAN is 192.168.88.1, the server IP address is 192.168.88.254.
Let’s say there is a standard NAT rule (let’s leave it):

ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1

Now configure “Hairpin NAT” (forward port 22 for SSH):

/ip firewall nat add action=dst-nat chain=dstnat dst-address=1.1.1.1 dst-port=22 protocol=tcp to-addresses=192.168.88.254
/ip firewall nat add action=masquerade chain=srcnat dst-address=192.168.88.254 dst-port=22 out-interface=bridge protocol=tcp src-address=192.168.88.0/24

That’s all.

4,411

How useful was this post?

Click on a star to rate it!

Average rating 1 / 5. Vote count: 4

No votes so far! Be the first to rate this post.

Scroll to Top