Hello guys,

I bought my first Mikrotik hAP (RB962UiGS-5HacT2HnT) a week ago. I am a newbie regarding RouterOS.
However I created a NAT rule for port forwarding to access internal host from the Internet and it works without problems. But I cannot access this host from the LAN using the public IP address.
I searched but I did not find any setting in GUI for NAT Loopback (or as it is called in DDWRT - WAN NAT Redirect). Is there a reliable instruction how to create the NAT loopback in RouterOS?

Thank you.
Have a good one ahead!

Hi,

Please refer to the MikroTik RouterOS documentation for NAT, there is a section about Hairpin NAT which I believe is what you are looking for:

https://help.mikrotik.com/docs/display/ ... HairpinNAT

Hopefully this helps and you can find the solution by following that documentation.

Yes, thank you!

Hello guys,

I bought my first Mikrotik hAP (RB962UiGS-5HacT2HnT) a week ago. I am a newbie regarding RouterOS.
However I created a NAT rule for port forwarding to access internal host from the Internet and it works without problems. But I cannot access this host from the LAN using the public IP address.
I searched but I did not find any setting in GUI for NAT Loopback (or as it is called in DDWRT - WAN NAT Redirect). Is there a reliable instruction how to create the NAT loopback in RouterOS?

Thank you.
Have a good one ahead!

Good day,
Hairpin NAT can be easily avoided by
a. using LANIP for server
b. moving server to a different subnet (so users are not on the same LAN).

There is one way to avoid getting into DST and Source NAT rule changes for hairpin nat and that is to use DNS.
Lets say your server IP was 192.168.88.68 and your domainname for the server was www.myserver.net
Create the following rule!
/ip dns static
add address=192.168.88.68 regexp="(^|www\\.)myserver\\.net\$" ttl=5m

The precedence for using DNS within the router is as follows...........
a. static first
b. static regexp next
c. others...

This rule will capture any request for DNS when looking for that domain name and direct the query to the server IP.
However, some users on the same subnet may have DNS hard coded on their PCs...... and thus you need to redirect all DNS queries to the router to handle.

add action=redirect chain=dstnat comment="Force Users to Router for DNS - TCP" \
dst-port=53 protocol=tcp src-address=192.168.88.0/24
add action=redirect chain=dstnat comment="Force Users to Router for DNS - UDP" \
dst-port=53 protocol=udp src-address=192.168.88.0/24

This should effectively ensure that regardless of PC DNS settings, all the queries from the subnet will go through the router and thus hit the static DNS rule created.
Two important points.
(1) You'd need to make sure "allow remote request" is turned on in /IP DNS, and
(2) *BE SURE* that your input firewall filter blocks DNS requests from the Internet itself so that you don't get this router taken over by a dns-amp ddos attack.
(covered by default input firewall rule, or any substitution by drop all else rule!)

Then there are some hairpin NAT type rules if the DNS method is not what is desired.
One should know if one has a fixed WANIP/static or a dynamic WANIP as that will dictate the design.

Then there are some hairpin NAT type rules if the DNS method is not what is desired.
One should know if one has a fixed WANIP/static or a dynamic WANIP as that will dictate the design.

WANIP is static

Did you try the DNS method yet??

For static wanip or dynamic wanip you need to add a sourcenat rule.
format: server lan subnet 192.168.66.x
add chain=srcnat action=masquerade dst-address=192.168.66.0/24 src-address=192.168.66.0/24

If you have a dynamic IP then your dst nat rules which should be in this format do not have to change
add chain=dstnat action=dst-nat dst-address=wanip port=xxxx protocol=aaa to-addresses=IPofServer

If you have a dynamic wanip then the dst nat rule needs to change
FROM
add chain=dstnat action=dst-nat in-interface-list=WAN port=xxx protocol=aaa to-addresses=IPofServer

TO and you have a number of choices;
a. make a funky rule such that it works by telling the router that one is stating hey use a local destination address but not one from the 192.168.66.1 and that leaves the local WAN address to use.
What is not clear to me on this one is what if you have multiple subnets, so it appears this one is only applicable for a one trick pony aka a single subnet network.
add chain=dstnat action=dst-nat dst-address-type=local dst-address=!192.168.66.1 \
protocol=bbb dst-port=xx to-adresses=192.168.66.x


b. uses the fact that you have IP cloud available to update the WANIP with the actual WANIP as determined by an IPcloud update and putting this address in a firewall address list.
https://www.youtube.com/watch?v=_kw_bQyX-3U&t=257s

Thus the nat rule becomes ( a destination address list vice destination address)
add chain=dstnat action=dst-nat dst-address-list=WAN-IP port=xxx protocol=aaa to-addresses=IPofServer

c. Similar to the ip cloud approach where one uses a firewall address list, one uses a DHCP Script to update dynamic wanip with the actual WANIP as determined by your dhcp client actions.
Such that the rule becomes
add chain=dstnat action=dst-nat dst-address-list=external_wan port=xxx protocol=aaa to-addresses=IPofServer

DHCP lease script:
:if ($bound=1) do={
/ip firewall address-list set [/ip firewall address-list find where comment="wan1ip"] address=$"lease-address" disabled=no
} else={
/ip firewall address-list set [/ip firewall address-list find where comment="wan1ip"] disabled=yes
}
Where,
/ip firewall address-list
add comment=wan1ip disabled=yes list=external_wan

Advantages: The advantage over relying on method b. is that unlike DDNS updates this method is instant. However, the b. method, DDNS method is useful when there's NAT 1:1 and router itself doesn't have public address.

Overall the DNS redirect is perhaps the most efficient.