JamesC
just joined
Topic Author
Posts: 13
Joined: Fri Jan 13, 2012 6:13 pm

Hairpin NAT with R0S 6.12/RB2011 and Dynamic Public IP

Thu May 22, 2014 8:40 pm

Hello all,

I have searched many times, read many posts, read and re-read the wiki page, but I am unable to get Hairpin NAT working with a dynamic public IP.

This is for an RB2011 with default settings. I disabled the dhcp-client on ether1-gateway and statically assigned the IP so it is easier to change during testing.
ether1-gateway: 10.1.1.1/24 (Once testing is complete this will be a real public IP)
bridge-local: 192.168.88.1/24
Server: 192.168.88.254 with MySQL configured and working.
Workstation: 192.168.88.48

ros code

[admin@MikroTik] /ip firewall nat> pri
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; default configuration
     chain=srcnat action=masquerade 
     out-interface=sfp1-gateway 

 1   ;;; default configuration
     chain=srcnat action=masquerade to-addresses=0.0.0.0 
     out-interface=ether1-gateway 

 2   ;;; Public MySQL (by interface)
     chain=dstnat action=dst-nat to-addresses=192.168.88.254 
     protocol=tcp in-interface=ether1-gateway dst-port=3306 

 3 X ;;; Public MySQL (by IP)
     chain=dstnat action=dst-nat to-addresses=192.168.88.254 
     protocol=tcp dst-address=10.1.1.1 dst-port=3306 

 4   ;;; Hairpin NAT MySQL
     chain=srcnat action=masquerade protocol=tcp 
     src-address=192.168.88.0/24 dst-address=192.168.88.254 
     out-interface=bridge-local dst-port=3306

With rule 2 active I am unable to connect from 192.168.88.48->10.1.1.1 and have it redirect (hairpin NAT) to 192.168.88.254. If I disable rule 2 and enable rule 3, then hairpin NAT works. The problem with rule 3 is it does not work if the IP on ether1-gateway changes.

Can someone point out my problem? I am stuck.

Thank you,
James
 
efaden
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Hairpin NAT with R0S 6.12/RB2011 and Dynamic Public IP

Thu May 22, 2014 8:54 pm

You can either write a script to update the rule or you can use dst-address-type=local instead of dst-address in rule 3...

-Eric
 
JamesC
just joined
Topic Author
Posts: 13
Joined: Fri Jan 13, 2012 6:13 pm

Re: Hairpin NAT with R0S 6.12/RB2011 and Dynamic Public IP

Thu May 22, 2014 9:11 pm

That worked! Thank you so much. Now that I have read the wiki for dst-address-type it makes perfect sense. For others searching, here are my complete NAT rules:

ros code

[admin@MikroTik] /ip firewall nat> pri
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; default configuration
     chain=srcnat action=masquerade out-interface=sfp1-gateway 

 1   ;;; default configuration
     chain=srcnat action=masquerade to-addresses=0.0.0.0 
     out-interface=ether1-gateway 

 2 X ;;; Public MySQL (by interface)
     chain=dstnat action=dst-nat to-addresses=192.168.88.254 protocol=tcp 
     in-interface=ether1-gateway dst-port=3306 

 3   ;;; Public MySQL (by any local IP)
     chain=dstnat action=dst-nat to-addresses=192.168.88.254 protocol=tcp 
     dst-address-type=local dst-port=3306 

 4   ;;; Hairpin NAT MySQL
     chain=srcnat action=masquerade protocol=tcp src-address=192.168.88.0/24 
     dst-address=192.168.88.254 out-interface=bridge-local dst-port=3306

NOTE: Rule 2 is not needed. I just left it in for completeness.

Thank you,
James
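As an added illustration, not part of the thread or of RouterOS itself, here is a small Python model of first-match NAT evaluation using James's rules 2, 3 and 4 and efaden's dst-address-type=local variant. It shows why rule 2 never hairpins (LAN traffic does not arrive on ether1-gateway), why rule 3 stops working when the public IP changes, why the local variant survives the change, and that the MySQL server sees hairpinned connections as coming from the router's LAN address 192.168.88.1 while WAN clients keep their real source address. The public IP 203.0.113.7 and WAN client 198.51.100.5 are constructed test values; the default WAN masquerade (rule 1) is not modelled.

```python
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.88.0/24")   # bridge-local subnet from the thread

def matches(rule, pkt, router_ips):
    """True when every matcher present in the rule agrees with the packet dict."""
    checks = {
        "in-interface":     lambda v: pkt.get("in_if") == v,
        "out-interface":    lambda v: pkt.get("out_if") == v,
        "dst-port":         lambda v: pkt["dport"] == v,
        "src-address":      lambda v: ip_address(pkt["src"]) in ip_network(v),
        "dst-address":      lambda v: ip_address(pkt["dst"]) in ip_network(v),
        # dst-address-type=local: destination is an address the router owns right now
        "dst-address-type": lambda v: v == "local" and pkt["dst"] in router_ips.values(),
    }
    return all(checks[k](v) for k, v in rule.items() if k in checks)

def nat(rules, pkt, router_ips):
    """dstnat on ingress, routing, then srcnat; first match wins per chain, as in RouterOS."""
    for r in rules:
        if r["chain"] == "dstnat" and matches(r, pkt, router_ips):
            pkt = {**pkt, "dst": r["to-addresses"]}
            break
    # Routing decision: LAN subnet leaves via bridge-local, everything else via the WAN port.
    pkt = {**pkt, "out_if": "bridge-local" if ip_address(pkt["dst"]) in LAN else "ether1-gateway"}
    for r in rules:
        if r["chain"] == "srcnat" and matches(r, pkt, router_ips):
            pkt = {**pkt, "src": router_ips[pkt["out_if"]]}   # masquerade = egress address
            break
    return pkt

# The thread's rules as dicts: rule 4 (hairpin masquerade), the two dstnat variants
# James tried (rules 2 and 3), and efaden's dst-address-type=local replacement.
HAIRPIN  = {"chain": "srcnat", "src-address": "192.168.88.0/24", "dst-address": "192.168.88.254",
            "out-interface": "bridge-local", "dst-port": 3306}
BY_IFACE = {"chain": "dstnat", "in-interface": "ether1-gateway", "dst-port": 3306, "to-addresses": "192.168.88.254"}
BY_IP    = {"chain": "dstnat", "dst-address": "10.1.1.1",        "dst-port": 3306, "to-addresses": "192.168.88.254"}
BY_LOCAL = {"chain": "dstnat", "dst-address-type": "local",     "dst-port": 3306, "to-addresses": "192.168.88.254"}

def server_view(dstnat_rule, public_ip, client, in_if):
    """(src, dst) the MySQL server sees when `client` connects to public_ip:3306 arriving on in_if."""
    router_ips = {"ether1-gateway": public_ip, "bridge-local": "192.168.88.1"}
    pkt = {"src": client, "dst": public_ip, "dport": 3306, "in_if": in_if}
    out = nat([dstnat_rule, HAIRPIN], pkt, router_ips)
    return out["src"], out["dst"]

def hairpin_works(dstnat_rule, public_ip):
    """Workstation 192.168.88.48 reaches the server via the public IP from the LAN side."""
    return server_view(dstnat_rule, public_ip, "192.168.88.48", "bridge-local") == ("192.168.88.1", "192.168.88.254")
```

Because of that masquerade, MySQL's host-based grants and logs see every hairpinned LAN client as 192.168.88.1; LAN clients that connect to 192.168.88.254 directly keep their own address.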
 
tmorrison88
just joined
Posts: 4
Joined: Thu Jun 06, 2013 11:18 pm

Re: Hairpin NAT with R0S 6.12/RB2011 and Dynamic Public IP

Wed May 06, 2015 7:32 am

Here's another working example. This assumes you have a dhcp-client on your WAN interface, which in my case is ether5-gateway. I have two internal port forwards as examples. In RouterOS version 6 you can specify "all ethernet", so if you are running an older version your local interface should be the LAN interface(s) of your router.

And of course you still need your traditional WAN port forwarding, inbound via the WAN interface, which is not shown below.

/ip firewall nat
# action=masquerade takes its source address from the out-interface and uses
# to-ports to rewrite the source port, so neither to-addresses nor to-ports is
# set on the hairpin masquerade rules below (the copy-pasted 10.19.88.2:5000
# values on the 172.19.88.2 and port 80 rules were left over from the dst-nat rules).
add action=masquerade chain=srcnat comment="hairpin nat" out-interface=\
ether5-gateway src-address-list=use_hairpin_nat to-addresses=0.0.0.0
# 10.19.88.2 tcp/5000
add action=dst-nat chain=dstnat comment="hairpin nat" dst-address-type=local \
dst-port=5000 protocol=tcp to-addresses=10.19.88.2 to-ports=5000
add action=masquerade chain=srcnat comment="hairpin nat" dst-address=\
10.19.88.2 dst-port=5000 out-interface=all-ethernet protocol=tcp \
src-address-list=use_hairpin_nat
# 172.19.88.2 tcp/2210-2211
add action=dst-nat chain=dstnat comment="hairpin nat" dst-address-type=local \
dst-port=2210-2211 protocol=tcp to-addresses=172.19.88.2 to-ports=\
2210-2211
add action=masquerade chain=srcnat comment="hairpin nat" dst-address=\
172.19.88.2 dst-port=2210-2211 out-interface=all-ethernet protocol=tcp \
src-address-list=use_hairpin_nat
# 10.19.88.2 tcp/80
add action=dst-nat chain=dstnat comment="hairpin nat" dst-address-type=local \
dst-port=80 protocol=tcp to-addresses=10.19.88.2 to-ports=80
add action=masquerade chain=srcnat comment="hairpin nat" dst-address=\
10.19.88.2 dst-port=80 out-interface=all-ethernet protocol=tcp \
src-address-list=use_hairpin_nat