georgios
just joined
Topic Author
Posts: 6
Joined: Mon May 22, 2017 9:27 am

Public IP Forward for Internal/Lan Subnet

Tue Feb 26, 2019 11:39 am

Hello,

Before posting, I read this tutorial https://wiki.mikrotik.com/wiki/Hairpin_NAT but I could not get it to work.

I have multiple LAN subnets and 1 WAN interface with multiple public IPs.

Currently, my LAN subnets (dmz, lan..) go out to the internet with SRCNAT / SRCNAT, and in the SrcNat action I choose which public address to use to go out to the internet.

My LAN subnets are (on different interface):
  • 172.10.10.0/24
  • 192.168.1.0/24
  • 192.168.2.0/24
My WAN interface has 10 public IPs assigned:
  • 100.100.100.1
  • 100.100.100.2
  • 100.100.100.2
  • 100.100.100.2

Port forwarding is working fine from outside the MikroTik network:
  • Chain DstNat Dest Addr 1.1.1.2 Protocol TCP Dest Port 80 Int. interface: Wan - Action Dstnat To local IP 172.10.10.20 To Ports 80
When I am on my LAN subnet 192.168.1.0/24 and I go to 1.1.1.2 (tcp http 80) -> the web page that loads is the MikroTik login page.

I tried the Hairpin_NAT approach, going out with add chain=srcnat out-interface=WAN action=masquerade

Then I did:
/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 \
dst-address=172.10.10.20 protocol=tcp dst-port=80 \
out-interface=LAN action=masquerade

But each time I want to access 1.1.1.2, it loads the MikroTik page -> it should be the 172.10.10.20 port 80 web page.

Many thanks for your help
 
heribertos
just joined
Posts: 19
Joined: Mon Dec 26, 2016 7:53 pm

Re: Public IP Forward for Internal/Lan Subnet

Tue Feb 26, 2019 1:18 pm

In your dst-nat rule you have input-interface WAN; here you must also add your LAN interface, because you want dst-nat in both cases. Otherwise traffic goes to the input chain and the router web page appears!

The ip firewall nat rule is needless, except in cases where you want to access the server from within the same subnet. Then traffic goes from the server directly to the host and dstnat is not reversed. To force traffic through the router you need srcnat on itself.

/ip firewall nat
add chain=srcnat src-address=172.10.10.20 \
dst-address=172.10.10.20 protocol=tcp dst-port=80 \
out-interface=LAN action=masquerade

This looks strange but is required.
Last edited by heribertos on Tue Feb 26, 2019 2:02 pm, edited 1 time in total.
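
An added example, not part of either poster's messages: a small Python model of the two failure modes described above (a dst-nat rule bound only to the WAN interface, and a client in the server's own subnet). The interface names "Wan"/"Lan", the single-LAN simplification and the client addresses in the test are assumptions; 1.1.1.2 and 172.10.10.20 are taken from the thread.

```python
from dataclasses import dataclass

PUBLIC_IP, SERVER = "1.1.1.2", "172.10.10.20"  # addresses quoted in the thread

@dataclass(frozen=True)
class DstNat:
    in_interface: str  # "Wan"/"Lan" are simplified, assumed interface names
    dst_address: str
    dst_port: int
    to_address: str

WAN_ONLY = [DstNat("Wan", PUBLIC_IP, 80, SERVER)]
WAN_AND_LAN = WAN_ONLY + [DstNat("Lan", PUBLIC_IP, 80, SERVER)]

def subnet24(ip):
    """Network part of an address, assuming the /24 masks used in the thread."""
    return ip.rsplit(".", 1)[0]

def route(rules, in_if, dst, port):
    """Decide which chain handles a new TCP connection and where it ends up."""
    for r in rules:
        if (r.in_interface, r.dst_address, r.dst_port) == (in_if, dst, port):
            return ("forward", r.to_address)  # dst-nat rewrote the destination
    # No dst-nat match: the public IP is the router's own address, so the
    # packet is delivered to the router itself (its login page on port 80).
    return ("input", dst) if dst == PUBLIC_IP else ("forward", dst)

def reply_source_seen_by_client(client, hairpin_srcnat):
    """Source address of the server's reply as it arrives at the client."""
    same_subnet = subnet24(client) == subnet24(SERVER)
    if same_subnet and not hairpin_srcnat:
        return SERVER   # server answers directly; the router never undoes dst-nat
    return PUBLIC_IP    # reply passes the router, which restores 1.1.1.2

def connection_works(rules, in_if, client, hairpin_srcnat=False):
    """True when the client reaches the server and accepts its reply."""
    if route(rules, in_if, PUBLIC_IP, 80) != ("forward", SERVER):
        return False    # request terminated on the router's own web service
    return reply_source_seen_by_client(client, hairpin_srcnat) == PUBLIC_IP
```
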
 
georgios
just joined
Topic Author
Posts: 6
Joined: Mon May 22, 2017 9:27 am

Re: Public IP Forward for Internal/Lan Subnet

Tue Feb 26, 2019 1:47 pm

Thank you.

So I have to create two DSTNAT rules?
/ip firewall nat
add chain=dstnat dst-address=1.1.1.2 in-interface=Wan protocol=tcp dst-port=80 \
action=dst-nat to-addresses=172.10.10.20 to-ports=80

add chain=dstnat dst-address=1.1.1.2 in-interface=Lan protocol=tcp dst-port=80 \
action=dst-nat to-addresses=172.10.10.20 to-ports=80

add chain=srcnat out-interface=WAN action=masquerade

This is working :)

So I don't have to do any srcnat as written in the tutorial?!

thanks
 
heribertos
just joined
Posts: 19
Joined: Mon Dec 26, 2016 7:53 pm

Re: Public IP Forward for Internal/Lan Subnet

Tue Feb 26, 2019 2:03 pm

I wrote at the same time. See my update. srcnat is needed if host and server are in the same subnet.
 
georgios
just joined
Topic Author
Posts: 6
Joined: Mon May 22, 2017 9:27 am

Re: Public IP Forward for Internal/Lan Subnet

Tue Feb 26, 2019 3:30 pm

:)
thank you

good afternoon
 
heribertos
just joined
Posts: 19
Joined: Mon Dec 26, 2016 7:53 pm

Re: Public IP Forward for Internal/Lan Subnet

Tue Feb 26, 2019 3:36 pm

you are welcome