Configure Hairpin NAT on RouterOS (Mikrotik)

In this article I will give an example of setting Hairpin NAT on RouterOS (Mikrotik).

I happen to have a server or a DVR in the local network, the ports to which are forwarded in the firewall, but you can connect only from other networks, and from the local network it is obtained only by the local IP address, but not external, on the WAN interface of the router.

Suppose the router’s WAN IP address is 1.1.1.1, the LAN is 192.168.88.1, the server’s IP address is 192.168.88.254.

Suppose there is a standard NAT rule (let’s leave it):

ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1

Now configure “Hairpin NAT” (forward port 22 for SSH):

ip firewall nat add action=dst-nat chain=dstnat dst-address=1.1.1.1 dst-port=22 protocol=tcp to-addresses=192.168.88.254
ip firewall nat add action=masquerade chain=srcnat dst-address=192.168.88.254 dst-port=22 out-interface=bridge protocol=tcp src-address=192.168.88.0/24

Done.

See also my article:
Port forwarding on Mikrotik routers
Configuring Remote Access in Mikrotik Router

Join the Conversation

2 Comments

Leave a Reply

  1. This is the most simple and comprehensive example for Hairpin configuration that I found on the internet and it works smoothly. Thank you so much for sharing.
    CLAUDIU

  2. Doesn’t that mean that the clients’ IP addresses will be always NATted to the router’s LAN address, even if the request comes from source (example) 192.168.88.5 to destination 192.168.88.254? I know this is the official Mikrotik solution, but is it elegant enough?

Discover more from IT Blog

Subscribe now to keep reading and get access to the full archive.

Continue reading