MikroTik RouterOS Hairpin NAT – Public WAN Port Forward From LAN

Switching from a cheaper brand router to something classier can cause a lot of surprises, from a broader set of functions to unforeseen security options. One of them is that trying to connect from your LAN to one of the ports of the router’s public WAN IP address will most likely end in a timeout error.

Why should you care? Well, suppose that you have a device at home that you would like to reach from anywhere around the world – wouldn’t it be neat if you didn’t have to keep one address for use at home (from your LAN) and another for when you are outside of your home (from the WAN side)?

We won’t go into the beauties of NAT and port forwarding in this post (let alone dynamically assigned IP addresses), so I’ll presume you have a public address (or routed address) that you can safely map back to. I’m also assuming you have your port forward rules up and running.

We’ll be using the MikroTik RouterOS feature called Hairpin NAT, which lets us reach the forwarded port from the LAN side: the outside reaching point of 1.2.3.4:8080 will safely map back to 192.168.0.2:80 when called from any device within the LAN – so you’ll only have to save one address.

The scenario

Home server/camera/seedbox/nas: 192.168.0.2
Home server/camera/seedbox/nas port: 80
Router’s LAN address: 192.168.0.1
Router’s WAN public address: 1.2.3.4
Router’s forwarded port: 80

[192.168.0.2:80] <-> [192.168.0.1][1.2.3.4:80] <-> [0.0.0.0]

Hit up your WinBox Terminal or telnet/ssh your way into your RouterBoard (or RouterOS installation) and issue the following – remember to substitute your own values!

/ip firewall nat add chain=dstnat action=dst-nat to-addresses=192.168.0.2 protocol=tcp dst-address=!192.168.0.0/24 dst-address-type=local dst-port=80 comment="Hairpin to .2"

/ip firewall nat add chain=srcnat action=masquerade protocol=tcp src-address=192.168.0.0/24 dst-address=192.168.0.2 dst-port=80 comment="Local to Local NAT"
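
The following Python model is an added example, not part of the original post or MikroTik's code: it traces the source and destination addresses through the two rules above to show why a LAN client times out without the srcnat rule. The client addresses 192.168.0.50 and 203.0.113.9 and all function names are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed model; the addresses are the page's example values.
LAN = ip_network("192.168.0.0/24")
ROUTER_LAN, ROUTER_WAN, SERVER, PORT = "192.168.0.1", "1.2.3.4", "192.168.0.2", 80

def dstnat(src, dst, dport):
    """First rule: a router-owned destination outside the LAN subnet is sent to the server."""
    router_owned = dst in (ROUTER_LAN, ROUTER_WAN)            # dst-address-type=local
    if router_owned and ip_address(dst) not in LAN and dport == PORT:
        dst = SERVER                                          # to-addresses
    return src, dst, dport

def srcnat(src, dst, dport, hairpin):
    """Second rule: LAN-sourced traffic to the port leaves with the router's LAN address."""
    if hairpin and ip_address(src) in LAN and dport == PORT:
        src = ROUTER_LAN                                      # action=masquerade
    return src, dst, dport

def connect(client, hairpin=True):
    """Client opens ROUTER_WAN:PORT. Returns (source the server sees,
    source of the reply as the client receives it, whether the client accepts it)."""
    seen_src, _, _ = srcnat(*dstnat(client, ROUTER_WAN, PORT), hairpin)
    if seen_src != ROUTER_LAN and ip_address(seen_src) in LAN:
        # Same subnet: the server answers the client directly, so the router
        # never reverses the dst-nat and the reply arrives from the server's address.
        reply_src = SERVER
    else:
        # The reply passes back through the router, which restores the
        # address the client originally dialled.
        reply_src = ROUTER_WAN
    return seen_src, reply_src, reply_src == ROUTER_WAN

if __name__ == "__main__":
    for client, hairpin in [("192.168.0.50", False), ("192.168.0.50", True), ("203.0.113.9", True)]:
        print(client, "hairpin rule" if hairpin else "no hairpin rule", connect(client, hairpin))
```

With the rule in place the server sees every LAN client as 192.168.0.1, so its access logs and any per-IP allow lists no longer distinguish internal hosts.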

If you’re interested, read more in the MikroTik Forums.