How to configure Hairpin NAT on MikroTik

Whenever you configure DNAT on a router, you are unable to connect to the server via its external hostname or IP from the internal network.

To solve this issue we need to configure hairpin NAT on our router. In my case it's a MikroTik hAP AC.


Let's assume that the internal IP of the server we dst-nat to is 192.168.0.10, our internal network is 192.168.0.0/24, and dst-nat is configured for SSH/HTTP/HTTPS:
[username@MikroTik] /ip firewall nat> /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 1    chain=dstnat action=netmap to-addresses=192.168.0.10 to-ports=22 protocol=tcp dst-address= dst-port=22 log=no log-prefix=""
 2    chain=dstnat action=netmap to-addresses=192.168.0.10 to-ports=80 protocol=tcp dst-address= dst-port=80 log=no log-prefix=""
 3    chain=dstnat action=netmap to-addresses=192.168.0.10 to-ports=443 protocol=tcp dst-address= dst-port=443 log=no log-prefix=""
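We want to connect to our server from the local network by its external name (example.com, for example), but we get connection refused or a connection timeout. In this case we need to add hairpin NAT rules to allow connections from the local network via the internal network and not via the external network. The masquerade rules below rewrite the source address of these LAN-originated connections to the router's own address, so the server's replies go back through the router instead of straight to the client. Here is the rule set: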
[username@MikroTik] /ip firewall nat> /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 4    chain=srcnat action=masquerade protocol=tcp src-address=192.168.0.0/24 dst-address=192.168.0.10 out-interface=local dst-port=80
 5    chain=srcnat action=masquerade protocol=tcp src-address=192.168.0.0/24 dst-address=192.168.0.10 out-interface=local dst-port=22
 6    chain=srcnat action=masquerade protocol=tcp src-address=192.168.0.0/24 dst-address=192.168.0.10 out-interface=local dst-port=443
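
Why rules 4-6 are needed, traced as a small packet-flow model (an added example, not part of the original post). The router LAN address 192.168.0.1, the client 192.168.0.50 and the external address 203.0.113.5 are assumed placeholders; the server, subnet and ports are the ones used above.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.0.0/24")  # internal network from the post
SERVER = "192.168.0.10"                       # dst-nat target from the post
FORWARDED_PORTS = {22, 80, 443}               # dst-nat rules 1-3
ROUTER_LAN = "192.168.0.1"                    # assumed: router address on the LAN
PUBLIC_IP = "203.0.113.5"                     # assumed: placeholder external address
CLIENT = "192.168.0.50"                       # assumed: a LAN client


def hairpin_connect(port, masquerade, client=CLIENT, sport=40000):
    """Trace one SYN / SYN-ACK exchange to the external address.

    Returns (accepted, reply_source_seen_by_client, source_seen_by_server).
    """
    src, dst = (client, sport), (PUBLIC_IP, port)
    expected_reply_src = dst            # the client only accepts replies from here
    if port not in FORWARDED_PORTS:
        return (False, None, None)      # no dst-nat rule matches
    dst = (SERVER, port)                # dstnat: rewrite the destination
    original_src = src                  # remembered in connection tracking
    # srcnat hairpin rule: LAN source talking to the internal server.
    if masquerade and ipaddress.ip_address(src[0]) in LAN:
        src = (ROUTER_LAN, sport)
    server_sees = src[0]
    # The server answers whatever source address it saw.
    reply_src, reply_dst = dst, src
    via_router = (reply_dst[0] == ROUTER_LAN
                  or ipaddress.ip_address(reply_dst[0]) not in LAN)
    if via_router:
        # The router reverses both translations before forwarding the reply.
        reply_src, reply_dst = (PUBLIC_IP, port), original_src
    # Otherwise the reply is delivered on-link and bypasses the router,
    # so it still carries the server's internal address as its source.
    accepted = reply_dst == (client, sport) and reply_src == expected_reply_src
    return (accepted, reply_src[0], server_sees)


if __name__ == "__main__":
    print("dst-nat only:    ", hairpin_connect(80, masquerade=False))
    print("with hairpin NAT:", hairpin_connect(80, masquerade=True))
```

With the masquerade rules in place the server sees every LAN client as the router's address, so its SSH and web logs no longer distinguish internal clients.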
