Express guide how to to create proper NAT rule (port forwaring) for external and internal network on MikroTik (so called Hairpin NAT).
For imagination this is our lab environment where we want to create port forwaring for external clients and internal clients as well:
- Internal network: 192.168.1.0/24
- Gateway IP: 192.168.1.1
- External IP: 93.180.10.10
- Desired port forwarded service: 192.168.1.155:80
This is workflow how Hairpin NAT must proceed:
- Internal IP of the Client (192.168.1.10) > External IP of the Router (93.180.10.10)
- Internal IP of the Router (192.168.1.1) > Internal IP of the NATted server (192.168.1.155)
- Internal IP of the NATted server (192.168.1.155) > Internal IP of the Router (192.168.1.1)
- External IP of the Router (93.180.10.10) > Internal IP of the Client (192.168.1.10)
Most mistakes of creating NAT rules is step 1. is proceeded but later is discarded because it expects reply back from 93.180.10.10 and not from 192.168.1.155 (so communication can’t go directly client to client internally).
To create proper Hairpin NAT do following:
- First in order of proceeding – This is by default pre-created rule src-nat local-to-internet masquerade in ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway to-addresses=0.0.0.0
- Second in order of proceeding – Create another src-nat which will take care of local-to-local masquerade.
add action=masquerade chain=srcnat comment="hairpin nat" dst-address=!192.168.1.1 src-address=192.168.1.0/24
- Third in order of proceeding – This dst-nat forwards local and external traffic to port 80 via external IP to 192.168.1.155 port 80.
add action=dst-nat chain=dstnat comment=NAT_80_TCP dst-address=!192.168.1.1 dst-address-type=local dst-port=80 protocol=tcp to-addresses=192.168.1.155 to-ports=80
If you wish to create additional NAT rules repeat third step.