MikroTik Hairpin NAT

I'm a Network Engineer and I learnt something! I had heard the term Hairpin NAT, but had never looked into it before. Thank you for explaining WHY you would use Hairpin NAT, it makes sense and I can see the use cases :)

oliver

When i see a new video of you thats make feel very happy 😊

salembaabbad

I'm discovery this alone... on dificults of day of day... but, this information is amazing on these format! Thanks Mikrotik! 😊

pedrojunior

Now this is a nice one! I have static DNS entries with the local addresses on the server subnet, but now I can have piece of mind by removing all the DNS entries and "fix" it with a simple firewall rule. No more forgetting to add/remove domains.
Thanks a lot! <3

katsurokurosaki

This is why i love mikrotik for routing

love from India.

jakirbasha

Now, if you want multiple websites/services on a single port (for example 443) I think you'd need to internally target a reverse proxy which then distributes request to targets based of URL. This can also simplify the https setup to a only that reverse proxy. I still recommend using at least self signed certificates on the final backends.

squid

Thanks. Seems it is one of the favorite FAQ for user migrate to use Mikrotik router and finally get the official answer.

DickyChengHK

Thank you very much. He explained everything very clearly.

SergeyKo.

For the hairpin rule, why wouldn't you just set dst-address=10.0.0.0/24 for your LAN instead of a particular IP, to handle all your port forwards, instead of just the one for that server?

kchiem

You can fool a program that refuses to connect to localhost into thinking the server is actually on the internet, or the other way around. I love how on Mikrotik we can have many combinations of nats simultaneously active.

jndominica

THANK YOU SOO MUCH. IT IS WORKING AND YOU HAVE SAVED ME

OsbertMagara

I just recently discovered src-nat masquerading when I was trying to solve the issue of getting into a VPN client's network from the host's public when the client was set up for split tunneling. I had the same basic problem. I wanted to port-forward from my host network's public IP over the VPN to a client that only had internet access through CG-NAT. Packets would dst-nat to the server behind the VPN client but exit out the CG-NAT connection via the default route. The solution was to src-nat & masquerade all ppp connections.
Hard not to love MikroTik the more I learn with them.

tech-kyle

Worked great for allowing access to my Blue Iris webserver by using WAN IP on WiFi. Now I wont need 2 hyperlinks to choose from depending on whether I'm on WiFi or mobile network to check my cams!

frostbite

In my opinion, it is better to use static DNS for this purpose. This is because in investigation processes, you will see no source address in the application log.

livankiv

What happens when you public ip is dynamic address via PPPoE interface?

rodneyyeo

There also example using connection mark without using out interface for masquerade if we use the general rule for all posible nat reflections with LAN and WAN address lists.

ivicastojadinovic

You have an error in paragraph 2 showing at time 3:23, SPECIFICALLY, paragraph 2. The first sentence is correct but the second sentence should state: "The source IP address 10.0.0.2 is sourcenatted to the lP address of the LAN interface 10.0.0.1 which should be displayed ( as per your own words! ).

Anavllama

a more productive solution in the described example would be a static dns entry with a local ip

zemeroff

My prayers answered! sick of putting local IP to DNS in the hosts file!

fish_bacon

Nice to have, but for a LAN, it may be less convoluted to simply set this up in DNS - point the web URL to the internal web server IP.

Aviduduskar