Last updated: August 14, 2013 at 20:55 pm

Down & dirty hairpin NAT example:

Here is the setup for an IP camera located at It can be reached locally or remotely at http://jims.ddns.address:8090.

[jim@Jims_Mikrotik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
 0 ;;; default configuration
   chain=srcnat action=masquerade to-addresses= out-interface=ether1-gateway
 1 ;;; loopback
   chain=srcnat action=masquerade src-address-list=LocalNet dst-address-list=LocalNet out-interface=ether2-master
 2 ;;; IP Cam - hairpin
   chain=dstnat action=dst-nat to-addresses= to-ports=80 protocol=tcp

Rule 0

This is the masquerade rule from the default configuration.

Rule 1

This is on an RB750GL, so the out-interface in rule 1 is ether2-master, since that is the master interface for my LAN. On an RB2011 the out-interface in that rule should be bridge-local (if the default settings haven’t been changed).

The LocalNet address list is simply, since that is the only subnet I’m using.

Rule 2

The dst-address of is actually my WAN IP. This is automatically updated by a script that looks for the word “hairpin” in the comment. This is explained more in this article.
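
Why rule 1 is needed, as an added example (not the author's code): a small Python model of one TCP connection from a LAN client to the WAN address on port 8090, with and without the loopback masquerade rule. All addresses are constructed assumptions, since the page's own values are not shown, and the model ignores source-port rewriting.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed addresses (assumptions; the page's own values are not shown).
LAN = ipaddress.ip_network("192.168.88.0/24")  # assumed LocalNet subnet
ROUTER_LAN = "192.168.88.1"                    # assumed router LAN address
WAN_IP = "203.0.113.10"                        # assumed WAN address
CAM = "192.168.88.50"                          # assumed camera address

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def in_lan(addr):
    return ipaddress.ip_address(addr) in LAN

def dstnat(p):
    """Rule 2: TCP to WAN_IP:8090 is rewritten to the camera on port 80."""
    if p.dst == WAN_IP and p.dport == 8090:
        return replace(p, dst=CAM, dport=80)
    return p

def srcnat(p, loopback_rule):
    """Rule 1: LocalNet -> LocalNet traffic is masqueraded to the router."""
    if loopback_rule and in_lan(p.src) and in_lan(p.dst):
        return replace(p, src=ROUTER_LAN)
    return p

def hairpin(client, loopback_rule):
    """Return (reply source as seen by the client, connection works)."""
    syn = Packet(client, 40000, WAN_IP, 8090)
    at_cam = srcnat(dstnat(syn), loopback_rule)
    # The camera answers whoever the SYN appeared to come from.
    reply = Packet(at_cam.dst, at_cam.dport, at_cam.src, at_cam.sport)
    if reply.dst == ROUTER_LAN:
        # The reply goes back through the router, which undoes both
        # translations from its connection-tracking entry.
        reply = Packet(syn.dst, syn.dport, syn.src, syn.sport)
    # Otherwise the camera is on the client's subnet and replies directly,
    # so the router never gets the chance to reverse the dst-nat.
    works = (reply.src, reply.sport) == (syn.dst, syn.dport)
    return f"{reply.src}:{reply.sport}", works
```

Without rule 1 the client sees a reply from the camera's own address and port, which matches no connection it opened, so the TCP handshake never completes.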

  • Pedro Diaz

    Jim: Could you explain what the first line of the script means, especially [Jim@Jims_MIkrotik]?

    • admin

      Yeah, that’s not a script, it’s just the “print” output from Terminal. The first line is the Terminal prompt, then me typing the print command at /ip firewall nat

      This is just an example of what YOUR “print” output would look like in that scenario.

  • Pedro Diaz

    Oh, I see.