Last updated: August 14, 2013 at 20:55 pm
Down & dirty hairpin NAT example:
Here is the setup for an IP camera located at http://192.168.0.200:80. It can be reached locally or remotely at http://jims.ddns.address:8090.
[jim@Jims_Mikrotik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; default configuration
     chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=ether1-gateway

 1   ;;; loopback
     chain=srcnat action=masquerade src-address-list=LocalNet dst-address-list=LocalNet out-interface=ether2-master

 2   ;;; IP Cam - hairpin
     chain=dstnat action=dst-nat to-addresses=192.168.0.200 to-ports=80 protocol=tcp dst-address=xxx.xxx.xxx.xxx dst-port=8090
Rule 0 is the default masquerade rule.
This is on an RB750GL, so the out-interface in rule 1 is ether2-master, since that is the master interface for my LAN. On an RB2011 the out-interface in that rule should be bridge-local (if the default settings haven’t been changed).
The LocalNet address list is simply 192.168.0.0/24, since that is the only subnet I’m using.
The dst-address of xxx.xxx.xxx.xxx is actually my WAN IP. This is automatically updated by a script that looks for the word “hairpin” in the Comment. This is explained more in this Article.
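Why the loopback rule (rule 1) is needed, as an added Python sketch that is not from the original post: it traces a LAN client's connection to the WAN address through rules 2 and 1, with and without the masquerade. The WAN IP 203.0.113.10, router LAN address 192.168.0.1 and client 192.168.0.50 are assumed placeholder values, and the out-interface match is simplified to "both ends in LocalNet".

```python
from ipaddress import ip_address, ip_network

LOCALNET = ip_network("192.168.0.0/24")   # the LocalNet address list from the page
CAMERA = ("192.168.0.200", 80)            # camera address from the page
WAN_IP = "203.0.113.10"                   # assumed placeholder for xxx.xxx.xxx.xxx
ROUTER_LAN = "192.168.0.1"                # assumed router LAN address
CLIENT = "192.168.0.50"                   # constructed LAN client

def forward(src, dst, dport, loopback_rule=True):
    """Apply rule 2 (dstnat), then rule 1 (srcnat); return (src, dst, dport)."""
    # Rule 2: dst-nat WAN_IP:8090 to the camera on port 80
    if dst == WAN_IP and dport == 8090:
        dst, dport = CAMERA
    # Rule 1: masquerade when source and destination are both in LocalNet
    if loopback_rule and ip_address(src) in LOCALNET and ip_address(dst) in LOCALNET:
        src = ROUTER_LAN
    return src, dst, dport

def hairpin_works(loopback_rule):
    """True if the reply comes from the address the client connected to."""
    seen_src, cam_ip, _ = forward(CLIENT, WAN_IP, 8090, loopback_rule)
    if seen_src == ROUTER_LAN:
        # Camera answers the router; connection tracking undoes both
        # translations, so the client sees a reply from WAN_IP.
        reply_src = WAN_IP
    else:
        # Camera sees the client's own LAN address and answers it directly
        # on the local subnet, bypassing the router.
        reply_src = cam_ip
    # The client opened a connection to WAN_IP and drops replies from elsewhere.
    return reply_src == WAN_IP

if __name__ == "__main__":
    print("with loopback rule:   ", hairpin_works(True))
    print("without loopback rule:", hairpin_works(False))
    # A remote client (constructed address) keeps its real source address.
    print("remote client:", forward("198.51.100.7", WAN_IP, 8090))
```

One side effect visible in the trace: every hairpinned LAN connection reaches the camera with the router's address as its source, so the camera's own access log cannot tell local clients apart.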