Hairpin NAT – Mikrotik

This blog is mainly meant to help others by giving hints and tips, ideally found through the tried and tested "google it" method when they run into problems.
That is why this post is in English.

Most consumer routers/firewalls have loopback (or "hairpin") NAT set up in the firmware. Core routers whose main purpose is not gateway functionality might not have it, and until you start using "heavy machinery" you might not even have heard of the loopback NAT problem.

When visiting degree-sites from inside our LAN after switching our core gateway to Mikrotik, we started getting timeouts. We host this blog and other sites behind the core gateway, so NAT would cause e.g. "" to be redirected back to the DMZ LAN address (which the sites won't accept). The underlying problem is that the web server sees the client's LAN address as the source and answers it directly instead of through the router, so the client gets a reply from the DMZ address rather than from the public IP it connected to and discards it. To solve this we have to enable masquerading on LAN-WAN-LAN connections.

To enable loopback NAT, match the dst-nat rule on the public address (not only on the WAN interface, so it also fires for LAN clients), and add a src-nat or masquerade rule for traffic from your LAN to the server, in addition to the usual masquerade on the gateway interface. That forces the server's replies back through the router, which rewrites them to the public address the client expects.

For Mikrotik on specific ports (the srcnat rule is restricted to src-address=<LAN_NET>; without that restriction every connection from the Internet would also be rewritten to the router's address and the web server's logs would no longer show real client IPs):
/ip firewall nat
add chain=dstnat dst-address=<Public_IP_address> protocol=tcp dst-port=80 action=dst-nat to-addresses=<Web_Server_IP_address> to-ports=80 comment="web: forward port 80"

add chain=srcnat src-address=<LAN_NET> dst-address=<Web_Server_IP_address> protocol=tcp dst-port=80 action=src-nat to-addresses=<Router_Internal_IP_address> comment="web: hairpin for LAN clients"

Or, when your Mikrotik is your gateway (and your DNS is inside the LAN, so traffic should never hit the gateway unless it is destined for the WAN):

(assuming you're already masquerading your LAN)

/ip firewall nat
add chain=srcnat src-address=<LAN_NET> dst-address=<WEB_SERVER> protocol=tcp dst-port=80 out-interface=LAN action=masquerade comment="web: hairpin for LAN clients"
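For reference, here is the two-rule approach above written out as a complete, self-consistent configuration, together with the forward-chain filter rule a default-drop firewall needs and a command to verify the result. This is an added example, not configuration from the original post; the public IP 203.0.113.10, the LAN 192.168.88.0/24 with router address 192.168.88.1, the web server 192.168.90.10, and the interface names ether1 and bridge-lan are all assumed values chosen for illustration.

```routeros
# Added example (not from the original post): full hairpin NAT for a DMZ web
# server behind a RouterOS gateway. Assumed values, for illustration only:
#   ether1          = WAN interface carrying the public IP 203.0.113.10
#   bridge-lan      = LAN bridge, LAN network 192.168.88.0/24, router 192.168.88.1
#   192.168.90.10   = web server in the DMZ

/ip firewall nat
# 1) Port forward. Matching on dst-address (the public IP) rather than on
#    in-interface=ether1 is what lets the same rule fire for LAN clients
#    that connect to the public address.
add chain=dstnat dst-address=203.0.113.10 protocol=tcp dst-port=80,443 action=dst-nat to-addresses=192.168.90.10 comment="web: forward 80/443"

# 2) Hairpin. After rule 1 the LAN client's packet is headed for the web
#    server; rewriting its source to the router's address makes the server
#    reply via the router, which then rewrites the reply back to the public
#    IP the client actually connected to. src-address is limited to the LAN
#    so that Internet clients keep their real address in the server's logs.
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.90.10 protocol=tcp dst-port=80,443 action=masquerade comment="web: hairpin"

# 3) The usual LAN -> Internet masquerade. It does not overlap with rule 2,
#    because hairpinned traffic leaves through the DMZ side, not ether1.
add chain=srcnat out-interface=ether1 action=masquerade comment="LAN -> WAN"

/ip firewall filter
# 4) A default-drop forward chain still has to let the forwarded connections
#    through; accept only what rule 1 has already dst-nat'ed. Place this rule
#    above the final drop rule of the forward chain.
add chain=forward connection-state=new connection-nat-state=dstnat dst-address=192.168.90.10 protocol=tcp dst-port=80,443 action=accept comment="web: allow dst-nat'ed traffic"

# Verification: from a LAN host, open http://203.0.113.10/ and then list the
# tracked connection. For a hairpinned connection, dst-address is the public
# IP the client used, reply-src-address is the web server, and
# reply-dst-address is the router's LAN address (192.168.88.1 here), not the
# client. If reply-dst-address shows the client's own address, rule 2 is not
# matching and the server is still answering the client directly.
/ip firewall connection print detail where dst-address~"203.0.113.10"
```

The hairpin rule uses masquerade rather than src-nat with a fixed to-addresses so it keeps working if the router's LAN address changes; the explicit src-nat form on the page is equivalent as long as to-addresses is the router's address on the interface facing the web server.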


  • Aage Andre

    Hi, please comment in English (or Norwegian 😉).
    But sure, use it and repost it as much as you'd like.