I'm a Network Engineer and I learnt something! I had heard the term Hairpin NAT, but had never looked into it before. Thank you for explaining WHY you would use Hairpin NAT, it makes sense and I can see the use cases :)
Me too. Although I have a decade of enterprise networking experience, I always learn something from these videos - even if I already "know" the answer.
Now this is a nice one! I have static DNS entries with the local addresses on the server subnet, but now I can have piece of mind by removing all the DNS entries and "fix" it with a simple firewall rule. No more forgetting to add/remove domains. Thanks a lot!
Now, if you want multiple websites/services on a single port (for example 443) I think you'd need to internally target a reverse proxy which then distributes request to targets based of URL. This can also simplify the https setup to a only that reverse proxy. I still recommend using at least self signed certificates on the final backends.
For the hairpin rule, why wouldn't you just set dst-address=10.0.0.0/24 for your LAN instead of a particular IP, to handle all your port forwards, instead of just the one for that server?
I just recently discovered src-nat masquerading when I was trying to solve the issue of getting into a VPN client's network from the host's public when the client was set up for split tunneling. I had the same basic problem. I wanted to port-forward from my host network's public IP over the VPN to a client that only had internet access through CG-NAT. Packets would dst-nat to the server behind the VPN client but exit out the CG-NAT connection via the default route. The solution was to src-nat & masquerade all ppp connections. Hard not to love MikroTik the more I learn with them.
You have an error in paragraph 2 showing at time 3:23, SPECIFICALLY, paragraph 2. The first sentence is correct but the second sentence should state: "The source IP address 10.0.0.2 is sourcenatted to the lP address of the LAN interface 10.0.0.1 which should be displayed ( as per your own words! ).
You can fool a program that refuses to connect to localhost into thinking the server is actually on the internet, or the other way around. I love how on Mikrotik we can have many combinations of nats simultaneously active.
The end of video 3:54 seems wrong. I think the correct one is ...and puts the original destination IP address of 172.16.16.1 into the source IP address field, and the original source IP address of 10.0.0.2 into the destination IP address field.
Got it to work thanks. Only thing I am logically confused about is why the server is in the DST address field when setting up the hairpin NAT rule. Shouldn't it be in the SRC, since the issue is the PC (client) getting the answer from internal server IP causing the issue. I assume it's about how the connection is started / established, and that's why server has to go in DST? Afterwards the router treats the whole connection with action = masquerade?
In my opinion, it is better to use static DNS for this purpose. This is because in investigation processes, you will see no source address in the application log.
Accessing by LAN IP will give you false sense of “it’s all working” when it may be not working from public IP for your regular website viewers. If you want to see your server in the same way as your other visitors, you must access it the same way.
There also example using connection mark without using out interface for masquerade if we use the general rule for all posible nat reflections with LAN and WAN address lists.
As far as i know the dst nat rule doesnt work at all in case of the insider request that contain the public ip, and in 2:20 you say that the server see the request came from the 10.0.0.2 🤔..? What I understand from this statement is that the dst nat rule is worked when this request come and the output result of this request is 10.0.0.3 duo to the predefined rule, that is make the server see that the request from 10.0.0.2 Is that correct..? Please can you explain.??
Worked great for allowing access to my Blue Iris webserver by using WAN IP on WiFi. Now I wont need 2 hyperlinks to choose from depending on whether I'm on WiFi or mobile network to check my cams!
I have been wanting to make this work literally for years. This did the trick. I had not realized before that there is no need for selecting the WAN as the "in interface" for port forwarding rule. Once I removed that from my rule(s) the hairpin rule magically started working. One down, one to go. Can you cover how to configure dual WAN (DHCP, not static, addressing) with failover/load balancing? It'd be much appreciated.
He is not correct. Accessing by LAN IP will give you false sense of “it’s all working” when it may be not working from public IP for your regular website viewers. If you want to see your server in the same way as your other visitors, you must access it the same way.
Hi, Thanks that! How can this work if the server on a VLAN and the local PC is on the bridge? That settings will work? I do not think so. VLAN managed on Layer 2, NAT may on Layer 3 or am I wrong? Thanks any.
This is really good, but one point could be made a little more strongly. You are hardcoding the WANIP, but in the case that your WANIP is dynamic (which is quite common), you should use address lists and maybe DYDNS
That way you will not know if your real visitors can also open your site, any dns issue could be missed. Also your public IP could change and you would not notice. Always test 1:1 just like your customers will see your page
use the ip -> cloud -> ddns function, create address list (under firewall) -> put the dyndns there + give it a name (DDNS_NAME). in the nat rule choose -> dst address list -> DDNS_NAME
If you don't have a fixed IP, you could use MikroTik Cloud DNS name, then purchase a domain name and use that as CNAME alias. Your IP still needs to be a public IP.
yes, Sean is right, if your Hairpin NAT rule references a specific IP address, it will stop working if your public IP changes. Some scripting will be required in addition to what is in the video.
@MikroTik, in my PortForward rules, I an bit able to configure a static "destination ip", since it's a rotating ip address of my ISP. So I thought to configure In.Interface "WAN" instead of the "Dst. IP".. but by that, all traffic is masqeraded to the webserver ^^. Did I miss anything?
Thought someone would ask that. I have the same issue, i commented that (or more) Rule with "HNAT" and then wrote a small script that takes the external IP from either WAN Interface or the IP/Cloud Menu and puts it in every NAT Rule with the Comment "HNAT" as Destination IP. Run that every 5 Minutes or wo, works great so far! Also my Cloudflare DynDNS Script works awesome to renew DNS Entries when it's changed
Could you show me how to limit clients download speed big files but if clients browser normal internet they will get max speed. I have tried queue but not working.
Router doesn’t know which file is big, because it has not seen it yet. So it’s not possible. You can use Burst function to allow fast speed for a few seconds and the slow down the download. It will have a similar effect
But in this scenario all requests from lan to 10.0.0.3 will work like you talk to 172.16.16.1. And this is not the expected behaviour. I think we need better solution.
Hi there - thank you for these informed videos. I am posting here, as this actually gets some attention. We run an enterprise size network with Mikrotik only, and have some very intricate setups, with intricate questions. Why won't you please consider creating expert paid support, so we can have your engineer inputs on demand ? Also, I am sure that when you can get info about big setups, you can build your software better. Thank you
@@mikrotik no that’s not your engineers that are doing support. Those are people having studied your courses. We are looking for direct support from your own Mikrotik engineers and design team, and are willing to pay for that.
@@fluppir a correct answer is a correct answer, regardless of the source. there are plenty of resources available. if you NEED something THAT boutique and customized and your configs are THAT complex, you're probably designing your networks sub-optimally. i'd look at why you think you require this level of support in the first place.
Accessing by LAN IP will give you false sense of “it’s all working” when it may be not working from public IP for your regular website viewers. If you want to see your server in the same way as your other visitors, you must access it the same way.
@@mikrotik That has nothing to do with hairpin nat which is not required for external access. Wrong thinking. One can easily check reaching a server by using cellular service or ask a friend.
I already clarified why it's bad advice above your comment. If you are using a different IP to access your webserver, you will not get the same experience as your real users from the internet side. If your public IP stops working, your internet connection has issues, you will not see this, because it will work for yourself.
spoke too soon. Doing this method broke my internet. It would be nice if in these videos they actually showed all this working. Just do not understand why Mikrotik simply does not have a dedicated setting for hairpin like other router OSes. Just frustrating.
In my home network I have my own DNS server, so I just redirect the address directly to the internal IP of the server, completely bypassing the router.
You are missing the point of the issue. If you use your own dns, you have a different usage experience than your website visitors. If your website is configured incorrectly or is having a dns problem, you will not see it. Using hairpin NAT helps you to see your website just like all the other users.
Really helpfull, but maybe it's just me but it is a bit confusing to read at 3:30 from the text that the "source ip address stays the same : 10.0.0.2" and you say the router srcnat-ed the source address to 10.0.0.1 (thus the packet will go back to the router) Or maybe i'm not really familiar with the lingo at this point.
That is not correct. Accessing by LAN IP will give you false sense of “it’s all working” when it may be not working from public IP for your regular website viewers. If you want to see your server in the same way as your other visitors, you must access it the same way.
or, u can use dst-address-type=local add action=dst-nat chain=dstnat dst-address=YOUR_PUBLIC_IP dst-address-type=local \ dst-port=8000 protocol=tcp to-addresses=172.25.50.2 to-ports=8000
![Lp. Сердце Вселенной #60 РОЖДЕНИЕ ЛОЛОЛОШКИ [Финал] • Майнкрафт](http://i.ytimg.com/vi/YoR0pAV9FVQ/mqdefault.jpg)
I'm a Network Engineer and I learnt something! I had heard the term Hairpin NAT, but had never looked into it before. Thank you for explaining WHY you would use Hairpin NAT, it makes sense and I can see the use cases :)
Its often done on other routers by a checkbox called Loop back.
Me too. Although I have a decade of enterprise networking experience, I always learn something from these videos - even if I already "know" the answer.
Now this is a nice one! I have static DNS entries with the local addresses on the server subnet, but now I can have piece of mind by removing all the DNS entries and "fix" it with a simple firewall rule. No more forgetting to add/remove domains.
Thanks a lot!
When i see a new video of you thats make feel very happy 😊
I'm discovery this alone... on dificults of day of day... but, this information is amazing on these format! Thanks Mikrotik! 😊
Now, if you want multiple websites/services on a single port (for example 443) I think you'd need to internally target a reverse proxy which then distributes request to targets based of URL. This can also simplify the https setup to a only that reverse proxy. I still recommend using at least self signed certificates on the final backends.
Thanks. Seems it is one of the favorite FAQ for user migrate to use Mikrotik router and finally get the official answer.
For the hairpin rule, why wouldn't you just set dst-address=10.0.0.0/24 for your LAN instead of a particular IP, to handle all your port forwards, instead of just the one for that server?
Just because he's not lazy.
Thank you very much. He explained everything very clearly.
This is why i love mikrotik for routing
love from India.
Great explanation!
Thank you!
THANK YOU SOO MUCH. IT IS WORKING AND YOU HAVE SAVED ME
I just recently discovered src-nat masquerading when I was trying to solve the issue of getting into a VPN client's network from the host's public when the client was set up for split tunneling. I had the same basic problem. I wanted to port-forward from my host network's public IP over the VPN to a client that only had internet access through CG-NAT. Packets would dst-nat to the server behind the VPN client but exit out the CG-NAT connection via the default route. The solution was to src-nat & masquerade all ppp connections.
Hard not to love MikroTik the more I learn with them.
You have an error in paragraph 2 showing at time 3:23, SPECIFICALLY, paragraph 2. The first sentence is correct but the second sentence should state: "The source IP address 10.0.0.2 is sourcenatted to the lP address of the LAN interface 10.0.0.1 which should be displayed ( as per your own words! ).
I was going to point out this exact same thing too😅
@@mfarokh27 Thats okay it was a beta video jajajajaja
@@Anavllama 😂
Agree, and I was wondering if they capture bridge traffic and mess with IP headers 😂
You can fool a program that refuses to connect to localhost into thinking the server is actually on the internet, or the other way around. I love how on Mikrotik we can have many combinations of nats simultaneously active.
The end of video 3:54 seems wrong.
I think the correct one is ...and puts the original destination IP address of 172.16.16.1 into the source IP address field, and the original source IP address of 10.0.0.2 into the destination IP address field.
Got it to work thanks. Only thing I am logically confused about is why the server is in the DST address field when setting up the hairpin NAT rule. Shouldn't it be in the SRC, since the issue is the PC (client) getting the answer from internal server IP causing the issue. I assume it's about how the connection is started / established, and that's why server has to go in DST? Afterwards the router treats the whole connection with action = masquerade?
This settings works like a charm :)
In my opinion, it is better to use static DNS for this purpose. This is because in investigation processes, you will see no source address in the application log.
Accessing by LAN IP will give you false sense of “it’s all working” when it may be not working from public IP for your regular website viewers. If you want to see your server in the same way as your other visitors, you must access it the same way.
Of course, you are right, but i'm talking about visibility, not accessibility
@@mikrotik but if you are under dynamic IP public address static dns it's the only solution because you don't allow DST Ip has a dinàmic name
No, but there are other ways to solve it. Static DNS is direct way to undiagnosed network problems.
There also example using connection mark without using out interface for masquerade if we use the general rule for all posible nat reflections with LAN and WAN address lists.
As far as i know the dst nat rule doesnt work at all in case of the insider request that contain the public ip, and in 2:20 you say that the server see the request came from the 10.0.0.2 🤔..? What I understand from this statement is that the dst nat rule is worked when this request come and the output result of this request is 10.0.0.3 duo to the predefined rule, that is make the server see that the request from 10.0.0.2 Is that correct..? Please can you explain.??
Worked great for allowing access to my Blue Iris webserver by using WAN IP on WiFi. Now I wont need 2 hyperlinks to choose from depending on whether I'm on WiFi or mobile network to check my cams!
I have been wanting to make this work literally for years. This did the trick. I had not realized before that there is no need for selecting the WAN as the "in interface" for port forwarding rule. Once I removed that from my rule(s) the hairpin rule magically started working. One down, one to go. Can you cover how to configure dual WAN (DHCP, not static, addressing) with failover/load balancing? It'd be much appreciated.
great shirt! :)
Thank you. This helped
What if you have a dynamic public IP address?
ddns
a more productive solution in the described example would be a static dns entry with a local ip
Can you explain why?
He is not correct. Accessing by LAN IP will give you false sense of “it’s all working” when it may be not working from public IP for your regular website viewers. If you want to see your server in the same way as your other visitors, you must access it the same way.
That is also called NAT reflection.
But the server receives the packet with the source IP of the Public IP of the router - Why would it know anything about the end host?
Hi, Thanks that! How can this work if the server on a VLAN and the local PC is on the bridge? That settings will work? I do not think so. VLAN managed on Layer 2, NAT may on Layer 3 or am I wrong? Thanks any.
Advantage/Disadvantage vs the Split DNS way ???
This is really good, but one point could be made a little more strongly. You are hardcoding the WANIP, but in the case that your WANIP is dynamic (which is quite common), you should use address lists and maybe DYDNS
My prayers answered! sick of putting local IP to DNS in the hosts file!
...or i can just static dns mapped to the LAN IP, right?
That way you will not know if your real visitors can also open your site, any dns issue could be missed. Also your public IP could change and you would not notice. Always test 1:1 just like your customers will see your page
What happens when you public ip is dynamic address via PPPoE interface?
use the ip -> cloud -> ddns function, create address list (under firewall) -> put the dyndns there + give it a name (DDNS_NAME). in the nat rule choose -> dst address list -> DDNS_NAME
Thank You for the video. One cuestion, ¿It work if I dont have a fixed IP public?. I work with the cloud IP of MK.
If you don't have a fixed IP, you could use MikroTik Cloud DNS name, then purchase a domain name and use that as CNAME alias. Your IP still needs to be a public IP.
it will work with no problems.
@@seantellsit1431 i use like he said in the vídeo and i have a dynamic IP address.
yes, Sean is right, if your Hairpin NAT rule references a specific IP address, it will stop working if your public IP changes. Some scripting will be required in addition to what is in the video.
That will hide source IP in the web server logs. It’s a workaround.
Nice to have, but for a LAN, it may be less convoluted to simply set this up in DNS - point the web URL to the internal web server IP.
@MikroTik, in my PortForward rules, I an bit able to configure a static "destination ip", since it's a rotating ip address of my ISP.
So I thought to configure In.Interface "WAN" instead of the "Dst. IP".. but by that, all traffic is masqeraded to the webserver ^^.
Did I miss anything?
Thought someone would ask that. I have the same issue, i commented that (or more) Rule with "HNAT" and then wrote a small script that takes the external IP from either WAN Interface or the IP/Cloud Menu and puts it in every NAT Rule with the Comment "HNAT" as Destination IP. Run that every 5 Minutes or wo, works great so far! Also my Cloudflare DynDNS Script works awesome to renew DNS Entries when it's changed
@@Dgeigerd would you share this script with me?
Could you show me how to limit clients download speed big files but if clients browser normal internet they will get max speed. I have tried queue but not working.
Router doesn’t know which file is big, because it has not seen it yet. So it’s not possible. You can use Burst function to allow fast speed for a few seconds and the slow down the download. It will have a similar effect
@@mikrotik Could you please give me how to use Burst function ?
Other vendors have this feature by default for 10+ years. Mikrotik is still not there 😭
We have this feature for more than 20 years
@@mikrotik "by default" = out of the box = no configuration needed
IMO with Mikrotik it's an advanced topic and very setup/configuration specific.
@@MyAeroMove Use "by default" dvice and maybe it' yur advanced style) But we love MT advanced zeeroconf style (' ')
But in this scenario all requests from lan to 10.0.0.3 will work like you talk to 172.16.16.1. And this is not the expected behaviour. I think we need better solution.
Never got it to work at all
Hi there - thank you for these informed videos. I am posting here, as this actually gets some attention. We run an enterprise size network with Mikrotik only, and have some very intricate setups, with intricate questions. Why won't you please consider creating expert paid support, so we can have your engineer inputs on demand ? Also, I am sure that when you can get info about big setups, you can build your software better. Thank you
We actually do have paid support. Check this link for information mikrotik.com/consultants
@@mikrotik no that’s not your engineers that are doing support. Those are people having studied your courses. We are looking for direct support from your own Mikrotik engineers and design team, and are willing to pay for that.
We do not provide such services. Our engineers are busy making products.
@@fluppir a correct answer is a correct answer, regardless of the source. there are plenty of resources available. if you NEED something THAT boutique and customized and your configs are THAT complex, you're probably designing your networks sub-optimally. i'd look at why you think you require this level of support in the first place.
Make a video about multicast vxlan please
Why not access your server by LANIP............... ;-) Excellent visual representation.
Accessing by LAN IP will give you false sense of “it’s all working” when it may be not working from public IP for your regular website viewers. If you want to see your server in the same way as your other visitors, you must access it the same way.
@@mikrotik That has nothing to do with hairpin nat which is not required for external access. Wrong thinking. One can easily check reaching a server by using cellular service or ask a friend.
This is truly bad advice.
@@mikrotik Nice an opinion with no facts. Keep up the misinformation.
I already clarified why it's bad advice above your comment. If you are using a different IP to access your webserver, you will not get the same experience as your real users from the internet side. If your public IP stops working, your internet connection has issues, you will not see this, because it will work for yourself.
spoke too soon. Doing this method broke my internet. It would be nice if in these videos they actually showed all this working. Just do not understand why Mikrotik simply does not have a dedicated setting for hairpin like other router OSes. Just frustrating.
Excelent!
New video o/ ❤
In my home network I have my own DNS server, so I just redirect the address directly to the internal IP of the server, completely bypassing the router.
You are missing the point of the issue. If you use your own dns, you have a different usage experience than your website visitors. If your website is configured incorrectly or is having a dns problem, you will not see it. Using hairpin NAT helps you to see your website just like all the other users.
😋fullcone nat (3-tuple) on routeros, it that possible?
Really helpfull, but maybe it's just me but it is a bit confusing to read at 3:30 from the text that the "source ip address stays the same : 10.0.0.2" and you say the router srcnat-ed the source address to 10.0.0.1 (thus the packet will go back to the router)
Or maybe i'm not really familiar with the lingo at this point.
Me too
Thanks Obi-Wan Kenobi
the only acceptable solution is split-dns.
That is not correct. Accessing by LAN IP will give you false sense of “it’s all working” when it may be not working from public IP for your regular website viewers. If you want to see your server in the same way as your other visitors, you must access it the same way.
there is one other solution in some non RouterOS firewalls - DNS rewrite option in NAT translation
star wars, star wars, seaguls
of course, another useless tutorial that does not work at all.
or, u can use dst-address-type=local
add action=dst-nat chain=dstnat dst-address=YOUR_PUBLIC_IP dst-address-type=local \
dst-port=8000 protocol=tcp to-addresses=172.25.50.2 to-ports=8000
AFAIK 172.16.x.x is a private IP pool.
Would you rather us give a real existing IP in the example?