Mikrotik Hairpin NAT


I needed to configure some NAT rules on a Mikrotik, but the rules only worked from outside in. The customer uses split DNS for the domain, so a local address on the mail client, and it needed a loopback rule. In the end I wrote the rules into the router using the terminal, or ssh.

Here’s an example of forwarding port 25.

Router is on

Server is on

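/ip firewall nat
# Forward TCP/25 arriving at any of the router's own addresses to the server
add chain=dstnat dst-address-type=local protocol=tcp dst-port=25 \
    action=dst-nat to-addresses= to-ports=25
/ip firewall nat
# Hairpin: masquerade LAN-to-server traffic so replies return through the router
add chain=srcnat src-address= \
    dst-address= protocol=tcp dst-port=25 \
    out-interface=bridge-local action=masquerade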


You can then open WinBox, go to IP / Firewall / NAT, and you will see your new rules.
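Why the second (srcnat) rule is needed, as an added example that is not part of the original post: a small Python trace of one TCP/25 connection through the two rules above. All addresses and the `trace` function are constructed for illustration; the post's real addresses are not shown.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses (assumptions, not from the original post)
LAN = ip_network("192.168.88.0/24")
ROUTER_LAN = ip_address("192.168.88.1")   # router's address on bridge-local
PUBLIC = ip_address("203.0.113.10")       # router's WAN address
SERVER = ip_address("192.168.88.10")      # internal mail server


def trace(client, masquerade):
    """Follow a connection from `client` to PUBLIC:25 and back.

    masquerade=True models the srcnat/masquerade (hairpin) rule.
    """
    src = ip_address(client)
    # dstnat rule: the packet is addressed to PUBLIC, which is one of the
    # router's own addresses (dst-address-type=local), so the destination
    # is rewritten to SERVER.
    # srcnat rule: only LAN clients heading for the server are masqueraded.
    if masquerade and src in LAN:
        src = ROUTER_LAN
    server_sees = src
    # The server answers whatever source it saw. A LAN host other than the
    # router is reached directly at layer 2, so the reply bypasses the router
    # and connection tracking never restores PUBLIC as the source.
    via_router = server_sees == ROUTER_LAN or server_sees not in LAN
    reply_src = PUBLIC if via_router else SERVER
    # The client's TCP stack only accepts a reply from the address it dialled.
    return {
        "server_sees": str(server_sees),
        "reply_src": str(reply_src),
        "works": reply_src == PUBLIC,
    }


if __name__ == "__main__":
    for client, masq in [("192.168.88.50", False),
                         ("192.168.88.50", True),
                         ("198.51.100.7", True)]:
        print(client, "masquerade" if masq else "dstnat only", trace(client, masq))
```

The trace also shows a side effect worth checking: with the hairpin rule, the mail server logs every internal client as the router's LAN address, so IP-based relay permissions and log analysis on the server no longer distinguish internal hosts.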