Mikrotik Hairpin NAT

  Firewall, Linux, NAT, Routers, Unix

I needed to configure some NAT rules on a Mikrotik, but the rules only worked from outside in. The customer uses split DNS for the domain, so the mail client ends up with a local address, and the port forward needed a loopback (hairpin) rule for connections coming from the LAN. In the end I wrote the rules into the router using the terminal, or ssh.

Here’s an example of forwarding port 25.

Router is on 192.168.1.254

Server is on 192.168.1.250

/ip firewall nat
# dstnat: traffic sent to one of the router's own addresses on tcp/25 is
# redirected to the mail server (matches from the WAN and from the LAN)
add chain=dstnat dst-address-type=local protocol=tcp dst-port=25 \
action=dst-nat to-address=192.168.1.250 to-port=25
/ip firewall nat
# srcnat (the hairpin rule): LAN clients that were redirected to the server
# are masqueraded, so the server's replies return via the router instead of
# going straight back to the client with the wrong source address
add chain=srcnat src-address=192.168.1.0/24 \
dst-address=192.168.1.250 protocol=tcp dst-port=25 \
out-interface=bridge-local action=masquerade


You can then open up winbox, go to IP / Firewall / NAT and you will see your new rules.
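Why the second (masquerade) rule is needed, as an added illustration that is not part of the original post: a small Python model of the two rules above, tracing a LAN client's connection to the router's address with and without the hairpin rule. It assumes a client at 192.168.1.10 and simplifies dst-address-type=local to the router's LAN address from the post.

```python
"""Model of the MikroTik hairpin NAT rules from the post (added example).

Addresses 192.168.1.254 (router) and 192.168.1.250 (server) come from the
post; the LAN client 192.168.1.10 used in the test is a constructed value.
"""
from dataclasses import dataclass, replace

ROUTER = "192.168.1.254"   # stands in for dst-address-type=local
SERVER = "192.168.1.250"   # to-address of the dst-nat rule
LAN_PREFIX = "192.168.1."  # simplified src-address=192.168.1.0/24 match


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def dstnat(pkt: Packet) -> Packet:
    """chain=dstnat dst-address-type=local protocol=tcp dst-port=25 -> dst-nat."""
    if pkt.proto == "tcp" and pkt.dport == 25 and pkt.dst == ROUTER:
        return replace(pkt, dst=SERVER)
    return pkt


def srcnat(pkt: Packet, hairpin_rule: bool) -> Packet:
    """chain=srcnat src-address=192.168.1.0/24 dst-address=SERVER dst-port=25 -> masquerade."""
    if (hairpin_rule and pkt.src.startswith(LAN_PREFIX)
            and pkt.dst == SERVER and pkt.dport == 25):
        return replace(pkt, src=ROUTER)  # masquerade: router's address on bridge-local
    return pkt


def reply_source(client: str, hairpin_rule: bool) -> tuple[str, str]:
    """Return (address the client connected to, source address of the reply it sees)."""
    sent = Packet(src=client, dst=ROUTER, dport=25)
    after_nat = srcnat(dstnat(sent), hairpin_rule)
    # The server answers the source it saw. If that is the router, connection
    # tracking reverses both translations on the way back; if it is the client
    # itself (no hairpin rule), the server replies directly on the LAN and the
    # client sees SERVER, not ROUTER, as the source and drops the SYN-ACK.
    if after_nat.src == ROUTER:
        return sent.dst, ROUTER
    return sent.dst, SERVER


def hairpin_works(client: str, hairpin_rule: bool) -> bool:
    """True when the reply's source matches the address the client connected to."""
    expected, actual = reply_source(client, hairpin_rule)
    return expected == actual
```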
