How to: MikroTik Hairpin NAT with dynamic WAN IP for dummies

9 January 2019: This post is obsolete. Please refer to this awesome video tutorial by Stevocee who explains how to use the (free built-in) DDNS feature to setup Hairpin NAT with Dynamic WAN IP and port forwarding:

About half a year ago, I bought a Mikrotik RouterBoard RB962UiGS-5HacT2HnT hAP AC (Phew! What a mouthful!). It’s a great router, or should I say routerboard, which has more features I could ever wish for… maybe even too many!

Nevertheless, out of the box, I was unable to visit my local NAS/Webserver using the WAN IP from my local network. After a quick Google DuckDuckGo search, I discovered that this requires a so-called ‘Hairpin NAT’. Basically, it reroutes all traffic sent to your WAN IP from your local network, back to (a specific IP address in) your local network. Graphically, it looks like this:

See the arrow which, with a little bit of imagination, looks like a hairpin? Hence the name…anyway, let’s continue!

However, the issue with most Hairpin NAT configurations you find online is that it requires you to have a static WAN IP, which I don’t have. Additionally, most tutorials use the terminal, whereas I prefer the graphical interface of Winbox. Therefore, I figured out how to setup a Hairpin NAT in combination with a dynamic WAN IP using Winbox myself and since ‘sharing is caring’, here’s how to do it:

  1. Connect to your Mikrotik using Winbox
  2. Select IP –> Firewall from the menu
  3. Make sure that the default ‘defconf: masquerade’ rule is on top, which looks as follows:
  4. Add a new rule as follows, name it ‘Hairpin NAT’, which looks as follows (replace with your own local network IP range):
  5. Add another rule. This rule will contain the IP and port you are trying to reroute. For example, lets say I want to connect to my local NAS running on IP and port 1337 using my WAN IP, my rule would look like this:
    Don’t forget the exclamation mark in front of the Destination Address!
    Protip: You can add more ports in the same rule. Just split ranges with dashes like this: 1330-1337 and multiple ports with commas like so: 80,443,1330-1337
  6. Done! You should now be able to access your NAS/Webserver using your WAN IP from your local network. Feel free to add more rules to your liking, but remember, the order is important. So first the ‘defconf: masquerade’ rule, then the ‘Hairpin NAT’ rule and then all other rules :)

14 thoughts on “How to: MikroTik Hairpin NAT with dynamic WAN IP for dummies

  1. It’s working! Thank you for taking your time for the explanation! (and yes, I forgot the exclamation mark at the end :-) )

  2. Thanks….
    can you explain please, which step make server can be access from internet with IP Public and which step make server can be access from local network using public IP ?

    1. Hi! Thanks for your comment. I don’t quite understand what you mean. Could you please clarify your question a bit more so that I can be of help? Thank you!

  3. Great article… worked for me… but I would like to understand why you wrote the rules the way you did…most people wouldn’t care to know the why as long as it works but you have effectively fixed an issue I couldn’t find an explanation for…
    Would you be so kind to explain the logic behind each rule? Specially what the “type local” is doing

    1. Hi Mike! Thanks for your comment. To be honest, I don’t exactly know the logic behind each rule. The rule-set in my post is the result of a lot of trail-and-error. Sorry!

  4. Hi,
    Thanks for this info.

    Just a question if you can help me out.

    The question is:
    Webserver ( —-> Mikrotic —-> Router ADSL (33.44.4.xx:8080) Ether3 ——- >MIKROTIC
    PC ( —————————> Ether4 ———> //
    2 – How can a pc is able to access a webserver which is on a different subnet using Mikrotic.


    1. Hi Jacob,
      Great question, but it has nothing to do with setting up a Hairpin NAT AFAIK. Honestly, I don’t know, sorry!
      Kind regards,

Leave a Reply

Your email address will not be published. Required fields are marked *