9 January 2019: This post is obsolete. Please refer to this awesome video tutorial by Stevocee who explains how to use the (free built-in) DDNS feature to setup Hairpin NAT with Dynamic WAN IP and port forwarding:
About half a year ago, I bought a Mikrotik RouterBoard RB962UiGS-5HacT2HnT hAP AC (Phew! What a mouthful!). It’s a great router, or should I say routerboard, which has more features I could ever wish for… maybe even too many! Nevertheless, out of the box, I was unable to visit my local NAS/Webserver using the WAN IP from my local network. After a quick Google DuckDuckGo search, I discovered that this requires a so-called ‘Hairpin NAT’. Basically, it reroutes all traffic sent to your WAN IP from your local network, back to (a specific IP address in) your local network. Graphically, it looks like this: However, the issue with most Hairpin NAT configurations you find online is that it requires you to have a static WAN IP, which I don’t have. Additionally, most tutorials use the terminal, whereas I prefer the graphical interface of Winbox. Therefore, I figured out how to setup a Hairpin NAT in combination with a dynamic WAN IP using Winbox myself and since ‘sharing is caring’, here’s how to do it: Connect to your Mikrotik using Winbox Select IP –> Firewall from the menu
Make sure that the default ‘defconf: masquerade’ rule is on top, which looks as follows:
Add a new rule as follows, name it ‘Hairpin NAT’, which looks as follows (replace 192.168.88.0/24 with your own local network IP range):
Add another rule. This rule will contain the IP and port you are trying to reroute. For example, lets say I want to connect to my local NAS running on IP 192.168.88.50 and port 1337 using my WAN IP, my rule would look like this:
Don’t forget the exclamation mark in front of the Destination Address!
Protip: You can add more ports in the same rule. Just split ranges with dashes like this: 1330-1337 and multiple ports with commas like so: 80,443,1330-1337 Done! You should now be able to access your NAS/Webserver using your WAN IP from your local network. Feel free to add more rules to your liking, but remember, the order is important. So first the ‘defconf: masquerade’ rule, then the ‘Hairpin NAT’ rule and then all other rules :)