Does Hairpin NAT work with UDP?

Yes. Create a similar dst-nat rule with protocol=udp.

Hairpin NAT or local DNS?

Hairpin provides identical behavior for all devices. Split DNS is cleaner, but only applies to internal clients.

Hairpin NAT doesn’t work — what should I check first?

NAT rule order, FastTrack, established/related in forward, correct srcnat to LAN, and conflicting generic dst-nat rules.

Do I need a rule for every port?

Only if you have separate forwards. A range (e.g. 8000–8010) is fine.

Is there any performance impact?

Negligible in typical scenarios.

Quick help: We can configure Hairpin NAT remotely (AnyDesk/SSH) in 10–15 min.

15–20 min consultation 📞 +359 2 958 6535

MikroTik Hairpin NAT (NAT loopback) – full configuration

Step-by-step for RouterOS v7 and v6 + troubleshooting, common mistakes, and split-DNS comparison.

⚠ This guide is for system administrators and advanced MikroTik users. We show when Hairpin NAT is needed and how to configure it correctly so you can open a local server via its public IP.

Hairpin NAT – access internal server via public IP

Hairpin NAT lets LAN clients access an internal server using its public IP address. Without it, the request stays on the router and fails. Hairpin rewrites the traffic so it looks “external” and the connection succeeds.

1) What is Hairpin NAT

When trying to reach an internal server via the router’s public IP on the same device, packets don’t leave the router and the reply never reaches the client. Hairpin NAT redirects and rewrites the connection so it “loops back” to the server with correct addressing.

2) When it’s needed

Internal server 192.168.88.10, published as 203.0.113.10:8080, must be reachable at the same address from the LAN.
You have internal DNS pointing a service to its public IP.
You want identical URLs/behavior inside and outside (QA, staging, demos).

3) Prerequisites

RouterOS v7 or v6, connection tracking enabled (enabled by default).
Correct interface lists – LAN and WAN.
A working dst-nat rule for external access to the server.

4) Configuration (RouterOS v7 & v6)

4.1 RouterOS v7 – TCP 8080 example

/ip firewall nat
add chain=dstnat in-interface-list=WAN dst-address=203.0.113.10 protocol=tcp dst-port=8080 action=dst-nat to-addresses=192.168.88.10 to-ports=8080 comment="External access"
/ip firewall nat
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.10 action=masquerade comment="Hairpin NAT"

Make sure WAN interfaces are members of in-interface-list=WAN.

4.2 RouterOS v6 – equivalent

/ip firewall nat
add chain=dstnat in-interface=<WAN-IFACE> dst-address=203.0.113.10 protocol=tcp dst-port=8080 action=dst-nat to-addresses=192.168.88.10 to-ports=8080 comment="External access"
/ip firewall nat
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.10 action=masquerade comment="Hairpin NAT"

UDP and port ranges

/ip firewall nat
add chain=dstnat in-interface-list=WAN dst-address=203.0.113.10 protocol=udp dst-port=1194 action=dst-nat to-addresses=192.168.88.10 to-ports=1194
/ip firewall nat
add chain=dstnat in-interface-list=WAN dst-address=203.0.113.10 protocol=tcp dst-port=8000-8100 action=dst-nat to-addresses=192.168.88.10

5) Example diagram


        [ Client 192.168.88.99 ]
                 │
                 │  (LAN)
                 ▼
          ┌──────────────┐
          │   MikroTik   │───► Internet (203.0.113.10)
          └──────────────┘
                 │
                 │ (LAN)
                 ▼
        [ Server 192.168.88.10:8080 ]

Without Hairpin NAT, http://203.0.113.10:8080 won’t open from the LAN, even if the site is accessible from outside. With Hairpin — it works normally.

6) Troubleshooting

Rule order: Place the Hairpin srcnat and the specific dstnat above generic rules.
Forward firewall: do you have accept for connection-state=established,related?
FastTrack: temporarily disable it for testing — it can bypass processing.
Verification: inspect the NAT/connection tables and watch traffic with torch.

/ip firewall nat print detail
/ip firewall connection print where dst-address~"192.168.88.10"
/tool torch interface=<LAN-IFACE> src-address=192.168.88.0/24 dst-address=192.168.88.10

/ip firewall filter add chain=forward connection-state=established,related action=accept comment="Allow established,related"

/ip firewall filter print where action=fasttrack-connection
/ip firewall filter disable X
/ip firewall filter enable X

PBR/VRF: with policy routing/VRF, ensure the return traffic reaches the client.
DNS: split-horizon DNS can “hide” the problem — test directly via public IP/port.

7) Hairpin NAT vs local DNS (Split-horizon)

Approach	Pros	Cons	When?
Hairpin NAT	Same URL inside/outside; no client DNS changes	Extra NAT rule; careful ordering	Small/medium networks, quick rollout
Split-horizon DNS	Clean internal traffic; less conntrack	Requires internal DNS; different inside/outside behavior	Larger environments with central DNS

8) FAQ

Does it work with UDP? Yes — create a similar dst-nat with protocol=udp.
Do I need it for every port? For many ports, use a range (e.g. 8000–8100).
Performance impact? In typical cases — minimal; monitor NAT/conntrack under heavy load.
Is local DNS better? For larger environments — yes. For small/medium — Hairpin is faster and simpler.
FastTrack? Disable it for testing or exclude the specific traffic from fasttrack.

Need help with the setup?

Proper Hairpin NAT configuration (v7/v6)
Port forwarding and unified access (LAN/Internet)
Firewall troubleshooting and optimization

Email us at office@ntg.bg or request a free consultation. More guides: WireGuard site-to-site, MikroTik DNS forwarders.

Tip: keep comments and order tidy in your NAT rules — it makes diagnosing conflicts much easier.

Comments

Loading…

Only registered and logged-in users can comment.