Port forwarding when connecting from LAN to external address

So, you have a WEB server sitting in your LAN, with the IP address of

You set up the port forwarding at your MikroTik router and anyone from the Internet can now connect to your WEB server quite happily.

Except for yourself.

None of the requests to the external address of your WEB server ever gets a response as long as your computer has its IP address from the internal address pool of LAN.

Now, fire up the MikroTik console or log in with SSH and run these two commands:

  • ip firewall nat add chain=dstnat dst-address-type=local protocol=tcp dst-port=80 action=dst-nat to-address= to-port=80
  • ip firewall nat add chain=srcnat src-address= dst-address= protocol=tcp dst-port=80 out-interface=bridge-local action=masquerade

Why is this happening? You may want to read about hairpin NAT.

The idea in a nutshell is that while your client computer is requesting data from the server via router, the server is sending the response back to the client directly, so the client computer gets confused, as it does not know what to do with the data it (as much as it is aware of) had never requested, and drops it. So we tell the router to pretend to the server that it was the router itself who had requested the data from the server (we tell nothing about the client to the server) and upon receiving the response pass it further to the client. In short, we ask the router to remain a middle-man for all the length of the communication, not only for the requests from the client, as it is normally done when the requests come from the external networks with their foreign addresses.

Side effect of this is that all requests to the server will seem to come from the same IP address – from that of the router. So you will not be able, for example, to tell who exactly of your colleagues had browsed the web pages of the local server. As long as your colleagues are connecting to the external IP address of the router.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.