EdgeRouter manual port forward with hairpin NAT
By Ward Pieters at
I keep forgetting how to set up manual port forwarding with hairpin NAT, so that's why this post exists.
Note that the internal port is the port that the service is listening on, and the external port is the port that is exposed to the internet.
Replace these details with your own.
First, we need to create a firewall rule to allow the traffic to reach the destination. This is done by creating a new rule in the
You can specify a source address or address group to limit the traffic to a specific IP or range of IPs. If you want to allow all traffic, leave this field empty.
Note: you don't have to add your local network range to the source address list, as this isn't a firewall rule for the LAN interface.
Next, we need to create a DNAT rule to forward external traffic to the internal IP and port.
And, another DNAT rule. This time, we need to forward the traffic to the external IP and port.
Finally, to wrap it all up, we need to create an SNAT rule to allow the traffic to return to the client.
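The four rules above, written out as EdgeOS CLI commands. This is an added example, not configuration taken from the original post. Every value in it is an assumption to replace with your own: WAN interface `eth0`, LAN interface `eth1`, LAN range `192.168.1.0/24`, a static external IP of `203.0.113.10`, external port `8443`, internal server `192.168.1.10` on port `443`, the `WAN_IN` ruleset name, the rule numbers, and the use of a masquerade rule for the SNAT step.

```edgeos
configure

# 1. Firewall: allow the forwarded traffic in from the WAN.
#    The firewall sees the packet after DNAT, so match the INTERNAL IP and port.
set firewall name WAN_IN rule 21 action accept
set firewall name WAN_IN rule 21 description fwd-web
set firewall name WAN_IN rule 21 protocol tcp
set firewall name WAN_IN rule 21 destination address 192.168.1.10
set firewall name WAN_IN rule 21 destination port 443
# Optional: limit who may connect (omit this line to allow any source).
set firewall name WAN_IN rule 21 source address 198.51.100.0/24

# 2. DNAT for internet clients: external IP and port -> internal IP and port.
set service nat rule 1 type destination
set service nat rule 1 description web-wan
set service nat rule 1 inbound-interface eth0
set service nat rule 1 protocol tcp
set service nat rule 1 destination address 203.0.113.10
set service nat rule 1 destination port 8443
set service nat rule 1 inside-address address 192.168.1.10
set service nat rule 1 inside-address port 443

# 3. DNAT for LAN clients (the hairpin): same match, but arriving on the LAN interface.
set service nat rule 2 type destination
set service nat rule 2 description web-hairpin
set service nat rule 2 inbound-interface eth1
set service nat rule 2 protocol tcp
set service nat rule 2 destination address 203.0.113.10
set service nat rule 2 destination port 8443
set service nat rule 2 inside-address address 192.168.1.10
set service nat rule 2 inside-address port 443

# 4. SNAT for the hairpin: rewrite the LAN client's source to the router's LAN IP,
#    so the server replies via the router and not directly to the client.
#    Matched after DNAT, so the destination is the INTERNAL IP and port.
set service nat rule 5010 type masquerade
set service nat rule 5010 description web-hairpin-return
set service nat rule 5010 outbound-interface eth1
set service nat rule 5010 protocol tcp
set service nat rule 5010 source address 192.168.1.0/24
set service nat rule 5010 destination address 192.168.1.10
set service nat rule 5010 destination port 443

commit
save
exit
```

The source restriction in step 1 only affects connections arriving from the WAN; LAN clients using the hairpin path are not matched by `WAN_IN`.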
That's it! You should now have your port(s) forwarded and accessible from your local network and the internet.
This post has been written with the utmost care, but if you find any mistakes or have any suggestions, please let me know.
If you encounter any problems, go through all the steps again and make sure you have followed each one correctly. Setting this up involves multiple steps, so it's important to double-check each of them.