EdgeRouter manual port forward with hairpin NAT

By Ward Pieters at


I keep forgetting how to setup manual port forwarding with hairpin NAT, so that's why this post exists.


External port: 8081

Internal IP:
Internal port: 8080

Note that the internal port is the port that the service is listening on, and the external port is the port that is exposed to the internet.

WAN: pppoe0
LAN: switch0.1

Replace these details with your own.


First, we need to create a firewall rule to allow the traffic to reach the destination. This is done by creating a new rule in the WAN_IN (interface pppoe0/in) group.

You can specify a source address or address group to limit the traffic to a specific IP or range of IPs. If you want to allow all traffic, leave this field empty.

Note: you don't have to add your local network range to the source address list, as this isn't a firewall rule for the LAN interface.


Next, we need to create a DNAT rule to forward external traffic to the internal IP and port.

And, another DNAT rule. This time, we need to forward the traffic to the external IP and port.


Finally, to wrap it all up, we need to create an SNAT rule to allow the traffic to return to the client.


That's it! You should now have your port(s) forwarded and accessible from your local network and the internet.


This post has been written with the outmost care, but if you find any mistakes or have any suggestions, please let me know.

If you encounter any problems, check all the steps again and make sure you have followed them correctly. Setting this up involves multiple steps, so it's important to double-check and ensure that each step is followed correctly.


EdgeRouter - Hairpin NAT (help.ui.com)
EdgeRouter - Destination NAT (help.ui.com)
EdgeRouter - Source NAT and Masquerade (help.ui.com)