HA behind Mikrotik RouterOS

Anybody using HA behind Mikrotik? How do you pass through the connection? Mind sharing your experience?

@moskovskiy82 Perhaps you could further explain what you mean by pass through? Are you just wanting to forward port 8123 or are you needing more? If you just need to forward port 8123 then you might get more thorough support from the Mikrotik forums.

Well, I just want to find a user of Mikrotik and see the best practice, as I’m not quite familiar with the possibilities.
Switched from Sophos, where a web proxy was also possible, to a Mikrotik hAP.

Well yes, the Mikrotik forums might be of help, but if some user on the HA forum has already passed this complicated path, I might get help faster here. HA is set up with SSL.
Tried port forwarding, but with no luck.

Went to IP-Firewall-NAT
Set a rule with
General:
Chain - dstnat
protocol - tcp
dst port - 8123
In interface - Internet

Advanced and Extra untouched

Action
Action - dst-nat
to addresses - HA internal address
To ports - 8123

And it works from outside. But when trying to connect from the intranet - nothing happens

1 Like

From what you have posted here, you will be much better served by the Mikrotik forums. Every router seems to have its own complicated setup and the Mikrotik experts will be the best place to get advice.

Well, think about all I have to explain on the Mikrotik forum with HA in mind. So hopefully some owner of a Mikrotik will pass by and give a hint :)
Especially considering it’s Mikrotik: it seems extremely complicated in options, but performance-wise I’m not ready to go back.

Use your internal IP address when you’re inside, don’t use your domain name and you’d be good. If you want to use your domain on the inside, you’d need to create a srcnat rule, and redirect your external IP address. I can’t give you a hint how to do that with the GUI but that’s how it looks on the command line:

/ip firewall nat add chain=srcnat action=src-nat to-addresses=EXTERNALIP protocol=tcp src-address=INTERNALIP src-port=8123 log=no log-prefix=""

I think you can figure it out on the GUI. Make sure you place the rule around the incoming DSTNAT rule (mine is right below the SRCNAT rule).

P.S. I haven’t actually tried this with HASS, but it works with a general HTTP/HTTPS server just fine.

2 Likes

There isn’t anything unusual about HA that would require explaining to Mikrotik.

This.

You just tell them you want hairpin NAT

1 Like

Hi there.
It would be helpful if you described in more detail what particular issue you are trying to solve.
I suppose that you can start with this explanation http://wiki.mikrotik.com/wiki/Hairpin_NAT if you want to use your DNS name within the local network.
You will need a rule like this (for the 192.168.192.0/24 network):
add action=masquerade chain=srcnat comment="HairPin solution to access Raspberry HASS from LAN." dst-address=192.168.192.HASS dst-port=8123 out-interface=ether2-master protocol=tcp src-address=192.168.192.0/24
Otherwise use the local IP address in the URL to your HA. But in this case you will run into an error message about a wrong SSL certificate. Just save a security exception for the HA.

1 Like

Thanks!
Followed your guide.
If somebody stumbles upon this here: the guide on the official web site is a little wrong.
For the dnat rule, dst-address-type=local should be put in place.
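
Why the first port-forward rule in this thread fails from the LAN, and why the masquerade rule fixes it, traced as a small Python model. This is an added example, not part of any post in the thread; the addresses and the function name `lan_client_connects` are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses for illustration; none come from the thread.
WAN_IP = "203.0.113.10"        # router's public address (what the domain resolves to)
ROUTER_LAN = "192.168.192.1"   # router's LAN address
HA = "192.168.192.20"          # Home Assistant host
CLIENT = "192.168.192.50"      # LAN client opening https://domain:8123
LAN = ip_network("192.168.192.0/24")

def lan_client_connects(dstnat_in_interface, hairpin_masquerade):
    """Trace one connection from CLIENT to WAN_IP:8123; return (ok, reason).

    dstnat_in_interface: interface the dst-nat rule is limited to, or None
        when it matches dst-address-type=local on any interface.
    hairpin_masquerade: True if the srcnat masquerade rule (LAN -> HA) exists.
    """
    src, dst, arrived_on = CLIENT, WAN_IP, "LAN"

    # dstnat chain: a rule limited to the WAN interface never sees LAN packets.
    if dstnat_in_interface not in (None, arrived_on):
        return False, f"dst-nat skipped: packet arrived on {arrived_on}"
    dst = HA

    # srcnat chain: masquerade rewrites the source to the router's LAN address.
    if hairpin_masquerade and ip_address(src) in LAN:
        src = ROUTER_LAN

    # HA answers the source address it saw.
    reply_src, reply_dst = dst, src
    if reply_dst == ROUTER_LAN:
        # Reply goes through the router, which reverses both translations.
        reply_src, reply_dst = WAN_IP, CLIENT

    # The client only accepts a reply from the address it connected to.
    if reply_src != WAN_IP:
        return False, f"client dropped reply from {reply_src}"
    return True, "reply came back through the router"

if __name__ == "__main__":
    for in_if, masq in (("Internet", False), (None, False), (None, True)):
        print(in_if, masq, lan_client_connects(in_if, masq))
```
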

Hi. Do you perhaps know how I can use my duckdns name on my Mikrotik to redirect to the local IP?
So should there be slow internet or no internet, I will not be affected when using the app?

I’ve tested kirichkov’s method, which works, but I am getting the certificate error message via the app.
I basically want to be able to connect to my duckdns URL internally via the local LAN and externally via WAN.

Please help

If anyone needs hairpin, this works perfectly:

https://www.steveocee.co.uk/mikrotik/hairpin-nat/hairpin-nat-video/

1 Like