Local WAN Redirect on Mikrotik

As a keeper of the family Minecraft server, I had the holy duty of setting up the firewall to accept it from the outside. External DNS was as easy as CNAME toward the router cloud name. Sorting out redirects was equally uneventful. Just poke a few holes in the firewall so it plays nice with NAT and you’re essentially done:

/ip firewall filter
add action=accept chain=input protocol=tcp dst-port=25565 \
    comment="Accept Minecraft"
add action=accept chain=forward in-interface=ether1 protocol=tcp dst-port=25565 \
    comment="Accept Minecraft (Internet)"

/ip firewall nat
add action=dst-nat chain=dstnat in-interface=ether1 protocol=tcp dst-port=25565 \
    to-addresses=192.168.1.4 to-ports=25565 comment="Minecraft WAN Redirect" 

In order to access it from the internal network, I just added entry in my DNS server with the local address and life was good.

However, with the move toward encrypted DNS, my Mikrotik wasn’t the main source of truth anymore. Suddenly computers on my network would receive external IP and my router didn’t know how to route that. Since routing is one of its duties, you can see why I would have a problem with this.

Most solutions I’ve seen dealt with hairpin NAT but one didn’t. And my solution was essentially the same:

/ip firewall address-list
add address=10.0.0.0/8 list=local-list
add address=172.16.0.0/12 list=local-list
add address=192.168.0.0/16 list=local-list

/ip firewall nat
add action=dst-nat chain=dstnat protocol=tcp dst-port=25565 \
    dst-address-list=!local-list dst-address-type=local \
    to-addresses=192.168.1.4 to-ports=25565 comment="Minecraft Local WAN Redirect" 

This essentially says to redirect any address local to router (and WAN address is present on router even in DHCP case) but not present in the list of local addresses (i.e. globally routable) to our internal IP and port. As simple as it gets.