From 62f6baf948890a89ae3125defa38fa66658135c6 Mon Sep 17 00:00:00 2001
From: Lumpiasty
Date: Sun, 31 May 2026 03:14:46 +0200
Subject: [PATCH] hairpin nat cluster
---
 ansible/roles/routeros/tasks/firewall.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/ansible/roles/routeros/tasks/firewall.yml b/ansible/roles/routeros/tasks/firewall.yml
index decb79f..a7c6e9d 100644
--- a/ansible/roles/routeros/tasks/firewall.yml
+++ b/ansible/roles/routeros/tasks/firewall.yml
@@ -43,6 +43,11 @@
 comment: Allow from SRV to internet
 in-interface: vlan4
 out-interface-list: wan
+ - action: accept
+ chain: forward
+ comment: Allow from SRV to SRV
+ in-interface: vlan4
+ out-interface: vlan4
 - action: accept
 chain: forward
 comment: Allow from SRV to CAM
@@ -277,6 +282,11 @@
 in-interface: '!pppoe-gpon'
 protocol: tcp
 to-addresses: 128.0.70.5
+ - action: masquerade
+ chain: srcnat
+ comment: hairpin to LoadBalancer pool (vlan4 -> vlan4)
+ dst-address: 10.44.0.0/16
+ in-interface: vlan4
 - action: dst-nat
 chain: dstnat
 comment: HTTPS
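Review bot: The new forward rule `Allow from SRV to SRV` in the first hunk accepts every packet that enters and leaves on vlan4, with no destination, protocol or connection-state constraint, which is wider than the hairpin case named in the commit subject. If the only intended hairpin target is the LoadBalancer pool that the srcnat rule in the second hunk refers to, restrict it with `dst-address: 10.44.0.0/16` and make the comment say so, e.g. `comment: Allow SRV hairpin to LoadBalancer pool`. As written, all router-forwarded traffic between SRV hosts is accepted, so any later rule in this chain meant to separate those hosts would never be reached for it. The rule list starts and ends outside the hunk, so the position of this rule relative to the drop rules could not be checked.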
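Review bot: The masquerade rule in the second hunk matches only on `in-interface: vlan4` and the destination, so it is not limited to vlan4 -> vlan4 as its comment says; adding `out-interface: vlan4` would keep traffic to 10.44.0.0/16 that leaves through any other interface from being rewritten. Masquerading also replaces the client address with the router's, so services behind the pool will log, rate-limit and apply source-based access controls against the router for every SRV client; a comment on the rule stating this would help whoever later reads those logs. It is worth confirming that the target RouterOS version accepts `in-interface` in the `srcnat` chain, since older releases appear to reject incoming-interface matching there; a `src-address` match on the vlan4 subnet is the portable alternative. The NAT rule list continues outside the hunk.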