Hairpinning is a networking technique that lets a device on a private network reach another device on the same network by using a public IP address. Also called NAT loopback or NAT reflection, it solves a specific and common problem: when you try to access your own server using its public address from inside your network, and the connection fails. The term comes from the shape of the traffic path, which leaves the network, hits the router, and bends right back in, like a hairpin turn.
The Problem Hairpinning Solves
Imagine your company hosts a web server on the office network. From the outside world, anyone can reach it at something like https://yourcompany.com, which points to your public IP address. But when someone inside the office types that same URL into their browser, the request doesn’t work the way you’d expect.
Here’s why. Your router knows that the public IP address belongs to itself, not to the internal server. So when an internal device sends a request to that public address, the router intercepts the packet but doesn’t know to forward it back inside the network to the actual server. Without hairpinning configured, the connection simply times out or fails. The classic symptom: a service works perfectly from outside the network but shows a black screen, timeout error, or refused connection from inside it.
How the Traffic Flows
When hairpinning is enabled, the router acts as a translator for internal traffic that targets the public IP. The process works like this:
- Step 1: A device on the local network (say, 192.168.1.10) sends a packet to the public IP address (say, 203.0.113.1) on port 443.
- Step 2: The router receives the packet and recognizes that 203.0.113.1 is its own external address.
- Step 3: A NAT rule rewrites the destination from the public IP to the internal server’s private address (say, 172.16.1.1) before passing the packet along.
- Step 4: The server responds to the router, which translates the addresses back and delivers the reply to the original device.
The firewall handles the address translation before applying its filtering rules, so the internal device never needs to know the server’s private IP. From its perspective, it connected to the public address and got a response, just like an external user would.
When You Need It
Hairpinning comes up in a handful of recurring scenarios. The most common is hosting a web server or application behind your router that both internal and external users access through the same domain name. Without hairpinning, you’d need to tell internal users to use a different URL or IP address, which creates confusion and extra maintenance.
It’s also useful for employees who move between the office and remote locations. If hairpinning is working, they can save one bookmark or one configuration and it works everywhere, whether they’re on the internal network or connecting from a coffee shop. Peer-to-peer applications that rely on external IP addresses for device discovery also benefit, since some of these tools break when two devices on the same local network try to connect through public addresses. Developers testing applications that integrate with external services use hairpinning to simulate outside access patterns without leaving the internal network.
Router Support and Configuration
Most modern routers and firewalls support hairpinning, though it’s not always enabled by default. Enterprise platforms like Cisco ASA, pfSense, OPNsense, and MikroTik’s RouterOS all offer it. On MikroTik devices, every model runs the same operating system, so hairpinning works across their entire product line. The configuration typically involves adding a NAT masquerade rule that applies when both the source and destination are on the local network, combined with a destination NAT rule that redirects traffic aimed at the public IP to the internal server.
Consumer routers are less consistent. Some support it out of the box, others bury it in advanced settings, and some don’t support it at all. If you’re running a home server and can’t reach it by its public address from inside your network, this is likely the missing piece.
Security Considerations
Enabling hairpinning increases the attack surface of your network. It creates additional NAT rules that route internal traffic through the firewall in ways that wouldn’t otherwise occur, and this opens potential paths for network exploitation. For this reason, many network administrators discourage it in security-sensitive environments.
The core concern is that hairpinning lets internal devices interact with services through the public-facing path rather than a controlled internal path. If an attacker gains access to one device on the network, hairpinning rules could give them additional ways to reach internal servers by targeting the public IP from inside.
Split DNS as an Alternative
The main alternative to hairpinning is split DNS (sometimes called split-horizon DNS). Instead of configuring NAT rules to bend traffic back into the network, you run a local DNS server that gives internal devices the server’s private IP address directly. External DNS continues to resolve the domain to the public IP as usual.
With split DNS, internal traffic never touches the router’s public interface at all. The device sends its request straight to the private IP, which is faster (no extra NAT translation) and avoids the security concerns of hairpinning. The tradeoff is complexity: you need to maintain two sets of DNS records and keep them in sync. When you add a new service or change an IP, you have to update both the public and internal DNS. For small networks, hairpinning is simpler to set up. For larger or security-conscious environments, split DNS is generally the better approach.
Hairpins in Biology
If you arrived here from a biology context, “hairpin” refers to something entirely different. In molecular biology, a hairpin (or stem-loop) is a structure that forms when a single strand of RNA or DNA folds back on itself. One section of the strand pairs with a complementary section nearby, creating a double-stranded “stem,” while the unpaired bases in between form a loop at the top. The shape resembles a hairpin.
These structures are one of the most common features of RNA. They protect messenger RNA molecules from being broken down too quickly, help guide the three-dimensional folding of the molecule, and serve as recognition sites where proteins attach. Some hairpin structures are remarkably stable. Research has identified “unbreakable” hairpins in bacterial genomes that maintain their shape even when the surrounding genetic sequence is rearranged, which may help organisms like bacterial spores survive extreme conditions such as radiation, desiccation, and heat.