The laptop at 192.168.1.10 wants to communicate with the web server on 192.168.1.10 via the external IP address of the Mikrotik router at 1.1.1.1. Say you have a service such as webmail, which has a nat rule to allow access from an external network... /ip firewall nat add chain=dstnat action=dst-nat dst-address=1.1.1.1 protocol=tcp dst-port=888 to-port=80 to-address=192.168.1.10 This works fine of course, so users set up the shortcut to http://1.1.1.1:888 Problem is when they are on the internal network it doesn't work, because the Mikrotik router won't send the reply data back out the same interface. A work-around is to create a src-nat rule directly below the dst-nat rule like this. /ip firewall nat add chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=192.168.1.10 Goes something like this.. 1. Client initiates http request to 1.1.1.1:888 2. MT receives and translates destination to 192.168.1.10 as per 1st rule 3. MT then translates the...