Having an issue with hairpin NAT, can’t seem to get it to function. Have a webserver internally. These two rules don’t seem to work. Forwarding from outside is working fine.
So I do have the destination NAT rules for port forwarding of RDP and an additional RDP port on the internal network, but from inside, when I telnet to those ports on the external interface from a machine on the LAN, I get no response.
Pretty sure the hairpin NAT is supposed to fix this, but possibly the rule order for allowing my machines to NAT the public IP first is the issue?
Oddly enough, as well, if I use tshark to check packets on br0, which is where the LAN traffic would be coming out of, it works fine, but once I stop tshark it stops working properly again.
Oh, never mind, that is because it puts the interface in promiscuous mode and it then receives the traffic. I do not have any firewall rules besides established and connected, so maybe I need to do some allows.
Thanks for the update Steve. I feel dumb, as I finally tried this from another machine on the LAN and found it is working as expected, just not from the machine I was testing it from, since it is my main machine. Grrr, so it works fine and I just have to see what is going on with that machine in regards to the traffic.
I appreciate all the replies and hope they help someone else out who has the same issue crop up. Be sure to test from other machines on the LAN.
I’ve found that configuration somewhere searching with Google; it seems that it should create a NAT hairpin valid for my whole LAN subnet. But this is not working in my case either.
Do you have any suggestion?
Am I missing something?
Has anyone mastered this yet?
It works for me “kind of”: the hairpin ability works, and the outside-in works, but the issue I am having is that for anything that has a hairpin defined, all the connections show as coming from that IP, not the user’s external IP address, and network-to-network traffic (non-NAT) translates to the public IP as well. Which is rather frustrating when the PBX gets a ton of invalid requests from the outside and I try to log in and it locks me out as well.
I am guessing additional filtering is needed on the hairpin to only translate on local subnet?
Trust me to Necro a thread, but I thought I might just follow this up for anyone else following along.
You have to be careful with Hairpinning because if you don’t properly do the “source” NAT, you end up translating ALL traffic if you’re doing pinholing, to your Internal IP. This means you can’t tell the real source IP of any traffic coming in, attacker or otherwise. You see this mentioned above by the post from @jesnofear.
So to do it properly:
[edit nat destination]
rule 200 {
    description "Hairpin NAT for Home Assistant"
    destination {
        address <external IP/32>
        port 8123
    }
    /* This is my LAN interface */
    inbound-interface eth1
    protocol tcp
    translation {
        /* This is the internal IP of my Home Assistant instance */
        address 192.168.0.7
    }
}

[edit nat source]
rule 200 {
    description "Hairpin NAT for Home Assistant"
    destination {
        address 192.168.0.7
        port 8123
    }
    outbound-interface eth1
    protocol tcp
    source {
        /* THIS IS IMPORTANT!!!! */
        address 192.168.0.0/16
    }
    translation {
        address masquerade
    }
}
If you don’t match on the source range of your Internal Interface on the “nat source” rule, you’ll find that all traffic coming into your box from external hits this rule too and it all gets rewritten to appear from the masquerade address (the primary IP Address interface of eth1).
This is bad because you can’t tell the true external IP anymore, and any internal IP access listing you’ve got on a server won’t work.
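To make the point above concrete, here is an added model (not VyOS code and not from the thread) of how the two rules act on a connection bound for the Home Assistant port, run once with and once without the source-range match. The public IP, the router's eth1 address and the client addresses are constructed placeholders; the server IP, port and LAN range are the ones from the post.

```python
import ipaddress

# Constructed values: the thread's <external IP/32> and masquerade address are
# not given, so placeholders are used. Server, port and LAN range follow the post.
EXTERNAL_IP = "203.0.113.10"      # placeholder for <external IP/32>
ROUTER_LAN_IP = "192.168.0.1"     # assumed primary address of eth1 (masquerade result)
SERVER_IP = "192.168.0.7"
PORT = 8123
LAN = ipaddress.ip_network("192.168.0.0/16")


def dnat_to_server(flow):
    """Port forward: both the WAN rule and the hairpin rule rewrite
    public-IP:8123 to the server, so they are modelled as one step."""
    if flow["dst"] == EXTERNAL_IP and flow["dport"] == PORT and flow["proto"] == "tcp":
        return {**flow, "dst": SERVER_IP}
    return flow


def snat_hairpin(flow, match_lan_source):
    """nat source rule 200: masquerade traffic leaving eth1 for the server.
    With match_lan_source=True the rule additionally requires
    'source address 192.168.0.0/16', which is the fix described above."""
    if flow["dst"] != SERVER_IP or flow["dport"] != PORT or flow["proto"] != "tcp":
        return flow
    if match_lan_source and ipaddress.ip_address(flow["src"]) not in LAN:
        return flow  # Internet clients are left untouched: server sees the real source
    return {**flow, "src": ROUTER_LAN_IP}


def translate(flow, match_lan_source):
    """DNAT is applied before routing, SNAT after; returns what the server sees."""
    return snat_hairpin(dnat_to_server(flow), match_lan_source)


def server_sees_real_source(client_src, match_lan_source):
    """True if the server's access list / logs still show the client's own IP."""
    flow = {"src": client_src, "dst": EXTERNAL_IP, "dport": PORT, "proto": "tcp"}
    return translate(flow, match_lan_source)["src"] == client_src


if __name__ == "__main__":
    # Constructed clients: one on the LAN, one on the Internet.
    for src in ("192.168.0.50", "198.51.100.23"):
        for fix in (False, True):
            label = "with source match" if fix else "without source match"
            print(f"{src:15} {label:21} -> {server_sees_real_source(src, fix)}")
```

Without the source match the Internet client is masqueraded too and the server logs only the router's address; with it, only the LAN client (which must be masqueraded so its replies return via the router) is rewritten.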