Trust me to Necro a thread, but I thought I might just follow this up for anyone else following along.
You have to be careful with Hairpinning because if you don’t properly do the “source” NAT, you end up translating ALL traffic, if you’re doing pinholing, to your Internal IP. This means you can’t tell the real source IP of any traffic coming in, attacker or otherwise. You see this mentioned above in the post from @jesnofear.
So to do it properly:
[edit nat destination]
rule 200 {
    description "Hairpin NAT for Home Assistant"
    destination {
        address <external IP/32>
        port 8123
    }
    /* eth1 is my LAN interface */
    inbound-interface eth1
    protocol tcp
    translation {
        /* internal IP of my Home Assistant instance */
        address 192.168.0.7
    }
}

[edit nat source]
rule 200 {
    description "Hairpin NAT for Home Assistant"
    destination {
        address 192.168.0.7
        port 8123
    }
    outbound-interface eth1
    protocol tcp
    /* THIS IS IMPORTANT: only match traffic that really comes from the LAN */
    source {
        address 192.168.0.0/16
    }
    translation {
        address masquerade
    }
}
If you don’t match on the source range of your Internal Interface in the “nat source” rule, you’ll find that all traffic coming into your box from external hits this rule too and it all gets rewritten to appear from the masquerade address (the primary IP address of interface eth1).
This is bad because you can’t tell the true external IP anymore, and any internal IP Access listing you’ve got going on on a server won’t work.
I hope this helps someone in the future.
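To make the point above concrete, here is a small added simulation (not from the post, and not EdgeOS code) of how the router's destination and source NAT rules are applied in order. The WAN address 203.0.113.10, the router's own LAN address 192.168.0.1 (what `masquerade` on eth1 resolves to) and the client addresses are constructed; the LAN range, the Home Assistant host and port follow the post. The `match_lan_source` flag toggles the `source { address 192.168.0.0/16 }` match, so you can see that without it an external client's source IP is rewritten to the router's LAN IP before Home Assistant ever sees it.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed addresses: the WAN address stands in for the post's
# "<external IP/32>"; the router's LAN address is an assumption.
EXTERNAL_IP = "203.0.113.10"
ROUTER_LAN_IP = "192.168.0.1"      # what "masquerade" on eth1 translates to
HA_IP = "192.168.0.7"              # Home Assistant, as in the post
HA_PORT = 8123
LAN = ip_network("192.168.0.0/16")  # the post's internal range


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str   # "eth0" = WAN (assumed), "eth1" = LAN (as in the post)


def egress_iface(dst: str) -> str:
    """Routing decision taken after destination NAT: LAN hosts are reached via eth1."""
    return "eth1" if ip_address(dst) in LAN else "eth0"


def nat_destination(pkt: Packet) -> Packet:
    """Destination NAT: the usual WAN port-forward (eth0, assumed to exist)
    and the post's hairpin rule 200 (eth1) both rewrite
    <external IP>:8123 to the Home Assistant host."""
    if (pkt.dst == EXTERNAL_IP and pkt.dport == HA_PORT
            and pkt.in_iface in ("eth0", "eth1")):
        return replace(pkt, dst=HA_IP)
    return pkt


def nat_source(pkt: Packet, match_lan_source: bool) -> Packet:
    """Source NAT rule 200: masquerade traffic leaving eth1 towards HA:8123.
    With match_lan_source=True the rule also requires src in 192.168.0.0/16,
    which is the fix the post describes."""
    if (egress_iface(pkt.dst) != "eth1" or pkt.dst != HA_IP
            or pkt.dport != HA_PORT):
        return pkt
    if match_lan_source and ip_address(pkt.src) not in LAN:
        return pkt               # external client: leave the real source alone
    return replace(pkt, src=ROUTER_LAN_IP)


def route_through_router(pkt: Packet, match_lan_source: bool) -> Packet:
    """Destination NAT (prerouting) runs before source NAT (postrouting)."""
    return nat_source(nat_destination(pkt), match_lan_source)


def source_seen_by_home_assistant(client_src: str, in_iface: str,
                                  match_lan_source: bool) -> str:
    """Source address Home Assistant logs for a client hitting <external IP>:8123."""
    pkt = Packet(src=client_src, dst=EXTERNAL_IP, dport=HA_PORT, in_iface=in_iface)
    return route_through_router(pkt, match_lan_source).src


if __name__ == "__main__":
    cases = [("198.51.100.5", "eth0"),    # constructed external client via WAN
             ("192.168.0.50", "eth1")]    # constructed LAN client, hairpinning
    for client, iface in cases:
        for flag in (False, True):
            seen = source_seen_by_home_assistant(client, iface, flag)
            print(f"client {client:>13} on {iface}, source match "
                  f"{'on ' if flag else 'off'}: HA sees {seen}")
```

Run it and the eth0 row with the source match off shows the external client arriving as 192.168.0.1, so any allow-list on the Home Assistant side keyed on internal addresses would pass it; with the match on, the real external source is preserved while LAN hairpin traffic is still masqueraded so the return path goes back through the router.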