NAT Hairpin not working on VyOS 1.3 rolling

Hi guys!

I don’t know why it doesn’t work but NAT Hairpin is not working on

This is my NAT config

set nat destination rule 1 description 'NAT Reflection: INSIDE'
set nat destination rule 1 destination port '8444'
set nat destination rule 1 inbound-interface 'br0'
set nat destination rule 1 protocol 'tcp'
set nat destination rule 1 translation address '192.168.1.3'
set nat destination rule 20 description 'Remote Utilities'
set nat destination rule 20 destination port '28058'
set nat destination rule 20 inbound-interface 'pppoe0'
set nat destination rule 20 protocol 'tcp'
set nat destination rule 20 translation address '192.168.1.6'
set nat destination rule 21 description 'Chia-Node'
set nat destination rule 21 destination port '8444'
set nat destination rule 21 inbound-interface 'pppoe0'
set nat destination rule 21 protocol 'tcp'
set nat destination rule 21 translation address '192.168.1.3'
set nat destination rule 21 translation port '8444'
set nat destination rule 22 description 'Chia-Farmer'
set nat destination rule 22 destination port '8447'
set nat destination rule 22 inbound-interface 'pppoe0'
set nat destination rule 22 protocol 'tcp'
set nat destination rule 22 translation address '192.168.1.3'
set nat destination rule 22 translation port '8447'
set nat destination rule 23 description 'SFTP'
set nat destination rule 23 destination port '5982'
set nat destination rule 23 inbound-interface 'pppoe0'
set nat destination rule 23 protocol 'tcp'
set nat destination rule 23 translation address '192.168.1.7'
set nat destination rule 23 translation port '22'
set nat destination rule 24 description 'HELIUM'
set nat destination rule 24 destination port '44158'
set nat destination rule 24 inbound-interface 'pppoe0'
set nat destination rule 24 protocol 'tcp'
set nat destination rule 24 translation address '192.168.1.4'
set nat destination rule 25 description 'PLEX'
set nat destination rule 25 destination port '32400'
set nat destination rule 25 inbound-interface 'pppoe0'
set nat destination rule 25 protocol 'tcp'
set nat destination rule 25 translation address '192.168.1.8'
set nat source rule 1 description 'NAT Reflection: INSIDE'
set nat source rule 1 destination address '192.168.0.0/16'
set nat source rule 1 outbound-interface 'br0'
set nat source rule 1 protocol 'tcp'
set nat source rule 1 source address '192.168.0.0/16'
set nat source rule 1 translation address 'masquerade'
set nat source rule 100 outbound-interface 'pppoe0'
set nat source rule 100 translation address 'masquerade'
set nat source rule 101 outbound-interface 'wg0'
set nat source rule 101 translation address 'masquerade'

I’m able to connect to port 8444 TCP via external network without problems. But from the internal network, it doesn’t work.

These are my interfaces

Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
br0              192.168.1.1/24                    u/u  LAN
br0.10           192.168.10.1/24                   u/u  MINING
eth0             -                                 u/u  BELL_FIBER
eth0.35          -                                 u/u  BELL_VLAN
eth1             -                                 u/u
eth2             -                                 u/u
eth3             -                                 u/D
eth4             -                                 u/u
eth5             -                                 u/u
lo               127.0.0.1/8                       u/u
                 ::1/128
pppoe0           ********/32                 u/u
wg0              *******/32                       u/u  NordLynx

This is the version of VyOS

Version:          VyOS 1.3-rolling-202111201226
Release train:    equuleus

Built by:         f******@gmail.com
Built on:         Sat 20 Nov 2021 12:26 UTC
Build UUID:       1e349e0d-c3ab-4b99-ab64-c35b62a1fffd
Build commit ID:  95a93de8fea084-dirty

Architecture:     x86_64
Boot via:         installed image
System type:      bare metal

Hardware vendor:  Default string
Hardware model:   Default string
Hardware S/N:     Default string
Hardware UUID:    03000200-0400-0500-0006-000700080009

Copyright:        VyOS maintainers and contributors

Does anyone know why? Thanks

You need to set that to be the IP Address of an Interface on your router. I’d change that to 192.168.1.1 and I think you’ll find it works.

Examples here: Hairpin NAT

Thanks for your answer, but it doesn't seem to work.

This is my new NAT config.

set nat destination rule 1 description 'NAT Reflection: INSIDE'
set nat destination rule 1 destination port '8444'
set nat destination rule 1 inbound-interface 'br0'
set nat destination rule 1 protocol 'tcp'
set nat destination rule 1 translation address '192.168.1.1'
set nat destination rule 20 description 'Remote Utilities'
set nat destination rule 20 destination port '28058'
set nat destination rule 20 inbound-interface 'pppoe0'
set nat destination rule 20 protocol 'tcp'
set nat destination rule 20 translation address '192.168.1.6'
set nat destination rule 21 description 'Chia-Node'
set nat destination rule 21 destination port '8444'
set nat destination rule 21 inbound-interface 'pppoe0'
set nat destination rule 21 protocol 'tcp'
set nat destination rule 21 translation address '192.168.1.3'
set nat destination rule 21 translation port '8444'
set nat destination rule 22 description 'Chia-Farmer'
set nat destination rule 22 destination port '8447'
set nat destination rule 22 inbound-interface 'pppoe0'
set nat destination rule 22 protocol 'tcp'
set nat destination rule 22 translation address '192.168.1.3'
set nat destination rule 22 translation port '8447'
set nat destination rule 23 description 'SFTP'
set nat destination rule 23 destination port '5982'
set nat destination rule 23 inbound-interface 'pppoe0'
set nat destination rule 23 protocol 'tcp'
set nat destination rule 23 translation address '192.168.1.7'
set nat destination rule 23 translation port '22'
set nat destination rule 24 description 'HELIUM'
set nat destination rule 24 destination port '44158'
set nat destination rule 24 inbound-interface 'pppoe0'
set nat destination rule 24 protocol 'tcp'
set nat destination rule 24 translation address '192.168.1.4'
set nat destination rule 25 description 'PLEX'
set nat destination rule 25 destination port '32400'
set nat destination rule 25 inbound-interface 'pppoe0'
set nat destination rule 25 protocol 'tcp'
set nat destination rule 25 translation address '192.168.1.8'
set nat source rule 1 description 'NAT Reflection: INSIDE'
set nat source rule 1 destination address '192.168.0.0/16'
set nat source rule 1 outbound-interface 'br0'
set nat source rule 1 protocol 'tcp'
set nat source rule 1 source address '192.168.0.0/16'
set nat source rule 1 translation address 'masquerade'
set nat source rule 100 outbound-interface 'pppoe0'
set nat source rule 100 translation address 'masquerade'
set nat source rule 101 outbound-interface 'wg0'
set nat source rule 101 translation address 'masquerade'

Your destination address needs to be the IP address of your ppp interface.

Traffic going OUT of your LAN, destined to your public IP address (pppoe).

Please look again at the example I provided:

[edit nat destination]
 rule 200 {
     description "Hairpin NAT for Home Assistant"
     destination {
         **address <external IP/32>**  <--- This will be your Public IP address.
         port 8123
     }

I just did the same thing as in your example above.

set nat destination rule 1 description 'NAT Reflection: INSIDE'
set nat destination rule 1 destination address '***.***.***.133/32'
set nat destination rule 1 destination port '8444'
set nat destination rule 1 inbound-interface 'br0'
set nat destination rule 1 protocol 'tcp'
set nat destination rule 1 translation address '192.168.1.3' // I tried 192.168.1.1 too
set nat destination rule 20 description 'Remote Utilities'
set nat destination rule 20 destination port '28058'
set nat destination rule 20 inbound-interface 'pppoe0'
set nat destination rule 20 protocol 'tcp'
set nat destination rule 20 translation address '192.168.1.6'
set nat destination rule 21 description 'Chia-Node'
set nat destination rule 21 destination port '8444'
set nat destination rule 21 inbound-interface 'pppoe0'
set nat destination rule 21 protocol 'tcp'
set nat destination rule 21 translation address '192.168.1.3'
set nat destination rule 21 translation port '8444'
set nat destination rule 22 description 'Chia-Farmer'
set nat destination rule 22 destination port '8447'
set nat destination rule 22 inbound-interface 'pppoe0'
set nat destination rule 22 protocol 'tcp'
set nat destination rule 22 translation address '192.168.1.3'
set nat destination rule 22 translation port '8447'
set nat destination rule 23 description 'SFTP'
set nat destination rule 23 destination port '5982'
set nat destination rule 23 inbound-interface 'pppoe0'
set nat destination rule 23 protocol 'tcp'
set nat destination rule 23 translation address '192.168.1.7'
set nat destination rule 23 translation port '22'
set nat destination rule 24 description 'HELIUM'
set nat destination rule 24 destination port '44158'
set nat destination rule 24 inbound-interface 'pppoe0'
set nat destination rule 24 protocol 'tcp'
set nat destination rule 24 translation address '192.168.1.4'
set nat destination rule 25 description 'PLEX'
set nat destination rule 25 destination port '32400'
set nat destination rule 25 inbound-interface 'pppoe0'
set nat destination rule 25 protocol 'tcp'
set nat destination rule 25 translation address '192.168.1.8'
set nat source rule 1 description 'NAT Reflection: INSIDE'
set nat source rule 1 destination address '192.168.1.3'
set nat source rule 1 outbound-interface 'br0'
set nat source rule 1 protocol 'tcp'
set nat source rule 1 source address '192.168.0.0/16'
set nat source rule 1 translation address 'masquerade'
set nat source rule 100 outbound-interface 'pppoe0'
set nat source rule 100 translation address 'masquerade'
set nat source rule 101 outbound-interface 'wg0'
set nat source rule 101 translation address 'masquerade'

This is not working this way either.

The thing is that my WAN PPPoE IP can change. Is there a way to avoid having to change the NAT rule every time my IP changes?

I’m not sure how to do it if your WAN IP is going to change on a regular basis. My WAN IP is static, so I was able to do it that way.

I have a Home Assistant instance listening on 192.168.0.7 port 8123. You can access it by my public IP address on 8123 as well. At home on the LAN I can still hit my public IP address on port 8123 and it works fine. If I look at the logs, it shows the requests coming from 192.168.0.1 (as it should).

Here’s the complete ruleset that works for me for this:

tim@ferrari# show source rule 200
 description "Hairpin NAT for Home Assistant"
 destination {
     address 192.168.0.7
     port 8123
 }
 outbound-interface eth1
 protocol tcp
 source {
     address 192.168.0.0/24
 }
 translation {
     address masquerade
 }

tim@ferrari# show destination rule 200
 description "Hairpin NAT for Home Assistant"
 destination {
     address X.X.X.17  <------- Public IP Address, note no /32 at the end.
     port 8123
 }
 inbound-interface eth1
 protocol tcp
 translation {
     address 192.168.0.7
 }
tim@ferrari# run show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             -                                 u/u  WAN Interface
eth1             192.168.0.250/24                  u/u  LAN Network 
                 192.168.0.1/24
lo               127.0.0.1/8                       u/u  
                 ::1/128
pppoe0           X.X.X.17                          u/u <----- Public IP Interface
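The following is an added example, not code from this thread or from VyOS: a small Python model of the netfilter path a hairpinned TCP SYN takes under the ruleset in the last post (destination rule 200 on the LAN interface, source rule 200 masquerading LAN-to-server traffic). Addresses follow that post (LAN 192.168.0.0/24, router 192.168.0.1, server 192.168.0.7:8123); the public IP 203.0.113.17 stands in for X.X.X.17 and the client 192.168.0.50 is constructed. It runs the same SYN twice, once with the source rule and once without, so the reason both rules are needed is visible in the output.

```python
# Added example, not code from this thread or from VyOS: a model of the netfilter
# path a hairpinned TCP SYN takes under the ruleset quoted in the last post.
# LAN 192.168.0.0/24, router 192.168.0.1 and server 192.168.0.7:8123 follow that
# post; 203.0.113.17 (public IP) and 192.168.0.50 (client) are constructed.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.0.0/24")
PUBLIC_IP = "203.0.113.17"        # constructed stand-in for X.X.X.17
ROUTER_LAN_IP = "192.168.0.1"     # the address the Home Assistant logs report
SERVER, SERVICE_PORT = "192.168.0.7", 8123
IFACE_ADDR = {"eth1": ROUTER_LAN_IP, "pppoe0": PUBLIC_IP}

# nat destination rule 200: LAN traffic for <public IP>:8123 is redirected to the server.
DNAT_RULE = {"inbound": "eth1", "dst": PUBLIC_IP, "dport": SERVICE_PORT, "to": SERVER}
# nat source rule 200: LAN -> server traffic leaving via eth1 is masqueraded, i.e. its
# source becomes eth1's own address, so the server's reply has to come back via the router.
SNAT_RULE = {"outbound": "eth1", "src_net": LAN, "dst": SERVER, "dport": SERVICE_PORT}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def route(dst: str) -> str:
    """Two-entry routing table: the LAN prefix via eth1, everything else via pppoe0."""
    return "eth1" if ip_address(dst) in LAN else "pppoe0"


class Router:
    def __init__(self, use_snat: bool):
        self.use_snat = use_snat
        self.conntrack = {}  # reply 4-tuple -> original pre-NAT packet

    def forward(self, pkt: Packet, inbound: str):
        orig = pkt
        # PREROUTING (destination NAT) runs before the routing decision
        if (inbound == DNAT_RULE["inbound"] and pkt.dst == DNAT_RULE["dst"]
                and pkt.dport == DNAT_RULE["dport"]):
            pkt = replace(pkt, dst=DNAT_RULE["to"])
        outbound = route(pkt.dst)  # routing sees the already-translated destination
        # POSTROUTING (source NAT) runs after the routing decision
        if (self.use_snat and outbound == SNAT_RULE["outbound"]
                and ip_address(pkt.src) in SNAT_RULE["src_net"]
                and pkt.dst == SNAT_RULE["dst"] and pkt.dport == SNAT_RULE["dport"]):
            pkt = replace(pkt, src=IFACE_ADDR[outbound])
        # conntrack keeps what is needed to undo both translations on the reply
        self.conntrack[(pkt.dst, pkt.dport, pkt.src, pkt.sport)] = orig
        return outbound, pkt

    def untranslate_reply(self, reply: Packet) -> Packet:
        orig = self.conntrack[(reply.src, reply.sport, reply.dst, reply.dport)]
        # the reply must appear to come from the address the client connected to
        return replace(reply, src=orig.dst, dst=orig.src)


def hairpin_roundtrip(use_snat: bool, client: str = "192.168.0.50", sport: int = 40000) -> dict:
    """Send one SYN from a LAN client to <public IP>:8123 and report what each side sees."""
    router = Router(use_snat)
    syn = Packet(client, sport, PUBLIC_IP, SERVICE_PORT)
    out_if, fwd = router.forward(syn, inbound="eth1")
    # the server answers whatever source address it saw
    synack = Packet(fwd.dst, fwd.dport, fwd.src, fwd.sport)
    if synack.dst == IFACE_ADDR[out_if]:
        # addressed to the router, so it passes back through conntrack
        synack = router.untranslate_reply(synack)
    # otherwise server and client share the LAN: the reply is delivered directly
    # and never reaches the router, so nothing is translated back
    client_accepts = (synack.src, synack.sport, synack.dst, synack.dport) == (
        PUBLIC_IP, SERVICE_PORT, client, sport)
    return {
        "server_sees_src": fwd.src,
        "reply_from": f"{synack.src}:{synack.sport}",
        "client_accepts": client_accepts,
    }


if __name__ == "__main__":
    for flag in (True, False):
        label = "with source rule" if flag else "without source rule"
        print(label, hairpin_roundtrip(flag))
```

The two runs show the two observations made in the thread. Without the source rule the SYN-ACK arrives at the client directly from 192.168.0.7:8123 while the client's TCP stack is waiting for an answer from the public IP, so the connection never completes; with it the reply is forced back through the router and both translations are undone. The masquerade is also why the server's logs show 192.168.0.1 for hairpinned connections: the real LAN client address is hidden from the server, so server-side logs and per-client access rules cannot tell LAN clients apart once they come in this way. The model ignores TCP state tracking and rule ordering beyond the two rules shown; it is there to make the translation steps visible, not to replace testing on the router.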