Possible hairpin nat issue

Hi,

I have a setup like this.

eth0 - public IP - example: 203.0.113.10
eth1 - 10.100.10.254/24 and 10.100.17.254/24

site www.domain.com → 203.0.113.10 (eth0) dst nat to 10.100.17.10

10.100.17.10 is a nginx reverse proxy which has 2 interfaces

eth0 - 10.100.10.10, default gw = 10.100.10.254 (which is VyOS)
eth1 - 10.100.17.10/24 (no default route)

The issue is: from the outside, visiting www.domain.com works fine,
but from the server itself, if I do curl www.domain.com, it does not work.

Here the flow will be 10.100.10.10 → 10.254 → 113.10 → 17.254 → 17.10??

Because I have 2 networks on the same interface (a necessity) and there are 2 networks involved, 10.x making the request translated to 17.x, I am not sure how to do the hairpin NAT.

Please let me know how to troubleshoot this.

You should configure SNAT on the eth1 interface, with source address 10.100.17.0/24 and destination address 10.100.17.10/32.

Instead of 1 flow, you have 2 flows since you're using a proxy.
Flow 1: from client to NGINX
Client 10.100.10.10 sends a packet to 203.0.113.10:80.
This arrives at VyOS, and should be DNATed to 10.100.17.10:80, and returned on the same interface.
Return traffic from NGINX flows from 10.100.17.10:80 to 10.100.10.10. Note these are different subnets, so the packet flow is via VyOS. And you don't need an extra SNAT rule.
The zone-based firewall on VyOS should allow this traffic (in the same zone).

Flow 2: from NGINX to webserver
NGINX opens a connection to the webserver, like from 10.100.17.10 to x.x.x.x:80 (not sure what the webserver IP is).
This flow is identical for a connection from outside, and thus works.

So focus on flow 1.
Use tcpdump, and look into the NAT table on VyOS to see where the packet ends up.
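A hairpin DNAT rule for the topology in this thread, added here as an example and not taken from either reply. It assumes VyOS 1.3 `set nat` syntax (1.4 writes `inbound-interface name`), that the existing public-facing rule is rule 10, and that the service is TCP/80 as in Flow 1.

```vyos
# Existing public-facing DNAT (assumed rule 10): eth0 -> NGINX
set nat destination rule 10 description 'www.domain.com from outside'
set nat destination rule 10 inbound-interface 'eth0'
set nat destination rule 10 destination address '203.0.113.10'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 destination port '80'
set nat destination rule 10 translation address '10.100.17.10'

# Hairpin DNAT: the same translation for packets that arrive on eth1
# (client 10.100.10.10 sends to 203.0.113.10 via its gateway 10.100.10.254).
# Match on address AND port so no other eth1 traffic is ever rewritten.
set nat destination rule 20 description 'www.domain.com hairpin from inside'
set nat destination rule 20 inbound-interface 'eth1'
set nat destination rule 20 destination address '203.0.113.10'
set nat destination rule 20 protocol 'tcp'
set nat destination rule 20 destination port '80'
set nat destination rule 20 translation address '10.100.17.10'

# Optional SNAT (the first reply's suggestion). Not required for a client in
# 10.100.10.0/24: NGINX's reply leaves via its default gateway (VyOS), and
# conntrack reverses the DNAT. It IS required when the client sits in the
# same subnet as NGINX (10.100.17.0/24), because then the reply would go
# directly to the client and bypass VyOS, breaking the connection.
set nat source rule 20 description 'hairpin SNAT for same-subnet clients'
set nat source rule 20 outbound-interface 'eth1'
set nat source rule 20 source address '10.100.17.0/24'
set nat source rule 20 destination address '10.100.17.10'
set nat source rule 20 translation address 'masquerade'

commit
save
```

After committing, run `curl www.domain.com` from 10.100.10.10 and check that the rule 20 counters increase in `show nat destination statistics` and that the flow appears in `show conntrack table ipv4` with the translated destination.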
