Running services on LAN hosts - hairpin NAT vs split-DNS?

I have a headscale server that is running inside my LAN.

I can register clients with this server from outside the LAN, using the DNAT (port forwarding) and firewall rules I’ve set up on VyOS.

However, for hosts inside the LAN - they can’t register correctly to the headscale server, since they need to connect using the FQDN.

Apparently one solution is to use hairpin NAT:

https://docs.vyos.io/en/equuleus/configuration/nat/index.html#hairpin-nat-nat-reflection

I’m still trying to wrap my head around that - one point

However, it did mention in that article that split-DNS is another option, if you have your own DNS infrastructure.

But VyOS already runs PowerDNS, right? Would it be possible to set this up to solve this problem as well? Or how would you solve this?

I use split-dns at home, otherwise all traffic has to go via the router for hairpin nat.

I use the static-host-mapping to give my hosts the internal IP they require, while all external hosts learn the external IP. No hairpin required.

Hmm, do you mean you create a static hosts entry (i.e. /etc/hosts, but via VyOS command)?

https://docs.vyos.io/en/latest/configuration/system/host-name.html#static-hostname-mapping

This would work for resolving from the VyOS router itself - but you’re saying that also works for LAN hosts trying to resolve things as well?

Thanks,
Victor

Yes, that’s what I’m saying. If you have static-host-mappings in and your clients are using your router as their DNS resolver, it will look at static-host-mappings and return any results from there (/etc/hosts).
IMHO this is what the feature is designed for.

I have

set system static-host-mapping host-name radio.domain.com inet '192.168.0.5'

From a host on my LAN using my Vyos router as its DNS resolver

{6:33}~ ➭ ping radio.domain.com
PING radio.domain.com (192.168.0.5) 56(84) bytes of data.
64 bytes from micro.domain.com (192.168.0.5): icmp_seq=1 ttl=64 time=3.11 ms
64 bytes from micro.domain.com (192.168.0.5): icmp_seq=2 ttl=64 time=0.116 ms
^C
--- radio.domain.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.116/1.615/3.114/1.499 ms

I have 50 unique entries:

tim@ferrari:~$ show configuration commands | match static-host-mapping | match inet | count
50
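The split-DNS approach Tim describes, written out as a complete configuration; this is an added example, not Tim's or the VyOS project's own configuration. It uses VyOS 1.3 (equuleus) command syntax, and every value in it is an assumed placeholder: the LAN is 192.168.0.0/24, the router's LAN address is 192.168.0.1, the headscale host sits at 192.168.0.10, its public name is headscale.example.com, and 9.9.9.9 stands in for whatever upstream resolver you actually use.

```vyos
# Added example, not from the thread. Assumed placeholder values:
# LAN 192.168.0.0/24, router LAN address 192.168.0.1,
# headscale host 192.168.0.10, public name headscale.example.com.
# VyOS 1.3 (equuleus) syntax.

# 1. Map the public FQDN to the internal address. VyOS writes this to
#    /etc/hosts, and the DNS forwarder answers from it, so LAN clients
#    that resolve through the router get the internal IP and never need
#    to hairpin through the WAN address.
set system static-host-mapping host-name headscale.example.com inet '192.168.0.10'

# 2. Run the forwarder on the LAN interface only and accept queries only
#    from the LAN. This keeps the internal mapping off the Internet and
#    stops the router from acting as an open resolver.
set service dns forwarding listen-address '192.168.0.1'
set service dns forwarding allow-from '192.168.0.0/24'
set service dns forwarding name-server '9.9.9.9'

# 3. Hand the router out as the resolver via DHCP, so LAN hosts actually
#    use it. The override only applies to clients that ask this router.
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 name-server '192.168.0.1'

commit
save
```

To confirm it is working, run `dig +short headscale.example.com @192.168.0.1` from a LAN host: it should return 192.168.0.10, while the same query sent to a public resolver returns your WAN address. Two things to keep in mind: a LAN host with a hard-coded resolver (or a browser using DNS-over-HTTPS) bypasses the override and would still need hairpin NAT, and because the clients still connect by FQDN, the headscale server's TLS certificate for that name continues to validate.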
