Hairpin routing
-
Here's a sample router config.
Router has two external IPs
12.12.12.10
12.12.12.12The default IP for the router is 12.12.12.10. Natting is setup for all normal internet traffic to flow through this IP.
A 1-1 Static NAT is setup for 12.12.12.12 to 10.10.10.12, internal OwnCloud server
Can you enable hairpining on the static NAT'ed address for the internal network?
Here's a story of why one would want to do this.
Your company deploys Pertino or ZeroTier. Owncloud does not support either. Internal DNS of course typically has assigned an internal IP for the Owncloud server for internal use.
The problem is, when a user is offsite, the Owncloud server only works through the external ISP connection, not over Pertino, but your client PC when resolving the IP for Owncloud of course only get an IP from inside your network.
The proposal is to change the internal DNS to list Owncloud as the external IP address. Now when internal clients attempt to go there, they will go to the external IP, but the hairpin rule on the firewall will push the request back internal. External requests will work as normal external requests do.
-
It's being suggested that hairpin cannot be turned on for non default interfaces on a router (specifically the ERL).
-
@Dashrender said:
Your company deploys Pertino or ZeroTier. Owncloud does not support either.
Before getting bogged down and missing this... what do you mean that ownCloud does not support Pertino and ZeroTier?
-
@scottalanmiller said:
@Dashrender said:
Your company deploys Pertino or ZeroTier. Owncloud does not support either.
Before getting bogged down and missing this... what do you mean that ownCloud does not support Pertino and ZeroTier?
How did I know you were going to ask that - It's not my situation, so I can't answer you. That said, just go with the flow and assume they don't. oh and you can't install a gateway appliance either (don't ask me why).
-
Okay, so just so we are all clear, it does support Pertino and ZeroTier
-
What if you use a DNS entry that exists in one form externally and a different one internally? That way it goes to different IP addresses depending on where you are?
-
@Dashrender said:
It's being suggested that hairpin cannot be turned on for non default interfaces on a router (specifically the ERL).
I've not tried it on the ERL, but does it need to be "turned on?" If I request goes out the default gateway and is destined for another interface on the router, it should come back in? Or is this two IPs on the same interface?
-
@scottalanmiller said:
What if you use a DNS entry that exists in one form externally and a different one internally? That way it goes to different IP addresses depending on where you are?
Won't work when you're using AD Connect because all DNS quiries go through AD's DNS.
And since you're running a split brain DNS (internal is the same as external - example.com) you'll never get a reply from an external DNS server.
-
@scottalanmiller said:
@Dashrender said:
It's being suggested that hairpin cannot be turned on for non default interfaces on a router (specifically the ERL).
I've not tried it on the ERL, but does it need to be "turned on?" If I request goes out the default gateway and is destined for another interface on the router, it should come back in? Or is this two IPs on the same interface?
two IP's on the same interface - but you bring up a great point. If the ERL is a 5 port or larger unit, you could assign the two different external IPs to two different ports, and have them both connect to the ISP's device via a switch... nice!
-
Set internal DNS to IP (A-record) to be different than outside world?
meaning, Internal or LAN will point to DNS address that is specific to internal?
Typically I do similar.
Internal DNS i would create an A-Record that points to internal LAN IP server address. External DNS A-record will point to my ISP provided IP address (12.12.12.12)
So hosts internally will auto-map to internal owncloud server, and not have to re-route over interwebz? maybe my logic is flawed
-
@Dashrender said:
And since you're running a split brain DNS (internal is the same as external - example.com) you'll never get a reply from an external DNS server.
This sounds like layer after layer of bad decision making. There is a reason why split horizon (I know one bad MS document says split brain but that really should be avoided) DNS is not a good practice.
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
It's being suggested that hairpin cannot be turned on for non default interfaces on a router (specifically the ERL).
I've not tried it on the ERL, but does it need to be "turned on?" If I request goes out the default gateway and is destined for another interface on the router, it should come back in? Or is this two IPs on the same interface?
two IP's on the same interface - but you bring up a great point. If the ERL is a 5 port or larger unit, you could assign the two different external IPs to two different ports, and have them both connect to the ISP's device via a switch... nice!
Should "just work." Of course, passing storage in and out of the firewall is a bit nutty, but shoudl work.
-
@scottalanmiller said:
@Dashrender said:
And since you're running a split brain DNS (internal is the same as external - example.com) you'll never get a reply from an external DNS server.
This sounds like layer after layer of bad decision making. There is a reason why split horizon (I know one bad MS document says split brain but that really should be avoided) DNS is not a good practice.
It may not be, but MS does it themselves.
What is the name of the internal NTG domain?
-
-
@scottalanmiller said:
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
It's being suggested that hairpin cannot be turned on for non default interfaces on a router (specifically the ERL).
I've not tried it on the ERL, but does it need to be "turned on?" If I request goes out the default gateway and is destined for another interface on the router, it should come back in? Or is this two IPs on the same interface?
two IP's on the same interface - but you bring up a great point. If the ERL is a 5 port or larger unit, you could assign the two different external IPs to two different ports, and have them both connect to the ISP's device via a switch... nice!
Should "just work." Of course, passing storage in and out of the firewall is a bit nutty, but shoudl work.
yeah, if Owncloud is used by internal personal more than external, this is probably a pretty bad setup, stresses the firewall for no good reason.
-
@Dashrender said:
It may not be, but MS does it themselves.
I'm going out on a limb here only because they can't possibly have warned against it more but I've never signed into their network but...
No, they absolutely don't do this.
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
It's being suggested that hairpin cannot be turned on for non default interfaces on a router (specifically the ERL).
I've not tried it on the ERL, but does it need to be "turned on?" If I request goes out the default gateway and is destined for another interface on the router, it should come back in? Or is this two IPs on the same interface?
two IP's on the same interface - but you bring up a great point. If the ERL is a 5 port or larger unit, you could assign the two different external IPs to two different ports, and have them both connect to the ISP's device via a switch... nice!
Should "just work." Of course, passing storage in and out of the firewall is a bit nutty, but shoudl work.
yeah, if Owncloud is used by internal personal more than external, this is probably a pretty bad setup, stresses the firewall for no good reason.
Even if it is just used "some" it's still not a great setup.
-
In the Windows 2000 days the suggestion was to use your domain name (where Split brain/Split horizon came from). Then in Windows 2003 days MS changed and suggested that companies use company.local. This of course wouldn't route over the internet, yet so I heard caused all kinds of other problems. In either 2008 or 2012, don't recall which, MS stopped suggesting the use of company.local. I have no idea what the current recommendation is.
-
This is an issue I am working on and I don't have time to be here right now, but I will give the full setup anyway.
I am not going to put ZT or Pertino on the ownCloud server because there is zero need for it. That data is all SSL encrypted and has no need to go through any kind of other tunnel.Setup:
12.12.12.10 = NAT and all working.
12.12.12.12 = 1-1 NAT to proxy server and all working.
Internal DNS is proxy.domain.com = A record 10.202.1.16
Internal ownCloud DNS is oc.domain.com = CNAME proxy.domain.com (also used A record 10.202.1.17 either works fine)
External DNS is oc.domain.com = CNAME proxy.domain.com
External DNS for proxy.domain.com = A record 12.12.12.12Issue:
Laptop has Pertino + ADConnect
So due to ADConnect the laptop ALWAYS gets oc.domain.com as 10.202.1.16 (or .17 when I had the A record internally)
Because the proxy and ownCloud do not have Pertino, the laptop cannot talk to ownCloud.Solution: Hairpin NAT and set internal DNS to External IP
Issue: How to set it up manually on the 1-to-1 NAT.It works as expected on the default masquerade.
https://i.imgur.com/7IW606s.jpg. -
I use name.local here myself... works fine
I just create A-records
to do internal DNS-A record within Windows Server DNS, there is a guide out there
Essentially need to create an internal DNS A-Record to point to the internal IP address of the own cloud server.
Then on the domain Registrar website; create an external DNS A-record and point it to your External WAN address 12.12.12.12 as given in example.
Be sure to have appropriate firewall rule and port forwarding configured to accept traffic on interface for 12.12.12.12 and redirect the requests on destination ports to the internal owncloud IP address
