Hairpin NAT Issue

scottalanmiller

@wirestyle22 said in Hairpin NAT Issue:

@scottalanmiller said in Hairpin NAT Issue:

Check your web logs, is your web server seeing traffic from the hairpin?

This is, indeed, a quote

wirestyle22

I'm not going to post the logs due to client identity for friends of mine that use it, but the packets are never reaching the nginx proxy. Router looks okay, but I will be checking my switch when I have a free minute.

JaredBusch

Use your own NAT rules and don't rely on "magic"

I'll go dig up some examples.

JaredBusch

Obviously you will need to renumber these rules and adjust IP addresses.
destination address 12.34.56.78 = your public IP if you have a dynamic IP from your ISP and use DDNS you can tell it to use the interface address like this destination group address-group ADDRv4_eth0

# enter config mode.
configure

# First you will need a firewall rule as there will not be a "magic" one from port forwarding.
set firewall name WAN_IN rule 40 description 'Allow HTTPS to Nextcloud'
set firewall name WAN_IN rule 40 destination address 192.168.1.100
set firewall name WAN_IN rule 40 destination port 443
set firewall name WAN_IN rule 40 log disable
set firewall name WAN_IN rule 40 protocol tcp
set firewall name WAN_IN rule 40 state established disable
set firewall name WAN_IN rule 40 state invalid disable
set firewall name WAN_IN rule 40 state new enable
set firewall name WAN_IN rule 40 state related disable

# set up the normal destinaiton port forward NAT rule for external traffic.
# there is no source rule, because that goes out with the standard masquerade.
set service nat rule 20 description 'Inbound HTTPS to Nextcloud'
set service nat rule 20 destination address 12.34.56.78
set service nat rule 20 destination port 443
set service nat rule 20 inbound-interface eth0
set service nat rule 20 inside-address address 192.168.1.100
set service nat rule 20 inside-address port 443
set service nat rule 20 log disable
set service nat rule 20 protocol tcp
set service nat rule 20 type destination

# now setup the hairpin port forward, note that it is both a destination and a source rule.
set service nat rule 1000 description 'Nextcloud Hairpin'
set service nat rule 1000 destination address 12.34.56.78
set service nat rule 1000 destination port 443
set service nat rule 1000 inbound-interface eth1
set service nat rule 1000 inside-address address 192.168.1.100
set service nat rule 1000 inside-address port 443
set service nat rule 1000 log disable
set service nat rule 1000 protocol tcp
set service nat rule 1000 type destination

set service nat rule 5011 description 'Nextcloud Hairpin'
set service nat rule 5011 destination address 192.168.1.100
set service nat rule 5011 destination port 443
set service nat rule 5011 log disable
set service nat rule 5011 outbound-interface eth1
set service nat rule 5011 protocol tcp
set service nat rule 5011 source address 192.168.1.0/24
set service nat rule 5011 type masquerade

# nuke all traces of port fowarding, the GUI sometimes leaves bits.
delete port-forward

# commit without saving. in case you fuck things up, this lets a reboot put it all back.
commit

# Assuming it works in testing save and exit config mode.
save;exit

JaredBusch

@wirestyle22 said in Hairpin NAT Issue:

change the gui port on my er4

You have zero need to do this. In the 30+ routers I have in my UNMS controller, I have never changed that.

wirestyle22

ran into this

commit
[ firewall name WAN_IN ]
Firewall config error: 'action' must be defined

JaredBusch

@wirestyle22 said in Hairpin NAT Issue:

ran into this

commit
[ firewall name WAN_IN ]
Firewall config error: 'action' must be defined

You don't have a default firewall named WAN IN with an action already set up.

If you used different names, then you need to adjust.

wirestyle22

@JaredBusch said in Hairpin NAT Issue:

@wirestyle22 said in Hairpin NAT Issue:

ran into this

commit
[ firewall name WAN_IN ]
Firewall config error: 'action' must be defined

You don't have a default firewall named WAN IN with an action already set up.

If you used different names, then you need to adjust.

thanks found it. it was one of the rules not having an action not the name

wirestyle22

show service nat

show service nat
 rule 20 {
     description "Inbound HTTPS to NGINX"
     destination {
         address public.ip
         port 443
     }
     inbound-interface eth0
     inside-address {
         address 192.168.1.204
         port 443
     }
     log disable
     protocol tcp
     type destination
 }
 rule 1000 {
     description "NGINX Hairpin"
     destination {
         address public.ip
         port 443
     }
     inbound-interface eth1
     inside-address {
:
 rule 20 {
     description "Inbound HTTPS to NGINX"
     destination {
         address public.ip
         port 443
     }
     inbound-interface eth0
     inside-address {
         address 192.168.1.204
         port 443
     }
     log disable
     protocol tcp
     type destination
 }
 rule 1000 {
     description "NGINX Hairpin"
     destination {
         address public.ip
         port 443
     }
     inbound-interface eth1
     inside-address {
         address 192.168.1.100
         port 443
     }
     log disable
     protocol tcp
     type destination
 }
 rule 5000 {
     description "maquerade for WAN"
     log disable
     outbound-interface eth0
     protocol all
     type masquerade
 }
 rule 5011 {
     description "NGINX Hairpin"
     destination {
         address 192.168.1.204
         port 443
     }
     log disable
     outbound-interface eth1
     protocol tcp
     source {
         address 192.168.1.0/24
     }
     type masquerade
 }

wirestyle22

show firewall

 all-ping enable
 broadcast-ping disable
 ipv6-receive-redirects disable
 ipv6-src-route disable
 ip-src-route disable
 log-martians enable
 name WAN_IN {
     default-action drop
     description "WAN to internal"
     rule 10 {
         action accept
         description "Allow HTTPS to NGINX"
         destination {
             address 192.168.1.204
             port 443
         }
         log disable
         protocol tcp
         state {
             established disable
             invalid disable
             new enable
             related disable
         }
     }
     rule 20 {
         action accept
         description "Allow established/related"
         log disable
         protocol all
         state {
             established enable
             related enable
         }
     }
     rule 30 {
         action drop
         description "Drop invalid state"
         log disable
         protocol all
         state {
             invalid enable
         }
     }
 }
 name WAN_LOCAL {
     default-action drop
     description "WAN to router"
     rule 30 {
         action accept
         description "Allow established/related"
         state {
             established enable
             related enable
         }
     }
     rule 40 {
         action drop
         description "Drop invalid state"
         state {
             invalid enable
         }
     }
     rule 50 {
         action accept
         description "Inbound Traffic to WEB GUI"
         destination {
             port 8443
         }
         log disable
         protocol tcp_udp
     }
 }
 receive-redirects disable
 send-redirects enable
 source-validation disable
 syn-cookies enable

wirestyle22

looking through the configuration for why this is still not functioning correctly