Hairpin NAT Issue



  • I have a physical server at home that hosts multiple webservers and am using an er4 as my firewall.

    I changed the GUI port on my ER4:

    configure
    
    set service gui https-port 8443
    set service gui http-port 8080
    
    commit
    save
    

    I also created a firewall rule to allow inbound traffic on port 8443

    edit firewall name WAN_LOCAL rule 50
    set description "Inbound traffic to Web GUI"
    set action accept
    set log disable
    set protocol tcp_udp
    set destination port 8443
    

    I can access the router on the new ports. I rebooted the firewall to verify it's correctly applied.

    I set up port forwarding to my nginx reverse proxy:

    (screenshot: hairpin.png)

    The webservers are accessible from outside of my network but I still can't access them internally. Hairpin NAT is enabled. Any ideas?



  • Internal DNS is definitely resolving to the correct public IP address?



  • Turn on Rule Stats, plz.



  • @scottalanmiller said in Hairpin NAT Issue:

    Internal DNS is definitely resolving to the correct public IP address?

    I just sent you screenshots showing that it is in Telegram.



  • @scottalanmiller said in Hairpin NAT Issue:

    Turn on Rule Stats, plz.

    (screenshot: rulestats.png)



  • Okay, so it is using the rules. That's important to know.



  • Check your web logs, is your web server seeing traffic from the hairpin?



  • @scottalanmiller said in Hairpin NAT Issue:

    Check your web logs, is your web server seeing traffic from the hairpin?



  • @wirestyle22 said in Hairpin NAT Issue:

    @scottalanmiller said in Hairpin NAT Issue:

    Check your web logs, is your web server seeing traffic from the hairpin?

    This is, indeed, a quote 😉



  • I'm not going to post the logs due to client identity for friends of mine that use it, but the packets are never reaching the nginx proxy. Router looks okay, but I will be checking my switch when I have a free minute.



  • Use your own NAT rules and don't rely on "magic"

    I'll go dig up some examples.



  • Obviously you will need to renumber these rules and adjust IP addresses.
    destination address 12.34.56.78 = your public IP. If you have a dynamic IP from your ISP and use DDNS, you can tell it to use the interface address instead, like this: destination group address-group ADDRv4_eth0

    # enter config mode.
    configure
    
    # First you will need a firewall rule, as there will not be a "magic" one from port forwarding.
    set firewall name WAN_IN rule 40 description 'Allow HTTPS to Nextcloud'
    set firewall name WAN_IN rule 40 destination address 192.168.1.100
    set firewall name WAN_IN rule 40 destination port 443
    set firewall name WAN_IN rule 40 log disable
    set firewall name WAN_IN rule 40 protocol tcp
    set firewall name WAN_IN rule 40 state established disable
    set firewall name WAN_IN rule 40 state invalid disable
    set firewall name WAN_IN rule 40 state new enable
    set firewall name WAN_IN rule 40 state related disable
    
    # set up the normal destination port forward NAT rule for external traffic.
    # there is no source rule, because that goes out with the standard masquerade.
    set service nat rule 20 description 'Inbound HTTPS to Nextcloud'
    set service nat rule 20 destination address 12.34.56.78
    set service nat rule 20 destination port 443
    set service nat rule 20 inbound-interface eth0
    set service nat rule 20 inside-address address 192.168.1.100
    set service nat rule 20 inside-address port 443
    set service nat rule 20 log disable
    set service nat rule 20 protocol tcp
    set service nat rule 20 type destination
    
    # now set up the hairpin port forward; note that it is both a destination and a source rule.
    # the destination rule matches LAN (eth1) traffic sent to the public IP and redirects it to the server.
    set service nat rule 1000 description 'Nextcloud Hairpin'
    set service nat rule 1000 destination address 12.34.56.78
    set service nat rule 1000 destination port 443
    set service nat rule 1000 inbound-interface eth1
    set service nat rule 1000 inside-address address 192.168.1.100
    set service nat rule 1000 inside-address port 443
    set service nat rule 1000 log disable
    set service nat rule 1000 protocol tcp
    set service nat rule 1000 type destination
    
    # the masquerade rule rewrites the LAN source to the router's eth1 address,
    # so the server's replies come back through the router instead of going straight to the client.
    set service nat rule 5011 description 'Nextcloud Hairpin'
    set service nat rule 5011 destination address 192.168.1.100
    set service nat rule 5011 destination port 443
    set service nat rule 5011 log disable
    set service nat rule 5011 outbound-interface eth1
    set service nat rule 5011 protocol tcp
    set service nat rule 5011 source address 192.168.1.0/24
    set service nat rule 5011 type masquerade
    
    # nuke all traces of port forwarding; the GUI sometimes leaves bits.
    delete port-forward
    
    # commit without saving. in case you fuck things up, this lets a reboot put it all back.
    commit
    
    # Assuming it works in testing, save and exit config mode.
    save
    exit
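
    Added example (not part of this thread, nor EdgeOS code) showing why the hairpin above needs both rule 1000 (destination) and rule 5011 (masquerade): it models a LAN client connecting to the public IP and follows the reply path with and without the masquerade. Addresses are the post's placeholders; the router's eth1 address 192.168.1.1 and the client 192.168.1.50 are assumptions.

```python
from dataclasses import dataclass, replace

# Placeholder addresses from the post, plus one assumption: the ER-4's LAN-side
# (eth1) address that the masquerade rule substitutes, taken here as 192.168.1.1.
PUBLIC_IP = "12.34.56.78"
SERVER_IP = "192.168.1.100"
ROUTER_LAN_IP = "192.168.1.1"
LAN_PREFIX = "192.168.1."

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def dnat_rule_1000(p: Packet) -> Packet:
    """type destination, inbound-interface eth1: public IP :443 -> server."""
    if p.src.startswith(LAN_PREFIX) and p.dst == PUBLIC_IP and p.dport == 443:
        return replace(p, dst=SERVER_IP)
    return p

def masquerade_rule_5011(p: Packet) -> Packet:
    """type masquerade, outbound-interface eth1: LAN -> server gets router source."""
    if p.src.startswith(LAN_PREFIX) and p.dst == SERVER_IP and p.dport == 443:
        return replace(p, src=ROUTER_LAN_IP)
    return p

def simulate_reply(client: Packet, with_masquerade: bool) -> Packet:
    """Return the server's reply as the LAN client actually receives it."""
    fwd = dnat_rule_1000(client)           # PREROUTING
    if with_masquerade:
        fwd = masquerade_rule_5011(fwd)    # POSTROUTING
    # The server answers whatever source address it saw.
    reply = Packet(src=fwd.dst, sport=fwd.dport, dst=fwd.src, dport=fwd.sport)
    if reply.dst == ROUTER_LAN_IP:
        # The reply lands on the router, whose conntrack entry for the forward
        # packet lets it undo both translations before delivering it.
        return Packet(src=client.dst, sport=client.dport, dst=client.src, dport=client.sport)
    # Without rule 5011 the server replies to the client directly across the
    # switch; the router never sees it and cannot restore the public IP.
    return reply

def client_accepts(client: Packet, reply: Packet) -> bool:
    """A TCP stack only matches a reply whose source is the peer it connected to."""
    return (reply.src, reply.sport, reply.dst, reply.dport) == (
        client.dst, client.dport, client.src, client.sport)

CLIENT = Packet(src="192.168.1.50", sport=51000, dst=PUBLIC_IP, dport=443)
```

    The DNAT-only case is exactly the "works from outside, dead from inside" symptom in the first post: the web server does see nothing from the router, and the client drops a reply that arrives from 192.168.1.100 instead of 12.34.56.78.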
    


  • @wirestyle22 said in Hairpin NAT Issue:

    change the gui port on my er4

    You have zero need to do this. In the 30+ routers I have in my UNMS controller, I have never changed that.

