There are a few more differences…
Why hairpin NAT is the best thing in the world (only slightly biased comparison with local DNS override)
Initial config:
- common: nothing
- dns: nothing
- hairpin: add one srcnat rule
Ooops, hairpin is losing right from the start. Well…
Put company webserver behind router (www.company.tld and company.tld):
- common: add one dstnat rule to forward ports 80 and 443 to internal server; in public dns, point two hostnames to router’s public address
- dns: add two hostnames in local dns
- hairpin: nothing to do, everything works
Add another virtual host (eshop.company.tld):
- common: in public dns, point one hostname to router’s public address
- dns: add one hostname in local dns (it won’t work for local users until you do)
- hairpin: nothing to do, everything works
Move eshop to different external server:
- common: in public dns, point eshop hostname to different public address
- dns: remove eshop hostname from local dns (if you don’t, local users will keep connecting to local server, which either doesn’t run the virtual host anymore or in worse case it has stale version, so it seemingly works, but has old data, e.g. new orders don’t show up)
- hairpin: nothing to do, everything works
Move virtual hosts to different internal server:
- common: change to-addresses in dstnat rule
- dns: in local dns, change all hostnames to new address
- hairpin: nothing to do, everything works
Mail server (behind same router) uses common mail.company.tld for everything (smtp, imap, …). For some reason, you need to split the server in two, with smtp port going to one and others to another. You’d like to keep mail.company.tld, because too many people have it configured in all their devices:
- common: split dstnat rule for port 25 from the rest and set its to-addresses to another server
- dns: “Houston, we have a problem…”
- hairpin: nothing to do, everything works
Someone scares CEO with DNS-hijacking and recommends running a DNSSEC validating resolver on his own notebook; CEO believes that it’s the only way and refuses to consider any other solution:
- common: nothing
- dns: “oh no, not again…”
- hairpin: nothing to do, everything works
CEO has bookmarked company FTP server, which is behind same router, the bookmark is for public numeric address (no hostname) and he insists that it must work even from same LAN (and encryption is required, so there’s no chance for any conntrack magic):
- common: add one dstnat rule to forward control and passive data ports to internal server
- dns: “that’s it, I quit!”
- hairpin: nothing to do, everything works
Ok, I know I’m stretching it, but it’s all true.
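The hairpin set-up the post walks through (web, split mail, FTP), written out as a RouterOS firewall NAT configuration. This is an added example, not configuration from the original post or its author; the public address 203.0.113.10, the 192.168.88.0/24 LAN, the server addresses, the WAN interface name and the FTP passive range 50000-50100 are all made-up values chosen for illustration.

```routeros
# Added example (not from the original post). Assumed addresses:
#   203.0.113.10   router's public address (static)
#   192.168.88.0/24 LAN; 192.168.88.1 is the router
#   192.168.88.10  web server (www.company.tld, company.tld, eshop.company.tld)
#   192.168.88.20  SMTP host (port 25 only)
#   192.168.88.21  host for the other mail services (IMAP)
#   192.168.88.30  FTP server, configured for passive ports 50000-50100
#   ether1-wan     WAN interface

/ip firewall nat

# The one srcnat rule the post's "hairpin: add one srcnat rule" step means.
# A LAN client connecting to 203.0.113.10 is dst-natted to a LAN server;
# without this rule the server would answer the client directly (same subnet),
# the client would see a reply from 192.168.88.x instead of 203.0.113.10 and
# drop it. Masquerading LAN->LAN traffic that passes through the router forces
# the reply back through the router so the translation is undone correctly.
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.0/24 \
    action=masquerade comment="hairpin NAT for LAN clients using public address"

# Ordinary masquerade for LAN -> Internet traffic.
add chain=srcnat out-interface=ether1-wan action=masquerade comment="LAN to WAN"

# Web: one dstnat rule serves every virtual host, public and local clients
# alike. Deliberately no in-interface=ether1-wan match: the rule must also
# fire for packets arriving from the LAN, otherwise hairpin does not work.
add chain=dstnat dst-address=203.0.113.10 protocol=tcp dst-port=80,443 \
    action=dst-nat to-addresses=192.168.88.10 comment="web (all vhosts)"

# Mail split: port 25 to one host, the remaining mail ports to the other,
# while mail.company.tld keeps pointing at 203.0.113.10 everywhere.
add chain=dstnat dst-address=203.0.113.10 protocol=tcp dst-port=25 \
    action=dst-nat to-addresses=192.168.88.20 comment="smtp"
add chain=dstnat dst-address=203.0.113.10 protocol=tcp dst-port=143,993 \
    action=dst-nat to-addresses=192.168.88.21 comment="imap"

# FTP with TLS: the connection-tracking FTP helper cannot read the encrypted
# control channel, so the passive data range has to be forwarded explicitly
# and must match the range configured on the FTP server.
add chain=dstnat dst-address=203.0.113.10 protocol=tcp dst-port=21,50000-50100 \
    action=dst-nat to-addresses=192.168.88.30 comment="ftp control + passive data"
```

Two practical notes. First, because the hairpin path masquerades LAN clients, the internal servers log every local user as 192.168.88.1 (the router), so per-client rate limiting, fail2ban-style blocking and access logs on those servers lose the real LAN source address; with local DNS override the server sees the client's own address. If that visibility matters, narrow the srcnat rule to the specific servers and ports, or accept the trade-off knowingly. Second, if the public address is dynamic, `dst-address-type=local` can stand in for the fixed `dst-address=203.0.113.10`, but it then also matches the router's LAN address, so a LAN user opening the router's own port 80 or 443 would be forwarded to the web server as well; keep such a rule as narrow as the services require.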