As the subject states, I have a dynamic IP address. I originally decided to try a convoluted method of updating the NAT rules with a script every time my IP changed, but felt there should be a more elegant way, with less outgoing traffic spam and potential CPU utilization.
I went with a hairpin NAT, but I’ve since run into a problem. Machines can’t connect to themselves through the external interface; they just stall. I attached a filter to log this action, and it looks right to me, but I also guess that it’s continually forwarding in on itself and never actually moving the packet (i.e. 192.168.144.5:55518 to 192.168.144.5:80, but it never connects). This breaks the webmail I have running, because .5 can’t IMAP to itself.
Scenario:
192.168.144.250 netcats to port 80 on my external IP address (resolved hostname), and it gets through to 192.168.144.5:80.
192.168.144.5 netcats to port 80 on my external IP address (resolved hostname), and it stalls.
Here are my NAT firewall settings currently. If anyone has any advice on a more elegant way to do/fix this (without running scripts every x minutes to update an address_list or change my NAT rules), I would much appreciate it.
What IP are you updating in the code below? It looks right; you are not referencing the public IP, just the incoming interface. You shouldn’t need to be changing the rules if your external IP changes.
Also, the to-ports can be to-ports=0-65535. You only override that when you’re forcing a change in the port.
Your srcnat doesn’t look right. You are specifying the same interface as the dstnat rules. Are you running everything on the same interface? No WAN and LAN separation?
As I stated, I’m not going with the script update method; I’m simply trying to get a hairpin NAT functional so things can talk to themselves (without the hairpin, none of the local interfaces talk to each other, no doubt due to the bridge).
If I set this up so 24.18.5.89 (my external IP) is static NAT, everything jives. So my original idea was just to make a script run every 10 minutes that updates either the NAT forwarding rules I have or the address_list that I’m using as dst.
But now that I’m just using the interface, I need a hairpin in order to get 192.168.144.250 to connect to 192.168.144.5 on any port through ether1-gateway.
I have my cable modem plugged into ether1-gateway, a wireless access point plugged into ether3, and a 24-port network switch plugged into ether4. My web/e-mail server is plugged into ether2 directly. Everything is 192.168.144.0/24 internally, no split-horizon DNS, nothing confusing.
Sorry for the above confusion. I guess my FreeBSD server is not plugged directly into ether2; the switch is. So swap those around in my last post to prevent confusion.
Change your “interface=ether2-local” to “interface=bridge” on the IP address. Once you set up a bridge you should not reference the physical interface anymore. The IP address should be on the bridge, not on a single port.
Remove that second-to-last NAT rule. You don’t need NAT internally; the bridge will just let everyone talk to each other since they are all on the same bridge.
Hairpin NAT shouldn’t be necessary, unless you need internal servers to talk to internal servers using the public IP address…
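For reference, here is a complete RouterOS configuration that covers the case the thread is circling around: a dynamic public address on ether1-gateway, the LAN address on the bridge as advised above, and LAN hosts (including the server itself) reaching the server through the public address. This is an added example, not the original poster’s configuration or anyone’s reply in the thread. It assumes the router’s LAN address is 192.168.144.1/24, the bridge is named “bridge”, and the services are web on port 80 and IMAP on 143/993; the server address 192.168.144.5 and the interface name ether1-gateway come from the thread.

```routeros
# Added example configuration (not from the original poster). Assumptions:
#  - LAN address 192.168.144.1/24 sits on the bridge interface named "bridge" (assumed)
#  - ether1-gateway is the WAN port with a dynamic public address (from the thread)
#  - web/mail host is 192.168.144.5 (from the thread); ports 80,143,993 are assumed

/ip address
add address=192.168.144.1/24 interface=bridge \
    comment="LAN address lives on the bridge, not on a single ether port"

/ip firewall nat
# Port forward without naming the public IP: dst-address-type=local matches any
# address the router itself currently holds, including whatever DHCP handed to
# ether1-gateway. The !192.168.144.1 guard stops LAN traffic aimed at the router's
# own LAN address (management, DNS) from being forwarded to the server.
add chain=dstnat dst-address-type=local dst-address=!192.168.144.1 \
    protocol=tcp dst-port=80,143,993 action=dst-nat to-addresses=192.168.144.5 \
    comment="forward web/IMAP to the server (matches WAN and hairpin traffic)"

# Hairpin: when a LAN host, including 192.168.144.5 itself, reaches the server via
# the public address, rewrite the source to the router's LAN address so the reply
# comes back through the router and is un-NATed. Without this rule the server
# answers the client directly from 192.168.144.5 while the client is waiting for a
# reply from the public address, so the connection stalls (the symptom above).
add chain=srcnat src-address=192.168.144.0/24 dst-address=192.168.144.5 \
    protocol=tcp dst-port=80,143,993 out-interface=bridge action=masquerade \
    comment="hairpin NAT for LAN clients using the public address"

# Ordinary outbound masquerade for everything leaving via the WAN port.
add chain=srcnat out-interface=ether1-gateway action=masquerade \
    comment="default outbound NAT"

# Check: a hairpinned connection appears with 192.168.144.1 as the reply
# destination instead of the LAN client's own address.
/ip firewall connection print detail where dst-address~"192.168.144.5:80"
```

No address lists or periodic scripts are needed because neither rule references the public address: the dstnat rule keys on the address being local to the router, and the hairpin rule keys on the LAN-to-server path. The hairpin masquerade costs the server its view of real client addresses for LAN-originated connections (they all appear as 192.168.144.1 in its logs), which is the usual trade-off of this approach and worth knowing when reading the mail server’s logs.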