Getting port forwards to work from LAN

I’m a new user running 6.2 on an RB2011UAS-RM.

These are my ip/firewall/filter rules:

add chain=input protocol=icmp
add chain=input connection-state=established
add chain=input connection-state=related
add action=drop chain=input in-interface=ether1-gateway

Here’s a subset of my ip/firewall/nat rules relevant to my problem:

add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway to-addresses=0.0.0.0
add action=dst-nat chain=dstnat comment="port forward" dst-port=81 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.0.81 to-ports=80
add action=dst-nat chain=dstnat comment="dmz host" in-interface=ether1-gateway to-addresses=192.168.0.2

From an external host, accessing my WAN IP, lets call it 1.2.3.4, the port forwards work.

From an internal host, accessing 1.2.3.4 goes to the RB2011. How do I get it to behave the same as if I’m coming from an external host ?

All my searches end up in Hairpin NAT being mentioned. I tried adding a rule like:

add action=masquerade chain=srcnat comment=hairpin dst-address=192.168.0.0/24 out-interface=bridge-local src-address=192.168.0.0/24

But that doesn’t seem to do anything. I’m not even sure that’s my issue, as I’m hitting the router, not getting my internal response packet dropped according to the Hairpin NAT page. Any ideas ?

This two day delay before a post goes up is rather annoying.

Help ?

Hairping NAT is what you need. Your problem is that your port forwards are set for in-interface=ether1-gateway, but when connecting from LAN, in-interface is going to be bridge-local, so nothing gets forwarded. You can:

a) Replace in-interface=ether1-gateway with dst-address= if you have static one.
b) Replace in-interface=ether1-gateway with dst-address-type=local, which will match any address owned by router. As a side effect, it will forward not only packets destined for WAN address, but also for 192.168.0.1 (I assume it’s your router’s LAN address) and any other address present on router. But it should not really hurt anything.
c) Duplicate dst-nat rules with in-interface=bridge-local.

Thank you Sob! What wasn’t clear to me was that I needed to have both the hairpin rule as well as modify my port forwards to one of the options you gave above.

a) Most consumer level users don’t have static IPs, so this option doesn’t work for many. It would be nice if some sort of variable could be specified so that this rule would work for people with dynamic IPs from their ISPs as well.

b) This is the route I chose, but to avoid having the port forwards apply for 192.168.0.1 as well, I added a “dst-address=!192.168.0.1” to my port forwards. I’m guessing having the port forwards apply to 192.168.0.1 might create a problem accessing the router since I have a dmz rule.

c) This makes things even more inconvenient than it already is, compared to specifying port forwards in consumer routers.

So, to summarize things for other new users that might have a problem. Here are my ip/firewall/nat rules now compared to what they were in my original post:

add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment=hairpin dst-address=192.168.0.0/24 out-interface=bridge-local src-address=192.168.0.0/24
add action=dst-nat chain=dstnat comment="port forward" dst-address=!192.168.0.1 dst-address-type=local dst-port=81  protocol=tcp to-addresses=192.168.0.81 to-ports=80
add action=dst-nat chain=dstnat comment="dmz host" dst-address=!192.168.0.1 dst-address-type=local to-addresses=192.168.0.2

Can the hairpin NAT rule:

add action=masquerade chain=srcnat comment=hairpin dst-address=192.168.0.0/24 out-interface=bridge-local src-address=192.168.0.0/24

.. be simplified further to remove the choice of LAN subnet to this:

add action=masquerade chain=srcnat comment=hairpin in-interface=bridge-local out-interface=bridge-local

?