Hairpin NAT issue

Hey everyone,

First post so thanks in advance for any help. :)

I’m using a webserver on my lan which is accessible from the internet, but I’m unable to access it locally. I’ve set up a hairpin NAT but I can’t seem to get it working still.

Here’s my config:
Local address space: 192.168.0.0/24
Webserver IP: 192.168.0.248
WAN interface: ether1
LAN interface: bridge1
 0    chain=dstnat action=dst-nat to-addresses=192.168.0.248 to-ports=80 
      protocol=tcp in-interface=ether1 dst-port=80 log=no log-prefix="" 

 1    chain=dstnat action=dst-nat to-addresses=192.168.0.248 to-ports=25 
      protocol=tcp in-interface=ether1 dst-port=25 log=no log-prefix="" 

 2    chain=srcnat action=masquerade protocol=tcp src-address=192.168.0.0/24 
      dst-address=192.168.0.248 out-interface=bridge1 dst-port=80 log=no 
      log-prefix="" 

 3    chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""

Thanks everyone!

On the hairpin NAT rule, try removing the destination port:

chain=srcnat action=masquerade protocol=tcp src-address=192.168.0.0/24
      dst-address=192.168.0.248 out-interface=bridge1 log=no
      log-prefix=""

Hi Caci, thanks for the reply.
I’ve tried the above but I’m still seeing the same issue.

Move your masquerade rule to the top position. It should come before all of your other NAT rules.

Hi IntrusDave, I tried this also, but unfortunately I had the same issue. Thanks.

Any other suggestions?

I had exactly the same issue when accessing my home server by DNS name.
First I was using static DNS, but I had to use the port in browsers and there were issues with some mobile browsers.
So I started to use masquerade for LAN access instead and everything is working perfectly.
(Only one small side effect - all accesses from LAN will show as your router IP only.)

Try these settings, modified for your setup (replace xxx.xxx.xxx.xxx with your public IP); they are working fine for me.
(Also check that there is no static DNS entry left on the router for your webserver.)

 0    ;;; Common masquerade
      chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix="" 

 1    ;;; WAN to webserver 80
      chain=dstnat action=dst-nat to-addresses=192.168.0.248 to-ports=80 protocol=tcp 
      dst-address=xxx.xxx.xxx.xxx dst-port=80 log=no log-prefix="" 

 2    ;;; WAN to webserver 25
      chain=dstnat action=dst-nat to-addresses=192.168.0.248 to-ports=25 protocol=tcp 
      dst-address=xxx.xxx.xxx.xxx dst-port=25 log=no log-prefix="" 

 3    ;;; LAN to webserver
      chain=srcnat action=masquerade protocol=tcp src-address=192.168.0.0/24 dst-address=192.168.0.248 
      log=no log-prefix=""

Can you post an export of your filter and NAT rules? That will help narrow down where your issue is.

Hi,

None of the srcnat rule variants work on my MT network (ROS v6.29). Strange and not logical, but that’s how it is. The only rule that works for me is:

add action=dst-nat chain=dstnat comment="masquerade QQQ from local net" dst-address=\
    WAN-IP dst-port=WAN-natted-port protocol=tcp src-address=192.168.88.0/24 to-addresses=\
    LAN-IP to-ports=LAN-Port

Substitute WAN-IP with your external gateway IP, WAN-natted-port with the external (Internet) port you used in the dstnat rule for port forwarding, src-address with the local address space you are using (watch out when using VLANs), to-addresses with the local server IP and LAN-Port with the port you are using.

It doesn’t have to be the top NAT rule. I put these rules right below the port forwarding rule.
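To see why the original rule set in this thread fails while Dejvid's rewritten set and the dst-nat-only rule from the last post both deliver the packet, here is a small Python model of how RouterOS evaluates the NAT chains for the first packet of a connection. This is an added example, not code from the thread or from MikroTik; it only implements the matchers these rules actually use (chain, protocol, in/out-interface, src/dst-address, dst-port) and the dst-nat and masquerade actions. The public IP 203.0.113.10 (standing in for xxx.xxx.xxx.xxx), the router's bridge1 address 192.168.0.1 and the LAN client 192.168.0.50 are constructed placeholders; the return path from the server is not modelled.

```python
"""Model of RouterOS NAT evaluation for the hairpin case in this thread.

Added example, not code from the thread or from MikroTik. Only the matchers
these rules use and the first packet of a new connection are modelled; the
return path is not.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

PUBLIC_IP = "203.0.113.10"     # constructed stand-in for xxx.xxx.xxx.xxx
ROUTER_LAN_IP = "192.168.0.1"  # assumption: router's address on bridge1
SERVER = "192.168.0.248"       # webserver from the thread
LAN = "192.168.0.0/24"         # local address space from the thread
LAN_CLIENT = "192.168.0.50"    # constructed LAN client

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str
    proto: str = "tcp"

@dataclass
class Rule:
    chain: str
    action: str
    protocol: Optional[str] = None
    in_interface: Optional[str] = None
    out_interface: Optional[str] = None
    src_address: Optional[str] = None
    dst_address: Optional[str] = None
    dst_port: Optional[int] = None
    to_addresses: Optional[str] = None
    to_ports: Optional[int] = None

    def matches(self, pkt, out_iface):
        """Every matcher set on the rule must agree with the packet."""
        exact = [(self.protocol, pkt.proto), (self.in_interface, pkt.in_iface),
                 (self.out_interface, out_iface), (self.dst_port, pkt.dport)]
        if any(want is not None and want != got for want, got in exact):
            return False
        for want, got in ((self.src_address, pkt.src), (self.dst_address, pkt.dst)):
            if want is not None and ip_address(got) not in ip_network(want, strict=False):
                return False
        return True

def route(dst):
    """Egress after dstnat: the router itself, bridge1 for the LAN, else ether1."""
    if dst in (PUBLIC_IP, ROUTER_LAN_IP):
        return "local"
    return "bridge1" if ip_address(dst) in ip_network(LAN) else "ether1"

def apply_nat(rules, pkt):
    """dstnat (prerouting), routing, then srcnat (postrouting); first match
    wins in each chain since dst-nat and masquerade terminate the chain."""
    for r in rules:
        if r.chain == "dstnat" and r.matches(pkt, None):
            pkt = replace(pkt, dst=r.to_addresses or pkt.dst, dport=r.to_ports or pkt.dport)
            break
    egress = route(pkt.dst)
    if egress != "local":
        for r in rules:
            if r.chain == "srcnat" and r.matches(pkt, egress):
                # masquerade: source becomes the address of the egress interface
                pkt = replace(pkt, src=ROUTER_LAN_IP if egress == "bridge1" else PUBLIC_IP)
                break
    return pkt, egress

def hairpin_result(rules, client=LAN_CLIENT, port=80):
    """Outcome for a LAN client connecting to the public IP on `port`."""
    pkt, egress = apply_nat(rules, Packet(client, PUBLIC_IP, port, "bridge1"))
    return {"reaches_server": egress == "bridge1" and pkt.dst == SERVER,
            "source_rewritten": pkt.src != client, "src": pkt.src, "dst": pkt.dst}

# OP's rules: port forward keyed on in-interface=ether1 (port 25 rule omitted).
ORIGINAL = [
    Rule("dstnat", "dst-nat", protocol="tcp", in_interface="ether1", dst_port=80,
         to_addresses=SERVER, to_ports=80),
    Rule("srcnat", "masquerade", protocol="tcp", src_address=LAN, dst_address=SERVER,
         out_interface="bridge1", dst_port=80),
    Rule("srcnat", "masquerade", out_interface="ether1"),
]
# Dejvid's rules: port forward keyed on dst-address=public IP, hairpin masquerade last.
DEJVID = [
    Rule("srcnat", "masquerade", out_interface="ether1"),
    Rule("dstnat", "dst-nat", protocol="tcp", dst_address=PUBLIC_IP, dst_port=80,
         to_addresses=SERVER, to_ports=80),
    Rule("srcnat", "masquerade", protocol="tcp", src_address=LAN, dst_address=SERVER),
]
# Last post's approach: OP-style port forward plus a dst-nat rule matching LAN sources.
DSTNAT_ONLY = [
    Rule("srcnat", "masquerade", out_interface="ether1"),
    Rule("dstnat", "dst-nat", protocol="tcp", in_interface="ether1", dst_port=80,
         to_addresses=SERVER, to_ports=80),
    Rule("dstnat", "dst-nat", protocol="tcp", src_address=LAN, dst_address=PUBLIC_IP,
         dst_port=80, to_addresses=SERVER, to_ports=80),
]
```

Running `hairpin_result(ORIGINAL)` shows the packet from the LAN client never matches the dst-nat rule because it arrived on bridge1, not ether1, so it is still addressed to the public IP when routing runs and is delivered to the router itself; removing dst-port from the masquerade rule or reordering the rules cannot change that, since the hairpin masquerade only matches packets already rewritten to the server address. With Dejvid's set the dst-nat rule keys on the public address instead, the packet reaches the server and the masquerade rewrites the source to the router's LAN address, which is the side effect he mentions. The dst-nat-only rule from the last post also rewrites the destination but leaves the client's source address untouched, so whether the server's reply comes back through the router is a question of topology that this model does not answer.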