For some web services I run the source ip address is extremely important.
These web services run both internal and external to the network.
When using hairpin NAT (src-nat → masquerade) I obviously lose the ability to see the source IP address.
Is there a way I can use the static DNS entries on the actual router instead?
I have tried this and can't get it to work; I added these entries to point to one of the router's LAN IP addresses.
If you want to see actual source IP addresses, then you must not use hairpin NAT … i.e. use split DNS, where the A record for the public internet points at your router's WAN IP address (and plain dst-nat is enough to have the connection working), and the A record for "same subnet" clients points directly to the server's LAN IP address, so clients can talk to the server directly without (unnecessarily) involving the router and its dst-nat.
Or move the server into a dedicated subnet, which means that communication with LAN clients will have to pass through the router and hairpin NAT is not necessary any more.
Sounds simple enough, however I see one concern.
Some of my internal services run on different source ports and I would still require a dst-nat to do the port translation.
Example: a service runs on port 1050 and the clients use 5050.
In this case the best solution is to move server(s) into dedicated IP subnet. The dst-nat would then work the same way for both internet and LAN clients (no hairpin NAT necessary).
BTW, DNS records have nothing to do with the way NAT is executed, NAT simply works on individual connections (and those are characterized by IP addresses).
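As an added illustration of the dedicated-subnet approach recommended above (this is example configuration, not something any poster in the thread supplied), the RouterOS fragment below keeps the real client source address visible to the server while still translating port 5050 to 1050. All addresses, interface names and the DNS name are constructed placeholders; it assumes the server's default gateway is the router's address in the server subnet and that the forward chain permits LAN-to-server traffic.

```routeros
# Added example (not from any poster in this thread). Addresses, interface
# names and the DNS name are constructed placeholders; ports 5050 and 1050
# come from the thread.
#
# Assumed layout: LAN clients on 192.168.88.0/24 (bridge), server moved to a
# dedicated subnet 192.168.99.0/24 (ether5), WAN on ether1.

/ip address
add address=192.168.88.1/24 interface=bridge comment="LAN clients"
add address=192.168.99.1/24 interface=ether5 comment="dedicated server subnet"

# Split DNS: LAN clients resolve the service name to the router's LAN address,
# so their connections hit the dst-nat rule below instead of the public IP.
# Internet clients get the WAN IP from the public zone (not shown here).
/ip dns static
add name=service.example.internal address=192.168.88.1

# Port translation 5050 -> 1050 for both internet and LAN clients.
# dst-address-type=local matches any address owned by the router (WAN or LAN),
# so one rule serves both paths. Only the destination is rewritten; the
# client's source address reaches the server untouched.
/ip firewall nat
add chain=dstnat dst-address-type=local protocol=tcp dst-port=5050 \
    action=dst-nat to-addresses=192.168.99.20 to-ports=1050 \
    comment="service: 5050 -> 1050"

# Masquerade only towards the internet. Because clients and server sit in
# different subnets, server replies are routed back through the router and
# de-NATed by connection tracking; no hairpin rule is required.
add chain=srcnat out-interface=ether1 action=masquerade comment="WAN masquerade"

# What must NOT be present: the hairpin rule that rewrites the client source
# address to the router's own and hides the real client IP from the server.
# add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.0/24 \
#     action=masquerade comment="hairpin NAT (remove)"
```

To confirm the result, check the server's access log for a LAN client's real 192.168.88.x address, or run `/ip firewall connection print` on the router and verify the connection's src-address is the client rather than the router.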