Disclaimer: OP knows enough about networking to be dangerous, but not enough to figure out what I’m doing wrong.
I have a pretty typical SOHO setup, on 6.37.1. Basic NAT rules forwarding a few ports to a few internal IPs, some on the same ports, some on different ports, some set up by UPnP, and using DDNS. I recognize you’ll probably want to see more info about my config, which I’m happy to provide, just let me know what you need.
I’m trying to add what I would think would be a pretty standard Hairpin NAT rule, but I cannot get it to work for the life of me.
Chain: srcnat
Src address: 192.168.1.0/24
Dest address: 192.168.1.0/24
Out interface: eth2-master-local
Action: masquerade
But I still can’t access any of the forwarded ports internally. What am I missing?
Sorry, figured it was obvious that I had setup the dest-nat rule.
In any event, I did figure out my Hairpin NAT rule wasn’t the issue, it was my dest-nat rule. I had followed the suggestion of using “in interface” for the dest-nat rule, which worked fine for external addresses, but of course internal addresses never hit this because they weren’t coming in that interface, so the NAT never took place internally. Instead I had to use dest-address type of “local” and dest-address of “!192.168.1.0/24”.
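For readers hitting the same thing, here is what that combination looks like as a complete RouterOS 6.x CLI snippet. This is an added example, not OP's actual config: the LAN subnet and the interface name eth2-master-local come from the thread, while the internal host 192.168.1.10 and TCP port 8080 are constructed placeholders.

```routeros
# Added example (not OP's config). Assumes: LAN 192.168.1.0/24, LAN bridge
# interface "eth2-master-local" (from the thread), a constructed internal
# host 192.168.1.10 serving TCP 8080, published on external port 8080.
# dst-address-type=local matches any address the router itself holds, so
# the rule keeps working when the WAN address changes (DHCP/DDNS), and the
# negated dst-address keeps ordinary LAN-to-LAN traffic out of it.
/ip firewall nat
add chain=dstnat action=dst-nat protocol=tcp dst-port=8080 \
    dst-address-type=local dst-address=!192.168.1.0/24 \
    to-addresses=192.168.1.10 to-ports=8080 \
    comment="port forward, matches from WAN and from LAN (hairpin)"
# Hairpin: after dst-nat rewrites the destination to 192.168.1.10, a LAN
# client and the server sit on the same subnet, so the server's reply would
# go straight to the client and bypass the router's NAT state. Masquerading
# LAN->LAN flows that leave via the LAN interface makes the server answer
# the router instead, which then un-NATs the reply correctly.
add chain=srcnat action=masquerade src-address=192.168.1.0/24 \
    dst-address=192.168.1.0/24 out-interface=eth2-master-local \
    comment="hairpin NAT"
```

To confirm both rules are actually being hit from a LAN client, watch the packet counters with `/ip firewall nat print stats` while connecting to the public (DDNS) name from inside; the dstnat rule should increment first, then the hairpin masquerade rule.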
That document you linked doesn’t really take into consideration that the WAN interface may be a dynamic IP address, so the rule as is, which probably works fine when that isn’t the case, isn’t applicable. I’m actually kind of surprised, as I would expect the port mapping rule that I had to use to be fairly common for SOHO setups, that I couldn’t find it documented anywhere… is my approach for the port forwarding rule incorrect here?
Thanks! I see that there is a way I could script the update of a firewall rule, or more specifically of a firewall address list referenced by rules. That would introduce a possible lag behind DHCP renewals from my ISP of whatever my interval is, whereas the declarative approach wouldn’t require scripting and wouldn’t have that issue… What’s the benefit to doing it this way vs. the other way? That possible gap seems like a minor issue, but if the other way has NO issues, then it seems like it’d be better.