Hi, I have an internal router with its own LAN subnet, to which the video surveillance DVR and a mobile phone (by WiFi) are connected to watch the cameras. The goal is to manage the traffic locally without loading the WAN interface, but the WAN IP address isn’t present on the first hop.
Going deeper: the WAN interface of this router1 has an IP which is on the LAN interface of the main gateway (router2), and this gateway has an internet WAN with a static public IP address. Normally, when the client’s mobile phone is connected to the internet by LTE, for example, it can connect to the DVR through a dst-NAT on router2 and a dst-NAT on router1. When it is connected to the local WiFi I can use hairpin NAT on router2, which has the public IP, but in this way I load the connection between the routers, which is only 10 megabits. How can I create the hairpin directly on router1?
I’ve tried to mark the connection on router1 with the public IP address (WAN of router2) and then masquerade it, but it doesn’t work, because the public address is not managed by router1 itself, and the dst-nat rule after the masquerade then won’t work.
How can I do it?
Thanks
I don’t think the solution is too difficult: I need to mark the packets exiting with PublicIP:targetTCP and somehow reply to them using the public IP as source address, even if it is not present on router1. Can I do it?
Externally, the DNS used will point to the gateway.
Internally the DNS will point directly to router1.
You would perhaps need to create another DNS record specifically for this task.
Another option:
If the access point is a Mikrotik, (or the traffic from the access point to Router2 goes through a Mikrotik)
you can use bridge filtering, or switch rules on the Mikrotik to kick requests for the Router2 IP, VPN port Number into the CPU (routing engine) where you can then dst-nat them to router1, may also need to src-nat them.
This will take a bit of fiddling to get working, (you also need to handle the reverse traffic correctly, src-nat would make this easier)
Thanks for the answer and the solutions. Unfortunately the DNS solution, although smart, can’t be considered because on router2 (the gateway) there are other internal “router1”s connected, each one with a video recorder, and the client should be able to see the other DVRs when connected to the WiFi of router1. The public IP for all DVRs is the same, and it should work on the internet as on the internal WiFi.
So the classic hairpin made on the gateway router2 works for all, but the uplinks will be loaded by that.
I have the sensation someone here knows how to deal with this, to keep the uplink free if the connection is local only (from WiFi to DVR). Here I try to reproduce what is happening at the socket level:
The host generates the first request:
HostLAN-IP:sourceTCP - PublicIP:target-dstNAT
router1 should change the destination IP and send it to the DVR:
HostLAN-IP:sourceTCP - DVRinternalIP:target-dstNAT
It looks really easy, but the router can route a packet if the address isn’t its own, so I need to source-NAT the packet, so the DVR can answer the router:
router1WAN-IP:sourceTCP - DVRinternalIP:target-dstNAT
When the packet comes back the router will reverse the process, performing first the reverse src-NAT, then the dst-NAT.
It looks easy, but in my opinion the problem is on the last reverse dst-NAT: the router can’t manage an IP which is not its own, right?
If the router is actually routing the packet, it can dst-nat the packet; it doesn’t need to have the IP address on itself.
Because it will presumably be hairpinning the packet, you will need to src-nat the packet as well.
(Possibly the src-nat IP you use does need to be on the router)
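A RouterOS rule pair for router1 along the lines of the reply above, added here as an illustration and not taken from the thread or from any poster; bridge-lan, 203.0.113.10 (the public IP on router2’s WAN), 192.168.10.0/24 (router1’s LAN), 192.168.10.50 (the DVR) and TCP port 8000 are placeholders.

```routeros
# Added example, not from the thread. Placeholders: bridge-lan = router1's LAN bridge,
# 203.0.113.10 = public IP on router2's WAN, 192.168.10.0/24 = router1's LAN,
# 192.168.10.50 = the DVR, 8000 = the DVR's TCP port forwarded from the internet.
/ip firewall nat

# 1) Hairpin dst-nat on router1: a LAN client connecting to PublicIP:8000 is
#    redirected to the DVR. router1 does not own 203.0.113.10; it only needs to
#    see the packet in the dstnat chain, which RouterOS evaluates before routing.
#    in-interface and src-address limit the rule to local WiFi/LAN clients.
add chain=dstnat in-interface=bridge-lan src-address=192.168.10.0/24 \
    dst-address=203.0.113.10 protocol=tcp dst-port=8000 \
    action=dst-nat to-addresses=192.168.10.50 to-ports=8000 \
    comment="hairpin: LAN -> public IP:8000 -> DVR"

# 2) Hairpin src-nat: after dst-nat the packet would leave on bridge-lan with the
#    client's own LAN source address, so the DVR would reply directly to the
#    client, bypassing router1 and never reversing the dst-nat. Masquerading
#    makes the DVR reply to router1's LAN IP, so the connection tracking entry
#    reverses both translations and the client sees the reply from 203.0.113.10.
add chain=srcnat out-interface=bridge-lan src-address=192.168.10.0/24 \
    dst-address=192.168.10.50 protocol=tcp dst-port=8000 \
    action=masquerade comment="hairpin: DVR replies via router1"
```

These rules sit alongside the existing dst-nat that router2 forwards to for remote LTE clients; only traffic entering on bridge-lan matches the hairpin pair, so the 10 megabit inter-router link is not used for local viewing.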