I've configured hairpin NAT in order to access my SSH server running on an internal LAN server. On my SSH server I've set up some IP blocking rules to safeguard against brute force attacks. I thought I had it all configured correctly until one day I noticed that I could no longer connect to my SSH server. I was a bit puzzled, so I took a closer look at it and I was in for a big surprise. ALL SSH requests came from my router's IP address, no matter if they were from my internal network or from outside on the internet. Then of course it made sense that I could not connect to my SSH server. If all SSH requests seem to originate from my router IP then it will take about 5 minutes before someone on the outside has triggered the IP blocking rule.
These are my hairpin NAT rules:
Chain=src-nat, Dst. Address=mywanip, Protocol=TCP, Dst. Port=22, Action=dst-nat, To Addresses=mylanserverip, To Ports=22
Chain=srcnat, Src. Address=mylanipscope, Dst. Address=mylanserverip, Protocol=TCP, Dst. Port=22, Out. Interface=lan-bridge, Action=masquerade
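As an added example that is not part of the original post: the same hairpin setup written out as RouterOS CLI commands, using assumed placeholder values for the WAN IP, LAN subnet, server address and bridge name, followed by the checks I would run on the router to confirm which source address the forwarded SSH connections actually carry.

```routeros
# Added example, not from the original post. Placeholder values (assumed):
#   203.0.113.10    = public WAN address      (mywanip)
#   192.168.88.0/24 = LAN subnet              (mylanipscope)
#   192.168.88.10   = internal SSH server     (mylanserverip)
#   bridge-lan      = the LAN bridge          (lan-bridge)

# 1) Port forward. In RouterOS the dst-nat action is only valid in the
#    dstnat chain. Matching on dst-address (the public IP) instead of
#    in-interface is what lets LAN clients that dial the public address
#    be redirected as well, which is the whole point of hairpin NAT.
/ip firewall nat add chain=dstnat dst-address=203.0.113.10 protocol=tcp \
    dst-port=22 action=dst-nat to-addresses=192.168.88.10 to-ports=22 \
    comment="hairpin: forward SSH on WAN IP to internal server"

# 2) Masquerade ONLY the hairpinned LAN -> server connections. The
#    src-address match is what keeps internet-originated connections
#    untouched; without it every forwarded connection is rewritten to
#    the router's LAN address, and a brute-force blocker on the server
#    then bans the router instead of the remote attacker.
/ip firewall nat add chain=srcnat src-address=192.168.88.0/24 \
    dst-address=192.168.88.10 protocol=tcp dst-port=22 \
    out-interface=bridge-lan action=masquerade \
    comment="hairpin: masquerade LAN clients so replies return via router"

# 3) Verify chain placement and rule order. srcnat is first-match: a
#    catch-all masquerade rule (no out-interface) listed above rule 2
#    will rewrite the source of external connections before rule 2 is
#    ever evaluated.
/ip firewall nat print

# 4) Open one SSH session from the internet and one from the LAN, then
#    look at the tracked connections: the external one should keep its
#    real source address, only the LAN one should show the router's.
/ip firewall connection print detail
```

LAN clients that connect to the server's LAN address directly never traverse either rule and keep their real source IP, so a server-side blocklist only ever sees the router's address for the hairpinned LAN sessions.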