I've configured hairpin NAT in order to access my SSH server running on an internal LAN server. On my SSH server I've set up some ip blocking rules to safeguard against brute force attacks. I thought I had it all configured correctly until one day I noticed that I could no longer connect to my SSH server. I was a bit puzzled so I took a closer look at it and I was in for a big surprise. ALL SSH requests came from my routers's IP address no matter if they were from my internal network or from outside on the internet. Then of course it made sense that I could not connect to my SSH server. If all ssh requests seems to originate from my router IP then it will take about 5 minuttes before someone on the outside has triggered the ip blocking rule.

This is my hairpin nat rules :

Chain=src-nat, Dst. Address=mywanip, Protocol=TCP, Dst.Port=22, action=dst.nat, To Addresses=mylanserverip, To Ports=22
Chain=srcnat, Src. Address=mylanipscope,Dst. Address=mylanserverip, Protocol=TCP, Dst. Port=22, out-interface=lan-bridge, action=masquerade

Which other NAT rules do you have?

Thanks for spending time on my issue and thanks for asking the right question Off course I was to blame. I had by error activated a chain=srcnat action=masquerade rule at the very bottom of my NAT rules. It was part of some experiments i did a long time ago. I had simply forgotten all about it and left it active.

Thanks again. The right question is better than a thousand explanations

Thanks again. The right question is better than a thousand explanations

I'm glad it shone a light on the problem.