EdgeRouter - Hairpin NAT


Overview


Readers will learn how to configure Hairpin NAT (Network Address Translation) to work alongside Destination NAT.

NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Please see the Related Articles below for more information.
 
Devices and products used in this article:

Table of Contents


  1. Frequently Asked Questions (FAQ)
  2. Configuring Hairpin and Destination NAT
  3. Related Articles

Frequently Asked Questions (FAQ)


Back to Top

1. Do I need to manually configure Hairpin NAT when using Port Forwarding?

No, the Port Forwarding wizard includes a checkbox that will automatically configure Hairpin NAT.

2. Do I need to manually configure Hairpin NAT when using Destination NAT?

Yes, see the steps below.


Configuring Hairpin and Destination NAT


Back to Top

topology.png

Hairpin NAT allows the internal clients (192.168.1.0/24) to reach the UNMS server using the public IP address assigned to the EdgeRouter.


Follow the steps below to add the Destination NAT and firewall rules to the EdgeRouter:

GUI: Access the EdgeRouter Web UI.

1. Add a Destination NAT rule for TCP port 443, with eth0 (WAN) set as the Inbound Interface.

Firewall / NAT > NAT > +Add Destination NAT Rule

Description: https443
Inbound Interface: eth0
Translation Address: 192.168.1.10
Translation Port: 443
Protocol: TCP
Destination Address: 203.0.113.1
Destination Port: 443
NOTE: This NAT rule is applied to eth0 and forwards HTTPS traffic from external clients to the UNMS server.

2. Add a firewall rule that allows the HTTPS traffic to reach the UNMS server.

Firewall/NAT > Firewall Policies > WAN_IN > Actions > Edit Ruleset > Add New Rule

Description: https
Action: Accept
Protocol: TCP
Destination > Port: 443
Destination > Address: 192.168.1.10

Now the Hairpin NAT rules can be added using both Source and Destination NAT rules.

3. Add the first Hairpin NAT rule using Destination NAT with eth1 (LAN) set as the Inbound Interface.

Firewall / NAT > NAT > +Add Destination NAT Rule

Description: hairpin443
Inbound Interface: eth1
Translation Address: 192.168.1.10
Translation Port: 443
Protocol: TCP
Destination Address: 203.0.113.1
Destination Port: 443
NOTE: This rule is nearly a duplicate of the one above, with the exception of the Inbound Interface.

4. Add the second Hairpin NAT rule using Source NAT with eth1 (LAN) set as the Outbound Interface.

Firewall / NAT > NAT > +Add Source NAT Rule

Description: hairpin
Outbound Interface: eth1
Translation: Use Masquerade
Protocol: TCP
Source Address: 192.168.1.0/24
Destination Address: 192.168.1.10
Destination Port: 443

The above configuration can also be set using the CLI:

CLI: Access the Command Line Interface. You can do this using the CLI button in the GUI or by using a program such as PuTTY.
configure

set firewall name WAN_IN rule 30 action accept
set firewall name WAN_IN rule 30 description https
set firewall name WAN_IN rule 30 destination port 443
set firewall name WAN_IN rule 30 destination address 192.168.1.10
set firewall name WAN_IN rule 30 log disable
set firewall name WAN_IN rule 30 protocol tcp

set service nat rule 1 description https443
set service nat rule 1 destination address 203.0.113.1
set service nat rule 1 destination port 443
set service nat rule 1 inbound-interface eth0
set service nat rule 1 inside-address address 192.168.1.10
set service nat rule 1 inside-address port 443
set service nat rule 1 log disable
set service nat rule 1 protocol tcp
set service nat rule 1 type destination

set service nat rule 2 description hairpin443
set service nat rule 2 destination address 203.0.113.1
set service nat rule 2 destination port 443
set service nat rule 2 inbound-interface eth1
set service nat rule 2 inside-address address 192.168.1.10
set service nat rule 2 inside-address port 443
set service nat rule 2 log disable
set service nat rule 2 protocol tcp
set service nat rule 2 type destination

set service nat rule 5000 description hairpin
set service nat rule 5000 destination address 192.168.1.10
set service nat rule 5000 destination port 443
set service nat rule 5000 log disable
set service nat rule 5000 outbound-interface eth1
set service nat rule 5000 protocol tcp
set service nat rule 5000 source address 192.168.1.0/24
set service nat rule 5000 type masquerade

commit ; save

Related Articles


Back to Top

EdgeRouter - Port Forwarding

EdgeRouter - Destination NAT

Intro to Networking - How to Establish a Connection Using SSH


We're sorry to hear that!