Readers will learn about the NAT Hairpin for EdgeRouter.
Typically, a NAT Port Forwarding rule is used from the outside network to get to a server on the inside network by using the public address of the router (or hostname). But in cases where the same local server address must be accessed from inside the local network, NAT Hairpin applies.
NAT Hairpin is also know as "NAT inside-to-inside," or, "NAT Loopback," or, "NAT Reflection," and probably some others.
Note: As of version v1.4.0 there is now a port forward wizard in the GUI that makes NAT hairpin much easier (hairping is a check box).
For this example we'll start with the example SOHO configuration, as seen in the the diagram below.
Example SOHO diagram to be used in NAT hairpin configuration.
First we'll add a Destination NAT (i.e. port forward) rule so that port 2222 gets forwarded to 192.168.1.10 on TCP port 22. This is the outside-to-inside NAT request for WAN packets arriving on the public-facing interface, eth2 (NAT Hairpin is later).
Note: The Destination Address (bottom) isn't required if the translated address is the same prior to and after NAT.
Next, we need to add a firewall rule to WAN_IN to allow this flow. One of the most confusing things with adding a firewall rule for destination NAT is that DNAT happens before the firewall, so the firewall rule must match the translated address (and port). For example:
Now when we test our port forward from the outside network, we can see both the firewall packet stats increase as well as the NAT count.
Note: Firewall stats are packet/byte counters while NAT count is according to session.
From the CLI we can also see the active translation:
ubnt@ubnt:~$ show nat translations Pre-NAT Post-NAT Type Prot Timeout 22.214.171.124:2222 192.168.1.10:22 dnat tcp 3321
Now we want to add NAT Hairpin rules. We basically need:
- A copy of the initial DNAT rule modified for the LAN interface. This is the inside-to-inside NAT request for LAN packets arriving on the local interface, eth0.
- A new NAT Masquerade rule for the LAN interface.
With these 2 new NAT rules, we should be able to use the same public address to get back to the internal server. In my example, my public address is 126.96.36.199, so the original flow looks like
192.168.1.11 --> 188.8.131.52 TCP 2222
Then the DNAT rule translates it to:
192.168.1.11 --> 192.168.1.10 TCP 22
Then the SNAT rule translates it to:
192.168.1.1 --> 192.168.1.10 TCP 22
Since the 2 DNAT rules are identical except for the interface, we could delete the 2nd DNAT rule and modify the first from "eth2" to the ethernet wildcard of "eth+" (when other Inbound Interface is selected) as seen below:
The final config for this example can be downloaded from: NAT Hairpin Config