
EdgeRouter - Hairpin NAT


Overview


Readers will learn how to configure Hairpin NAT (Network Address Translation) to work alongside Destination NAT.

NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Familiarity with the Command Line Interface (CLI) and basic networking knowledge are required. Please see the Related Articles below for more information.
 
Device used in this article:

Table of Contents


  1. Frequently Asked Questions (FAQ)
  2. Network Diagram
  3. Hairpin and Destination NAT
  4. Related Articles

FAQ



1. Do I need to manually configure hairpin NAT when using port-forwarding?

No, the port-forwarding wizard includes a checkbox that can automatically configure hairpin NAT for you.

2. Do I need to manually configure hairpin NAT when using destination NAT?

Yes, see the steps below.


Network Diagram



The network topology is shown below and the following interfaces are in use on the EdgeRouter:

  • eth0 (WAN) - 203.0.113.1
  • eth1 (LAN) - 192.168.1.1/24

In the example, HTTPS traffic (TCP port 443) from external clients to 203.0.113.1 is forwarded to the UNMS server at 192.168.1.10 using destination NAT. Hairpin NAT is needed when internal clients (for example 192.168.1.100) also need to reach the server using the external address 203.0.113.1 instead of its LAN address.

[Network diagram: external client > eth0 (203.0.113.1) > EdgeRouter > eth1 (192.168.1.1/24) > UNMS server 192.168.1.10 and internal client 192.168.1.100]


Hairpin and Destination NAT



For the purpose of this article, it is assumed that the routing and interface configurations are already in place and that reachability has been tested.

GUI: Access the Graphical User Interface.

1. Add a firewall rule that allows the HTTPS traffic to reach the UNMS server.

Firewall/NAT > Firewall Policies > WAN_IN > Actions > Edit Ruleset > Add New Rule

Basic tab

Description: https
Action: Accept
Protocol: TCP


Destination tab

Destination Port: 443


2. Add a Destination NAT rule for TCP port 443.

Firewall / NAT > NAT > +Add Destination NAT Rule

Description: https443
Inbound Interface: eth0
Translation Address: 192.168.1.10
Translation Port: 443
Protocol: TCP
Destination Address: 203.0.113.1
Destination Port: 443


NOTE: The destination NAT rule above is applied inbound on eth0 (WAN).

3. Add the first hairpin NAT rule using destination NAT and change the inbound interface (this rule is nearly a duplicate of the previous rule, differing only in the inbound interface).

Firewall / NAT > NAT > +Add Destination NAT Rule

Description: hairpin443
Inbound Interface: eth1
Translation Address: 192.168.1.10
Translation Port: 443
Protocol: TCP
Destination Address: 203.0.113.1
Destination Port: 443

NOTE: The destination NAT rule above is applied inbound on eth1 (LAN).

4. Add the second hairpin NAT rule using source NAT (masquerade).

Firewall / NAT > NAT > +Add Source NAT Rule

Description: hairpin
Outbound Interface: eth1
Translation: Use Masquerade
Protocol: TCP
Source Address: 192.168.1.0/24
Destination Address: 192.168.1.10
Destination Port: 443

NOTE: The source NAT rule above is applied outbound on eth1 (LAN).

The CLI equivalent of the firewall, destination NAT and hairpin NAT configuration above is shown below.

CLI: Access the command line interface (CLI). You can do this using the CLI button in the GUI or by using a program such as PuTTY.

configure

set firewall name WAN_IN rule 21 action accept
set firewall name WAN_IN rule 21 description https
set firewall name WAN_IN rule 21 destination port 443
set firewall name WAN_IN rule 21 log disable
set firewall name WAN_IN rule 21 protocol tcp

set service nat rule 1 description https443
set service nat rule 1 destination address 203.0.113.1
set service nat rule 1 destination port 443
set service nat rule 1 inbound-interface eth0
set service nat rule 1 inside-address address 192.168.1.10
set service nat rule 1 inside-address port 443
set service nat rule 1 log disable
set service nat rule 1 protocol tcp
set service nat rule 1 type destination

set service nat rule 2 description hairpin443
set service nat rule 2 destination address 203.0.113.1
set service nat rule 2 destination port 443
set service nat rule 2 inbound-interface eth1
set service nat rule 2 inside-address address 192.168.1.10
set service nat rule 2 inside-address port 443
set service nat rule 2 log disable
set service nat rule 2 protocol tcp
set service nat rule 2 type destination

set service nat rule 5011 description hairpin
set service nat rule 5011 destination address 192.168.1.10
set service nat rule 5011 destination port 443
set service nat rule 5011 log disable
set service nat rule 5011 outbound-interface eth1
set service nat rule 5011 protocol tcp
set service nat rule 5011 source address 192.168.1.0/24
set service nat rule 5011 type masquerade

commit ; save
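As an added illustration that is not part of the Ubiquiti article: the Python model below parses hairpin rules 2 and 5011 in the CLI form shown above and pushes a constructed client packet (192.168.1.100 to 203.0.113.1:443 arriving on eth1) through them, showing that without rule 5011 the server would answer the client directly from 192.168.1.10 and the client would discard the reply. The router's eth1 address 192.168.1.1 comes from the diagram; the rule matching and routing decision are a simplification of EdgeOS, not its real implementation.

```python
import ipaddress
import re
# Rules 2 and 5011 from the article, as the EdgeOS CLI prints them
NAT_CONFIG = """
set service nat rule 2 destination address 203.0.113.1
set service nat rule 2 destination port 443
set service nat rule 2 inbound-interface eth1
set service nat rule 2 inside-address address 192.168.1.10
set service nat rule 2 inside-address port 443
set service nat rule 2 type destination
set service nat rule 5011 destination address 192.168.1.10
set service nat rule 5011 destination port 443
set service nat rule 5011 outbound-interface eth1
set service nat rule 5011 source address 192.168.1.0/24
set service nat rule 5011 type masquerade
"""
ROUTER_ADDR = {"eth0": "203.0.113.1", "eth1": "192.168.1.1"}  # from the network diagram
LAN = ipaddress.ip_network("192.168.1.0/24")
# Constructed client flow: 192.168.1.100 opens https://203.0.113.1 from inside the LAN
HAIRPIN = {"src": "192.168.1.100", "sport": 51000, "dst": "203.0.113.1", "dport": 443, "in_if": "eth1"}

def parse_nat_rules(text):
    """Group 'set service nat rule N <key> <value>' lines into {N: {key: value}}."""
    rules = {}
    for m in re.finditer(r"^set service nat rule (\d+) (.+) (\S+)$", text, re.M):
        rules.setdefault(int(m[1]), {})[m[2]] = m[3]
    return rules

def _matches(rule, pkt):
    src_net = rule.get("source address")
    if src_net and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(src_net, strict=False):
        return False
    return (rule.get("destination address", pkt["dst"]) == pkt["dst"]
            and rule.get("destination port", str(pkt["dport"])) == str(pkt["dport"]))
def translate(rules, pkt):
    """DNAT is matched pre-routing on the inbound interface, masquerade post-routing on the outbound one."""
    pkt = dict(pkt)
    for r in (rules[n] for n in sorted(rules)):  # lowest rule number wins
        if r.get("type") == "destination" and r.get("inbound-interface") == pkt["in_if"] and _matches(r, pkt):
            pkt["dst"], pkt["dport"] = r["inside-address address"], int(r["inside-address port"])
            break
    pkt["out_if"] = "eth1" if ipaddress.ip_address(pkt["dst"]) in LAN else "eth0"  # routing decision
    for r in (rules[n] for n in sorted(rules)):
        if r.get("type") == "masquerade" and r.get("outbound-interface") == pkt["out_if"] and _matches(r, pkt):
            pkt["src"] = ROUTER_ADDR[pkt["out_if"]]  # masquerade: source becomes the router's eth1 address
            break
    return pkt
# The server answers the source it saw; the client only accepts a reply from 203.0.113.1:443,
# which the router can restore only if the reply comes back through it rather than going LAN-direct.
def reply_returns_via_router(pkt):
    return pkt["src"] == ROUTER_ADDR["eth1"]
```

A side effect the model also makes visible: with rule 5011 in place the UNMS server logs hairpinned connections as coming from 192.168.1.1, not from the real internal client.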

Related Articles



EdgeRouter - Port Forwarding

EdgeRouter - Destination NAT

Intro to Networking - How to Establish a Connection Using SSH