Hairpin NAT Issue
-
I have a physical server at home that hosts multiple webservers and am using an er4 as my firewall.
I change the gui port on my er4
configure set service gui https-port 8443 set service gui http-port 8080 commmit saveI also created a firewall rule to allow inbound traffic on port 8443
edit firewall name WAN_LOCAL rule 50 set description "Inbound traffic to Web GUI" set action accept set log disable set protocol tcp_udp set destination port 8443I can access the router on the new ports. I rebooted the firewall to verify it's correctly applied.
I setup port forwarding to my nginx reverse proxy
The webservers are accessible from outside of my network but I still can't access them internally. Hairpin NAT is enabled. Any ideas?
-
Internal DNS is definitely resolving to the correct public IP address?
-
Turn on Rule Stats, plz.
-
@scottalanmiller said in Hairpin NAT Issue:
Internal DNS is definitely resolving to the correct public IP address?
I just sent you screenshots showing that it is in telegram
-
-
Okay, so it is using the rules. That's important to know.
-
Check your web logs, is your web server seeing traffic from the hairpin?
-
@scottalanmiller said in Hairpin NAT Issue:
Check your web logs, is your web server seeing traffic from the hairpin?
-
@wirestyle22 said in Hairpin NAT Issue:
@scottalanmiller said in Hairpin NAT Issue:
Check your web logs, is your web server seeing traffic from the hairpin?
This is, indeed, a quote
-
I'm not going to post the logs due to client identity for friends of mine that use it, but the packets are never reaching the nginx proxy. Router looks okay, but I will be checking my switch when I have a free minute.
-
Use your own NAT rules and don't rely on "magic"
I'll go dig up some examples.
-
Obviously you will need to renumber these rules and adjust IP addresses.
destination address 12.34.56.78= your public IP if you have a dynamic IP from your ISP and use DDNS you can tell it to use the interface address like thisdestination group address-group ADDRv4_eth0# enter config mode. configure# First you will need a firewall rule as there will not be a "magic" one from port forwarding. set firewall name WAN_IN rule 40 description 'Allow HTTPS to Nextcloud' set firewall name WAN_IN rule 40 destination address 192.168.1.100 set firewall name WAN_IN rule 40 destination port 443 set firewall name WAN_IN rule 40 log disable set firewall name WAN_IN rule 40 protocol tcp set firewall name WAN_IN rule 40 state established disable set firewall name WAN_IN rule 40 state invalid disable set firewall name WAN_IN rule 40 state new enable set firewall name WAN_IN rule 40 state related disable# set up the normal destinaiton port forward NAT rule for external traffic. # there is no source rule, because that goes out with the standard masquerade. set service nat rule 20 description 'Inbound HTTPS to Nextcloud' set service nat rule 20 destination address 12.34.56.78 set service nat rule 20 destination port 443 set service nat rule 20 inbound-interface eth0 set service nat rule 20 inside-address address 192.168.1.100 set service nat rule 20 inside-address port 443 set service nat rule 20 log disable set service nat rule 20 protocol tcp set service nat rule 20 type destination# now setup the hairpin port forward, note that it is both a destination and a source rule. set service nat rule 1000 description 'Nextcloud Hairpin' set service nat rule 1000 destination address 12.34.56.78 set service nat rule 1000 destination port 443 set service nat rule 1000 inbound-interface eth1 set service nat rule 1000 inside-address address 192.168.1.100 set service nat rule 1000 inside-address port 443 set service nat rule 1000 log disable set service nat rule 1000 protocol tcp set service nat rule 1000 type destination set service nat rule 5011 description 'Nextcloud Hairpin' set service nat rule 5011 destination address 192.168.1.100 set service nat rule 5011 destination port 443 set service nat rule 5011 log disable set service nat rule 5011 outbound-interface eth1 set service nat rule 5011 protocol tcp set service nat rule 5011 source address 192.168.1.0/24 set service nat rule 5011 type masquerade# nuke all traces of port fowarding, the GUI sometimes leaves bits. delete port-forward # commit without saving. in case you fuck things up, this lets a reboot put it all back. commit # Assuming it works in testing save and exit config mode. save;exit -
@wirestyle22 said in Hairpin NAT Issue:
change the gui port on my er4
You have zero need to do this. In the 30+ routers I have in my UNMS controller, I have never changed that.
-
ran into this
commit [ firewall name WAN_IN ] Firewall config error: 'action' must be defined -
@wirestyle22 said in Hairpin NAT Issue:
ran into this
commit [ firewall name WAN_IN ] Firewall config error: 'action' must be definedYou don't have a default firewall named WAN IN with an action already set up.
If you used different names, then you need to adjust.
-
@JaredBusch said in Hairpin NAT Issue:
@wirestyle22 said in Hairpin NAT Issue:
ran into this
commit [ firewall name WAN_IN ] Firewall config error: 'action' must be definedYou don't have a default firewall named WAN IN with an action already set up.
If you used different names, then you need to adjust.
thanks found it. it was one of the rules not having an action not the name
-
show service nat
show service nat rule 20 { description "Inbound HTTPS to NGINX" destination { address public.ip port 443 } inbound-interface eth0 inside-address { address 192.168.1.204 port 443 } log disable protocol tcp type destination } rule 1000 { description "NGINX Hairpin" destination { address public.ip port 443 } inbound-interface eth1 inside-address { : rule 20 { description "Inbound HTTPS to NGINX" destination { address public.ip port 443 } inbound-interface eth0 inside-address { address 192.168.1.204 port 443 } log disable protocol tcp type destination } rule 1000 { description "NGINX Hairpin" destination { address public.ip port 443 } inbound-interface eth1 inside-address { address 192.168.1.100 port 443 } log disable protocol tcp type destination } rule 5000 { description "maquerade for WAN" log disable outbound-interface eth0 protocol all type masquerade } rule 5011 { description "NGINX Hairpin" destination { address 192.168.1.204 port 443 } log disable outbound-interface eth1 protocol tcp source { address 192.168.1.0/24 } type masquerade } -
show firewall
all-ping enable broadcast-ping disable ipv6-receive-redirects disable ipv6-src-route disable ip-src-route disable log-martians enable name WAN_IN { default-action drop description "WAN to internal" rule 10 { action accept description "Allow HTTPS to NGINX" destination { address 192.168.1.204 port 443 } log disable protocol tcp state { established disable invalid disable new enable related disable } } rule 20 { action accept description "Allow established/related" log disable protocol all state { established enable related enable } } rule 30 { action drop description "Drop invalid state" log disable protocol all state { invalid enable } } } name WAN_LOCAL { default-action drop description "WAN to router" rule 30 { action accept description "Allow established/related" state { established enable related enable } } rule 40 { action drop description "Drop invalid state" state { invalid enable } } rule 50 { action accept description "Inbound Traffic to WEB GUI" destination { port 8443 } log disable protocol tcp_udp } } receive-redirects disable send-redirects enable source-validation disable syn-cookies enable -
looking through the configuration for why this is still not functioning correctly
