LasLabs Blog

NAT Reflection – Ubiquiti EdgeRouter Lite & Dynamic IP

[[[TOC]]]
= Intro =
NAT Loopback/hairpin/reflection allows internal clients to access internal resources using an external IP/hostname. This is useful when you run a server inside of a local network, and would like to access it using your domain name/external IP. NAT reflection is fairly simple to accomplish, but becomes a manual process if you are on a dynamic IP. This tutorial will walk you through creating a NAT hairpin, and will provide a script to update all applicable rules when DHCP refreshes.

__**Note: If you are on ERL version 1.3.0 or greater, a command has been added that drastically simplifies this process. Read [[nat-reflection-ubiquiti-edgerouter-lite-v1-3-0-dynamic-ip|this tutorial]] for more details.**__

= NAT Hairpin =
* Login to EdgeRouter Lite via SSH
* Enter configure mode
{{{
configure
}}}
* Create NAT rule; the below will forward inbound port 443 to local IP 192.168.69.100 on port 443
{{{
edit service nat rule 1
set description HTTPS
set inside-address address 192.168.69.100
set inside-address port 443
set log disable
set protocol tcp_udp
set type destination
}}}
* Now set the destination settings of this NAT rule. Note that we are using the `eth+` wildcard in order for this rule to be active on all interfaces. Do not worry about modifying the destination address, as this will be dynamically identified with a script later.
{{{
set inbound-interface eth+
set destination address 0.0.0.0
set destination port 443
top
}}}
* Now we need to setup NAT Masquerading for LAN to loop back to LAN
{{{
edit service nat rule 5001
set description Hairpin_MASQ
set destination address 192.168.69.0/24
set source address 192.168.69.0/24
set log disable
set outbound-interface eth0
set protocol tcp_udp
set type masquerade
top
}}}
* Finally, we create a firewall rule to allow the inbound traffic
{{{
edit firewall name WAN_IN rule 443
set description HTTPS
set action accept
set destination port 443
set log disable
set protocol tcp_udp
top
}}}
* Commit and save
{{{
commit
save
}}}
= Dynamic IP Script =
This script will loop through all of your NAT rules looking for rules on the wildcard `eth+` interface (it is working under the assumption that all wildcard interfaces are NAT hairpins).
* Escalate to root and open a new file for the script
{{{
sudo su
vi /config/scripts/dynnat
}}}
* Paste the following into the new file and save it
{{{
#!/bin/vbash
IP=`curl -s icanhazip.com`
source /opt/vyatta/etc/functions/script-template
configure

for RULE_NUM in `show service nat | grep rule | tr -d ‘{‘ | sed ‘s/rule\|\s//g’`;
do
RES=\”`show service nat rule $RULE_NUM`\”
echo $RES
if echo $RES | grep -q ‘+’;
then
set service nat rule $RULE_NUM destination address $IP
fi
done
commit
save
}}}
* Add execution bit and create a hard link in dhclient exit hooks directory. These two commands will need to be rerun if you flash the ERL firmware.
{{{
chmod +x /config/scripts/dynnat
ln /config/scripts/dynnat /etc/dhcp3/dhclient-exit-hooks.d/dynnat
}}}
* Run the script in order to update current IP
{{{
/config/scripts/dynnat /etc/dhcp3/dhclient-exit-hooks.d/dynnat
}}}
=Credits=
[[http://community.ubnt.com/t5/EdgeMAX/HowTo-Hairpin-NAT-for-Dynamic-IP/m-p/471285/highlight/false#M9220]]

Posted

in

by

Dave Lasley

Tags:

,

Comments

8 responses to “NAT Reflection – Ubiquiti EdgeRouter Lite & Dynamic IP”

  1. Michael Avatar
    Michael

    I have tried this it seems like it does not want to work. Been trying to fix this for a long time..

    Reply
    1. dlasley Avatar
      dlasley

      Thanks for reading my blog! I’ve got this system setup and working fine at home using the above configuration, so it’s probably just a Firewall issue. Please paste the outputs from `show service nat`, `show firewall`, and `curl -s icanhazip.com`; I should be able to ascertain the issue from those.

      Reply
      1. Michael Avatar
        Michael

        Just wonder if you have any chat clients, steam, Skype, IRC, mumble. If you what to talk about this ;P

        Reply
  2. Michael Avatar
    Michael

    I redid the set-up again got it working LOVE YOU <3 "Also your guide is better than the one on the forum, the forum one is every were not as simple to fallow " Thanks Again!

    Reply
  3. Miguel Avatar
    Miguel

    So with this script all is going to be with natloopback? Which is what I really need I am new at this so just asking for help

    Best regards.

    Mn

    Please reply so I can comfigure or semd me an email or tell me if you have skype or something so I can discuss this with you.

    Thanks im advance

    Reply
    1. dlasley Avatar
      dlasley

      Hi Miguel,

      Yes, this post is describing how to set up NAT loopback on a Ubiquiti Edge Router. If you are using firmware version 1.3.0 or greater, I recommend that you use this post instead – https://blog.laslabs.com/2013/11/nat-reflection-ubiquiti-edgerouter-lite-v1-3-0-dynamic-ip/

      Thanks for reading my blog!

      Reply
  4. Nate Canfield Avatar
    Nate Canfield

    I have my ERL configured and working. I want to replace a SOHO Netgear router fo are a client but they are running a web server with SQL and every time I replace the Netgear with the Edge router their domain redirect to the router login page instead of the server. I tried setting up a DNS server and pointing the Edge Lite to resolve but to no avail. I know their system as a whole isn’t setup right but my current scope is limited to replacing the router not an overhaul of their system. Any help is much appreciated.

    -Nate

    Reply
  5. Gio Avatar
    Gio

    Thanks, just what i was looking for .

    Reply

Leave a Reply to Michael Cancel reply

Your email address will not be published. Required fields are marked *