NAT loopback (also called hairpin NAT or NAT reflection) allows internal clients to reach internal resources using the external IP/hostname. This is useful when you run a server inside a local network and want to access it by your domain name or external IP from the LAN as well. This tutorial walks you through creating a NAT hairpin on a Ubiquiti EdgeRouter Lite running at least version 1.3.0. If you are running an older version, you should use [[nat-reflection-ubiquiti-edgerouter-lite-vyatta-and-dynamic-ip||this tutorial]].
[[[TOC]]]
= NAT Hairpin =
* Log in to the EdgeRouter Lite via SSH
* Enter configure mode
{{{
configure
}}}
* Create the NAT rule; the one below forwards inbound port 443 to the local IP 192.168.69.100 on port 443
{{{
edit service nat rule 1
set description HTTPS
set inside-address address 192.168.69.100
set inside-address port 443
set log disable
set protocol tcp_udp
set type destination
}}}
* Now set the destination settings of this NAT rule. Note that we are using the `eth+` wildcard so that this rule is active on all interfaces, including the LAN interface, which is what lets LAN clients match it. In version 1.3.0 the `destination group address-group` option was added, allowing for easy dynamic NAT reflection: `ADDRv4_eth2` matches packets destined to whatever IPv4 address interface eth2 currently holds, so the rule keeps working when the external IP changes. //Note: my external interface is eth2; modify `ADDRv4_eth2` to accommodate your setup.//
{{{
set inbound-interface eth+
set destination port 443
set destination group address-group ADDRv4_eth2
top
}}}
* Now we need to set up NAT masquerading so that LAN-to-LAN hairpin traffic is sourced from the router. Without it the server would answer the LAN client directly, bypassing the router, and the client would drop the reply because it came from the wrong address. //Note: eth0 is the LAN interface here; adjust it to match your setup.//
{{{
edit service nat rule 5001
set description Hairpin_MASQ
set destination address 192.168.69.0/24
set source address 192.168.69.0/24
set log disable
set outbound-interface eth0
set protocol tcp_udp
set type masquerade
top
}}}
* Finally, create a firewall rule in the WAN_IN ruleset to allow the inbound traffic from the Internet
{{{
edit firewall name WAN_IN rule 443
set description HTTPS
set action accept
set destination port 443
set log disable
set protocol tcp_udp
top
}}}
* Commit and save
{{{
commit
save
}}}
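To see why rule 1 and rule 5001 are both needed, here is an added Python model of the two translations applied to a single connection; it is example code, not part of the original tutorial and not EdgeOS code. The router LAN address 192.168.69.1 is assumed and the external address 203.0.113.10 (standing in for `ADDRv4_eth2`) is constructed; the LAN subnet and server address are the tutorial's.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Values from the tutorial
LAN = ip_network("192.168.69.0/24")
SERVER = ip_address("192.168.69.100")
# Assumed router LAN address and a constructed external address
# (stands in for what ADDRv4_eth2 resolves to on the router).
ROUTER_LAN = ip_address("192.168.69.1")
EXTERNAL = ip_address("203.0.113.10")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def rule_1_destination_nat(pkt: Packet) -> Packet:
    """Rule 1: packets to ADDRv4_eth2:443 on any inbound interface (eth+) go to the server."""
    if ip_address(pkt.dst) == EXTERNAL and pkt.dport == 443:
        return replace(pkt, dst=str(SERVER), dport=443)
    return pkt


def rule_5001_masquerade(pkt: Packet) -> Packet:
    """Rule 5001: LAN-to-LAN traffic leaving eth0 gets the router's LAN address as source."""
    if ip_address(pkt.src) in LAN and ip_address(pkt.dst) in LAN:
        return replace(pkt, src=str(ROUTER_LAN))
    return pkt


def hairpin(pkt: Packet, masquerade: bool = True) -> Packet:
    """Translate a packet the way the router does: destination NAT first, then masquerade."""
    out = rule_1_destination_nat(pkt)
    return rule_5001_masquerade(out) if masquerade else out


def reply_returns_via_router(translated: Packet) -> bool:
    """The server answers translated.src. The router can only undo the DNAT on
    answers that pass through it: either the source was masqueraded to the
    router, or the source is off-LAN so the answer follows the default route.
    A LAN client answered directly sees a reply from 192.168.69.100 instead of
    the external address it connected to, and the connection fails."""
    return ip_address(translated.src) == ROUTER_LAN or ip_address(translated.src) not in LAN


if __name__ == "__main__":
    probe = Packet("192.168.69.50", 50000, str(EXTERNAL), 443)
    for masq in (True, False):
        t = hairpin(probe, masq)
        print(f"masquerade={masq}: {t} reply ok={reply_returns_via_router(t)}")
```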
= Credits =
[[http://community.ubnt.com/t5/EdgeMAX/HowTo-Hairpin-NAT-for-Dynamic-IP/m-p/471285/highlight/false#M9220]]