NAT Loopback/hairpin/reflection allows internal clients to access internal resources using an external IP/hostname. This is useful when you run a server inside of a local network, and would like to access it using your domain name/external IP. This tutorial will walk you through creating a NAT hairpin for a Ubiquiti EdgeRouter Lite running at least version 1.3.0. If you are running an older version, you should use this tutorial.


NAT Hairpin

  • Login to EdgeRouter Lite via SSH
  • Enter configure mode
    configure
  • Create NAT rule; the below will forward inbound port 443 to local IP 192.168.69.100 on port 443
    edit service nat rule 1 
    set description HTTPS
    set inside-address address 192.168.69.100
    set inside-address port 443
    set log disable
    set protocol tcp_udp
    set type destination
  • Now set the destination settings of this NAT rule. Note that we are using the eth+ wildcard so that this rule is active on all interfaces. Version 1.3.0 added the destination group address-group option, which allows for easy dynamic NAT reflection. Note: my external interface is eth2; modify ADDRv4_eth2 to match your setup. This option matches packets destined to the IPv4 address on interface eth2.
    set inbound-interface eth+
    set destination port 443
    set destination group address-group ADDRv4_eth2
    top
  • Now we need to set up NAT masquerading so that LAN traffic can loop back to the LAN
    edit service nat rule 5001
    set description Hairpin_MASQ
    set destination address 192.168.69.0/24
    set source address 192.168.69.0/24
    set log disable
    set outbound-interface eth0
    set protocol tcp_udp
    set type masquerade
    top
  • Finally, we create a firewall rule to allow the inbound traffic
    edit firewall name WAN_IN rule 443
    set description HTTPS
    set action accept
    set destination port 443
    set log disable
    set protocol tcp_udp
    top
  • Commit and save
    commit
    save
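
Why rule 5001 is needed, as an added example (not part of the original tutorial): this Python model pushes one LAN client request through rule 1 and, optionally, rule 5001, then checks whether the client would accept the reply. The WAN address 203.0.113.10, router LAN address 192.168.69.1 and client 192.168.69.50 are constructed assumptions; the server address, subnet and port come from the rules above.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed sample values (assumptions, not from the tutorial).
WAN_IP = "203.0.113.10"         # stands in for the address behind ADDRv4_eth2
ROUTER_LAN_IP = "192.168.69.1"  # assumed address of the LAN interface eth0
CLIENT = "192.168.69.50"
# Values taken from the tutorial's rules.
SERVER = "192.168.69.100"
LAN = ipaddress.ip_network("192.168.69.0/24")

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def dnat_rule_1(p):
    """Rule 1: traffic to the WAN address on port 443 is redirected to the server."""
    if p.dst == WAN_IP and p.dport == 443:
        return replace(p, dst=SERVER)
    return p

def masq_rule_5001(p):
    """Rule 5001: LAN-to-LAN traffic takes the router's LAN address as its source.
    Simplification: the source port is left unchanged."""
    if ipaddress.ip_address(p.src) in LAN and ipaddress.ip_address(p.dst) in LAN:
        return replace(p, src=ROUTER_LAN_IP)
    return p

def hairpin(client_ip, masquerade):
    """Return (source address the server sees, whether the client accepts the reply)."""
    request = Packet(client_ip, 50000, WAN_IP, 443)
    at_server = dnat_rule_1(request)
    if masquerade:
        at_server = masq_rule_5001(at_server)
    # The server answers whatever source address it saw.
    reply = Packet(at_server.dst, at_server.dport, at_server.src, at_server.sport)
    if reply.dst == ROUTER_LAN_IP:
        # The reply passes back through the router, which reverses both translations.
        reply = replace(reply, src=WAN_IP, dst=client_ip)
    # The client only accepts a reply from the address and port it contacted.
    accepted = (reply.src, reply.sport, reply.dst) == (request.dst, request.dport, client_ip)
    return at_server.src, accepted

if __name__ == "__main__":
    print("without rule 5001:", hairpin(CLIENT, masquerade=False))
    print("with rule 5001:   ", hairpin(CLIENT, masquerade=True))
```

With the masquerade rule in place the server sees the router's LAN address as the source of every hairpinned connection, so its access logs and any IP-based allow lists no longer distinguish individual LAN clients.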

Credits

http://community.ubnt.com/t5/EdgeMAX/HowTo-Hairpin-NAT-for-Dynamic-IP/m-p/471285/highlight/false#M9220
