NAT Reflection – Ubiquiti EdgeRouter Lite (V>=1.3.0) & Dynamic IP
NAT loopback (also called hairpin or reflection NAT) allows internal clients to access internal resources using the router's external IP/hostname. This is useful when you run a server inside a local network and would like to reach it using the same domain name/external IP that outside clients use, instead of maintaining separate internal DNS records. This tutorial will walk you through creating a NAT hairpin for a Ubiquiti EdgeRouter Lite running at least EdgeOS version 1.3.0. If you are running an older version, use the older tutorial at https://blog.laslabs.com/2013/06/nat-reflection-ubiquiti-edgerouter-lite-vyatta-and-dynamic-ip/ instead.
NAT Hairpin
- Log in to the EdgeRouter Lite via SSH
- Enter configure mode
configure
- Create the NAT rule; the below will forward inbound port 443 to local IP 192.168.69.100 on port 443
edit service nat rule 1
set description HTTPS
set inside-address address 192.168.69.100
set inside-address port 443
set log disable
set protocol tcp_udp
set type destination
- Now set the destination settings of this NAT rule. Note that we are using the `eth+` wildcard so that this rule is active on all interfaces whose names begin with `eth`, i.e. on the WAN interface and on the LAN interface; that is what lets internal clients hit the same translation as external ones. In version 1.3.0, the `destination group address-group` option was added, allowing for easy dynamic NAT reflection: the `ADDRv4_eth2` group is maintained by the router and matches packets destined to whatever IPv4 address interface eth2 currently holds, so the rule keeps working when your ISP changes your address. Note: my external interface is eth2; modify `ADDRv4_eth2` to accommodate your setup.
set inbound-interface eth+
set destination port 443
set destination group address-group ADDRv4_eth2
top
- Now we need to set up NAT masquerading for LAN to loop back to LAN. Without this rule, a LAN client connecting to the external address has its destination rewritten to the server, but the server still sees the client's real LAN address and replies to it directly over the LAN, bypassing the router; the client then receives a reply from an address it never connected to and discards it. Masquerading LAN-to-LAN traffic leaving the LAN interface (eth0 here) rewrites the source to the router's LAN address, so the reply comes back through the router and the translation is reversed correctly. The trade-off is that the server's logs show the router's LAN address, not the real client, for hairpinned connections. EdgeOS numbers source NAT rules from 5000 upwards, which is why this rule is 5001 rather than 2.
edit service nat rule 5001
set description Hairpin_MASQ
set destination address 192.168.69.0/24
set source address 192.168.69.0/24
set log disable
set outbound-interface eth0
set protocol tcp_udp
set type masquerade
top
- Finally, we create a firewall rule to allow the inbound traffic. Because destination NAT happens before the `WAN_IN` ruleset is evaluated, the firewall sees the internal server address; the rule below accepts port 443 to any destination, so it is worth tightening with `set destination address 192.168.69.100`, and using `protocol tcp` instead of `tcp_udp` unless the service really listens on UDP as well.
edit firewall name WAN_IN rule 443
set description HTTPS
set action accept
set destination port 443
set log disable
set protocol tcp_udp
top
- Commit and save
commit
save
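As an added example, not code from the original post, the following Python script generates the complete set of EdgeOS `set` commands for the procedure above for any number of ports, so you do not have to hand-edit a second copy of each rule. It also covers the case raised in the comments, where the LAN lives on `switch0` instead of an `eth` interface and therefore needs its own inbound DNAT rule, normalises a host address such as `192.168.3.30/24` to the network `192.168.3.0/24` for the masquerade rule, and pins the `WAN_IN` rule to the server address. The rule-numbering convention (destination NAT below 5000, source NAT from 5000 up), the claim that `eth+` matches only interfaces named `eth*`, and the function and description names are assumptions of this example; verify them on your own firmware.

```python
"""Generate EdgeOS 'set' commands for a NAT hairpin.

Added example, not code from the original post. Assumptions (verify on your
own router): destination NAT rules are numbered below 5000 and source
NAT/masquerade rules from 5000 up; the 'eth+' wildcard matches only interfaces
whose names begin with 'eth', so a LAN on 'switch0' needs its own inbound rule;
the ADDRv4_<wan_if> address group is maintained by EdgeOS >= 1.3.0.
"""
import ipaddress
from typing import List


def hairpin_rules(wan_if: str, lan_if: str, lan_cidr: str, server_ip: str,
                  ports: List[int], protocol: str = "tcp") -> List[str]:
    """Return the 'set' lines for DNAT + LAN masquerade + WAN_IN accept rules."""
    if protocol not in ("tcp", "udp", "tcp_udp"):
        raise ValueError("protocol must be tcp, udp or tcp_udp")
    if len(set(ports)) != len(ports):
        raise ValueError("duplicate ports (WAN_IN rule numbers are the port numbers)")
    # strict=False turns a host address like 192.168.3.30/24 into the network
    # 192.168.3.0/24, which is what the masquerade rule should name.
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    server = ipaddress.ip_address(server_ip)
    if server not in lan:
        raise ValueError(f"{server} is not inside {lan}")

    # eth+ already covers every eth* interface; a LAN on switch0 (or any
    # non-eth name) needs a second DNAT rule with that interface as inbound.
    inbound = ["eth+"]
    if not lan_if.startswith("eth"):
        inbound.append(lan_if)

    cmds: List[str] = []
    rule = 1
    for port in ports:
        for iface in inbound:
            base = f"set service nat rule {rule}"
            cmds += [
                f"{base} description hairpin-{port}",
                f"{base} type destination",
                f"{base} inbound-interface {iface}",
                f"{base} protocol {protocol}",
                f"{base} destination group address-group ADDRv4_{wan_if}",
                f"{base} destination port {port}",
                f"{base} inside-address address {server}",
                f"{base} inside-address port {port}",
                f"{base} log disable",
            ]
            rule += 1

    # One LAN-to-LAN masquerade so the server's replies return via the router.
    base = "set service nat rule 5001"
    cmds += [
        f"{base} description Hairpin_MASQ",
        f"{base} type masquerade",
        f"{base} outbound-interface {lan_if}",
        f"{base} protocol {protocol}",
        f"{base} source address {lan}",
        f"{base} destination address {lan}",
        f"{base} log disable",
    ]

    # WAN_IN accept rules pinned to the server (DNAT runs before the firewall,
    # so the firewall sees the inside address), not to any host on the LAN.
    for port in ports:
        base = f"set firewall name WAN_IN rule {port}"
        cmds += [
            f"{base} description hairpin-{port}",
            f"{base} action accept",
            f"{base} protocol {protocol}",
            f"{base} destination address {server}",
            f"{base} destination port {port}",
            f"{base} log disable",
        ]
    return cmds


def render_session(cmds: List[str]) -> str:
    """Wrap the set lines in a configure/commit/save session for pasting."""
    return "\n".join(["configure", *cmds, "commit", "save", "exit"])


if __name__ == "__main__":
    # Layout from the comment thread: WAN on eth1, LAN on switch0, server .10
    print(render_session(hairpin_rules("eth1", "switch0", "192.168.2.0/24",
                                       "192.168.2.10", [80, 443])))
```

Paste the printed session into an SSH session on the router; if `commit` complains that the `ADDRv4_eth1` group is undefined, you are on firmware older than 1.3.0 and the older tutorial applies.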
Hi Lasley,
I have an EdgeRouter PoE (Lite with 5 ports), and I have configured the switch0 interface on three ports. If I try to do the configuration with a light modification, on commit I get:
admin@ubnt# commit
[ service nat rule 1 inbound-interface eth+ ]
NAT configuration warning: interface eth+ does not exist on this system
Commands that I executed (I am trying to set up port 80 forwarding; my internet interface is eth1, switch0 is 192.168.2.0/24, and the server to run the web is 192.168.2.10):
$ configure
edit service nat rule 1
set description HTTP
set inside-address address 192.168.2.10
set inside-address port 80
set log disable
set protocol tcp_udp
set type destination
set inbound-interface eth+
set destination port 80
set destination group address-group ADDRv4_eth1
top
[edit]
edit service nat rule 5001
set description Hairpin_MASQ
set destination address 192.168.2.0/24
set source address 192.168.2.0/24
set log disable
set outbound-interface switch0
set protocol tcp_udp
set type masquerade
top
[edit]
edit firewall name WAN_IN rule 80
set description HTTP
set action accept
set destination port 80
set log disable
set protocol tcp_udp
top
[edit]
commit
Also a question: if I am finally able to set everything up, do I need to create rules 2 and 5002 for each port forwarding?
And, sorry, I pressed “enter” before finishing. Thank you for the great web site!
That warning is harmless, it was added to help users identify typos. The `+` modifier is a wildcard in the Vyatta subsystem, which will set the NAT rule for all interfaces beginning with `eth` in this instance. In your configuration, however, you can use `eth1`. Port forwarding is already being created with NAT rule 1 and Firewall rule `WAN_IN`. NAT rule 5001 is allowing the internal clients access to the server. For your setup, you will also need a NAT rule 2 that is identical to rule 1, except using `switch0` as the inbound-interface.
Wow, thank you for such a prompt reply! I have the configuration below, but it still does not work :(. If I navigate from inside, it automatically redirects to https and the router web page; from outside, “cannot find page”. If you have time, could you please look below? Also, I don’t see why I need rule #1 if I have rule #2 (reading the Vyatta guide now).
# show service nat rule
rule 1 {
    description HTTP
    destination {
        group {
            address-group ADDRv4_eth1
        }
        port 80
    }
    inbound-interface eth+
    inside-address {
        address 192.168.2.10
        port 80
    }
    log disable
    protocol tcp_udp
    type destination
}
rule 2 {
    description HTTP
    destination {
        group {
            address-group ADDRv4_eth1
        }
        port 80
    }
    inbound-interface switch0
    inside-address {
        address 192.168.2.10
        port 80
    }
    log disable
    protocol tcp_udp
    type destination
}
rule 5001 {
    description Hairpin_MASQ
    destination {
        address 192.168.2.0/24
    }
    log disable
    outbound-interface switch0
    protocol tcp_udp
    source {
        address 192.168.2.0/24
    }
    type masquerade
}
rule 5010 {
    outbound-interface eth1
    type masquerade
}
Sorry, it works. THANK YOU VERY MUCH for the instructions! Merry Christmas and Happy New Year!
Happy to assist. Merry Christmas and Happy New Year to you also!
Hi,
I got an error when committing: “ADDRv4_eth1 group is not defined”. I have the same configuration as Den (ER5-POE, internet interface on eth1 and local interface on switch0), so I guess if it works for Den, it should work for me. I must have missed something. I tried to follow your tutorial with no luck. I’m a newbie; I only copy & paste without understanding very well what I’m doing :-( (Of course, I changed eth2 to eth1, eth0 to switch0 and tcp_udp to tcp.)
Do I have to set up ADDRv4_eth1 somewhere prior to following your tutorial?
What version of EdgeOS are you running (`show version` command)? The `destination group address-group ADDRv4_eth*` configuration was added in EdgeOS v1.3.0; if you are using older firmware, take a look at my older tutorial – https://blog.laslabs.com/2013/06/nat-reflection-ubiquiti-edgerouter-lite-vyatta-and-dynamic-ip/ – or update to 1.3.0.
This is the message I receive:
[ service nat rule 1 destination group address-group ADDRv4_eth1 ]
Group [ADDRv4_eth1] has not been defined
Commit failed
“show version” output:
Version: v1.3.0
Build ID: 4605130
Build on: 10/11/13 17:54
Copyright: 2012-2013 Ubiquiti Networks, Inc.
HW model: EdgeRouter PoE 5-Port
That’s interesting, the address group (ADDRv4_eth1) should be automatically created for the primary IPv4 address of an interface. I just did a test, and this alias exists in my machine even if the interface doesn’t have an IP.
Let’s try using the command’s auto-complete, maybe the alias is named differently in your system. Type the command `set service nat rule 1 destination group address-group` then hit tab twice. You will see a list of available address groups that are exposed for use in your NAT rule. Will you please copy/paste that list to me?
It seems that something is wrong with my router :-(
No list appears when I hit tab.
admin@ubnt:~$ set service nat rule 1 destination group address-group
admin@ubnt:~$ set service nat rule 1 destination group address-group
admin@ubnt:~$ set service nat rule 1 destination group address-group
Honestly the only thing I can think of at this point would be to restore the router to factory defaults (make sure to back up your config first). You could also just perform the steps outlined in my older guide; that procedure will still work on the newer versions, it’s just kind of hacky. Please let me know if you come to a resolution on this issue so that I may update this post and the Ubiquiti knowledgebase.
I will do a factory reset and let you know if it changes something. Just to be sure, when I follow your tutorial, do I have to use the same config as Den because of my setup (eth1: WAN, switch0: LAN)? I’m not sure I understand the part you told him about rule #2.
Yup, your config should look basically identical to Den’s. The reason that NAT rule 2 needs to be created in your scenario and not mine is because `switch0` is not included within the `eth+` wildcard, so you need the separate rule to allow your internal clients access to the internal servers. In my situation, NAT rule 1 is able to route both internal and external clients because `eth+` covers all of my interfaces.
Hi dlasley,
It worked. I did a factory reset. I set the router from scratch (I did use the wizard as I did when I upgraded from 1.2.0 to 1.3.0). Now it recognizes “ADDR_v4…”
I’d like to forward other ports. Am I OK if I only add a new NAT rule (#3) and a firewall rule? I don’t have to recreate rule 5001?
Do I need NAT rule #1 if I only forward ports to switch0?
Great to hear that it worked!
You are correct that there is no need to recreate rule 5001, and that you do not need rule #1 if you are only forwarding to switch0.
It sounds like you’ve got it down at this point. Thanks for reading my blog!
Just to let you know that if rule #1 is deleted, I can’t access the server from outside my LAN.
I have to keep it! Moreover, it works without creating a rule #2 which forwards to switch0.
Thanks for providing the update; I haven’t been able to test with those parameters, so I was just going off of what seemed likely. This way is much more concise. I like it.
It is not working for me; perhaps I am doing something wrong. In my case I have dual WAN, one on eth1 and the other on eth0; all connections are on eth2, 3 and 4, which are acting as a switch in the 192.168.3.0 IP range. When I input every change it does not do NAT loopback; when I restart the router it does, but after 1 minute or so I can’t access from the network.
Perhaps you can help me out here please?
Best regards,
MN.
And this is my configuration, just in case you see something wrong so I have to input different values:
migueln@ubnt:~$ show configuration
**Truncated for legibility**
Hi Miguel,
It looks like you are missing the NAT Masquerading for LAN to loop back to LAN. Something similar to the below:
edit service nat rule 5001
set description Hairpin_MASQ
set destination address 192.168.3.1/24
set source address 192.168.3.1/24
set log disable
set outbound-interface switch0
set protocol tcp_udp
set type masquerade
top
I’m having a bit of trouble deciphering the config because my comments section strips white space, so if I missed the mark, repost the config to http://pastebin.com/ so that the white space is preserved and send me the link.
Thanks for answering. I had it but deleted it because it was not working for me, but I inputted 192.168.3.30/24 instead of 192.168.3.1/24. Is there a difference?
There’s not really a difference in terms of subnets, but you are specifying an IP vs. the actual network. In hindsight, I should have recommended that you use 192.168.3.0/24. When you use 0/24, you are directing traffic to the network, whereas 1/24 and 30/24 are directing to clients on that network. Try modifying your NAT rule source and destination to `192.168.3.0/24`. The next step, if that doesn’t work, would be to try disabling the firewall temporarily just to validate it isn’t getting caught there.
You are a life saver! This finally solved our issue for internal access. Thank you!!!!!!!!!
Thank you!!!!