NAT Reflection – Ubiquiti EdgeRouter Lite (V>=1.3.0) & Dynamic IP

NAT loopback (also called hairpin NAT or NAT reflection) allows internal clients to reach internal resources using the external IP or hostname. This is useful when you run a server inside a local network and want to reach it by its domain name or external IP, exactly as an outside client would. This tutorial walks you through creating a NAT hairpin on a Ubiquiti EdgeRouter Lite running at least version 1.3.0. If you are running an older version, use [[nat-reflection-ubiquiti-edgerouter-lite-vyatta-and-dynamic-ip||this tutorial]] instead.

[[[TOC]]]

= NAT Hairpin =
* Login to EdgeRouter Lite via SSH
* Enter configure mode
{{{
configure
}}}
* Create the destination NAT rule; the commands below forward inbound port 443 to the local IP 192.168.69.100 on port 443
{{{
edit service nat rule 1
set description HTTPS
set inside-address address 192.168.69.100
set inside-address port 443
set log disable
set protocol tcp_udp
set type destination
}}}
* Now set the destination settings of this NAT rule. Note that we are using the `eth+` wildcard so that this rule is active on all interfaces. Version 1.3.0 added the `destination group address-group` option, which makes NAT reflection straightforward on a dynamic IP because the rule matches the interface's current address rather than a hard-coded one. //Note: my external interface is eth2; modify `ADDRv4_eth2` to match your setup. This option matches packets destined to the IPv4 address on interface eth2.//
{{{
set inbound-interface eth+
set destination port 443
set destination group address-group ADDRv4_eth2
top
}}}
* Now we need to set up NAT masquerading so that LAN-to-LAN traffic loops back through the router. Without this rule the server would answer the client directly from its LAN address, and the client would discard the reply because it expected it to come from the external IP.
{{{
edit service nat rule 5001
set description Hairpin_MASQ
set destination address 192.168.69.0/24
set source address 192.168.69.0/24
set log disable
set outbound-interface eth0
set protocol tcp_udp
set type masquerade
top
}}}
* Finally, we create a firewall rule to allow the inbound traffic
{{{
edit firewall name WAN_IN rule 443
set description HTTPS
set action accept
set destination port 443
set log disable
set protocol tcp_udp
top
}}}
* Commit and save
{{{
commit
save
}}}
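The whole procedure above as one worked example, added here and not part of the original post: a Python generator that emits the configure-mode commands for any number of port forwards, so that each forward gets its own destination NAT rule and firewall rule while the hairpin masquerade rule is created only once. The interface names, rule numbers and the sample forwards are constructed values; the command syntax copies the `set`/`edit` lines above, and the LAN prefix is normalised to its network address (so `192.168.3.30/24` becomes `192.168.3.0/24`) before it is used in the masquerade rule.

```python
"""Generate the configure-mode commands for an EdgeOS (>= 1.3.0) NAT hairpin.

Added example, not from the original post. The interface names, rule
numbers and port list below are constructed sample values; the command
syntax follows the set/edit lines the tutorial shows.
"""
import ipaddress


def _quote(text):
    """Quote a description so EdgeOS parses a value containing spaces as one token."""
    return f'"{text}"' if " " in text else text


def hairpin_commands(forwards, wan_if="eth2", lan_if="eth0",
                     lan_net="192.168.69.0/24", nat_inbound="eth+",
                     firewall_name="WAN_IN", masq_rule=5001):
    """Return the EdgeOS commands for a list of port forwards.

    forwards: iterable of (description, port, inside_ip, protocol) tuples.
    Each forward gets its own destination NAT rule (numbered from 1) and its
    own accept rule in the WAN_IN firewall (numbered by port, as the tutorial
    does for 443). The masquerade rule that makes LAN-to-LAN hairpin traffic
    work is shared, so it is emitted once regardless of how many forwards
    there are.
    """
    # A host-form prefix such as 192.168.3.30/24 is normalised to its network,
    # 192.168.3.0/24, which is what the masquerade rule should match.
    net = ipaddress.ip_network(lan_net, strict=False)
    # EdgeOS 1.3.0+ exposes this alias for the primary IPv4 address of wan_if;
    # matching on it keeps the rule valid when the WAN address changes.
    addr_group = f"ADDRv4_{wan_if}"
    # EdgeOS numbers destination NAT rules 1-4999 and source/masquerade rules 5000-9999.
    if not 5000 <= masq_rule <= 9999:
        raise ValueError("masquerade rule number must be in 5000-9999")

    cmds = []
    seen_ports = set()
    for n, (desc, port, inside_ip, proto) in enumerate(forwards, start=1):
        if not 1 <= port <= 65535:
            raise ValueError(f"invalid port {port}")
        if port in seen_ports:
            raise ValueError(f"port {port} forwarded twice")
        seen_ports.add(port)
        if ipaddress.ip_address(inside_ip) not in net:
            raise ValueError(f"{inside_ip} is not inside {net}")
        cmds += [
            f"edit service nat rule {n}",
            f"set description {_quote(desc)}",
            f"set inside-address address {inside_ip}",
            f"set inside-address port {port}",
            "set log disable",
            f"set protocol {proto}",
            "set type destination",
            f"set inbound-interface {nat_inbound}",
            f"set destination port {port}",
            f"set destination group address-group {addr_group}",
            "top",
            f"edit firewall name {firewall_name} rule {port}",
            f"set description {_quote(desc)}",
            "set action accept",
            f"set destination port {port}",
            "set log disable",
            f"set protocol {proto}",
            "top",
        ]
    # One masquerade rule rewrites the source of LAN-to-LAN hairpinned packets
    # to the router, so the server's replies return through the router instead
    # of going straight to the client (which would drop them as unexpected).
    cmds += [
        f"edit service nat rule {masq_rule}",
        "set description Hairpin_MASQ",
        f"set destination address {net}",
        f"set source address {net}",
        "set log disable",
        f"set outbound-interface {lan_if}",
        "set protocol tcp_udp",
        "set type masquerade",
        "top",
        "commit",
        "save",
    ]
    return cmds


if __name__ == "__main__":
    # Constructed sample: the tutorial's HTTPS forward plus a second service.
    sample = [("HTTPS", 443, "192.168.69.100", "tcp_udp"),
              ("Web server", 80, "192.168.69.100", "tcp")]
    print("\n".join(hairpin_commands(sample)))
```

Running the script prints the commands in the order the tutorial applies them; paste them into `configure` mode. For a setup like the one discussed in the comments (WAN on `eth1`, LAN on `switch0`), pass `wan_if="eth1"`, `lan_if="switch0"` and `nat_inbound="switch0"` or `"eth+"` as appropriate, and the address group name and masquerade interface follow.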
= Credits =
[[http://community.ubnt.com/t5/EdgeMAX/HowTo-Hairpin-NAT-for-Dynamic-IP/m-p/471285/highlight/false#M9220]]


Comments

25 responses to “NAT Reflection – Ubiquiti EdgeRouter Lite (V>=1.3.0) & Dynamic IP”

  1. Den

    Hi Lasley,
    I have an EdgeRouter PoE (lite with 5 ports), and I have configured the switch0 interface on three ports. If I try to do the configuration with light modification, on commit I get:

    admin@ubnt# commit
    [ service nat rule 1 inbound-interface eth+ ]
    NAT configuration warning: interface eth+ does not exist on this system

    Commands that I executed (I am trying to set up port 80 forwarding; my internet interface is eth1, switch0 is 192.168.2.0/24, and the server to run the web is 192.168.2.10):

    $ configure
    edit service nat rule 1
    set description HTTP
    set inside-address address 192.168.2.10
    set inside-address port 80
    set log disable
    set protocol tcp_udp
    set type destination
    set inbound-interface eth+
    set destination port 80
    set destination group address-group ADDRv4_eth1
    top
    [edit]
    edit service nat rule 5001
    set description Hairpin_MASQ
    set destination address 192.168.2.0/24
    set source address 192.168.2.0/24
    set log disable
    set outbound-interface switch0
    set protocol tcp_udp
    set type masquerade
    top
    [edit]
    edit firewall name WAN_IN rule 80
    set description HTTP
    set action accept
    set destination port 80
    set log disable
    set protocol tcp_udp
    top
    [edit]
    commit

    Also a question: if I finally am able to set up everything, do I need to create rules 2 and 5002 for each port forward?

    1. Den

      And, sorry, I pressed "enter" before finishing. Thank you for the great web site!

    2. dlasley

      That warning is harmless, it was added to help users identify typos. The `+` modifier is a wildcard in the Vyatta subsystem, which will set the NAT rule for all interfaces beginning with `eth` in this instance. In your configuration, however, you can use `eth1`. Port forwarding is already being created with NAT rule 1 and Firewall rule `WAN_IN`. NAT rule 5001 is allowing the internal clients access to the server. For your setup, you will also need a NAT rule 2 that is identical to rule 1, except using `switch0` as the inbound-interface.

      1. Den

        Wow, thank you for such a prompt reply! I have the configuration below, but it still does not work :(. If I navigate from inside, it automatically redirects to https and the router web page; from outside, "cannot find page". If you have time, could you please look below? Also, I don't see why I need rule #1 if I have rule #2? (reading the Vyatta guide now)

        # show service nat rule
        rule 1 {
            description HTTP
            destination {
                group {
                    address-group ADDRv4_eth1
                }
                port 80
            }
            inbound-interface eth+
            inside-address {
                address 192.168.2.10
                port 80
            }
            log disable
            protocol tcp_udp
            type destination
        }
        rule 2 {
            description HTTP
            destination {
                group {
                    address-group ADDRv4_eth1
                }
                port 80
            }
            inbound-interface switch0
            inside-address {
                address 192.168.2.10
                port 80
            }
            log disable
            protocol tcp_udp
            type destination
        }
        rule 5001 {
            description Hairpin_MASQ
            destination {
                address 192.168.2.0/24
            }
            log disable
            outbound-interface switch0
            protocol tcp_udp
            source {
                address 192.168.2.0/24
            }
            type masquerade
        }
        rule 5010 {
            outbound-interface eth1
            type masquerade
        }

        1. Den

          Sorry, it works. THANK YOU VERY MUCH for the instructions! Merry Christmas and Happy New Year!

          1. dlasley

            Happy to assist. Merry Christmas and Happy New Year to you also!

  2. zetoune

    Hi,

    I got an error when committing: "ADDRv4_eth1 group is not defined". I have the same configuration as Den (ER5-POE, internet interface on eth1 and local interface on switch0). So I guess if it works for Den, it should work for me. I must have missed something. I tried to follow your tutorial with no luck. I'm a newbie; I only copy and paste without understanding very well what I'm doing :-( (Of course, I changed eth2 to eth1, eth0 to switch0 and tcp_udp to tcp).

    Do I have to set up ADDRv4_eth1 somewhere before following your tutorial?

    1. dlasley

      What version of EdgeOS are you running (`show version` command)? The `destination group address-group ADDRv4_eth*` configuration was added in EdgeOS v1.3.0; if you are using older firmware, take a look at my older tutorial (https://blog.laslabs.com/2013/06/nat-reflection-ubiquiti-edgerouter-lite-vyatta-and-dynamic-ip/) or update to 1.3.0.

      1. zetoune

        This is the message I receive:

        [ service nat rule 1 destination group address-group ADDRv4_eth1 ]
        Group [ADDRv4_eth1] has not been defined

        Commit failed

        “show version” output:
        Version: v1.3.0
        Build ID: 4605130
        Build on: 10/11/13 17:54
        Copyright: 2012-2013 Ubiquiti Networks, Inc.
        HW model: EdgeRouter PoE 5-Port

        1. dlasley

          That's interesting; the address group (ADDRv4_eth1) should be automatically created for the primary IPv4 address of an interface. I just did a test, and this alias exists on my machine even if the interface doesn't have an IP.
          Let’s try using the command’s auto-complete, maybe the alias is named differently in your system. Type the command `set service nat rule 1 destination group address-group` then hit tab twice. You will see a list of available address groups that are exposed for use in your NAT rule. Will you please copy/paste that list to me?

  3. zetoune

    It seems that something is wrong with my router :-(
    No list appears when I hit tab.

    admin@ubnt:~$ set service nat rule 1 destination group address-group

    admin@ubnt:~$ set service nat rule 1 destination group address-group

    admin@ubnt:~$ set service nat rule 1 destination group address-group

    1. dlasley

      Honestly the only thing I can think of at this point would be to restore the router to factory defaults (make sure to back up your config first). You could also just perform the steps outlined in my older guide; that procedure will still work on the newer versions, it’s just kind of hacky. Please let me know if you come to a resolution on this issue so that I may update this post and the Ubiquiti knowledgebase.

      1. zetoune

        I will do a factory reset and let you know if it changes something. Just to be sure: when I follow your tutorial, do I have to use the same config as Den because of my setup (eth1: WAN, switch0: LAN)? I'm not sure I understand the part you told him about rule #2.

        1. dlasley

          Yup, your config should look basically identical to Den’s. The reason that NAT rule 2 needs to be created in your scenario and not mine is because `switch0` is not included within the `eth+` wildcard, so you need the separate rule to allow your internal clients access to the internal servers. In my situation, NAT rule 1 is able to route both internal and external clients because `eth+` covers all of my interfaces.

          1. zetoune

            Hi dlasley,

            It worked. I did a factory reset and set the router up from scratch (I used the wizard, as I did when I upgraded from 1.2.0 to 1.3.0). Now it recognizes "ADDR_v4…".

            I'd like to forward other ports. Am I OK if I only add a new NAT rule (#3) and a firewall rule? I don't have to recreate rule 5001?

            Do I need NAT rule #1 if I only forward ports to switch0?

          2. dlasley

            Great to hear that it worked!

            You are correct that there is no need to recreate rule 5001, and that you do not need rule #1 if you are only forwarding to switch0.

            It sounds like you’ve got it down at this point. Thanks for reading my blog!

          3. zetoune

            Just to let you know that if rule #1 is deleted, I can't access the server from outside my LAN.
            I have to keep it! Moreover, it works without creating a rule #2 which forwards to switch0.

          4. dlasley

            Thanks for providing the update; I haven't been able to test with those parameters, so I was just going off what seemed likely. This way is much more concise. I like it.

  4. miguel

    It is not working for me; perhaps I am doing something wrong. In my case I have dual WAN, one on eth1 and the other on eth0; all connections are on eth2, 3 and 4, which are acting as a switch in the 192.168.3.0 IP address range. But when I input every change it does not do NAT loopback; when I restart the router it does, but after 1 minute or so I can't access from the network?

    perhaps you can help me out here please?

    Best regards,

    MN.

  5. miguel

    And this is my configuration, just in case you see something wrong and I have to input different values:

    migueln@ubnt:~$ show configuration
    **Truncated for legibility**

    1. dlasley

      Hi Miguel,

      It looks like you are missing the NAT Masquerading for LAN to loop back to LAN. Something similar to the below:

      edit service nat rule 5001
      set description Hairpin_MASQ
      set destination address 192.168.3.1/24
      set source address 192.168.3.1/24
      set log disable
      set outbound-interface switch0
      set protocol tcp_udp
      set type masquerade
      top

      I'm having a bit of trouble deciphering the config because my comments section strips white space, so if I missed the mark, repost the config to http://pastebin.com/ so that the white space is preserved and send me the link.

  6. miguel

    Thanks for answering. I had it but deleted it because it was not working for me, but I inputted 192.168.3.30/24 instead of 192.168.3.1/24; is there a difference?

    1. dlasley

      There’s not really a difference in terms of subnets, but you are specifying an IP vs the actual network. In hindsight, I should have recommended that you use 192.168.3.0/24. When you use 0/24, you are directing traffic to the network vs. 1/24 and 30/24 are directing to clients on that network. Try modifying your NAT rule source and destination to `192.168.3.0/24`. Next step if that doesn’t work would be to try disabling the firewall temporarily just to validate it isn’t getting caught there.

  7. Gizmo

    You are a life saver! This finally solved our issue for internal access. Thank you!!!!!!!!!

  8. Pyrophoenix

    Thank you!!!!
