NAT Loopback/hairpin/reflection allows internal clients to access internal resources using an external IP/hostname. This is useful when you run a server inside a local network and would like to reach it using your domain name/external IP. This tutorial will walk you through creating a NAT hairpin for a Ubiquiti EdgeRouter Lite running at least version 1.3.0. If you are running an older version, you should use this tutorial.

NAT Hairpin
- Login to EdgeRouter Lite via SSH
- Enter configure mode
- Create the NAT rule; the commands below forward inbound port 443 to local IP 192.168.69.100 on port 443

```
edit service nat rule 1
set description HTTPS
set inside-address address 192.168.69.100
set inside-address port 443
set log disable
set protocol tcp_udp
set type destination
```
- Now set the destination settings of this NAT rule. Note that we are using the `eth+` wildcard so that this rule is active on all interfaces. In version 1.3.0, the `destination group address-group` option was added, allowing for easy dynamic NAT reflection. Note: my external interface is eth2; modify `ADDRv4_eth2` to accommodate your setup. That address group matches packets destined to the IPv4 address currently assigned to interface eth2.

```
set inbound-interface eth+
set destination port 443
set destination group address-group ADDRv4_eth2
top
```
- Now we need to set up NAT masquerading so that LAN traffic can loop back to the LAN

```
edit service nat rule 5001
set description Hairpin_MASQ
set destination address 192.168.69.0/24
set source address 192.168.69.0/24
set log disable
set outbound-interface eth0
set protocol tcp_udp
set type masquerade
top
```
- Finally, we create a firewall rule to allow the inbound traffic

```
edit firewall name WAN_IN rule 443
set description HTTPS
set action accept
set destination port 443
set log disable
set protocol tcp_udp
top
```
- Commit and save
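The whole procedure above collected into a single configure session, as an added example that is not part of the original tutorial. It goes slightly beyond the steps: the masquerade rule's destination is narrowed to the server host 192.168.69.100 instead of the whole /24 (the tutorial's form also works), and the session ends with the show commands used to confirm the rules loaded. Interface names, the LAN subnet and the server address are the tutorial's; substitute your own.

```edgeos
configure

# Destination NAT: traffic arriving on any interface (eth+) for the
# address currently assigned to eth2, TCP/UDP port 443, is sent to
# the internal server 192.168.69.100:443
edit service nat rule 1
set description HTTPS
set type destination
set inbound-interface eth+
set protocol tcp_udp
set destination group address-group ADDRv4_eth2
set destination port 443
set inside-address address 192.168.69.100
set inside-address port 443
set log disable
top

# Source NAT for the hairpin leg only: LAN clients reaching the server
# through the external address are rewritten to the router's LAN address,
# so the server replies via the router instead of directly to the client.
# Destination is narrowed to the server host rather than the whole /24.
# Side effect: the server's logs show the router address, not the client.
edit service nat rule 5001
set description Hairpin_MASQ
set type masquerade
set outbound-interface eth0
set protocol tcp_udp
set source address 192.168.69.0/24
set destination address 192.168.69.100
set log disable
top

# Firewall: allow the forwarded port in from the WAN side
edit firewall name WAN_IN rule 443
set description HTTPS
set action accept
set protocol tcp_udp
set destination port 443
set log disable
top

commit
save
exit

# Verify the rules loaded and, after a test connection from a LAN host
# to the external address, that a translation entry exists for it
show nat rules
show nat translations
```

Because of the masquerade, the internal server sees every hairpinned connection coming from the router's LAN address; keep the router's own logs or NAT translations if you need to attribute such connections to a specific LAN client.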