New Member

Hairpin NAT Issues

I've tried to no avail to get my local webserver forwarded to port 80 on both internal and external network requests.  I've searched through about a dozen different posts going back to 2014.

My information:

  • Edgerouter X
  • Firmware version: v 1.10.5.5098943.180622.1555
  • Port 80 is open by my ISP
  • I can access the website via an outside IP (from my phone on LTE, from my work computer)
  • When I try to access the domain I have for it from inside my local network, I get redirected to the edgerouter login screen
  • I've followed the steps on the guide EdgeRouter - Hairpin NAT and still nothing is working
    • That guide is pretty much exactly what I want - both local traffic + internet traffic to be able to hit
    • Apache webserver sitting on a VM with IP 192.168.117.203
    • Local traffic (computer, phone, laptop, iPad) on IP 192.168.117.x. From inside my network, I cannot access my webserver
    • From outside I am able to access
  • Here is the URL http://test.alphavega.com/ which I've mapped and does work
  • I have a PiHole set up as my DNS server at 192.168.117.17

Here is my config (stripped of sensitive info)

firewall {
    all-ping enable
    broadcast-ping disable
    group {
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 21 {
            action accept
            description http
            destination {
                port 80
            }
            log disable
            protocol tcp
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "http (apache)"
            destination {
                port 80
            }
            log disable
            protocol tcp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.117.1/24
        description Local
        mtu 1500
        switch-port {
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth2
    rule 1 {
        description http(main)
        forward-to {
            address 192.168.117.203
            port 80
        }
        original-port 80
        protocol tcp_udp
    }
    wan-interface eth0
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.117.0/24 {
                default-router 192.168.117.1
                dns-server 192.168.117.17
                lease 86400
                start 192.168.117.38 {
                    stop 192.168.117.243
                }
                static-mapping cobra-commander.digiworld {
                    ip-address 192.168.117.7
                }
                static-mapping dusty.digiworld {
                    ip-address 192.168.117.8
                }
                static-mapping living-room.digiworld {
                    ip-address 192.168.117.75
                }
                static-mapping palmon.digiworld {
                    ip-address 192.168.117.203
                }
                static-mapping zartan.digiworld {
                    ip-address 192.168.117.76
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on switch0
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 1 {
            description http(80)
            destination {
                address 69.114.199.84
                port 80
            }
            inbound-interface switch0
            inside-address {
                address 192.168.117.203
                port 80
            }
            log disable
            protocol tcp
            source {
            }
            type destination
        }
        rule 2 {
            description hairpin(80)
            destination {
                address 69.114.199.84
                port 80
            }
            inbound-interface eth2
            inside-address {
                address 192.168.117.203
                port 80
            }
            log disable
            protocol tcp
            source {
            }
            type destination
        }
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
        rule 5011 {
            description hairpin
            destination {
                address 69.114.199.84
                port 80
            }
            log disable
            outbound-interface eth2
            protocol tcp
            source {
                address 192.168.117.0/24
                port 80
            }
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}
system {
    host-name 
    login {
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/New_York
}

Accepted Solutions
Senior Member

Re: Hairpin NAT Issues

You have the wrong LAN interface set on the port forward wizard! switch0 would be the correct setting.


All Replies

New Member

Re: Hairpin NAT Issues


@smyers119 wrote:
You have the wrong LAN interface set on the port forward wizard! switch0 would be the correct setting.

I thought that I had tried that, and I ended up with no internet access.  I'm at work now but I will try it again tonight when I get home and let you know.  Thanks.

Veteran Member

Re: Hairpin NAT Issues

Either use port forward tab, or manual rules.

As stated, the port forward tab should use switch0, not eth2.

Manual NAT rules: (assuming port forward is removed entirely)

Rule 2 should be on eth0; this is for outside access.

Rule 5011 has 2 flaws:

   destination address should be the inside address: 192.168.117.203

   Get rid of the source port; it's not 80 but in the 1024...65535 range

Member

Re: Hairpin NAT Issues

I would change the router GUI port to something like 8080.

I had a similar issue. When I was on my internal LAN and wanted to connect to my server via FQDN, the firewall local rule thought I wanted the router GUI because of port 80 (it hit this rule first for some reason). I swapped the router GUI to a different port and it solved my issue.
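
Putting the Veteran Member's NAT corrections and the Member's GUI-port suggestion into concrete commands, as an added example that is not part of the thread (not posted by anyone in it): the EdgeOS configure-mode commands below assume the addresses and interface names from the config the OP posted (public IP 69.114.199.84 on eth0, Apache at 192.168.117.203 behind switch0, LAN 192.168.117.0/24) and assume nothing else on the LAN needs to reach the router itself on port 80. Use Option A or Option B, not both; the hardening lines at the end apply to either.

```text
configure

# --- Option A: keep the port-forward wizard, but hand it the interface the
#     routed packets actually arrive on. eth2 is only a member port of switch0,
#     so the hairpin rules the wizard generated for eth2 never matched, and a
#     LAN client connecting to 69.114.199.84:80 reached the router's own GUI.
set port-forward lan-interface switch0
# HTTP is TCP only; tcp_udp was a wider match than the service needs.
set port-forward rule 1 protocol tcp
# The wizard writes its own DNAT/SNAT rules, so the hand-written copies go.
delete service nat rule 1
delete service nat rule 2
delete service nat rule 5011

# --- Option B: manual rules only (first run `delete port-forward`).
# Rule 1: hairpin DNAT for LAN clients. Inbound interface is switch0, not eth2.
set service nat rule 1 description 'dnat http hairpin'
set service nat rule 1 type destination
set service nat rule 1 inbound-interface switch0
set service nat rule 1 protocol tcp
set service nat rule 1 destination address 69.114.199.84
set service nat rule 1 destination port 80
set service nat rule 1 inside-address address 192.168.117.203
set service nat rule 1 inside-address port 80
# Rule 2: the same DNAT for Internet clients, matched on the WAN interface.
set service nat rule 2 description 'dnat http from WAN'
set service nat rule 2 type destination
set service nat rule 2 inbound-interface eth0
set service nat rule 2 protocol tcp
set service nat rule 2 destination address 69.114.199.84
set service nat rule 2 destination port 80
set service nat rule 2 inside-address address 192.168.117.203
set service nat rule 2 inside-address port 80
# Rule 5011: hairpin SNAT. Source NAT runs after DNAT, so it must match the
# server's inside address, not the public one, and it must not match a source
# port: clients connect from an ephemeral port, never from 80. Without this
# SNAT the server answers the LAN client directly, the client sees a reply
# from 192.168.117.203 for a connection it opened to 69.114.199.84, and drops it.
set service nat rule 5011 description 'snat http hairpin'
set service nat rule 5011 type masquerade
set service nat rule 5011 outbound-interface switch0
set service nat rule 5011 protocol tcp
set service nat rule 5011 source address 192.168.117.0/24
delete service nat rule 5011 source port
set service nat rule 5011 destination address 192.168.117.203
set service nat rule 5011 destination port 80

# --- Either option: take the router's own HTTP listener out of the picture.
# DNAT is applied before the router decides a packet is addressed to itself,
# so once the hairpin rule matches, port 80 on the public IP no longer lands
# on the GUI. Moving the GUI off 80 anyway means the next NAT mistake fails
# closed instead of serving the admin login page to whoever hit it.
set service gui http-port 8080
# WAN_LOCAL rule 30 accepted tcp/80 *to the router* from the Internet. The
# Apache traffic is forwarded (WAN_IN rule 21), not local, so rule 30 only ever
# exposed the management interface; with default-action drop it is not needed.
delete firewall name WAN_LOCAL rule 30
# older-ciphers enable admits legacy TLS cipher suites on the HTTPS listener;
# drop it unless a specific old client is known to need it.
delete service gui older-ciphers

commit
save
exit
```

To check the result: from a LAN host, `curl -sI http://test.alphavega.com/` should return Apache's response headers rather than the EdgeOS login page, and on the router `show nat statistics` should show the packet counters of the hairpin DNAT and SNAT rules climbing while that request runs (`show nat translations` lists the live entries). The rule-5011 comment above is the general point about hairpin NAT, not just this config: any source-port match in the hairpin SNAT, or a destination address that is still the public IP after DNAT has rewritten it, leaves the LAN client's connection half-translated. Since the OP already runs Pi-hole as the LAN resolver, the alternative is split-horizon DNS: a local record mapping test.alphavega.com to 192.168.117.203, so LAN clients never traverse the router for that name at all.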

New Member

Re: Hairpin NAT Issues


@smyers119 wrote:
You have the wrong LAN interface set on the port forward wizard! switch0 would be the correct setting.

That was it!  Thanks.  I can't believe it was something so simple.
