06-26-2017 07:28 AM - edited 06-26-2017 07:29 AM
Having issues with hairpin NAT.
[edit port-forward]
ubnt@ubnt# show
auto-firewall enable
hairpin-nat enable
lan-interface eth1
lan-interface eth2.11
wan-interface pppoe0
[edit port-forward]
ubnt@ubnt#
I am on a device on a switch on eth1, I try to establish an OpenVPN connection (just testing here) to the external interface and it fails.
I see this in the OpenVPN logs:
2017-06-27 00:16:41: TCP/UDP: Incoming packet rejected from [AF_INET]192.168.11.1:1194, expected peer address: [AF_INET]124.xx.xx.xx:1194 (allow this incoming source address/port by removing --remote or adding --float)
where 124.xx.xx.xx is my external IP and 192.168.11.1 is the device on eth1 subnet.
The OpenVPN connection works fine from a device actually on the internet. I can see from the log that it is a NAT issue.
Edge Router Lite running 18.104.22.168
Any help appreciated.
06-26-2017 09:45 AM
I'm not sure what your problem is. Hairpin NAT is for reaching devices which belong to private networks behind a router from devices which are behind the same router as well, pointing at the public IP address... Are you trying to reach an OpenVPN server running behind the ER, or is it the ER itself which acts as the OpenVPN server?
06-26-2017 04:59 PM
I was trying to access an OpenVPN server running on the ERL3 from within the network via the external IP. I assumed it would have NAT'd that traffic as well. From what you are saying it sounds like it will only hairpin NAT when there is an existing port forward to a host inside the network?
06-26-2017 06:52 PM
Correct, hairpin NAT only comes into play when you have a port forward / DNAT rule for some port to a host inside the LAN.
It does not do anything for services running on the router itself.
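As an added illustration of the answer above (this is not from the thread or from EdgeOS), here is a small model of the two paths a LAN client's packet takes when it is addressed to the router's public IP: a port-forwarded port gets DNAT plus the hairpin rewrite, while a router-local service such as the OpenVPN server is answered from the LAN-side address, which is exactly the peer mismatch in the log. The client address, the port-forward table and the 124.0.0.1 stand-in for the redacted WAN IP are constructed assumptions.

```python
"""Toy model of hairpin NAT vs. a router-local service (constructed example)."""
from dataclasses import dataclass

WAN_IP = "124.0.0.1"        # placeholder for the thread's redacted 124.xx.xx.xx
LAN_GW = "192.168.11.1"     # router's own address on the eth1 subnet (from the log)
CLIENT = "192.168.11.50"    # constructed LAN client


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    port: int


def route_through_router(pkt, port_forwards, hairpin=True):
    """Return the reply the LAN client receives for a packet sent to WAN_IP.

    Hairpin NAT only rewrites traffic that matched a DNAT port forward;
    anything else addressed to WAN_IP terminates on the router itself.
    """
    if pkt.dst != WAN_IP:
        raise ValueError("model only covers traffic sent to the public IP")
    target = port_forwards.get(pkt.port)
    if target is not None:
        if hairpin:
            # DNAT to the inside host plus SNAT of the source to the router,
            # so the reply returns via the router and is un-NATted to WAN_IP.
            return Packet(src=WAN_IP, dst=pkt.src, port=pkt.port)
        # Without hairpin the inside host answers the client directly and
        # the client sees the host's private address instead of WAN_IP.
        return Packet(src=target, dst=pkt.src, port=pkt.port)
    # No DNAT matched: the router is the endpoint. Its reply leaves on the
    # LAN interface with that interface's address as the source.
    return Packet(src=LAN_GW, dst=pkt.src, port=pkt.port)


def openvpn_peer_check(expected_peer, reply):
    """Mimic OpenVPN's default check (no --float): the reply source must
    match the configured --remote address or the packet is rejected."""
    return reply.src == expected_peer


PORT_FORWARDS = {443: "192.168.11.20"}  # constructed: HTTPS forwarded to a LAN host

if __name__ == "__main__":
    vpn = route_through_router(Packet(CLIENT, WAN_IP, 1194), PORT_FORWARDS)
    print("OpenVPN reply from", vpn.src,
          "-> accepted" if openvpn_peer_check(WAN_IP, vpn) else "-> rejected")
    web = route_through_router(Packet(CLIENT, WAN_IP, 443), PORT_FORWARDS)
    print("forwarded service reply from", web.src)
```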