Emerging Member

Hairpin NAT not working

Having issues with hairpin NAT.

My config:

[edit port-forward]
ubnt@ubnt# show
 auto-firewall enable
 hairpin-nat enable
 lan-interface eth1
 lan-interface eth2.11
 wan-interface pppoe0
[edit port-forward]
ubnt@ubnt#

I am on a device on a switch on eth1. I try to establish an OpenVPN connection (just testing here) to the external interface and it fails.

I see this in the OpenVPN logs:

2017-06-27 00:16:41: TCP/UDP: Incoming packet rejected from [AF_INET]192.168.11.1:1194[2], expected peer address: [AF_INET]124.xx.xx.xx:1194 (allow this incoming source address/port by removing --remote or adding --float)

where 124.xx.xx.xx is my external IP and 192.168.11.1 is the device on eth1 subnet.

The OpenVPN connection works fine from a device actually on the internet. I can see from the log that it is a NAT issue.

Edge Router Lite running 1.9.1.1

Any help appreciated.

SuperUser

Re: Hairpin NAT not working

I'm not sure what your problem is. Hairpin NAT is for reaching devices which belong to private networks, behind a router, from devices which are behind the same router as well, pointing to the public IP address. Are you trying to reach an OpenVPN server running behind the ER, or is it the ER itself which acts as the OpenVPN server?

Cheers,

Emerging Member

Re: Hairpin NAT not working

I was trying to access an OpenVPN server running on the ERL3 from within the network via the external IP. I assumed it would have NAT'd that traffic as well. From what you are saying, it sounds like it will only hairpin NAT when there is an existing port forward to a host inside the network?

SuperUser

Re: Hairpin NAT not working

Correct, hairpin NAT only comes into play when you have a port forward / DNAT rule for some port to a host inside the LAN.

It does not do anything for services running on the router itself.
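
A log triage sketch for the symptom in this thread, added here as an example and not posted by any participant: it parses the OpenVPN client's "Incoming packet rejected" message and flags the case where the reply arrived from an RFC 1918 address while the client had dialled a different peer. The function names, verdict strings and the second and third sample lines are constructed for illustration.

```python
import ipaddress
import re

# The client-side rejection message quoted in the thread, as a pattern.
REJECT_RE = re.compile(
    r"Incoming packet rejected from \[AF_INET\](?P<src>[^:\s]+):\d+"
    r".*?expected peer address: \[AF_INET\](?P<peer>[^:\s]+):\d+"
)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def in_rfc1918(addr):
    """True/False for a parseable address, None for a masked one (124.xx.xx.xx)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    return any(ip in net for net in RFC1918)

def triage(line):
    """Classify one OpenVPN client log line; None if it is not a rejection."""
    m = REJECT_RE.search(line)
    if m is None:
        return None
    src, peer = m["src"], m["peer"]
    # Reply sourced from a LAN address while the client dialled something else:
    # the pattern seen in the thread, where the server runs on the router itself.
    if in_rfc1918(src) is True and in_rfc1918(peer) is not True:
        verdict = "reply-from-lan-address"
    else:
        verdict = "other-source-mismatch"
    return {"source": src, "expected": peer, "verdict": verdict}

SAMPLE_LINES = [
    # Line from the thread (external IP masked by the poster).
    "2017-06-27 00:16:41: TCP/UDP: Incoming packet rejected from [AF_INET]192.168.11.1:1194[2], expected peer address: [AF_INET]124.xx.xx.xx:1194 (allow this incoming source address/port by removing --remote or adding --float)",
    # Constructed line: both addresses are non-RFC 1918 documentation addresses.
    "2017-06-27 00:20:02: TCP/UDP: Incoming packet rejected from [AF_INET]198.51.100.7:1194[2], expected peer address: [AF_INET]203.0.113.10:1194 (allow this incoming source address/port by removing --remote or adding --float)",
    # Constructed line: not a rejection message at all.
    "2017-06-27 00:20:05: Initialization Sequence Completed",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(triage(line))
```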