New Member
Posts: 27
Registered: ‎03-09-2014
Kudos: 1
Accepted Solution

Port Forwarding working externally / Hairpin doesn't work when accessing via LAN (EdgeOS v1.4.0)

Hi - I've read a number of topics on this, many before the latest firmware was released. I'm pretty new to EdgeOS and not good with the CLI, although I'm learning.

I am able to successfully forward port 80 and port 3389 traffic from my WAN to internal IP addresses on my LAN using the new port forwarding wizard; however, when I try and access the same services via the LAN using my public address assigned to the WAN, it appears as though the port forwarding rules are not working and the EdgeOS interface attempts to load instead (redirecting from port 80 to port 443).

The research I've done indicates that I need a hairpin rule enabled. I have made sure that my new port forwarding rules using the new firmware have that option enabled, but I still cannot get it to work. Here is a snippet of the configuration from the CLI.

admin@edgerouter# show port-forward 
 auto-firewall enable
 hairpin-nat enable
 lan-interface br0
 rule 1 {
     description HTTP
     forward-to {
         address 192.168.1.103
         port 80
     }
     original-port 80
     protocol tcp_udp
 }
 rule 2 {
     description RDP
     forward-to {
         address 192.168.1.103
         port 3389
     }
     original-port 3389
     protocol tcp_udp
 }
 wan-interface eth0
[edit]

I'm thoroughly confused. My setup is basically stock, I upgraded to the latest firmware tonight. Can anyone help me figure out what I'm missing so clients on my internal LAN can access services via DNS / External IP?

Thank you,

Erick


All Replies
Regular Member
Posts: 745
Registered: ‎11-06-2013
Kudos: 230
Solutions: 26

Re: Port Forwarding working externally / Hairpin doesn't work when accessing via LAN (EdgeOS v1.4.0)

 

I am experiencing pretty much the same issue with 1.4. I cannot get to my webserver.

port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface br0
    rule 1 {
        description Something
        forward-to {
            address 10.253.1.20
        }
        original-port 24706
        protocol tcp
    }
    rule 2 {
        description Webserver
        forward-to {
            address 10.253.1.4
        }
        original-port 80
        protocol tcp
    }
    wan-interface eth2
}

 

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5460
Solutions: 1656
Contributions: 2

Re: Port Forwarding working externally / Hairpin doesn't work when accessing via LAN (EdgeOS v1.4.0)

Yeah actually we have discussed similar/same issue before, for example here. Could you confirm whether one of the following applies in your setup:

  • When testing hairpin NAT, is the target device also the client device, i.e., is the router NATing traffic back to the client device itself?
  • Is there a hardware switch connected to one of the bridge ports, and both the client and the target devices in the hairpin NAT test are connected to the same switch (or in the case where there are multiple switches involved, do both of them reach the router on the same bridge port)?

You can also try the "sudo ifconfig br0 promisc" command mentioned in the thread linked above to see if that resolves the issue in your setup.

New Member
Posts: 27
Registered: ‎03-09-2014
Kudos: 1

Re: Port Forwarding working externally / Hairpin doesn't work when accessing via LAN (EdgeOS v1.4.0)

Hello,

  • No, the client device is not the target device. I have a separate server I am forwarding traffic to and cannot access via my desktop or laptop when connected to the same network.
  • Yes, I have a hardware switch plugged into eth1 on the router. The rest of my hardware (client and target) is then plugged into the switch. I have bridged eth1 and eth2 (into br0) but currently eth2 is not in use. eth0 is my WAN port.
  • I ran the command you specified and it does not resolve the issue.

I will re-read the thread you linked to and see if there is anything else there I can try. I may try and wipe the entire thing back to defaults and start over from scratch.

Thanks!
Erick

Regular Member
Posts: 745
Registered: ‎11-06-2013
Kudos: 230
Solutions: 26

Re: Port Forwarding working externally / Hairpin doesn't work when accessing via LAN (EdgeOS v1.4.0)


erickh wrote:

  • No, the client device is not the target device. I have a separate server I am forwarding traffic to and cannot access via my desktop or laptop when connected to the same network.
  • Yes, I have a hardware switch plugged into eth1 on the router. The rest of my hardware (client and target) is then plugged into the switch. I have bridged eth1 and eth2 (into br0) but currently eth2 is not in use. eth0 is my WAN port.

 

I have pretty much the same setup here on one ERL. Webserver and desktop on switch B. Switch B on switch A. Switch A plugged into eth1 (with eth0 and eth1 as br0).

domain.com will not load but 10.x.x.4 will load. The ERL is the DHCP and DNS server in this design.

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5460
Solutions: 1656
Contributions: 2

Re: Port Forwarding working externally / Hairpin doesn't work when accessing via LAN (EdgeOS v1.4.0)

Yeah in both of your setups, there's a hardware switch (or switches) plugged into one of the bridge ports and then devices plugged into the switch(es), so when hairpin NAT involves two of those devices, it will be affected by the hairpin/bridge issue discussed in the thread linked above. One thing to try would be to reboot the router and then run the "ifconfig" command first thing after it boots (before doing any hairpin testing).

Also, as discussed before, if you are already using hardware switch(es) for the LAN anyway, doing software bridging on the router is not recommended since (1) it doesn't provide much (if any) benefit as hardware switch has more ports anyway, and (2) bridging is like doing the switching in software and therefore will have performance impact. So if feasible, you could also try removing the bridge and just connect the switches to one interface and use that as LAN (the other interface could be used for management for example).

Regular Member
Posts: 745
Registered: ‎11-06-2013
Kudos: 230
Solutions: 26

Re: Port Forwarding working externally / Hairpin doesn't work when accessing via LAN (EdgeOS v1.4.0)

Telling me not to use a port that I own is not valid. I bridged the LAN because I need that port for a device. I do not have any other open switch ports. So instead you are suggesting I should just go buy a bigger switch? I think I will buy something besides an ERL if that will be the answer.

New Member
Posts: 27
Registered: ‎03-09-2014
Kudos: 1

Re: Port Forwarding working externally / Hairpin doesn't work when accessing via LAN (EdgeOS v1.4.0)

ancheng,

Your suggestion to reboot the router and then immediately run the following command before testing the hairpin seems to have done the trick for me.

sudo ifconfig br0 promisc

I noticed in the other thread that it was mentioned I'd need to run it again after a reboot, but can set up a script to automatically take care of that. I may do that, but do you think removing the bridge and using just one port will solve the problem without this workaround? I don't really need the other port (eth2) for anything. If it really is a performance bottleneck, I may as well unbridge and just use one of the other ports.

Thanks for the help. This has been a somewhat frustrating process for a newbie like myself :)

 

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5460
Solutions: 1656
Contributions: 2

Re: Port Forwarding working externally / Hairpin doesn't work when accessing via LAN (EdgeOS v1.4.0)

Yeah certainly, if the command works then as far as we know it is the same issue as the one that we were able to confirm, so removing the bridge should work too. Yes, as mentioned doing software bridging will have performance impact (may or may not become the bottleneck depending on the actual environment of course).

On the other hand, we certainly do recognize that people may still want to bridge, so we have added a configuration setting so that people who want it can apply "promisc" as part of the configuration (so no need for manual command, scripting, etc.). This will be available in the next release.

 

Regular Member
Posts: 745
Registered: ‎11-06-2013
Kudos: 230
Solutions: 26

Re: Port Forwarding working externally / Hairpin doesn't work when accessing via LAN (EdgeOS v1.4.0)

Using the new version 1.4.1 this now works great after setting promiscuous enable.

sorvani@home:~$ configure
[edit]
sorvani@home# set interfaces bridge br0 promiscuous enable
[edit]
sorvani@home# commit
[edit]
sorvani@home# save
Saving configuration to '/config/config.boot'...
Done
[edit]
sorvani@home# exit
exit
sorvani@home:~$ 
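
An added example (not part of any post in this thread, and not Ubiquiti code): a small Python check that parses an EdgeOS-style config tree and reports whether hairpin NAT is enabled on a bridge that lacks the `promiscuous enable` setting shown above, along with the forwards the rules expose on the WAN. The sample config is constructed from the configurations posted in this thread, and the function names are hypothetical.

```python
# Added example, not from the thread. SAMPLE is constructed from the posts above.
SAMPLE = """
interfaces {
    bridge br0 {
        address 192.168.1.1/24
    }
}
port-forward {
    hairpin-nat enable
    lan-interface br0
    rule 2 {
        forward-to {
            address 192.168.1.103
        }
        original-port 3389
        protocol tcp_udp
    }
}
"""

def parse(text):
    """Parse brace-nested 'key value' config text into nested dicts."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("{"):               # open a node such as 'bridge br0 {'
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}" and len(stack) > 1:
            stack.pop()
        elif line and line != "[edit]":      # leaf: first word is the key
            key, _, value = line.partition(" ")
            stack[-1][key] = value
    return stack[0]

def audit(cfg):
    """Return (hairpin_at_risk, forwards exposed on the WAN)."""
    pf = cfg.get("port-forward", {})
    lan = pf.get("lan-interface", "")
    bridge = cfg.get("interfaces", {}).get("bridge " + lan, {})
    at_risk = (pf.get("hairpin-nat") == "enable" and lan.startswith("br")
               and bridge.get("promiscuous") != "enable")
    exposed = []
    for name, rule in pf.items():
        if name.startswith("rule "):
            fwd = rule.get("forward-to", {})
            # Assumption: an omitted forward-to port keeps original-port.
            exposed.append((rule["original-port"], rule["protocol"], fwd.get("address"),
                            fwd.get("port", rule["original-port"])))
    return at_risk, exposed
```

A `True` first value only means the configuration matches the bridge case discussed in this thread; whether hairpin actually fails still depends on where the client and target are plugged in.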

 

New Member
Posts: 1
Registered: ‎07-22-2014

Re: Port Forwarding working externally / Hairpin doesn't work when accessing via LAN (EdgeOS v1.4.0)

I ran into a similar issue; I used the new Setup Wizard "Load Balancing" to initially configure the EdgeRouterPOE.

eth0 - primary ISP

eth1 - secondary ISP (Failover Only)

eth2-4 - Local

Hairpin fails anytime I have the eth1 link enabled, even though external access works fine... Tried the port forwarding wizard, and manually configuring all the rules, failed in both scenarios. Works fine if I disable eth1.

Eventually gave up on trying to have a failover config, and left eth1 disabled. Would like to try again, anyone have suggestions?

B

Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3125
Solutions: 945
Contributions: 16

Re: Port Forwarding working externally / Hairpin doesn't work when accessing via LAN (EdgeOS v1.4.0)


bmeneses wrote:

I ran into a similar issue; I used the new Setup Wizard "Load Balancing" to initially configure the EdgeRouterPOE.

eth0 - primary ISP

eth1 - secondary ISP (Failover Only)

eth2-4 - Local

Hairpin fails anytime I have the eth1 link enabled, even though external access works fine... Tried the port forwarding wizard, and manually configuring all the rules, failed in both scenarios. Works fine if I disable eth1.

Eventually gave up on trying to have a failover config, and left eth1 disabled. Would like to try again, anyone have suggestions?


This thread may be relevant - LINK.

EdgeMAX Router Software Development
Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3125
Solutions: 945
Contributions: 16

Re: Port Forwarding working externally / Hairpin doesn't work when accessing via LAN (EdgeOS v1.4.0)

@shawns I moved your post to a separate thread since this one is "solved".  See - http://community.ubnt.com/t5/EdgeMAX/Re-Port-Forwarding-working-externally-Hairpin-doesn-t-work-when...

EdgeMAX Router Software Development