Regular Member

Pulling my HAIR(pin) out!!

I'm trying to just figure out how to get hairpin to work with my firewall rules. Oddly enough I can get it to work if I'm going from one VLAN to another, but I need to hairpin from eth0 back into eth0.

I have an app that I want to work both internally when on wifi and when external. I need to point to my WAN IP and I don't want to set up 2 profiles (1 internal, 1 external). So I put in my WAN IP but it gets blocked. Can someone help!?!?

Thanks!!!!

 

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group PRIVATE_NETS {
            description "Priviate LAN Networks"
            network 192.168.99.0/24
            network 192.168.30.0/24
            network 192.168.40.0/24
            network 192.168.50.0/24
            network 192.168.0.0/24
            network 192.168.2.0/24
            network 192.168.3.0/24
            network 192.168.4.0/24
            network 192.168.5.0/24
            network 192.168.20.0/24
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians disable
    modify balance {
        rule 10 {
            action modify
            description "do NOT load balance lan to lan"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            modify {
                table main
            }
        }
        rule 30 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth1
                }
            }
            modify {
                table main
            }
        }
        rule 40 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth2
                }
            }
            modify {
                table main
            }
        }
        rule 100 {
            action modify
            modify {
                lb-group G
            }
        }
    }
    name Eth0_In {
        default-action accept
        description "Eth0 to Other LANs"
        rule 10 {
            action accept
            description "Accept VPN Traffic"
            destination {
                address 192.168.99.240-192.168.99.250
            }
            log disable
            protocol all
        }
        rule 40 {
            action drop
            description "Drop Other LANs"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            log disable
            protocol all
            source {
                group {
                }
            }
        }
    }
    name Eth0_Local {
        default-action accept
        description "Eth0 to Router"
    }
    name VLAN20_In {
        default-action accept
        description "Eth0 to Other LANs"
        rule 1 {
            action drop
            description "Drop Other LANs"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            log disable
            protocol all
            source {
                group {
                }
            }
        }
    }
    name VLAN20_Local {
        default-action accept
        description "Eth0 to Router"
    }
    name VLAN30_In {
        default-action accept
        description "Eth0 to Other LANs"
        rule 1 {
            action drop
            description "Drop Other LANs"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            log disable
            protocol all
            source {
                group {
                }
            }
        }
    }
    name VLAN30_Local {
        default-action accept
        description "Eth0 to Other LANs"
    }
    name VLAN40_In {
        default-action accept
        description "Eth0 to Other LANs"
        rule 1 {
            action drop
            description "Drop Other LANs"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            log disable
            protocol all
            source {
                group {
                }
            }
        }
    }
    name VLAN40_Local {
        default-action accept
        description "Eth0 to Other LANs"
    }
    name VLAN50_In {
        default-action accept
        description "Eth0 to Other LANs"
        rule 1 {
            action drop
            description "Drop Other LANs"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            log disable
            protocol all
            source {
                group {
                }
            }
        }
    }
    name VLAN50_Local {
        default-action accept
        description "Eth0 to Other LANs"
    }
    name WAN_IN {
        default-action drop
        description "WAN to LAN"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description SIP
            destination {
                port 5060
            }
            log disable
            protocol tcp_udp
        }
        rule 30 {
            action accept
            description 2088
            destination {
                port 2088
            }
            log disable
            protocol udp
        }
        rule 40 {
            action accept
            description 8081
            destination {
                port 8081
            }
            log disable
            protocol tcp_udp
        }
        rule 50 {
            action accept
            description 15000-15511
            destination {
                port 15000-15511
            }
            log disable
            protocol tcp_udp
        }
        rule 60 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to Router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Allow PPTP"
            destination {
                port 1723
            }
            log disable
            protocol tcp
        }
        rule 30 {
            action accept
            description "Allow GRE for PPTP"
            log disable
            protocol gre
        }
        rule 40 {
            action accept
            description "Allow IKE L2TP Server"
            destination {
                port 500
            }
            log enable
            protocol udp
        }
        rule 50 {
            action accept
            description "Allow L2TP for L2TP Server"
            destination {
                port 1701
            }
            log enable
            protocol udp
        }
        rule 60 {
            action accept
            description "Allow ESP for L2TP Server"
            log enable
            protocol esp
        }
        rule 70 {
            action accept
            description "Allow NAT-T for L2TP Server"
            destination {
                port 4500
            }
            log enable
            protocol udp
        }
        rule 80 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 192.168.99.1/24
        description "Corp LAN"
        duplex auto
        firewall {
            in {
                modify balance
                name Eth0_In
            }
            local {
                name Eth0_Local
            }
        }
        speed auto
        vif 20 {
            address 192.168.20.1/24
            description "VLAN 20"
            firewall {
                in {
                    modify balance
                    name VLAN20_In
                }
                local {
                    name VLAN20_Local
                }
            }
            mtu 1500
        }
        vif 30 {
            address 192.168.30.1/24
            description "VLAN 30"
            firewall {
                in {
                    modify balance
                    name VLAN30_In
                }
                local {
                    name VLAN30_Local
                }
            }
            mtu 1500
        }
        vif 40 {
            address 192.168.40.1/24
            description "VLAN 40"
            firewall {
                in {
                    modify balance
                    name VLAN40_In
                }
                local {
                    name VLAN40_Local
                }
            }
            mtu 1500
        }
        vif 50 {
            address 192.168.50.1/24
            description "VLAN 50"
            firewall {
                in {
                    modify balance
                    name VLAN50_In
                }
                local {
                    name VLAN50_Local
                }
            }
            mtu 1500
        }
    }
    ethernet eth1 {
        address 69.xxx.xxx.xxx/30
        description "Primary WAN"
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
            out {
            }
        }
        speed auto
    }
    ethernet eth2 {
        address dhcp
        description "Secondary WAN"
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    loopback lo {
    }
}
load-balance {
    group G {
        interface eth1 {
            route-test {
                count {
                    failure 3
                    success 3
                }
                initial-delay 60
                interval 10
                type {
                    ping {
                        target 8.8.8.8
                    }
                }
            }
        }
        interface eth2 {
            failover-only
        }
        lb-local enable
        lb-local-metric-change disable
        transition-script /config/scripts/failback.sh
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth0
    rule 1 {
        description "SIP"
        forward-to {
            address 192.168.99.4
        }
        original-port 5060
        protocol tcp_udp
    }
    rule 2 {
        description Allworx
        forward-to {
            address 192.168.99.4
        }
        original-port 2088
        protocol tcp_udp
    }
    rule 3 {
        description Allworx
        forward-to {
            address 192.168.99.4
        }
        original-port 8081
        protocol tcp_udp
    }
    rule 4 {
        description Allworx
        forward-to {
            address 192.168.99.4
        }
        original-port 15000-15511
        protocol tcp_udp
    }
    rule 5 {
        description AuthAnvil
        forward-to {
            address 192.168.99.10
        }
        original-port 80
        protocol tcp_udp
    }
    rule 6 {
        description AuthAnvil
        forward-to {
            address 192.168.99.10
        }
        original-port 8080
        protocol tcp_udp
    }
    rule 7 {
        description AuthAnvil
        forward-to {
            address 192.168.99.10
        }
        original-port 1812
        protocol tcp_udp
    }
    wan-interface eth1
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.99.0/24 {
                default-router 192.168.99.1
                dns-server 192.168.99.10
                dns-server 1.1.1.1
                lease 86400
                start 192.168.99.20 {
                    stop 192.168.99.175
                }
                tftp-server-name 192.168.99.4
                unifi-controller 
            }
        }
        shared-network-name VLAN_20 {
            authoritative disable
            subnet 192.168.20.0/24 {
                default-router 192.168.20.1
                dns-server 192.168.20.1
                lease 86400
                start 192.168.20.25 {
                    stop 192.168.20.250
                }
            }
        }
        shared-network-name VLAN_30 {
            authoritative disable
            subnet 192.168.30.0/24 {
                default-router 192.168.30.1
                dns-server 192.168.30.1
                lease 86400
                start 192.168.30.25 {
                    stop 192.168.30.250
                }
            }
        }
        shared-network-name VLAN_40 {
            authoritative disable
            subnet 192.168.40.0/24 {
                default-router 192.168.40.1
                dns-server 192.168.40.1
                lease 86400
                start 192.168.40.25 {
                    stop 192.168.40.250
                }
            }
        }
        shared-network-name VLAN_50 {
            authoritative disable
            subnet 192.168.50.0/24 {
                default-router 192.168.50.1
                dns-server 192.168.50.1
                lease 86400
                start 192.168.50.25 {
                    stop 192.168.50.250
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth0.20
            listen-on eth0.30
            listen-on eth0.40
            listen-on eth0.50
            listen-on eth0
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 1 {
            description "SIP eth 1"
            disable
            inbound-interface eth1
            inside-address {
                address 192.168.99.4
                port 5060
            }
            log enable
            protocol tcp_udp
            type destination
        }
        rule 2 {
            description "SIP eth 2"
            disable
            inbound-interface eth2
            inside-address {
                address 192.168.99.4
                port 5060
            }
            log enable
            protocol tcp_udp
            type destination
        }
        rule 3 {
            description "2088 eth1"
            disable
            inbound-interface eth1
            inside-address {
                address 192.168.99.4
                port 2088
            }
            log disable
            protocol udp
            type destination
        }
        rule 4 {
            description "8081 eth1"
            disable
            inbound-interface eth1
            inside-address {
                address 192.168.99.4
                port 8081
            }
            log disable
            protocol tcp_udp
            type destination
        }
        rule 5 {
            description "15000-15511 eth1"
            disable
            inbound-interface eth1
            inside-address {
                address 192.168.99.4
                port 15000-15511
            }
            log enable
            protocol tcp_udp
            type destination
        }
        rule 6 {
            description "15000-15511 eth2"
            disable
            inbound-interface eth2
            inside-address {
                address 192.168.99.4
                port 15000-15511
            }
            log enable
            protocol tcp_udp
            type destination
        }
        rule 7 {
            description "Allworx Reach"
            inbound-interface eth0
            inside-address {
                address 192.168.99.4
                port 5060
            }
            log disable
            protocol tcp_udp
            source {
                address 69.xxx.xxx.xxx
                port 5060
            }
            type destination
        }
        rule 5002 {
            description "Masquerade for Primary WAN"
            log disable
            outbound-interface eth1
            protocol all
            source {
                group {
                }
            }
            type masquerade
        }
        rule 5004 {
            description "Masquerade for WAN 2"
            log disable
            outbound-interface eth2
            protocol all
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        connection 
    }
}
system {
    conntrack {
        expect-table-size 4096
        hash-size 4096
        modules {
            sip {
                disable
            }
        }
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    gateway-address 
    host-name 
    login {
        user dakretail {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            level admin
        }
    }
    name-server 1.1.1.1
    name-server 8.8.8.8
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        ipsec-interfaces {
            interface eth1
        }
        nat-networks {
            allowed-network 0.0.0.0/0 {
            }
        }
        nat-traversal enable
    }
    l2tp {
        remote-access {
            authentication {
                mode radius
                radius-server 192.168.99.15 {
                    key ****************
                }
            }
            client-ip-pool {
                start 192.168.99.246
                stop 192.168.99.249
            }
            dns-servers {
                server-1 192.168.99.1
            }
            idle 1800
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                ike-lifetime 3600
                lifetime 3600
            }
            mtu 1492
            outside-address 0.0.0.0
        }
    }
    pptp {
        remote-access {
            authentication {
                mode radius
                radius-server 192.168.99.10 {
                    key ****************
                }
                radius-server 192.168.99.200 {
                    key ****************
                }
            }
            client-ip-pool {
                start 192.168.99.240
                stop 192.168.99.245
            }
            dns-servers {
                server-1 192.168.99.1
            }
            mtu 1492
            outside-address 0.0.0.0
        }
    }
}

All Replies
SuperUser

Re: Pulling my HAIR(pin) out!!

Try, on the fly

configure
set firewall group address-group MY_HOSTS address 192.168.99.4
set firewall group address-group MY_HOSTS address 192.168.99.10
set firewall name Eth0_In rule 20 action accept 
set firewall name Eth0_In rule 20 destination group address-group MY_HOSTS
commit;save

Cheers,

jonatha

Regular Member

Re: Pulling my HAIR(pin) out!!

You could as well add a local dns entry that points your public domain to the local IP. This way every device on your local network asking the DNS for "my.own.ddns" will get the local IP of your server instead of the public IP address.
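What that looks like on the EdgeRouter itself, as an added example by the editor and not something from the reply above: EdgeOS can pin a name to an address with `system static-host-mapping`, and the `service dns forwarding` instance that the posted config already has listening on eth0 and the four VLAN sub-interfaces answers those names from the router's hosts file before forwarding anything upstream. The host names are placeholders; the thread never gives the real DDNS name.

```text
configure
# Assumed names: the thread never shows the real DDNS host names.
# One name per forwarded host, because a name resolves to one address.
set system static-host-mapping host-name pbx.example.com inet 192.168.99.4
set system static-host-mapping host-name auth.example.com inet 192.168.99.10
commit
save
# Check from a VLAN client that uses the router as resolver:
#   nslookup pbx.example.com 192.168.20.1   -> 192.168.99.4
```

Two caveats the posted config raises. First, as noted further down in the thread, one name can only resolve to one host, so a separate name is needed per forwarded service. Second, only the VLAN scopes hand out the router as resolver; the eth0 scope gives clients 192.168.99.10 and 1.1.1.1, so eth0 clients never ask the router and the override would have to live on 192.168.99.10 instead, with 1.1.1.1 removed as a fallback there, because a client that fails over to it gets the public address back and is on the hairpin path again. It also only helps if the app is configured with the name rather than the WAN IP literal.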

SuperUser

Re: Pulling my HAIR(pin) out!!

Yes, but in that case, you have to choose if "my.own.ddns" is resolved to 192.168.99.4 or 192.168.99.10.
Cheers,
jonatha

Regular Member

Re: Pulling my HAIR(pin) out!!

So I tried the 

configure
set firewall group address-group MY_HOSTS address 192.168.99.4
set firewall group address-group MY_HOSTS address 192.168.99.10
set firewall name Eth0_In rule 20 action accept 
set firewall name Eth0_In rule 20 destination group address-group MY_HOSTS
commit;save

and that didn't work. Technically the IP I need to get to is the 99.4. That is my PBX and when I'm trying to set up the softphone type app and point it to my WAN IP I get unable to connect. If I put in 99.4 it works fine.

With those rules there, when I try to connect using the app on my phone the counters do increase when I try to connect. But it still fails.

Thoughts??

SuperUser

Re: Pulling my HAIR(pin) out!!

Can you add

configure
set firewall name Eth0_In rule 5 action accept 
set firewall name Eth0_In rule 5 state established enable
set firewall name Eth0_In rule 5 state related enable
commit;save
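Why this rule is the one that makes hairpin work, and a slightly tighter version of the fix, as an added example by the editor rather than anything posted in the thread. On EdgeOS an interface `in` ruleset is evaluated in the forwarding path after the port-forward DNAT has already happened, so a client on eth0 that connects to the WAN address on 5060 shows up in Eth0_In with destination 192.168.99.4, which is inside PRIVATE_NETS and is dropped by rule 40 unless an earlier rule accepts it (that is what the MY_HOSTS rule 20 did, and why the counters started moving). The PBX's reply also enters on eth0 and is un-NATed by conntrack before the firewall sees it, so its destination is the client's own 192.168.99.x address, again inside PRIVATE_NETS; without a stateful accept ahead of rule 40 the reply is dropped and the call setup never completes. The block below keeps the accepted rule 5, adds a drop for invalid state, and narrows rule 20 from `protocol all` to the hosts and ports that are actually forwarded. The group names HAIRPIN_HOSTS and HAIRPIN_PORTS are the editor's; the port list is taken from the posted port-forward rules.

```text
configure
# Replies to flows conntrack already knows (including the de-NATed hairpin
# replies from the PBX) must be accepted before "Drop Other LANs" (rule 40).
set firewall name Eth0_In rule 5 description "Accept established/related"
set firewall name Eth0_In rule 5 action accept
set firewall name Eth0_In rule 5 state established enable
set firewall name Eth0_In rule 5 state related enable
set firewall name Eth0_In rule 6 description "Drop invalid state"
set firewall name Eth0_In rule 6 action drop
set firewall name Eth0_In rule 6 state invalid enable
# Editor's group names. Only the hosts/ports that port-forward actually
# publishes, instead of "protocol all" to every address in the group.
set firewall group address-group HAIRPIN_HOSTS description "Hairpin NAT targets"
set firewall group address-group HAIRPIN_HOSTS address 192.168.99.4
set firewall group address-group HAIRPIN_HOSTS address 192.168.99.10
set firewall group port-group HAIRPIN_PORTS description "Forwarded service ports"
set firewall group port-group HAIRPIN_PORTS port 5060
set firewall group port-group HAIRPIN_PORTS port 2088
set firewall group port-group HAIRPIN_PORTS port 8081
set firewall group port-group HAIRPIN_PORTS port 15000-15511
set firewall group port-group HAIRPIN_PORTS port 80
set firewall group port-group HAIRPIN_PORTS port 8080
set firewall group port-group HAIRPIN_PORTS port 1812
# First packet of a hairpinned connection: post-DNAT destination is the
# forwarded host, so it must be accepted here before rule 40 sees it.
set firewall name Eth0_In rule 20 description "Accept new hairpinned connections"
set firewall name Eth0_In rule 20 action accept
set firewall name Eth0_In rule 20 protocol tcp_udp
set firewall name Eth0_In rule 20 destination group address-group HAIRPIN_HOSTS
set firewall name Eth0_In rule 20 destination group port-group HAIRPIN_PORTS
commit
save
```

After the commit, `show firewall name Eth0_In statistics` should show rule 20 counting the first packet of each hairpinned connection and rule 5 counting the rest, and `sudo iptables -t nat -vnL` shows the hairpin DNAT and SNAT counters moving together. Two things the posted config leaves open: `port-forward lan-interface eth0` is the only hairpin source, so clients on the VLAN sub-interfaces are not hairpinned unless those are added as further `lan-interface` entries, and each VLAN's `in` ruleset would then need the same two rules ahead of its own "Drop Other LANs" rule; and with `auto-firewall enable` every port-forward rule also gets a WAN_IN accept, so the forwards for 80, 8080 and 1812 (RADIUS) to 192.168.99.10 are reachable from the internet, which is worth confirming is intended.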

 

Regular Member

Re: Pulling my HAIR(pin) out!!

Holy crap that did it.  Not sure why I didn't have the rule in there in the first place but THANK YOU!!!!!!