Regular Member
Posts: 351
Registered: ‎12-18-2016
Kudos: 35
Solutions: 12
Accepted Solution

"NAT Loopback" with NAT

I use Destination NAT and dyndns.org. From outside I can reach at https:// the ER-X, at http:// the HTTP- and at ftp:// the FTP-Server.

From inside https:// and http:// brings me to the ER-X and ftp:// stalls.

 

The activation of hairpin NAT as part of Port Forwarding does not help.

  

Is it possible to activate "NAT Loopback" with a NAT setup?

 

    nat {
        rule 1 {
            description "FTP Server"
            destination {
                port 21
            }
            inbound-interface pppoe0
            inside-address {
                address 10.10.0.21
                port 21
            }
            log disable
            protocol tcp
            type destination
        }
        rule 2 {
            description "HTTP Server"
            destination {
                port 80
            }
            inbound-interface pppoe0
            inside-address {
                address 10.10.0.21
                port 80
            }
            log disable
            protocol tcp
            type destination
        }

 

    port-forward {
        auto-firewall enable
        hairpin-nat enable
        lan-interface switch0
        wan-interface pppoe0
    }

All Replies
Established Member
Posts: 877
Registered: ‎09-24-2017
Kudos: 174
Solutions: 71

Re: "NAT Loopback" with NAT

[ Edited ]

Try using the port forward wizard. It seems that you've kinda mixed the port forwarding with DNAT rules... use just one.

 

To do this, start by removing the NAT rules you've configured so far.

 

Then, use the port forwarding wizard to define the rules (ports 21 and 80 to your server). Enable both Hairpin NAT and Auto Firewall. Make sure the interfaces are specified properly (i.e. WAN is pppoe0 and LAN is switch0 unless you've got your server on either a uniquely configured port or a VLAN on the switch -- if you have questions about this part, post your complete sanitized config).

 

Regular Member
Posts: 351
Registered: ‎12-18-2016
Kudos: 35
Solutions: 12

Re: "NAT Loopback" with NAT

Thanks, but I will use Destination NAT and look for a loopback solution for this NAT setup.

The five Port Forwarding lines were only a test, but it does not help.

SuperUser
Posts: 7,495
Registered: ‎01-05-2012
Kudos: 1976
Solutions: 981

Re: "NAT Loopback" with NAT

[ Edited ]

Actually, if you don't set any rule in the port-forward tab, it won't work. Currently, from outside, you are reaching services thanks to your DNAT rules.

Cheers,

jonatha

Edit..

Writing rules via cli (assuming the network on switch0 is 10.10.0.0/24), something like

    configure
    set service nat rule 5 type destination
    set service nat rule 5 destination group address-group ADDRv4_pppoe0
    set service nat rule 5 source address 10.10.0.0/24
    set service nat rule 5 protocol tcp
    set service nat rule 5 destination port 21,80
    set service nat rule 5 inbound-interface switch0
    set service nat rule 5 inside-address address 10.10.0.21
    set service nat rule 5030 type masquerade
    set service nat rule 5030 source address 10.10.0.0/24
    set service nat rule 5030 destination address 10.10.0.21
    set service nat rule 5030 destination port 21,80
    set service nat rule 5030 outbound-interface switch0
    commit;save

 Edit 2... correction

Regular Member
Posts: 351
Registered: ‎12-18-2016
Kudos: 35
Solutions: 12

Re: "NAT Loopback" with NAT

Really? I do not understand the Edgemax split in Port Forwarding and NAT.

In all other routers I have used this is one thing, including Loopback and Port change.

SuperUser
Posts: 7,495
Registered: ‎01-05-2012
Kudos: 1976
Solutions: 981

Re: "NAT Loopback" with NAT

Here

[Attached image: PF.JPG]

 

Regular Member
Posts: 351
Registered: ‎12-18-2016
Kudos: 35
Solutions: 12

Re: "NAT Loopback" with NAT

Thanks Jonatha, I will test the service nat rules tomorrow. 

New Member
Posts: 1
Registered: ‎02-24-2018

Re: "NAT Loopback" with NAT

[ Edited ]

My experience. I just bought an ER-X SFP yesterday. I think loopback or "hairpin" NAT was not as obvious to configure as it usually has been on other routers. All services are working from the internet and all but http from the LAN. Port 80 will always redirect to the router GUI. It seems buggy to me, since all the other services are ok.

 

Edit: working now. For some reason browsers were redirecting/forcing 443/https, which I did not forward.

 

And about that GUI. The "auto firewall" setting has probably made some rules, but I sure can't see them. In Port Forwarding settings the "LAN interface" setting seems not to be where you are redirecting but where the traffic originates since it works with "switch0", not with my other LAN ("DMZ") which is where the server actually is. This seems buggy, too.

 

Member
Posts: 124
Registered: ‎03-24-2017
Kudos: 38
Solutions: 11

Re: "NAT Loopback" with NAT

Just because an Edgerouter doesn't work like a dlink or tp-link router doesn't mean it's buggy.

You can do much more with an Edgerouter than with the usual SOHO router once you learn how to correctly configure them.

 

Regular Member
Posts: 351
Registered: ‎12-18-2016
Kudos: 35
Solutions: 12

Re: "NAT Loopback" with NAT

@redfive

Thanks Jonatha, your CLI works great.

 

I had to add one more line because commit told me "tcp" or "udp" but not "":

 

    set service nat rule 5030 protocol tcp
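
Why the rule set above needs both rule 5 (destination NAT) and rule 5030 (masquerade), shown as an added Python model that is not part of any post in this thread. Only 10.10.0.0/24, 10.10.0.21 and ports 21,80 come from the thread; the WAN address, the router LAN address and the client address are constructed, and source-port rewriting is left out.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses (assumptions): WAN_IP, ROUTER_LAN and CLIENT are not from the thread.
WAN_IP, ROUTER_LAN, SERVER, CLIENT = "203.0.113.10", "10.10.0.1", "10.10.0.21", "10.10.0.50"
LAN = ip_network("10.10.0.0/24")
PORTS = {21, 80}

# A packet is modelled as (src_ip, src_port, dst_ip, dst_port).

def router_forward(pkt, masquerade):
    """Model rule 5 (DNAT) and, optionally, rule 5030 (masquerade) for a LAN packet.
    Returns the translated packet and the state needed to undo the translation."""
    src, sport, dst, dport = pkt
    if not (ip_address(src) in LAN and dst == WAN_IP and dport in PORTS):
        return pkt, None                      # no rule matches: packet stays addressed to the router
    new_src = ROUTER_LAN if masquerade else src          # rule 5030 rewrites the source
    out = (new_src, sport, SERVER, dport)                # rule 5 rewrites the destination
    return out, {"reply_to": (new_src, sport), "restore": (WAN_IP, dport, src, sport)}

def server_reply(pkt):
    """The server answers whatever source address it saw."""
    src, sport, dst, dport = pkt
    return (dst, dport, src, sport)

def deliver(reply, entry):
    """A reply addressed to the router is un-NATed; a reply addressed to a host on
    the same subnet crosses the switch directly and is never translated back."""
    _, _, dst, dport = reply
    if entry and dst == ROUTER_LAN and entry["reply_to"] == (dst, dport):
        return entry["restore"]
    return reply

def client_accepts(reply, original):
    """The client only accepts a reply from the address and port it connected to."""
    src, sport, dst, dport = original
    return reply == (dst, dport, src, sport)

def hairpin(masquerade, port=80):
    """Run one LAN client connection to the WAN address through the model."""
    syn = (CLIENT, 40000, WAN_IP, port)
    fwd, entry = router_forward(syn, masquerade)
    reply = deliver(server_reply(fwd), entry)
    return {"server_sees": fwd[0], "reply_from": reply[0],
            "connects": client_accepts(reply, syn)}

if __name__ == "__main__":
    print("DNAT only       :", hairpin(masquerade=False))
    print("DNAT+masquerade :", hairpin(masquerade=True))
```

With rule 5030 in place the server sees every LAN client as the router's LAN address, so its access logs no longer distinguish internal clients. A port outside 21,80 (such as 443) matches neither rule and stays addressed to the router itself.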
