New Member
Posts: 4
Registered: 05-31-2017

Hairpin NAT in JSON config

I had a need for multiple WAN IP addresses on my USG Pro so I followed the write-up here. My primary WAN is 133.144.155.105.

I then had (still have) a problem of not being able to access the server, 10.0.0.3, via external IP 133.144.155.107 from within my network. Externally, the external IP maps perfectly to the internal server.

I followed the article here to set up hairpin NAT in the JSON file. Before following this guide and only using the JSON config from the multiple WAN guide, machines on the local network would get taken to the USG splash page. After following the hairpin NAT guide, internal users no longer get routed to the splash page, but get an ERR_CONNECTION_TIMED_OUT page instead.

Basically all I want is for 133.144.155.107 to point to the 10.0.0.3 server, whether being accessed internally or externally.

Any help is much appreciated. The guys behind the chat function on the controller have been very helpful but every time my network goes down from a JSON mistake, I get disconnected from them and need to queue up again.

Here's my JSON:

{
    "interfaces": {
        "ethernet": {
            "eth2": {
                "address": [
                    "133.144.155.105/29",
                    "133.144.155.107/29",
                    "133.144.155.108/29",
                    "133.144.155.109/29",
                    "133.144.155.105/29"
                ]
            }
        }
    },
    "service": {
        "nat": {
            "rule": {
                "1010": {
                    "description": "Cloud",
                    "destination": {
                        "address": "133.144.155.107",
                        "port": "80,443"
                    },
                    "inbound-interface": "eth2",
                    "inside-address": {
                        "address": "10.0.0.3"
                    },
                    "protocol": "tcp",
                    "type": "destination"
                },
                "1": {
                    "description": "https443",
                    "destination": {
                        "address": "133.144.155.107",
                        "port": "443"
                    },
                    "inbound-interface": "eth2",
                    "inside-address": {
                        "address": "10.0.0.3",
                        "port": "443"
                    },
                    "log": "disable",
                    "protocol": "tcp",
                    "type": "destination"
                },
                "2": {
                    "description": "hairpin443",
                    "destination": {
                        "address": "133.144.155.107",
                        "port": "443"
                    },
                    "inbound-interface": "eth0",
                    "inside-address": {
                        "address": "10.0.0.3",
                        "port": "443"
                    },
                    "protocol": "tcp",
                    "log": "disable",
                    "type": "destination"
                },
                "5011": {
                    "description": "hairpin",
                    "destination": {
                        "address": "10.0.0.3",
                        "port": "443"
                    },
                    "log": "disable",
                    "outbound-interface": "eth0",
                    "protocol": "tcp",
                    "source": {
                        "address": "10.0.0.0/24"
                    },
                    "type": "masquerade"
                }
            }
        }
    },
    "firewall": {
        "name": {
            "WAN_IN": {
                "rule": {
                    "1010": {
                        "action": "accept",
                        "description": "Cloud",
                        "destination": {
                            "address": "10.0.0.3",
                            "port": "80,443"
                        },
                        "protocol": "tcp",
                        "log": "enable"
                    },
                    "21": {
                        "action": "accept",
                        "description": "https",
                        "destination": {
                            "port": "443"
                        },
                        "protocol": "tcp",
                        "log": "disable"
                    }
                }
            }
        }
    }
}
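To see why a hairpin needs both halves (a second DNAT rule keyed on the LAN interface and a masquerade rule for the LAN-to-LAN leg), here is a small packet-walk model of the NAT rules in the config above. It is an added example, not the poster's code and not anything the USG ships; it embeds a copy of the posted rules as constructed sample data and assumes a LAN gateway of 10.0.0.1 on eth0 with 10.0.0.0/24 behind it, which the post does not state. Rule evaluation is simplified to "lowest-numbered matching rule wins in each phase".

```python
import copy
import ipaddress
import json

# Constructed sample: the NAT rules from the posted config (same ids,
# addresses and ports), embedded so the script runs offline.
CONFIG = json.loads("""
{"service": {"nat": {"rule": {
  "1010": {"description": "Cloud",
           "destination": {"address": "133.144.155.107", "port": "80,443"},
           "inbound-interface": "eth2", "inside-address": {"address": "10.0.0.3"},
           "protocol": "tcp", "type": "destination"},
  "1": {"description": "https443",
        "destination": {"address": "133.144.155.107", "port": "443"},
        "inbound-interface": "eth2",
        "inside-address": {"address": "10.0.0.3", "port": "443"},
        "protocol": "tcp", "type": "destination"},
  "2": {"description": "hairpin443",
        "destination": {"address": "133.144.155.107", "port": "443"},
        "inbound-interface": "eth0",
        "inside-address": {"address": "10.0.0.3", "port": "443"},
        "protocol": "tcp", "type": "destination"},
  "5011": {"description": "hairpin",
           "destination": {"address": "10.0.0.3", "port": "443"},
           "outbound-interface": "eth0", "protocol": "tcp",
           "source": {"address": "10.0.0.0/24"}, "type": "masquerade"}
}}}}
""")

# Assumptions the post does not state: the USG's LAN address, and that
# 10.0.0.0/24 sits on eth0 while everything else routes out eth2.
LAN_GATEWAY = "10.0.0.1"
ROUTES = {"10.0.0.0/24": "eth0", "0.0.0.0/0": "eth2"}


def _port_match(spec, port):
    """Match a port spec such as "443" or "80,443"; no spec matches any port."""
    return spec is None or str(port) in {p.strip() for p in spec.split(",")}


def _addr_match(spec, addr):
    """Match a host address or CIDR prefix; no spec matches any address."""
    return spec is None or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _rule_matches(rule, pkt, phase):
    """Phase "in" evaluates destination-NAT rules on the arriving interface,
    phase "out" evaluates masquerade rules on the leaving interface."""
    if phase == "in":
        if rule["type"] != "destination" or rule.get("inbound-interface") != pkt["in_if"]:
            return False
    elif rule["type"] != "masquerade" or rule.get("outbound-interface") != pkt["out_if"]:
        return False
    if rule.get("protocol", "all") not in ("all", pkt["proto"]):
        return False
    dst, src = rule.get("destination", {}), rule.get("source", {})
    return (_addr_match(dst.get("address"), pkt["dst"]) and _port_match(dst.get("port"), pkt["dport"])
            and _addr_match(src.get("address"), pkt["src"]) and _port_match(src.get("port"), pkt["sport"]))


def _egress_if(dst):
    """Longest-prefix lookup in the assumed routing table."""
    addr = ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(p) for p in ROUTES if addr in ipaddress.ip_network(p)]
    return ROUTES[str(max(nets, key=lambda n: n.prefixlen))]


def translate(config, pkt):
    """Walk one packet through ingress DNAT, routing, then egress masquerade.
    Returns the rewritten packet and the ids of the rules that fired, in order."""
    rules = sorted(config["service"]["nat"]["rule"].items(), key=lambda kv: int(kv[0]))
    pkt, fired = dict(pkt), []
    for rid, rule in rules:
        if _rule_matches(rule, pkt, "in"):
            inside = rule["inside-address"]
            pkt["dst"] = inside["address"]
            pkt["dport"] = int(inside.get("port", pkt["dport"]))
            fired.append(rid)
            break
    pkt["out_if"] = _egress_if(pkt["dst"])
    for rid, rule in rules:
        if _rule_matches(rule, pkt, "out"):
            pkt["src"] = LAN_GATEWAY  # masquerade: source becomes the router's address
            fired.append(rid)
            break
    return pkt, fired


def hairpin_status(config, pkt):
    """"not-redirected": no DNAT matched, the server never sees the packet.
    "asymmetric": DNAT sent it back out the interface it arrived on with the
    original source intact, so the server replies to the client directly and
    the router never gets to undo the DNAT; the client sees a SYN-ACK from
    10.0.0.3 for a connection it opened to 133.144.155.107 and the handshake
    hangs. "ok": the reply must pass back through the router."""
    out, _ = translate(config, pkt)
    if out["dst"] == pkt["dst"]:
        return "not-redirected"
    if out["out_if"] == pkt["in_if"] and out["src"] == pkt["src"]:
        return "asymmetric"
    return "ok"


def without_rule(config, rule_id):
    """Copy of the config with one NAT rule removed, for what-if checks."""
    trimmed = copy.deepcopy(config)
    del trimmed["service"]["nat"]["rule"][rule_id]
    return trimmed


if __name__ == "__main__":
    lan = {"src": "10.0.0.50", "sport": 51000, "dst": "133.144.155.107",
           "dport": 443, "proto": "tcp", "in_if": "eth0"}
    print("443 from LAN, with masquerade:   ", hairpin_status(CONFIG, lan))
    print("443 from LAN, without masquerade:", hairpin_status(without_rule(CONFIG, "5011"), lan))
    print("80 from LAN:                     ", hairpin_status(CONFIG, dict(lan, dport=80)))
```

Two things the model makes visible. First, the masquerade rule is what forces the server's reply back through the router, but it also replaces every internal client's address with the gateway's, so the server's own logs can no longer tell internal clients apart; split-brain DNS, as suggested in the reply below, sidesteps both the asymmetry and that loss of source information. Second, the posted hairpin rules (2 and 5011) cover port 443 only, while rule 1010 publishes 80 and 443 on the WAN side, so a LAN client going to the public address on port 80 is not redirected at all.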
Established Member
Posts: 1,069
Registered: 04-07-2013
Kudos: 478
Solutions: 39

Re: Hairpin NAT in JSON config

Why not use split-brain DNS instead of NAT hairpinning?

So do this:

Internal DNS: server.yourdomain.com --> 10.0.0.3

External DNS: server.yourdomain.com --> 133.144.155.107

In my experience, NAT hairpinning should be avoided if possible.

New Member
Posts: 4
Registered: 05-31-2017

Re: Hairpin NAT in JSON config

As a pretty basic-level Unifi user, I'm struggling to figure out exactly where the split-brain DNS is set up.

I actually just set up a Windows Server for Active Directory and a DNS server. Currently, though, I believe everything on the network is still using the USG for DNS.
