Established Member

USG and NAT/hairpin/Loopback?


I have a USG. When I am behind the USG I can't connect to internal devices using their external port-mapping address, e.g. https://some.domain.com:port

 

On consumer routers this is usually solved by enabling CTF (cut-through forwarding).

-- edit: it seems CTF is only partially related; what is key is NAT Loopback. Changing the title to reflect this.

 

Does anyone know if this is normal USG behaviour?

If so does the USG have a CTF setting?

 

alex

 

-- edit: post title changed.

Since posting I have discovered something called hairpin that I think is supposed to solve this. It seems to be enabled. Any suggestions, as it is not working?

I am not an expert and don't play one on TV.
Don't forget RTFM https://www.ubnt.com/downloads/guides/UniFi/UniFi_Controller_V5_UG.pdf it really is impressive documentation.
Regular Member

Re: USG and CTF/hairpin/Loopback?

The USG is supposed to support hairpin.

 

https://community.ubnt.com/t5/UniFi-Routing-Switching/Hairpin-in-USG/m-p/1258326#M4396

 

Maybe you need to activate UPnP/NAT-PMP via the config.properties file.


Victor Bottacco
 Apple Consultant

Established Member

Re: USG and CTF/hairpin/Loopback?


It does for manual. Not for UPnP, it seems. This is an issue on the EdgeMAX too; I can dig out the threads going back a year or two if you like.

 

This is the thread. I also opened a support ticket on it and put a suggestion in the feature voting section.

 

http://community.ubnt.com/t5/EdgeMAX/Is-Hairpin-not-supported-under-upnp/m-p/1582852#M113119

Regular Member

Re: USG and CTF/hairpin/Loopback?

I didn't realize that it didn't work for UPnP, because in my case I have configured a BIND DNS server with views, so it translates to different IPs depending on where you query it from. This way I don't have the problem of changing the URL.

 

@scyto, if you post here the URL to the voting section of your suggestion we can vote it.



Established Member

Re: USG and CTF/hairpin/Loopback?


Sure, here it is.

http://community.ubnt.com/t5/UniFi-Routing-Switching-Feature/USG-Support-for-Cut-Through-Forwarding-...

Regular Member

Re: USG and CTF/hairpin/Loopback?

scyto, when I click on the URL I get a page from the forums with an error of invalid arguments. Can you post the full text of the URL so I can copy and paste it?

 

Thx



Established Member

Re: USG and CTF/hairpin/Loopback?


Can you try the link in the post above again? I think it's fixed (works from my browser). I guess that serves me right for trying to edit posts on an iPad.

This is the thread I piled on in EdgeMAX: https://community.ubnt.com/t5/EdgeMAX/Is-Hairpin-not-supported-under-upnp/m-p/1561037/highlight/fals... The reply from support was the normal and unsatisfying:

"Thanks for your response. If the developers consider the new feature then they will change the status of the thread on the community. Unfortunately, we don't have an ETA for the same. If you have any other questions, please let us know!"
Regular Member

Re: USG and CTF/hairpin/Loopback?

Now it worked. I have just voted… and I hope many others do too.



Established Member

Re: USG and CTF/hairpin/Loopback?

Seems I was wrong about CTF being a key part of this, though the CTF fixes in the Asus Merlin firmware are NAT Loopback related.

 

It seems Merlin put significant effort into his advanced NAT Loopback, with modifications to iptables. It would be sweet if UBNT could learn from that implementation.

New Member

Re: USG and CTF/hairpin/Loopback?

Please forgive me for resurrecting an old thread, and if I misunderstand your issue. It seems to me that the easiest solution is DNS rewrite AKA DNS doctoring. This functionality has been standard for decades on devices performing NAT. Can the USG not do DNS rewrite?

 

Though I've been a network engineer for over 30 years, I'm new to the USG game, and I'm trying to figure out how its NAT is configured and how it works. Me speakee Cisco real good, UBNT-ese not so much. I've been preparing for over a year to replace a Cisco ASA with a USG-4P (the last piece of my network that isn't UniFi), but I'm not getting anywhere fast. That's been okay so far, but the urgency for the USG's greater horsepower and second WAN port is growing. It was in this quest that I stumbled across this thread.
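The DNS rewrite (split-horizon, "DNS doctoring") approach the two posts above describe, written out as an added example in EdgeOS/USG configuration syntax. This is not configuration from anyone in the thread; it assumes eth1 is the LAN, the router is 192.168.1.1, the internal web server is 192.168.1.110, some.domain.com is the public name, and 1.1.1.1 is a placeholder upstream resolver. The rewrite is done with dnsmasq's `address=` option, which the EdgeOS `service dns forwarding options` node passes through.

```edgeos
configure

# Assumed topology (not from the thread): eth1 = LAN 192.168.1.0/24,
# router 192.168.1.1, internal web server 192.168.1.110, public name
# some.domain.com pointing at the WAN IP on the Internet.

# Run the router's forwarder on the LAN side and answer some.domain.com
# with the inside address for any client that asks the router.
set service dns forwarding listen-on eth1
set service dns forwarding cache-size 150
set service dns forwarding name-server 1.1.1.1
set service dns forwarding options "address=/some.domain.com/192.168.1.110"

# Hand the router out as resolver so LAN clients actually use it.
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 dns-server 192.168.1.1

commit
save
```

Two caveats worth checking before relying on this. It only helps clients that resolve through the router; a host with a hard-coded public resolver or DNS-over-HTTPS still gets the WAN address and still needs hairpin NAT. And it only works when the inside service listens on the same port the URL carries, since DNS changes the address but not the port. Its advantage over typing the internal IP is that the hostname stays the same, so an HTTPS certificate issued for some.domain.com keeps validating. On a USG the controller regenerates the DNS forwarding section on each provision, so these lines belong in config.gateway.json rather than being typed at the CLI.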

Member

Re: USG and CTF/hairpin/Loopback?

Me speakee RouterOS pretty good but struggling with USG-ese as well with respect to hairpin NAT. Not finding a lot of help either

Ubiquiti Employee

Re: USG and CTF/hairpin/Loopback?


@OPAdmin wrote:

Me speakee RouterOS pretty good but struggling with USG-ese as well with respect to hairpin NAT. Not finding a lot of help either


Not much to it. It's done by default for port forwards, and can't be disabled for USG. Hairpin isn't currently supported with UPnP for USG or EdgeRouter. 

Member

Re: USG and CTF/hairpin/Loopback?

So where am I going wrong with this? In RouterOS (MikroTik RB750UP):

/ip firewall filter
add chain=input dst-address=192.168.1.110 dst-port=802 protocol=tcp src-address=192.168.10.0/24
add chain=input dst-address=192.168.1.110 dst-port=803 protocol=tcp src-address=192.168.20.0/24
add chain=input dst-address=192.168.1.110 dst-port=804 protocol=tcp src-address=192.168.30.0/24
add action=drop chain=input dst-address=192.168.1.0/24 src-address=192.168.10.0/24
add action=drop chain=input dst-address=192.168.1.0/24 src-address=192.168.20.0/24
add action=drop chain=input dst-address=192.168.1.0/24 src-address=192.168.30.0/24

/ip firewall nat
add action=masquerade chain=srcnat out-interface=OranaNet_Bridge
add action=netmap chain=dstnat dst-address=138.128.191.146 in-interface=OranaNet_Bridge protocol=tcp to-addresses=192.168.1.110 to-ports=802
add action=netmap chain=dstnat dst-address=138.128.191.146 in-interface=OranaWiFi_Bridge protocol=tcp to-addresses=192.168.1.110 to-ports=802
add action=netmap chain=dstnat dst-address=138.128.191.146 in-interface=SchoolWiFi1_Bridge protocol=tcp to-addresses=192.168.1.110 to-ports=803
add action=netmap chain=dstnat dst-address=138.128.191.146 in-interface=SchoolWiFi2_Bridge protocol=tcp to-addresses=192.168.1.110 to-ports=804

 

 

And in USG-ese (EdgeOS) I've written:

configure
set service nat rule 2000 description "LAN to Webserver"
set service nat rule 2000 inbound-interface eth1
set service nat rule 2000 destination address 138.128.191.146
set service nat rule 2000 source address 192.168.1.0/24
set service nat rule 2000 inside-address address 192.168.1.110
set service nat rule 2000 inside-address port 802
set service nat rule 2000 log disable
set service nat rule 2000 protocol tcp
set service nat rule 2000 type destination

set service nat rule 2001 description "OranaWiFi to Webserver"
set service nat rule 2001 inbound-interface eth1
set service nat rule 2001 destination address 138.128.191.146
set service nat rule 2001 source address 192.168.10.0/24
set service nat rule 2001 inside-address address 192.168.1.110
set service nat rule 2001 inside-address port 802
set service nat rule 2001 log disable
set service nat rule 2001 protocol tcp
set service nat rule 2001 type destination

set service nat rule 2002 description "SchoolWiFi1 to Webserver"
set service nat rule 2002 inbound-interface eth1
set service nat rule 2002 destination address 138.128.191.146
set service nat rule 2002 source address 192.168.20.0/24
set service nat rule 2002 inside-address address 192.168.1.110
set service nat rule 2002 inside-address port 803
set service nat rule 2002 log disable
set service nat rule 2002 protocol tcp
set service nat rule 2002 type destination

set service nat rule 2003 description "SchoolWiFi2 to Webserver"
set service nat rule 2003 inbound-interface eth1
set service nat rule 2003 destination address 138.128.191.146
set service nat rule 2003 source address 192.168.30.0/24
set service nat rule 2003 inside-address address 192.168.1.110
set service nat rule 2003 inside-address port 804
set service nat rule 2003 log disable
set service nat rule 2003 protocol tcp
set service nat rule 2003 type destination

set service nat rule 5004 description "Masquerade NAT"
set service nat rule 5004 outbound-interface eth0
set service nat rule 5004 type masquerade

commit
save

 

In the firewall GUI for the USG, under LAN_IN, I've entered accept from the VLAN to destination 192.168.1.110 and reject otherwise.
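For comparison, here is what a manual hairpin (NAT loopback) configuration looks like in EdgeOS syntax, added here as an example rather than taken from anyone's post. It assumes eth0 is the WAN carrying 138.128.191.146, eth1 is the LAN 192.168.1.0/24, eth1.20 is a VLAN sub-interface carrying 192.168.20.0/24, and the web server is 192.168.1.110; the rule numbers are arbitrary. The point it shows is that a hairpin needs two translations when client and server share a subnet: the DNAT that rewrites the WAN address to the inside address, and an SNAT on the LAN side so the server's reply goes back through the router instead of straight to the client with an unexpected source address.

```edgeos
configure

# Assumed topology (not from the thread): eth0 = WAN 138.128.191.146,
# eth1 = LAN 192.168.1.0/24, eth1.20 = VLAN 192.168.20.0/24,
# web server 192.168.1.110. Destination rules must be numbered below
# 5000, source/masquerade rules 5000 or above.

# 1. Normal Internet-facing port forward.
set service nat rule 1000 description "WAN -> webserver"
set service nat rule 1000 type destination
set service nat rule 1000 inbound-interface eth0
set service nat rule 1000 protocol tcp
set service nat rule 1000 destination address 138.128.191.146
set service nat rule 1000 destination port 802
set service nat rule 1000 inside-address address 192.168.1.110
set service nat rule 1000 inside-address port 802

# 2. Hairpin DNAT: the same translation for LAN clients that address
#    the WAN IP. Matching on the port keeps other TCP traffic to the
#    router's own WAN address untouched.
set service nat rule 2000 description "Hairpin DNAT LAN -> webserver"
set service nat rule 2000 type destination
set service nat rule 2000 inbound-interface eth1
set service nat rule 2000 protocol tcp
set service nat rule 2000 destination address 138.128.191.146
set service nat rule 2000 destination port 802
set service nat rule 2000 inside-address address 192.168.1.110
set service nat rule 2000 inside-address port 802

# 3. Hairpin SNAT, needed only when client and server are on the same
#    subnet: without it the server answers the client directly from
#    192.168.1.110, the client expected 138.128.191.146, and the TCP
#    handshake never completes. Scoped to this one flow so nothing else
#    loses its real source address.
set service nat rule 5000 description "Hairpin SNAT same-subnet"
set service nat rule 5000 type masquerade
set service nat rule 5000 outbound-interface eth1
set service nat rule 5000 protocol tcp
set service nat rule 5000 source address 192.168.1.0/24
set service nat rule 5000 destination address 192.168.1.110
set service nat rule 5000 destination port 802

# 4. Clients in another VLAN already route through the router in both
#    directions, so they need only the DNAT (sent to port 803 here, as
#    the post above does for 192.168.20.0/24).
set service nat rule 2001 description "Hairpin DNAT VLAN20 -> webserver"
set service nat rule 2001 type destination
set service nat rule 2001 inbound-interface eth1.20
set service nat rule 2001 protocol tcp
set service nat rule 2001 destination address 138.128.191.146
set service nat rule 2001 destination port 802
set service nat rule 2001 inside-address address 192.168.1.110
set service nat rule 2001 inside-address port 803

# 5. Ordinary outbound masquerade on the WAN.
set service nat rule 5004 description "Masquerade NAT"
set service nat rule 5004 type masquerade
set service nat rule 5004 outbound-interface eth0

commit
save
```

Two things to keep in mind. The same-subnet SNAT means the web server logs the router's LAN address instead of the real client, which is why the rule is restricted to that one destination and port rather than to the whole LAN. And on a USG the controller overwrites CLI changes on every provision: a Port Forward entry created in the controller is meant to generate the equivalent rules itself, and anything custom has to go into config.gateway.json. As the thread notes, mappings opened by UPnP get no hairpin on either platform.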

Ubiquiti Employee

Re: USG and CTF/hairpin/Loopback?

You don't need to do any DNAT for that purpose, just go to Devices in the controller, click the USG, go to its properties panel, Configuration tab. Expand Port Forward there, and add accordingly. 

Member

Re: USG and CTF/hairpin/Loopback?

There is no option for destination address - only port - and it shows error if I enter the address "138.128.191.146" of course. How do you mean to enter this?

(attachment: Clipboard01.jpg)
Member

Re: USG and CTF/hairpin/Loopback?

So, in Boolean terms:

if (source=LAN and destination=138.128.191.146) then redirect to 192.168.1.110:802

if (source=VLAN2 and destination=138.128.191.146) then redirect to 192.168.1.110:802

if (source=VLAN3 and destination=138.128.191.146) then redirect to 192.168.1.110:803

if (source=VLAN4 and destination=138.128.191.146) then redirect to 192.168.1.110:804

Member

Re: USG and CTF/hairpin/Loopback?


So after trying the USG GUI config repeatedly, it seems to me that this interface (as it is called) is for PORT forwarding and not DESTINATION forwarding. Or can you show me what I'm missing here?

Member

Re: USG and CTF/hairpin/Loopback?

@UBNT-cmb I would love you to show me where and how this can be achieved through Port Forwarding, or otherwise!!!!!

Ubiquiti Employee

Re: USG and CTF/hairpin/Loopback?

I presume that .146 is your WAN IP, in which case it's just automatic. The Port box isn't for IPs, it's the external port that's being forwarded. 
