EdgeRouter - Hairpin NAT
Overview
Readers will learn how to configure Hairpin NAT (Network Address Translation) so that LAN clients can reach an internal server through the EdgeRouter's public IP address when Destination NAT is used for the port forward.
Frequently Asked Questions (FAQ)
1. Do I need to manually configure Hairpin NAT when using Port Forwarding?
No, the Port Forwarding wizard includes a checkbox that will automatically configure Hairpin NAT.
2. Do I need to manually configure Hairpin NAT when using Destination NAT?
Yes, see the steps below.
Configuring Hairpin and Destination NAT
Hairpin NAT (also called NAT loopback) allows the internal clients (192.168.1.0/24) to reach the UNMS server (192.168.1.10) using the public IP address assigned to the EdgeRouter's WAN interface (203.0.113.1). Without it, a LAN client connecting to 203.0.113.1:443 is translated to the server but the server's reply goes straight back across the LAN, so the client never sees a response from the address it connected to.
Follow the steps below to add the Destination NAT and firewall rules to the EdgeRouter:
1. Add a Destination NAT rule for TCP port 443, with eth0 (WAN) set as the Inbound Interface.
Firewall / NAT > NAT > +Add Destination NAT Rule
Description: https443
Inbound Interface: eth0
Translation Address: 192.168.1.10
Translation Port: 443
Protocol: TCP
Destination Address: 203.0.113.1
Destination Port: 443
2. Add a firewall rule that allows the HTTPS traffic from the WAN to reach the UNMS server. Destination NAT is applied before the firewall, so the WAN_IN rule must match the translated address (192.168.1.10), not the public address. Keep the rule scoped to the single host and port rather than accepting all inbound traffic.
Firewall/NAT > Firewall Policies > WAN_IN > Actions > Edit Ruleset > Add New Rule
Description: https
Action: Accept
Protocol: TCP
Destination > Port: 443
Destination > Address: 192.168.1.10
The hairpin itself requires two rules: a second Destination NAT rule for traffic arriving on the LAN interface, and a Source NAT (masquerade) rule so that the server's replies return through the EdgeRouter instead of going directly to the client.
3. Add the first Hairpin NAT rule using Destination NAT with eth1 (LAN) set as the Inbound Interface.
Firewall / NAT > NAT > +Add Destination NAT Rule
Description: hairpin443
Inbound Interface: eth1
Translation Address: 192.168.1.10
Translation Port: 443
Protocol: TCP
Destination Address: 203.0.113.1
Destination Port: 443
This rule matches traffic from the LAN destined to 203.0.113.1:443 and translates it to 192.168.1.10:443.
4. Add the second Hairpin NAT rule using Source NAT with eth1 (LAN) set as the Outbound Interface.
Firewall / NAT > NAT > +Add Source NAT Rule
Description: hairpin
Outbound Interface: eth1
Translation: Use Masquerade
Protocol: TCP
Source Address: 192.168.1.0/24
Destination Address: 192.168.1.10
Destination Port: 443
This rule rewrites the source of hairpinned connections to the EdgeRouter's eth1 address, so the UNMS server replies to the router, which reverses both translations before handing the reply back to the client. Two consequences are worth noting. First, the server sees every hairpinned connection as coming from the EdgeRouter rather than from the real LAN client, so the server's own access logs will not identify internal clients; the EdgeRouter's NAT and connection-tracking tables are where the original source address is recorded. Second, hairpinned traffic enters and leaves on eth1, so it is never inspected by the WAN_IN ruleset; if a LAN_IN ruleset is assigned to eth1, that is the one that applies to it.
The above configuration can also be set using the CLI. Note that EdgeOS reserves rule numbers 1-4999 for Destination NAT and 5000-9999 for Source NAT, which is why the masquerade rule below is numbered 5000:
configure
set firewall name WAN_IN rule 30 action accept
set firewall name WAN_IN rule 30 description https
set firewall name WAN_IN rule 30 destination port 443
set firewall name WAN_IN rule 30 destination address 192.168.1.10
set firewall name WAN_IN rule 30 log disable
set firewall name WAN_IN rule 30 protocol tcp
set service nat rule 1 description https443
set service nat rule 1 destination address 203.0.113.1
set service nat rule 1 destination port 443
set service nat rule 1 inbound-interface eth0
set service nat rule 1 inside-address address 192.168.1.10
set service nat rule 1 inside-address port 443
set service nat rule 1 log disable
set service nat rule 1 protocol tcp
set service nat rule 1 type destination
set service nat rule 2 description hairpin443
set service nat rule 2 destination address 203.0.113.1
set service nat rule 2 destination port 443
set service nat rule 2 inbound-interface eth1
set service nat rule 2 inside-address address 192.168.1.10
set service nat rule 2 inside-address port 443
set service nat rule 2 log disable
set service nat rule 2 protocol tcp
set service nat rule 2 type destination
set service nat rule 5000 description hairpin
set service nat rule 5000 destination address 192.168.1.10
set service nat rule 5000 destination port 443
set service nat rule 5000 log disable
set service nat rule 5000 outbound-interface eth1
set service nat rule 5000 protocol tcp
set service nat rule 5000 source address 192.168.1.0/24
set service nat rule 5000 type masquerade
commit ; save
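To make the reason for step 4 concrete, the following Python model walks a single TCP connection through the three NAT rules above and shows what the server sees and what the client gets back, with and without the masquerade rule, and for a client on the WAN as well as on the LAN. It is an added example written for this article, not EdgeOS code; the addresses are the ones used in the article, and the EdgeRouter's eth1 address (192.168.1.1) and the client addresses and ports are assumed.

```python
"""Model of how the EdgeRouter's DNAT and hairpin SNAT rewrite one connection.

Added example, not EdgeOS code. Public and server addresses come from the
article; the router's LAN address and the client addresses are assumptions.
"""
import ipaddress
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.1"            # EdgeRouter eth0 (WAN) address (article)
ROUTER_LAN_IP = "192.168.1.1"        # EdgeRouter eth1 (LAN) address (assumed)
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
SERVER_IP, SERVER_PORT = "192.168.1.10", 443   # UNMS server (article)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def in_lan(ip: str) -> bool:
    return ipaddress.ip_address(ip) in LAN_NET


def dnat(pkt: Packet, in_iface: str) -> Packet:
    """NAT rules 1 (eth0) and 2 (eth1): public IP:443 -> server:443."""
    if in_iface in ("eth0", "eth1") and (pkt.dst, pkt.dport) == (PUBLIC_IP, 443):
        return replace(pkt, dst=SERVER_IP, dport=SERVER_PORT)
    return pkt


def snat(pkt: Packet, out_iface: str, masquerade: bool) -> Packet:
    """NAT rule 5000: masquerade LAN sources going out eth1 to server:443."""
    if (masquerade and out_iface == "eth1" and in_lan(pkt.src)
            and (pkt.dst, pkt.dport) == (SERVER_IP, SERVER_PORT)):
        return replace(pkt, src=ROUTER_LAN_IP)
    return pkt


def route(dst: str) -> str:
    """Directly connected LAN prefix out eth1, everything else out eth0."""
    return "eth1" if in_lan(dst) else "eth0"


def connect(client_ip: str, client_port: int, in_iface: str,
            masquerade: bool = True) -> dict:
    """Trace client -> 203.0.113.1:443 and the server's reply back."""
    original = Packet(client_ip, client_port, PUBLIC_IP, 443)
    after_dnat = dnat(original, in_iface)              # PREROUTING
    out_iface = route(after_dnat.dst)
    at_server = snat(after_dnat, out_iface, masquerade)  # POSTROUTING

    # The server answers whatever source address it saw.
    reply = Packet(at_server.dst, at_server.dport, at_server.src, at_server.sport)

    if in_lan(reply.dst) and reply.dst != ROUTER_LAN_IP:
        # Reply is to a host on the server's own subnet: it is delivered
        # across the LAN switch and the router never sees it, so nothing
        # reverses the DNAT.
        at_client = reply
    else:
        # Reply comes back to the router (it is the masqueraded source, or the
        # default gateway for a WAN client); conntrack undoes both translations.
        at_client = Packet(original.dst, original.dport, original.src, original.sport)

    # The client's TCP stack only matches the reply if it comes from the
    # 4-tuple it connected to.
    accepted = (at_client.src, at_client.sport) == (original.dst, original.dport)
    return {"server_sees": at_server, "client_receives": at_client,
            "accepted": accepted}


if __name__ == "__main__":
    for label, args in [
        ("LAN client, hairpin SNAT on ", ("192.168.1.50", 40000, "eth1", True)),
        ("LAN client, hairpin SNAT off", ("192.168.1.50", 40000, "eth1", False)),
        ("WAN client                  ", ("198.51.100.7", 51000, "eth0", True)),
    ]:
        r = connect(*args)
        print(label, "| server sees src", r["server_sees"].src,
              "| client gets reply from", r["client_receives"].src,
              "| accepted:", r["accepted"])
```

The third case shows why the masquerade rule is scoped to source 192.168.1.0/24 rather than applied to all traffic to the server: a WAN client's real address still reaches the server, so only hairpinned LAN connections lose their source address in the server's logs.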
Related Articles
Intro to Networking - How to Establish a Connection Using SSH