OPNsense Forum

Archive => 24.1, 24.4 Legacy Series => Topic started by: MadGadget on March 18, 2024, 01:52:46 AM

Title: Hairpin NAT help
Post by: MadGadget on March 18, 2024, 01:52:46 AM
Hi all,

Ok so it's really apparent I don't know as much as I thought I did when it comes to networks (which wasn't much anyway). I previously managed to get hairpin NAT working on my old EdgeRouter, but I just can't get to the bottom of what's going on here.

I have 5 static IPs and run 4 servers behind them, with one remaining IP (x.x.x.186) being for clients on the network. I have successfully configured virtual IPs as follows and given them aliases:

Gateway xxx.xxx.xxx.185/29 (general network clients)
xxx.xxx.xxx.187/29    WAN    IP Alias    Static New Websites
xxx.xxx.xxx.188/29    WAN    IP Alias    Static Mail
xxx.xxx.xxx.189/29    WAN    IP Alias    Static Websites
xxx.xxx.xxx.190/29    WAN    IP Alias    Static Nextcloud

I have set up port forwarding as follows:
LAN Loopback WAN    *    *    xxx.xxx.xxx.187    *    192.168.1.13    *    New Websites
LAN Loopback WAN    *    *    xxx.xxx.xxx.188    *    192.168.1.11    *    Mail Port Forward
LAN Loopback WAN    *    *    xxx.xxx.xxx.189    *    192.168.1.12    *    Old Web Sites
LAN Loopback WAN    *    *    xxx.xxx.xxx.190    *    192.168.1.6     *    T420 / Nextcloud Server

I've set up outbound NAT rules as follows:
WAN    192.168.1.13    *    *    *    xxx.xxx.xxx.187    *    NO
WAN    192.168.1.11    *    *    *    xxx.xxx.xxx.188    *    NO
WAN    192.168.1.12    *    *    *    xxx.xxx.xxx.189    *    NO
WAN    192.168.1.6     *    *    *    xxx.xxx.xxx.190    *    NO

All the servers and clients can be seen from the internet and see the correct WAN ip address. I just cannot access them via their domain names internally, but I can via IP.

I tried to follow the instructions here (Method one) https://docs.opnsense.org/manual/how-tos/nat_reflection.html but I'm clearly just missing something.

I tried the following for outbound NAT for the mail server, following the guide for now on just the mail server.

Interface: LAN
Protocol: Any
Source Address: LAN net
Source Port: Any
Destination Address: 192.168.1.11
Destination Port: Any
Translation/target: LAN address
Description: Hairpin NAT Rule Mailserver

This had no effect; turning off the other outbound NAT rules above made the mail server see the wrong WAN address, and also didn't fix anything.

The only last and strange thing is that from one of the network clients, doing an nslookup on the domain name for mail, it cannot resolve it. That to me seems wrong?

Any advice/pointers etc would be helpful, I'm well out of my depth here.
Title: Re: Hairpin NAT help
Post by: Monviech (Cedrik) on March 18, 2024, 06:23:28 AM
I would suggest you use One-To-One NAT for your external to internal IP mapping.

Afterwards it's way easier to put the additional port forward and outbound NAT rules at the right spots, since you won't put the WAN interface into those anymore. With One-to-One NAT, the translation and retaining of the source IP address is handled.

https://forum.opnsense.org/index.php?topic=35462.msg173352#msg173352

EDIT: Here's the exact rules from my business firewall:

Rules for IP Mapping:

Interfaces: Virtual IPs: Settings:

Mode: IP Alias
Interface: igb2_WAN2
Network: xx.26.xx.226/32
Description: 1:1 NAT Nextcloud

Firewall: NAT: One-to-One:

Interface: igb2_WAN2
Type: BINAT
External network: xx.26.xx.226
Source: Single host or Network: 172.16.29.61/32
Destination: any
Description: 1:1 NAT Nextcloud
NAT reflection: Use system default

Firewall: Rules: igb2_vlan1U_WAN2

Action: Pass
Interface: igb2_WAN2
Direction: in
TCP/IP Version: IPv4
Protocol: ANY
Source: ANY
Destination: Single host or Network: 172.16.29.61/32
Description: 1:1 NAT Nextcloud

And now the rules for reflection and hairpin NAT:

Firewall: NAT: Port Forward

Interface: igb0_LAN
TCP/IP Version: IPv4
Protocol: ANY
Source: ANY
Destination: xx.26.xx.226/32 (IP Alias 1:1 NAT Nextcloud)
Redirect target IP: Single host or Network: 172.16.29.61/32
Description: Reflection NAT Nextcloud
NAT reflection: Use system default

Firewall: NAT: Outbound

Interface: igb0_LAN
TCP/IP Version: IPv4
Protocol: Any
Source address: 172.16.29.61/32
Source port: any
Destination address: 172.16.29.61/32
Destination port: Any
Translation/ target: igb0_LAN_address
Description: Hairpin NAT Nextcloud
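To show why the reflection port forward alone is not enough and the LAN outbound NAT rule is needed, here is a small constructed model of the two-rule flow (added example, not OPNsense or pf code). It uses a placeholder public IP, an assumed firewall LAN address and a constructed LAN client, and applies the hairpin rule to any LAN source reaching the server, as in the NAT reflection how-to linked in the first post.

```python
"""Toy model of reflection + hairpin NAT for a LAN client hitting the public VIP.

Constructed example: the public IP, firewall LAN address and client are made up.
"""
from dataclasses import dataclass, replace

WAN_VIP = "203.0.113.226"   # placeholder public IP alias (stands in for xx.26.xx.226)
LAN_FW = "172.16.29.1"      # assumed LAN address of the firewall ("igb0_LAN address")
SERVER = "172.16.29.61"     # internal server from the reply above
CLIENT = "172.16.29.50"     # constructed LAN client


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str


def firewall_forward(pkt: Pkt, hairpin: bool, state: dict) -> Pkt:
    """Apply the LAN port forward (reflection) and, optionally, the hairpin outbound NAT."""
    out = pkt
    if out.dst == WAN_VIP:                 # reflection: LAN traffic to the VIP is redirected
        out = replace(out, dst=SERVER)
    if hairpin and out.dst == SERVER and out.src != LAN_FW:
        out = replace(out, src=LAN_FW)     # hairpin: source becomes the firewall's LAN address
    state[(out.dst, out.src)] = pkt        # remember the original so the reply can be untranslated
    return out


def deliver_reply(reply: Pkt, state: dict) -> Pkt:
    """What the client finally receives. The server answers whatever source it saw;
    only a reply addressed to the firewall passes back through the state table."""
    if reply.dst == LAN_FW:
        orig = state[(reply.src, reply.dst)]
        return Pkt(src=orig.dst, dst=orig.src)   # untranslate both addresses
    return reply                                 # goes straight to the client, bypassing the firewall


def simulate(hairpin: bool) -> tuple:
    """Run one SYN / SYN-ACK exchange; ok is True when the client sees the peer it connected to."""
    state = {}
    syn = Pkt(CLIENT, WAN_VIP)
    at_server = firewall_forward(syn, hairpin, state)
    synack = Pkt(src=at_server.dst, dst=at_server.src)
    seen = deliver_reply(synack, state)
    ok = seen.src == WAN_VIP and seen.dst == CLIENT
    return seen, ok
```

Without the hairpin rule the SYN-ACK arrives from 172.16.29.61 while the client is waiting on 203.0.113.226, so the client's TCP stack resets the connection; with it, the reply is untranslated back to the VIP.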
Title: Re: Hairpin NAT help
Post by: mimugmail on March 18, 2024, 10:57:23 AM
You need to check if DNS lookup works; if yes, start a packet capture on port 25 on LAN. You should see the whole flow from the client and to the server with the LAN IP of the firewall. If stuck, just paste the capture here.
Title: Re: Hairpin NAT help
Post by: MadGadget on March 18, 2024, 11:56:46 AM
Quote from: Monviech on March 18, 2024, 06:23:28 AM
I would suggest you use One-To-One NAT for your external to internal IP mapping.

Afterwards it's way easier to put the additional port forward and outbound NAT rules at the right spots, since you won't put the WAN interface into those any more. With One-to-One NAT, the translation and retaining of the source IP address is handled.

I did wonder about this. I will give this a go.
Title: Re: Hairpin NAT help
Post by: MadGadget on March 18, 2024, 11:57:38 AM
Quote from: mimugmail on March 18, 2024, 10:57:23 AM
You need to check if DNS lookup works; if yes, start a packet capture on port 25 on LAN. You should see the whole flow from the client and to the server with the LAN IP of the firewall. If stuck, just paste the capture here.

No, it doesn't seem to, and I've no idea why?