24.1 Legacy Series / Hairpin NAT help
« on: March 18, 2024, 01:52:46 am »
Hi all,
OK, so it's really apparent I don't know as much as I thought I did when it comes to networks (which wasn't much anyway). I previously managed to get hairpin NAT working on my old EdgeRouter, but I just can't get to the bottom of what's going on here.
I have 5 static IPs and run 4 servers behind them, with the one remaining IP (x.x.x.186) being for clients on the network. I have successfully configured virtual IPs as follows and given them aliases:
Gateway xxx.xxx.xxx.185/29 (general network clients)
xxx.xxx.xxx.187/29 WAN IP Alias Static New Websites
xxx.xxx.xxx.188/29 WAN IP Alias Static Mail
xxx.xxx.xxx.189/29 WAN IP Alias Static Websites
xxx.xxx.xxx.190/29 WAN IP Alias Static Nextcloud
I have set up port forwarding as follows:
LAN Loopback WAN * * xxx.xxx.xxx.187 * 192.168.1.13 * New Websites
LAN Loopback WAN * * xxx.xxx.xxx.188 * 192.168.1.11 * Mail Port Forward
LAN Loopback WAN * * xxx.xxx.xxx.189 * 192.168.1.12 * Old Web Sites
LAN Loopback WAN * * xxx.xxx.xxx.190 * 192.168.1.6 * T420 / Nextcloud Server
I've set up outbound NAT rules as follows:
WAN 192.168.1.13 * * * xxx.xxx.xxx.187 * NO
WAN 192.168.1.11 * * * xxx.xxx.xxx.188 * NO
WAN 192.168.1.12 * * * xxx.xxx.xxx.189 * NO
WAN 192.168.1.6 * * * xxx.xxx.xxx.190 * NO
All the servers and clients can be seen from the internet and see the correct WAN IP address. I just cannot access them via their domain names internally, but I can via IP.
I tried to follow the instructions here (Method one) https://docs.opnsense.org/manual/how-tos/nat_reflection.html but I am clearly just missing something.
I tried the following outbound NAT rule for the mail server, following the guide on just the mail server for now.
Interface: LAN
Protocol: Any
Source Address: LAN net
Source Port: Any
Destination Address: 192.168.1.11
Destination Port: Any
Translation/target: LAN address
Description: Hairpin NAT Rule Mailserver
This had no effect; turning off the other outbound NAT rules above made the mail server see the wrong WAN address, and also didn't fix anything.
The last strange thing is that doing an nslookup on the domain name for mail from one of the network clients cannot resolve it. That seems wrong to me?
Any advice/pointers etc. would be helpful; I'm well out of my depth here.
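Added diagnostic (editor's example, not part of the original post and not an OPNsense tool). The failing nslookup in the post is the detail to chase first: if the LAN resolver returns nothing for the name, no port forward, reflection or outbound NAT rule is ever reached, because the client never sends a packet. The script below separates the three cases a LAN client can be in: the name resolves to the server's LAN address (split DNS, no hairpin needed), it resolves to the public VIP (the firewall must reflect the forward, and the "Translation: LAN address" rule then makes every internal client appear to the mail server as the firewall's own IP, which blinds per-client rate limiting and log-based blocking on that server), or it does not resolve at all. It then probes the service port on both the LAN address and the VIP so the fault can be isolated to DNS, to the server, or to the NAT rules. The hostname mail.example.com, the LAN address 192.168.1.11 and the VIP 203.0.113.188 (RFC 5737 documentation range) are constructed stand-ins for the masked values in the post.

```shell
#!/bin/sh
# Added diagnostic for the hairpin / split-DNS question above; not part of
# the original post and not an OPNsense tool.  All names and addresses are
# constructed stand-ins: mail.example.com, LAN server 192.168.1.11, public
# VIP 203.0.113.188 (RFC 5737 documentation range).

# classify_ip ADDR -> prints "private" (RFC 1918), "public", or "none" (empty answer)
classify_ip() {
  case "$1" in
    "")                                       echo none ;;
    10.*|192.168.*)                           echo private ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*)    echo private ;;
    *)                                        echo public ;;
  esac
}

# diagnose NAME ANSWER LAN_IP VIP
#   ANSWER is what the LAN resolver returned for NAME (may be empty).
#   Prints one verdict:
#     NXDOMAIN          no answer: fix DNS first, the NAT rules are never reached
#     SPLIT_DNS_OK      resolves to the server's LAN address: no hairpin needed
#     HAIRPIN_REQUIRED  resolves to the public VIP: the firewall must reflect
#                       the port forward and source-NAT the reply path
#     WRONG_TARGET      resolves to something else (stale record, another VIP)
diagnose() {
  d_answer=$2 d_lan=$3 d_vip=$4
  if [ "$(classify_ip "$d_answer")" = none ]; then echo NXDOMAIN; return 0; fi
  if [ "$d_answer" = "$d_lan" ]; then echo SPLIT_DNS_OK; return 0; fi
  if [ "$d_answer" = "$d_vip" ]; then echo HAIRPIN_REQUIRED; return 0; fi
  echo WRONG_TARGET
}

# resolve NAME [SERVER]: first IPv4 A record, empty if none.  Needs the network
# and dig(1); only called from main, never from the offline checks.
resolve() {
  if [ -n "$2" ]; then set -- "$1" "@$2"; fi
  dig +short A "$@" 2>/dev/null \
    | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' | head -n 1
}

# tcp_check HOST PORT -> exit 0 if a TCP connection completes within 3 s
tcp_check() {
  nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# main NAME LAN_IP VIP PORT: run from a LAN client, e.g.
#   sh hairpin_check.sh mail.example.com 192.168.1.11 203.0.113.188 25
main() {
  m_name=$1 m_lan=$2 m_vip=$3 m_port=$4
  m_answer=$(resolve "$m_name")
  echo "$m_name -> '${m_answer:-<no answer>}' : $(diagnose "$m_name" "$m_answer" "$m_lan" "$m_vip")"
  for m_target in "$m_lan" "$m_vip"; do
    if tcp_check "$m_target" "$m_port"; then
      echo "tcp $m_target:$m_port reachable"
    else
      echo "tcp $m_target:$m_port NOT reachable"
    fi
  done
  # A reachable LAN address with an unreachable VIP isolates the fault to the
  # reflection / outbound-NAT rules rather than to the server or to DNS.
}

if [ $# -eq 4 ]; then
  main "$@"
fi
```

Run it from a LAN client for each public name. A NXDOMAIN verdict means the internal resolver (Unbound on the firewall, or whatever the clients point at) has no record for the name and the NAT configuration is not yet in play; a HAIRPIN_REQUIRED verdict with the VIP port unreachable points at the reflection and outbound rules; SPLIT_DNS_OK is the state a host override for the public name, pointing at the LAN address, produces, and it keeps the real client source addresses in the server's logs.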