Messages

1

24.1 Legacy Series / Re: Hairpin NAT help

« on: March 18, 2024, 11:57:38 am »

You need to check if DNS lookup works, if yes, start packet capture on port 25 in LAN, you should see the whole flow from the client and to the server with LAN IP of firewall. If stuck, just paste the capture here

No it doesn't seem to, and I've no idea why?

2

24.1 Legacy Series / Re: Hairpin NAT help

« on: March 18, 2024, 11:56:46 am »

I would suggest you use One-To-One NAT for your external to internal IP mapping.

Afterwards its way easier to put the additional port forward and Outbound NAT rules at the right spots, since you won't put the WAN interface into those any more. With One-to-One NAT, the translation and retaining of source IP address is handled.

I did wonder about this. I will give this a go.

3

24.1 Legacy Series / Hairpin NAT help

« on: March 18, 2024, 01:52:46 am »

Hi all,

Ok so it's really apparent I don't know as much as I thought I did when it comes to networks (which wasn't much anyway). I previously managed to get hairpin NAT work on my old edgerouter but I just can't get to the bottom of what's going on here.

I have 5 static IPs, and run 4 servers behind them, with one remaining ip (x.x.x.186) being for clients on the network. I have successfully configured virtual ips as follows and given them aliases:

Gateway xxx.xxx.xxx.185/29 (general network clients)
xxx.xxx.xxx.187/29       WAN   IP Alias   Static New Websites   
xxx.xxx.xxx.188/29       WAN   IP Alias   Static Mail   
xxx.xxx.xxx.189/29       WAN   IP Alias   Static Websites   
xxx.xxx.xxx.190/29       WAN   IP Alias   Static Nextcloud

I have setup port forwarding as follows:
LAN Loopback WAN    *    *    xxx.xxx.xxx.187 *    192.168.1.13      *    New Websites    
LAN Loopback WAN    *    *    xxx.xxx.xxx.188 *    192.168.1.11   *    Mail Port Forward    
LAN Loopback WAN    *    *    xxx.xxx.xxx.189 *    192.168.1.12   *    Old Web Sites
LAN Loopback WAN    *    *    xxx.xxx.xxx.190 *    192.168.1.6   *    T420 / Nextcloud Server    

I've setup outbound NAT rules as follows:
WAN    192.168.1.13   *    *    *    xxx.xxx.xxx.187    *    NO         
WAN    192.168.1.11   *    *    *    xxx.xxx.xxx.188    *    NO         
WAN    192.168.1.12   *   *    *    xxx.xxx.xxx.189    *    NO         
WAN    192.168.1.6   *    *    *    xxx.xxx.xxx.190    *    NO

All the servers and clients can be seen from the internet and see the correct WAN ip address. I just cannot access them via their domain names internally, but I can via IP.

I tried to follow the instructions here (Method one) https://docs.opnsense.org/manual/how-tos/nat_reflection.html but I clearly just am missing something.

I tried the following for outbound nat for the mail server, following the guide for now on just the mail server.

Interface: LAN
Protocol: Any
Source Address: LAN net
Source Port: Any
Destination Address: 192.168.1.11
Destination Port: Any
Translation/target: LAN address
Description: Hairpin NAT Rule Mailserver

This had no effect, turning off the other outbound nat rules above made the mail server see the wrong WAN address, and also didn't fix anything.

The only last and strange thing is that from one of the network clients and doing a nslookup on the domain name for mail, it cannot resolve it. That to me seems wrong?

Any advice/pointers etc would be helpful, I'm well out of my depth here.