Description:
In certain scenarios it can be necessary, that devices in the local network invoke the IP address of the Internet connection (e.g. via DNS name) and access a server in the local network via portforwarding (Hairpin NAT or NAT reflection).
This article describes how to set up hairpin NAT on a Unified Firewall.
Hairpin NAT only works in stand-alone operation and with a series connection. Hairpin NAT does not work with a layer-3 loop, because the LANCOM router forwards the outgoing packets directly to its WAN interface.
Requirements:
- LANCOM R&S®Unified Firewall as of LCOS FX 10.3
- Scenario with a Unified Firewall in stand-alone operation or with a series connection
- A configured and functional Internet connection on the Unified Firewall
- Internet connection with a fixed public IPv4 address
- Configured and functional port forwarding on the Unified Firewall
- Web browser for configuring the Unified Firewall.
The following browsers are supported:- Google Chrome
- Chromium
- Mozilla Firefox
Scenario:
1) The Unified Firewall is directly connected to the Internet
- The Unified Firewall establishes the Internet connection. It has the public IP address 81.81.81.1. The public IP address is linked with the DNS name server.lancom.de .
- A web server on the local network of the Unified Firewall has the IP address 192.168.1.100 and is reached from the Internet via HTTPS.
- A computer on the local network with the IP address 192.168.1.55 needs to access the web server on the local network using the DNS name server.lancom.de .
2) The router upstream from the Unified Firewall establishes the Internet connection
- A router upstream from the Unified Firewall establishes the Internet connection. It has the public IP address 81.81.81.1. The public IP address is linked with the DNS name server.lancom.de .
- The Unified Firewall and the upstream router are both members of the intermediate network 192.168.0.0/24. In this network, the Unified Firewall has the IP address 192.168.0.254.
- A web server on the local network of the Unified Firewall has the IP address 192.168.1.100 and is reached from the Internet via HTTPS.
- A computer on the local network with the IP address 192.168.1.55 needs to access the web server on the local network using the DNS name server.lancom.de .
Procedure:
The procedure is the same for both scenarios.
1) Setting up the hairpin NAT:
1.1) Open the configuration of the Unified Firewall in a browser.
On the desktop, click the network object (in this example the network INTRANET). In the context menu, select the connection tool and click on the host object for which the port forwarding is set up (in this example the object web server).
1.2) Choose the protocol used by the computer on the local network to access the web server.
1.3) Under Options, click None to make further settings.
1.4) Enter the following parameters:
- Set the NAT / Masquerading to the option left-to-right.
- Activate the option Enable DMZ / Port Forwarding for this service.
- Under External IP address, enter the WAN IP address of the Unified Firewall (in this example the IP address 81.81.81.1).
Absolutely check the object order. It is possible, that the object selected first is not in the first position. In this case the NAT rule has to be changed to right-to-left.
1.5.) Click on Save.
1.6) Finally, implement the changes by clicking Activate.
1.7) This concludes the configuration of the hairpin NAT.
2) Create an exception rule for the protocols HTTP and HTTPS (only required when using the HTTP proxy)
When using the HTTP proxy the outgoing packets are filtered by the proxy, which means that the hairpin NAT does not work. An exception rule must therefore be created so that the data traffic from the local network to the public IPv4 address bypasses the proxy.
This also applies to the mail proxy and the VoIP proxy. However, it would be unusual to perform SIP registration from the local network via port forwarding.
2.1) Click the icon to create a new host object.
2.2) Modify the following parameters and then click Create:
- Name: Enter a descriptive name.
- Connected to: Use the drop-down menu to select the Internet object.
- IP address: Enter the public IPv4 address of your Internet connection. This does not have to be directly on the Unified Firewall; it can also be on an upstream router.
2.3) Click the network object on the desktop (in this example INTRANET), select the connection tool and click the host object created in step 2.2.
2.4) Add the protocols HTTP and HTTPS.
2.5) For the protocols HTTP and HTTPS, click the “arrow” icon so that the arrow for each one points to the right.
2.6) For HTTP and HTTPS under Options, click None for each one to adjust further settings.
2.7) For HTTP and HTTPS, set NAT / Masquerading for each one to the option left-to-right and click OK.
2.8) Click Create to create the firewall rules.
2.9) Finally, implement the changes on the United Firewall by clicking Activate.