January 15, 2015 · networking

A few words about NAT hairpinning

NAT hairpinning is very useful if you have a service (ssh, http, etc.) behind a router and don't want to use its local address when you are inside the local network. The usual setup (dst-nat on the router forwards the published port of 1.1.1.1 to 192.168.1.2, and src-nat or masquerade covers traffic going out to the Internet) works like this:

There is a good article about hairpinning in the MikroTik wiki (the diagrams referred to below are taken from it).

In a nutshell, both the request and the reply pass through the router, so it can rewrite the source and destination addresses of the client (2.2.2.2) and the server (192.168.1.2) in both directions, and the connection is established.

But when you try to connect to 1.1.1.1 from 192.168.1.10:

The request still goes through the router (1.1.1.1 is not in the local subnet, so the client sends it to its gateway) and gets dst-nat-ed to 192.168.1.2, but the response goes directly from 192.168.1.2 to 192.168.1.10 and never passes the router. The client drops it, because it opened the connection to 1.1.1.1, not to 192.168.1.2, and a reply from a different address does not match any connection it knows about.

To fix this, we need just one extra srcnat (or masquerade, which may be easier to set up) rule:

All requests from the local network to the web server that come through the router must be src-nat-ed as well.

(Of course, in normal situations requests between two local hosts go directly to each other at layer 2 and never touch the router, so this rule only matches the hairpinned traffic that arrived for 1.1.1.1 and was dst-nat-ed to the server.)

With this rule the router sends the request to the web server from its own local-network address (192.168.1.1), so the server replies to the router instead of directly to the client. When the reply arrives, the router replaces the source address 192.168.1.2 with 1.1.1.1 and the destination address 192.168.1.1 with 192.168.1.10, and the client sees exactly the reply it expected. The price is that the web server's logs will show every hairpinned local client as 192.168.1.1, so don't rely on the client address in those logs for anything security-relevant.
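As an added example (it is not part of the original post or of the MikroTik wiki article), here is a small Python simulation of the three cases discussed above: an Internet client, a local client without hairpin NAT, and a local client with the extra src-nat rule. It models a stateful NAT with a dst-nat rule publishing the server on 1.1.1.1 and the layer-2 shortcut that lets a reply between two local hosts bypass the router. The addresses are the post's own illustrative values; the connection-tracking model is deliberately simplified (one flow, no ports, no timeouts) and is an assumption of the example, not a description of RouterOS internals.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Topology taken from the post: the router owns 1.1.1.1 on the WAN side and
# 192.168.1.1 on the LAN side, the web server is 192.168.1.2 and the LAN is a /24.
ROUTER_WAN = "1.1.1.1"
ROUTER_LAN = "192.168.1.1"
SERVER = "192.168.1.2"
LAN = ip_network("192.168.1.0/24")


def in_lan(addr: str) -> bool:
    return ip_address(addr) in LAN


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class Router:
    """Minimal stateful NAT: a dst-nat rule publishing SERVER on ROUTER_WAN,
    plus an optional hairpin src-nat (masquerade) for LAN -> SERVER traffic.
    The conntrack dict is a simplification assumed by this example."""

    def __init__(self, hairpin: bool):
        self.hairpin = hairpin
        # translated (src, dst) -> original (src, dst), one entry per flow
        self.conntrack = {}

    def forward(self, pkt: Packet) -> Packet:
        """A new connection arriving at the router from a client."""
        src, dst = pkt.src, pkt.dst
        if dst == ROUTER_WAN:
            dst = SERVER                      # dst-nat: public address -> server
        if self.hairpin and in_lan(src) and dst == SERVER:
            src = ROUTER_LAN                  # hairpin src-nat: hide the LAN client
        self.conntrack[(src, dst)] = (pkt.src, pkt.dst)
        return Packet(src, dst)

    def reverse(self, reply: Packet) -> Packet:
        """A reply arriving at the router from the server: undo both translations."""
        orig_src, orig_dst = self.conntrack[(reply.dst, reply.src)]
        return Packet(src=orig_dst, dst=orig_src)


def server_reply(request: Packet) -> Packet:
    """The server simply answers to whatever source address it saw."""
    return Packet(src=request.dst, dst=request.src)


def simulate(client: str, hairpin: bool):
    """Return (accepted, reply as seen by the client, request as seen by the server)."""
    router = Router(hairpin)
    request = Packet(src=client, dst=ROUTER_WAN)
    # 1.1.1.1 is outside every host's local subnet, so the request always goes to the router.
    at_server = router.forward(request)
    reply = server_reply(at_server)
    # Layer-2 shortcut: a reply addressed to another host on the server's own subnet
    # is delivered directly and never passes the router, unless it is addressed to the
    # router itself (which is what the hairpin src-nat arranges).
    if in_lan(reply.dst) and reply.dst != ROUTER_LAN:
        seen = reply
    else:
        seen = router.reverse(reply)
    # The client only accepts a reply that comes back from the address it connected to.
    accepted = seen.src == request.dst and seen.dst == request.src
    return accepted, seen, at_server


if __name__ == "__main__":
    for client, hairpin in (("2.2.2.2", False), ("192.168.1.10", False), ("192.168.1.10", True)):
        ok, seen, at_server = simulate(client, hairpin)
        print(f"client={client:13} hairpin={hairpin!s:5} server saw {at_server.src:13} "
              f"reply {seen.src} -> {seen.dst}: {'established' if ok else 'DROPPED'}")
```

Running it shows the Internet client working either way, the local client getting a reply straight from 192.168.1.2 and dropping it without the hairpin rule, and the same client getting a reply from 1.1.1.1 once the router masquerades it behind 192.168.1.1. The last column also makes the logging side effect visible: with hairpin the server sees 192.168.1.1, not 192.168.1.10.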

From MikroTik Wiki:

/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 \
dst-address=192.168.1.2 protocol=tcp dst-port=80 \
out-interface=LAN action=masquerade

or if you prefer WebFig:

and as the action, set masquerade, or src-nat with to-addresses set to the router's local IP (192.168.1.1):

That's all for now :)
