Enabling NAT reflection

Hey, just wanted to write here about using NAT reflection on my OpenWRT box (x86, 23.05.2).

It took me ages to get it working, and I just wanted to share what I finally found out.

My use case is that I want to access the same URLs that are behind a reverse proxy on my LAN from inside as well as outside the LAN. For this you can use NAT reflection (I think it is sometimes called loopback or hairpin NAT as well).

The documentation shows you need to add a couple of options to your firewall config:

option reflection_src 'internal' and option reflection '1' - a full config looks like this:

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'https on server'
        option src 'wan'
        option src_dport '443'
        option dest_ip '192.168.xx.xx'
        option dest_port '443'
        option reflection_src 'internal'
        option reflection '1'

What is not mentioned anywhere in the documentation (https://openwrt.org/docs/guide-user/firewall/firewall_configuration) is that for it to work (at least in my case) you need promiscuous mode to be enabled on the br-lan interface.

E.g. edit your /etc/config/network so that it contains option promisc '1'. For example, my br-lan config looks like this:

config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'eth0'
    option acceptlocal '1'
    option promisc '1'

Anyway, just leaving this here in case anyone else ends up banging their head against the wall for a couple of days XD

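As an added example (not from the post above or from OpenWrt itself), here is a small POSIX sh audit that reads the two files the post talks about and reports, for every config redirect, whether reflection and reflection_src are set explicitly, and whether the br-lan device carries option promisc '1'. The config snippets, names and IP addresses embedded in it are constructed samples; point the functions at the real /etc/config/firewall and /etc/config/network to audit a router.

```shell
#!/bin/sh
# Offline audit of the two settings this thread discusses: explicit reflection /
# reflection_src options on each 'config redirect' in /etc/config/firewall, and
# 'option promisc 1' on the br-lan device in /etc/config/network.
# Sample configs are constructed; point the functions at the real files to audit a router.

# Print "<name> reflection=<v> reflection_src=<v>" for every redirect section.
audit_redirects() {
    tr -d "'" < "$1" | awk '
        function flush() { if (section == "redirect")
            printf "%s reflection=%s reflection_src=%s\n", name, refl, rsrc }
        $1 == "config" { flush(); section = $2; name = "unnamed"; refl = "unset"; rsrc = "unset" }
        $1 == "option" && $2 == "name" { name = $3; for (i = 4; i <= NF; i++) name = name " " $i }
        $1 == "option" && $2 == "reflection" { refl = $3 }
        $1 == "option" && $2 == "reflection_src" { rsrc = $3 }
        END { flush() }'
}

# Print the promisc value of the br-lan device section, or "unset" if absent.
lan_promisc() {
    tr -d "'" < "$1" | awk '
        $1 == "config" { inlan = 0 }
        $1 == "option" && $2 == "name" && $3 == "br-lan" { inlan = 1 }
        inlan && $1 == "option" && $2 == "promisc" { val = $3 }
        END { print (val == "" ? "unset" : val) }'
}

# Constructed /etc/config/firewall: the redirect from the post, plus one that
# never sets reflection (a typical port forward).
FW_SAMPLE=$(mktemp)
cat > "$FW_SAMPLE" <<'EOF'
config redirect
        option target 'DNAT'
        option name 'https on server'
        option src 'wan'
        option dest_ip '192.168.1.10'
        option reflection_src 'internal'
        option reflection '1'
config redirect
        option target 'DNAT'
        option name 'ssh to nas'
        option dest_ip '192.168.1.20'
EOF
# Constructed /etc/config/network with promisc enabled on br-lan.
NET_SAMPLE=$(mktemp)
printf "config device\n\toption name 'br-lan'\n\toption type 'bridge'\n\toption promisc '1'\n" > "$NET_SAMPLE"

audit_redirects "$FW_SAMPLE"
echo "br-lan promisc: $(lan_promisc "$NET_SAMPLE")"
```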

Odd, I've never had to enable that to make it work. Also, there are a few threads on this topic, and I've never seen that mentioned before.

Cool.


The driver is buggy if you need promisc (capturing packets not destined to its IP addresses) to handle unicast packets.
What is in ethtool -i eth0 for the record?


option reflection_src 'internal'

external

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Https 443'
        option family 'ipv4'
        list proto 'tcp'
        option src 'wan'
        option src_dport '443'
        option dest_ip '10.1.0.91'
        option dest_port '443'
        option reflection_src 'external'


The same behaviour was mentioned here, and here, and here as well.

I run OpenWrt 23.05.3 in an LXC on Proxmox, but there enabling promiscuous mode on the br-lan interface does not help.

I just found out that it helps to assign eth0 directly to the LAN interface and to remove the br-lan bridge.
Now NAT reflection/hairpinning is working with my OpenWRT LXC.