Hairpin NAT broken / not working properly

hi,
I changed the router of the provider today; after that router is my router running OpenWrt and NAT... I am also using Home Assistant Remote Connect; everything worked fine until I changed the provider's router.

Here https://companion.home-assistant.io/docs/troubleshooting/networking/ they say hairpin NAT has to be enabled, so I did it by unticking Rebind protection.

Still I can't access my hass using the domain name within the local network, even though it works from hosts outside my network.

Does that mean hairpin NAT in dnsmasq on OpenWrt is broken?
Thanks

Some routers do not support hairpin. In the case of your upstream router (from the ISP), it may not be an option exposed to the user (I know that the Bell Home Hub 3000 doesn't have the capability).

@psherman does it mean both routers must support it?

I thought the provider's router doesn't matter; the important one is mine, where I run OpenWrt and my DNS server.

What is the solution then? How can I access these hosts from the local network? Thanks

In that post [SOLVED] CGN and hairpins (avoid local traffic going to ISP and back) / NAT reflection - #6 by imaginator they said to use

firewall.@redirect[21].reflection='1'

but it doesn't work for me either. :(

@imaginator did you set that reflection 1 on the main router, or on the router behind the ISP provider router?

Where is the host that is requesting the resource? In other words, which router is that host connected to (the ISP router or the OpenWrt router)?

@psherman
I have the ISP provider router (running NAS), to which I have connected my router via eth (to its WAN); my router is running OpenWrt and NAS, DHCP server etc. All the hosts are then connected to my router via eth or wifi.

So basically the host that is trying to access the domain (which has one port forward on the ISP router and another on my router) is connected to my router.

thanks

I'm still confused.

Can you draw a network diagram? Please show where the requesting host is located, as well as the target host.

@psherman
https://imgur.com/a/l09c5q9

The client is trying to access Home Assistant via the public URL https://xxz.org

Both the client and Home Assistant have IP addresses on the local LAN iface, i.e. 10.0.5.x

thx

You may be able to by setting the addresses in the DNS server configuration on your OpenWrt router. Specifically, the "Addresses" field allows you to set a list of domains to force to an IP address.
The entry would be something like /xyz.org/10.0.5.x where x is the IP of the host that is serving the resource.


@psherman
Not sure what you mean ... what option are we talking about? If I go to DHCP and DNS via LuCI, under server settings I have General / Resolv and Hosts Files / TFTP Settings / Advanced Settings / Static Leases ...
Which one are you pointing to? Thanks

LuCI > Network > DHCP & DNS > "Addresses" field (below DNS forwardings)

There is no such field...

Also I am not sure, as everything worked before I changed the ISP router; so the issue has to be in the ISP router, not OpenWrt... as nothing was touched in the OpenWrt settings.

I also tried to untick rebind protection but it didn't help.

What version of OpenWrt are you using? And on what device?

Maybe I should use the "Domain whitelist" section?

Model: Linksys WRT1900AC
Architecture: ARMv7 Processor rev 2 (v7l)
Firmware Version: OpenWrt 19.07.3 r11063-85e04e9f46 / LuCI openwrt-19.07 branch git-20.136.49537-fb2f363

I would recommend upgrading to 21.02.1.


Actually the correct place to add the hostname is Network/Hostnames.
Although, if Home Assistant is getting its settings by DHCP, you could enable the DNS option for the static lease entry, so that the hostname will be automatically added when HA is connected.


Ummmmm...isn't "Hairpin NAT" an analogous term for the OpenWrt term "NAT Loopback"???

Using this firewall rule as an example: it allows access to an HTTP server using its public IP or global hostname (which should resolve to its public IP) from the LAN:

Rebind protection means someone set up a LAN IP in the global DNS... that may be likely, but is usually NOT the case, because this can cause security issues if not really needed.

The most common use case would probably be for routers connected to networks with Private IP address and internal DNS servers giving out Private IPs of Private servers (i.e. no Public Internet).

@trendy that doesn't work...
I set the hostname the same as the public URL ... IP of hass, but it doesn't work.

I don't understand that much ... what you want to achieve with that; also, what's src_ip and dest_ip in that case?
My config is as follows:

firewall.@redirect[21]=redirect
firewall.@redirect[21].dest_port='8123'
firewall.@redirect[21].src='wan'
firewall.@redirect[21].name='hass'
firewall.@redirect[21].target='DNAT'
firewall.@redirect[21].dest_ip='10.0.1.104'
firewall.@redirect[21].dest='lan'
firewall.@redirect[21].proto='tcp'
firewall.@redirect[21].src_dport='8123'
firewall.@redirect[21].reflection='1'

Also, as I mentioned, all worked fine; I replaced the ISP router, added exactly the same IP forward rule, and now it's not working ...
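As an added illustration (not code from the thread), the script below parses a `uci show firewall` dump like the redirect posted above, checks whether NAT reflection can ever match given the router's WAN address, and builds the split-horizon entry for the DHCP & DNS "Addresses" field suggested earlier. The WAN and LAN addresses it is tested with are constructed; reflection rewrites only traffic sent to the router's own WAN address, so behind an ISP router (private WAN address) the DNS override is the approach that applies.

```python
"""Diagnose hairpin access to a port forward on an OpenWrt router that sits
behind an ISP router, and produce the dnsmasq address override instead.

Example code, not part of the thread or of OpenWrt itself.
"""
import ipaddress
import re

# Constructed sample: the redirect section posted in the thread.
UCI_DUMP = """\
firewall.@redirect[21]=redirect
firewall.@redirect[21].dest_port='8123'
firewall.@redirect[21].src='wan'
firewall.@redirect[21].name='hass'
firewall.@redirect[21].target='DNAT'
firewall.@redirect[21].dest_ip='10.0.1.104'
firewall.@redirect[21].dest='lan'
firewall.@redirect[21].proto='tcp'
firewall.@redirect[21].src_dport='8123'
firewall.@redirect[21].reflection='1'
"""

LINE = re.compile(r"^firewall\.(@redirect\[\d+\])(?:\.(\w+))?=(.*)$")


def parse_redirects(dump):
    """Return {section: {option: value}} for every redirect in the dump."""
    sections = {}
    for line in dump.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        sec, opt, val = m.groups()
        entry = sections.setdefault(sec, {})
        if opt is not None:
            entry[opt] = val.strip("'")
    return sections


def reflection_can_hairpin(redirect, wan_ip):
    """NAT reflection only rewrites LAN traffic addressed to the router's own
    WAN address. If that address is private (double NAT behind an ISP router),
    packets for the public name never hit the reflection rule."""
    if redirect.get("reflection") != "1":
        return False
    return ipaddress.ip_address(wan_ip).is_global


def dnsmasq_override(hostname, lan_ip):
    """Split-horizon entry for the 'Addresses' field (uci: list
    dhcp.@dnsmasq[0].address): resolve the public name to the LAN host."""
    ipaddress.ip_address(lan_ip)  # raises ValueError on a bad address
    return f"/{hostname}/{lan_ip}"
```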

Well... I don't see how the OpenWrt is even involved.

I was confused about the re-add if the OpenWrt was untouched, my apologies.