Hairpin nat broken not working properly

there is no such a field... \

also i am not sure, as everything worked before i changed isp router;;; so the issue has to be in the isp router not openwrt... as nothing was touched in openwrt settings..

I also tried to untick rebind protection but didnt help.

what version of OpenWrt are you using? And on what device?

maybe i should use Domain whitelist? section


Linksys WRT1900AC


ARMv7 Processor rev 2 (v7l)

Firmware Version

OpenWrt 19.07.3 r11063-85e04e9f46 / LuCI openwrt-19.07 branch git-20.136.49537-fb2f363

I would recommend upgrading to 21.02.1.

1 Like

Actually the correct place to add the hostname is Network/Hostnames
Although, if the homeassistant is getting its settings by dhcp, you could enable the dns option for the static lease entry, so that the hostname will be automatically added when HA is connected.

1 Like

Ummmmm...isn't "Hairpin NAT" an analogous term for the OpenWrt term "NAT Loopback"???

Using this firewall rule as an e.g. - it allows access to an HTTP server using its public IP or global hostname (which should resolve to its Public IP) from LAN:

Rebind protection means someone setup a LAN IP in the global DNS...that may be likely; but usually NOT the case - because this can cause security issues if not really needed.

The most common use case would probably be for routers connected to networks with Private IP address and internal DNS servers giving out Private IPs of Private servers (i.e. no Public Internet).

@trendy that doesnt work...
i set hostname same as public url ... ip of hass but it doesnt work.

dont understand that much ... what u want to achieve with that also whats src_ip and dest_ip in that case
my config is as


also as i mentioned all worked fine, i replaced isp router; added exactly same ip forward rule and now its not working ...

Well..I don't see how the OpenWrt is even involved.

I was confused about the re-add if the OpenWrt was untouched, my apologies.

i dont understand whats the issue at all ,, all these posts are incomplete / no final solution just broken pieces of information.

so basically there is no solution for a case that was fully working? As it doesnt work apparently something is broken.

Its primitive port forwarding; works for other services but yes i cant access my hass from local network. as mentioned in above posts they are clearly saying that hairpin nat has to be enabled ...

Hairpin NAT

At this point of setting up we need to check one capability of your router: Hairpin NAT (otherwise known as NAT reflection or NAT loopback). What this means is the ability of your router to mirror a request from its inside (LAN) interface to its outside (WAN) address back to an internal IP address (in this case, your Home Assistant), thus reflecting or hairpinning the traffic. It's easy to check if this works: Just open a browser on your phone or PC while connected to your home network and opening - if it works, you have hairpin NAT working and can go on to the next section. Most current routers will support NAT hairpinning out of the box, there are however some routers (especially if you got your router from your ISP) that do not have this ability or have it disabled. If this is the case, you need to check if you can enable it on your router or, if you can't, you will need to set up Split Brain DNS.

I thought I said that you should check the device that was actually touched when the problem occurred - the ISP router. If you want to troubleshoot the OpenWrt needlessly, my apologies, I didn't understand you may be exhausting options with the device that was working.

My bad and apologies for interrupting, as I see you have a similar rule.

@lleachii what do u want to check ... its one ip forward rule....

ok, basically it doesnt work because openwrt is broken

If you haven't provided that information from the new ISP router...but that's not related to OpenWrt. I would verify that not that you have this new ISP that you actually have public IP address. can say it only works for the single IP you set (e.g. you setup a personal webserver on your desktop, and test from the desktop)...but sure, call it "broken".

As I noted:

This works exactly as people desire (I assume those calling it a bug need the developers to identify exactly what each person else wishes to redirect - besides the IP itself, without creating a security hole).

@lleachii sorry i dont understand any sentense you wrote.

And i will repeat it again

  1. i can access my local IP from internet without problem using dynamic dns alias (https://xxx.xy)
  2. using the same dynamic dns alias (https://xxx.xy) from local network DOESNT WORK.
  2. verify this Public IP matches IP on new ISP router

Did you add the rule?

Where is (Network and zone)?

omg ... what are u trying here is nonsense.

  1. as i can ACCESS my local ip from Internet it means that dns record correctly matches my isp router IP and isp router correctly port forwarding it to local IP

repeating again i cant just access it from within local computer.

I understand, please answer.

104 is exactly there as on the image provided. On the same lan as local pc trying to access it.

the rule you are pasting is Incorrect, whats the point of srp ip as subnet ...

Is it possible to do an inbound test for another machine?

This would be to see if the loopback works on the port in question.