Hairpin nat broken not working properly

there is no point to adding Messed rules;
it should work using Hairpin NAT not with some kind of mess ...

Again:

  • I explained you should check the ISP router, but you asked me for settings n the OpenWrt

Perhaps I should leave this conversation, I apologize for bothering. I hope you find a solution.

Perhaps they have the same IP range on the WAN and LAN (of the OpenWrt)? :thinking:

Are both 10.0.1.0/24?

(that's all I can think of - they cant be numbered identically)

there is nothing to check on ISP router; what do u want me to check? asking to check something that u cant define?
ISP router has only ip forward rules... so as i can access that local ip from outside internet it means that forward rule is correcT! i cant access that local ip using domain name from local computers.

there is even option in my original port forwarding>

which apparently is broken/ or does nothing at all.

no
they dont have same IP range on wan and lan what nonsense is that.

wan is 192.168x
lan is 10.0.1x

yes u just messed up things/ thread ...

OK, I explained that - again it should work for 10.0.1.104 only (it's the ISP's not OpenWrt - that's what you changed) - and explained you how to test (using a machine with 10.0.1.104/32), but I guess you don't wish to do so. :+1:

I hope you find a solution.

e.g. you cannot test "loopback" from 10.0.1.105...etc. - it [should] work from 10.0.1.104

i replaced router X with router Z ; and replicated same forward rule from X to Z .

I dont understand what u want/how to test. its not i dont wish, u are talking about some test.

apart of that i dont understand from where comes your assumption that someone asking here for a help is MASTER of openwrt/iptables/ etc.

Was this RULE in the OpenWrt?

No, not at all. Apologies if you got that from my writing.

I assume you mean the one pasted above, correct?

Alot of people mess this up believe it or not.

no it wasnt openwrt, its isp router ;
there is no point to discuss on that; as the behavior i am expecting has to be described / isolated ie maybe there is zero connection with ISP router, maybe there is connection as asked before maybe both routers has to support HAIRPIN NAT. the rule was simple as all these stupid isp boxes are dumb

and i am going to sleep because u even asking me questions like i am total idiot or in other case assuming that i am networking master.

1 Like

Thank you for this information! I asked for it many posts ago! :smiley:

Why is there as port mismatch?

If this is a port range, where is the matching OpenWrt rule?

But that seem OK.

the port mismatch is not important ; 8222 is port thats listening on isp router wan and even wan and lan are same ie 8123 it doesnt work...

there is no port range, its port X to port Y

openwrt rule was pasted multiple times

firewall.@redirect[21]=redirect
firewall.@redirect[21].dest_port='8123'
firewall.@redirect[21].src='wan'
firewall.@redirect[21].name='hass'
firewall.@redirect[21].target='DNAT'
firewall.@redirect[21].dest_ip='10.0.1.104'
firewall.@redirect[21].proto='tcp'
firewall.@redirect[21].src_dport='8123'
firewall.@redirect[21].dest='lan'
1 Like

the issue is simply defined / was defined.

ip 10.0.1.104 can be accessed from outside internet using domain name and port forwards without any problem
but that ip cant be accessed using domain name from local network 10.0.1.0/24

1 Like

The problem here is simple... the solution, maybe not.

As I said in the very first response -- the new ISP router doesn't appear to support NAT loopback/hairpin NAT. Basically, when packets from inside hit the public IP, the router doesn't allow the reflection. Packets from your LAN (OpenWrt router's LAN) go upstream to the ISP router before they will get reflected back. Since that ISP router doesn't allow reflection, the packets will not come back.

A possible solution here would be to intercept the domain as I mentioned here. I am not 100% certain it will work, but basically you need to make sure that the public IP is not routed out of the OpenWrt router.

1 Like

I agree with @psherman

  • running tcpdump on the OpenWrt would prove the packets don't come back
  • this identifies the only device changed as the issue - the ISP router

Unrelated to OpenWrt.

1 Like

@psherman
yes thats what was missing here, ie both routers have to support nat hairpin and that "crap" provided by vodafone tg3442DE apparently doesnt support it.

but still i have no idea where do u want to set that / how do u want to set that as i dont have field addresses...
"You may be able to by setting the addresses in the dns server configuration on your Openwrt router. Specifically, the "addresses" field allows you to set a list of domains to force to an IP address.
the entry would be something like /xyz.org/10.0.5.x where x is the IP of the host that is serving the resource."

I said earlier that you should upgrade to 21.02.1. You will have that field if you upgrade. Alternatively, you might be able to get this to work by setting the local domain of your router in the DNS configuration and possibly also the hostname from there.

Also, to be clear... nothing discussed in this entire thread suggests any kind of bug in OpenWrt. The problem sits squarely in the Vodafone router. The goal here is to figure out a workaround solution in OpenWrt.... if it doesn't work, that does not mean that there is a bug, it just means that either it is not possible or we have not identified the correct workaround method.

@pshrman
i have to try to upgrade openwrt then ... the alternative you mentioned is still not clear... what domain where in dns configuration.

I think the only solution is Reverse proxy.

Yes, you are right, the issue is apparently not bug, but so far no workaround worked. It seems that hairpin has to be supported by both routers, which is not valid as isp router apparently doesnt support it.

thanks

In your Openwrt router all you have to do is to edit the dnsmasq.conf file and add a line at the very bottom of the file address=/yourdomain/your_lan_address like this: address=/awesomenetworks.com/192.168.1.121.
Then restart the dnsmasq with /etc/init.d/dnsmasq restart

This will redirect the lan dns requests to awesomenetworks.com to the host 192.168.1.121.

No neet to touch the ISP router.

BTW: The hairpin NAT is widely used in MIkrotik Router OS devices. You may look in Router OS manual if you want to set it up anyway, but it will be not necessary if you set up dnsmasq.conf file and restart the service in your Openwrt router. In other words you either set up Openwrt or the hairpin nat in ISP router. There is no need to do both at the same time.

2 Likes

@kukulo
thanks, it does work!

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.