[SOLVED] CGN and hairpins (avoid local traffic going to ISP and back) / NAT reflection

I'm trying to avoid connections from the LAN hairpinning to the Public IP and then back into my network.

What's the "right way" to connect to services on the WAN interface when the ISP is assigning a 100.64.0.0/10 (CGNAT) address to my openwrt router? The CGNAT address is 1:1 mapped onto a public IP somewhere in the ISP's network. DDNS is set for the public IP.

For example, accessing my local Plex server (plex only knows my public IP) means traffic goes out to the ISP and then back into my home network.

One recommendation was to also map the DDNS/Public IP to an interface on the router. So my question is really what's the right way to reference services on my router without the traffic going out to the ISP and back again?

  • Do not use public IP-address inside LAN, rebind DNS-record if required.
  • Filter outgoing forwarded traffic.

I discovered the DNAT target includes a "reflection=1" option which keeps traffic on the network and works rather well for most services:

https://github.com/imaginator/home-network/blob/master/w16gw.settings#L679-L690

However I still see wireguard traffic exiting the network, returning (to terminate on the openwrt box) even though I've added the following:

https://github.com/imaginator/home-network/blob/master/w16gw.settings#L692-L704

(10.7.11.5 is the openwrt router that these rules run on).

Any ideas on what I'm doing wrong here?


I configured the local DNS server to answer with local addresses to requests for the public domain names.

  • How do you know this to be true?
  • And if it is true, why do they not issue your interface a Public IP?

You need to know that Public IP...but FYI, then the ISP's router will be doing the hairpinning.

Ask Telecolumbus/Pyur. I'm just a customer with a nose for real IPs.

  • Again...how do you know the 1-to-1 NAT statement about the ISP to be true?
  • Are the persons who responded in that thread an ISP official?
  • Better yet, why do I need to ask? (you're the one seeking assistance here)

We need to know this in order to answer your original question about how to address the WAN port without the CGN IP.

CGN usually goes into a NAT pool of IPs - to multiplex the ~64,000 ports available per IP.

@lleachii with all due respect, I've been using this ISP for a few years and can access services from outside. The question isn't whether they run CGNAT or not or how it's mapped (fyi it's 1:1).

The issue was about hairpinning/NAT loopback. As I mentioned in the post, this is solved using the uci set firewall.@redirect[-1].reflection=1 config option which is a really elegant solution to broken ISPs.

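An OpenWrt firewall redirect with NAT reflection for the Plex case discussed in this thread, added here as an example; it is not taken from the poster's linked config. It assumes 203.0.113.10 as the public address the DDNS name resolves to, 10.7.11.20 as the LAN host running Plex, and Plex's default port 32400.

```uci
# /etc/config/firewall fragment (added example; the addresses below are
# assumptions, not the poster's configuration).
# 203.0.113.10 : public IP the DDNS name resolves to (documentation range)
# 10.7.11.20   : LAN host running Plex (assumed address)
# 32400        : Plex's default port

config redirect
	option name          'plex'
	option target        'DNAT'
	option src           'wan'
	# The wan interface itself only carries the 100.64.0.0/10 CGNAT address,
	# so the public address that LAN clients actually dial has to be named
	# explicitly; it is the address the reflection rules match on.
	option src_dip       '203.0.113.10'
	option src_dport     '32400'
	option dest          'lan'
	option dest_ip       '10.7.11.20'
	option dest_port     '32400'
	option proto         'tcp'
	# Rewrite LAN-originated connections to 203.0.113.10:32400 on the router
	# instead of forwarding them out to the ISP and back again.
	option reflection    '1'
	# 'internal': reflected flows reach the Plex host with the router's LAN
	# address as source, so replies come back through the router and the
	# NAT mapping holds. 'external' would use the (CGNAT) wan address.
	option reflection_src 'internal'
	# Only reflect for clients in the lan zone.
	list reflection_zone 'lan'
```

After editing, reload with `/etc/init.d/firewall restart` and confirm from a LAN client that a connection to 203.0.113.10:32400 is answered by the Plex host without leaving the network (a traceroute from the client should stop at the router).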

If your problem is solved, feel free to mark the relevant post as the solution; and edit the title to add "[SOLVED]" to the beginning (click the pencil behind the topic).


Another option might be to assign the public IP to your loopback interface on the router:

ip addr add x.y.z.q dev lo

Then when requests come in from the LAN for that IP the router will know it owns that IP and just respond to it.

