Testing WAN Services from Isolated Guest VLAN: Need help with nftables TTL/HL rule

I'm trying to validate my router's services (like WireGuard, Twingate, and published ports) from my isolated GUEST VLAN (br-lan.200). I need to simulate a real external internet connection so I can test the full NAT translation path. I'm struggling with speed and keeping a reliable connection when hotspotting to my phone. Plus, it's hard!!!

I think it's called Full NAT Loopback (or External Simulation), which means forcing traffic from the GUEST VLAN client inside my network to be processed by the router's WAN interface before being routed back in.

I think the standard shortcut for this is NAT Hairpinning (or Local Loopback), where the router sees the request for its own public address and routes the traffic laterally within the internal network. What I'm hoping to do is route traffic along the full NAT path to test my services accurately.

Can anyone help who may have done this before?

ubus call system board
{
	"kernel": "6.6.110",
	"hostname": "R6SOpenWrt",
	"system": "ARMv8 Processor rev 0",
	"model": "FriendlyElec NanoPi R6S",
	"board_name": "friendlyarm,nanopi-r6s",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.4",
		"revision": "r28959-29397011cc",
		"target": "rockchip/armv8",
		"description": "OpenWrt 24.10.4 r28959-29397011cc",
		"builddate": "1760891865"
	}
}
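To make the distinction drawn above concrete, here is the hairpin (NAT loopback) path written as plain nftables rules. This is an added illustration, not something posted in the thread and not the ruleset OpenWrt's fw4 generates; the guest interface name br-lan.200 follows the post, while the public address 203.0.113.10, the guest subnet 192.168.200.0/24, the internal server 192.168.1.50 and port 443 are assumptions chosen for the example.

```nft
#!/usr/sbin/nft -f
# Added example: hairpin NAT for one published service, assumed addresses.
table inet hairpin_example {
	chain prerouting {
		type nat hook prerouting priority dstnat; policy accept;
		# A guest client on br-lan.200 connects to the router's public address
		# (assumed 203.0.113.10) on 443. Rewrite the destination to the internal
		# server (assumed 192.168.1.50) the same way the WAN-side port forward would.
		iifname "br-lan.200" ip daddr 203.0.113.10 tcp dport 443 dnat ip to 192.168.1.50
	}
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		# Without this the server would answer the guest address directly and the
		# reply would bypass the router's NAT state; rewrite the source so the
		# reply travels back through the router and is un-DNATed there.
		ip saddr 192.168.200.0/24 ip daddr 192.168.1.50 tcp dport 443 masquerade
	}
}
```

Load it with `nft -f` and inspect with `nft list table inet hairpin_example`; a test connection from the guest VLAN then shows up in `conntrack -L` with both the DNAT and SNAT mappings. Two caveats: on OpenWrt this is what a `redirect` section with `option reflection '1'` already does inside fw4, and fw4's zone forwarding policy between the guest and lan zones still has to allow the flow, since an accept in this table does not override a drop in another. Note also that the DNAT happens in prerouting on the guest interface, so the packet never touches the physical WAN link, which is precisely the shortcut the post is trying to avoid.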

I understand you want to permit some services between internal networks?

Not quite - I have an isolated GUEST VLAN on the OpenWrt server using DSA. I also have LAN and WAN. I want to know if it is possible to avoid hairpinning from GUEST directly to LAN, instead going out and back in through WAN. That way my WAN rules and VPN etc. can be tested fully.

What exactly are you wanting to test? You're always going to be better off trying with a proper external connection if possible. Checking that port forwards (or similar) are working shouldn't need a particularly speedy connection.


Anything published on the external WAN interface - particularly published ports and external VPN access. If you google the terms, it's a well-known technique called the TTL hack or avoiding hairpinning.

You mean this to beat an ISP tethering limitation?

Communication 101: then please provide the search query, or at best a proper deep link to a resource.

At least hairpinning NAT has nothing to do with TTL manipulation.

I am also unable to grasp what you want to do or want to achieve.
