
Hairpin NAT Not Functioning Correctly
Closed, Invalid | Public | BUG

Description

I followed the official documentation to create a hairpin NAT and created a hairpin NAT rule.

If set up according to the example, the destination NAT rule will be applied whenever the destination port matches the port stated in the NAT rule, including the traffic which is supposed to go out to the internet.
Some people seem to be using a workaround, by setting the destination address of the same NAT rule to the WAN IP address.
This causes a problem. If the WAN IP address is obtained from a DHCP server, the rule will be broken after an IP address change.

Details

Difficulty level
Unknown (require assessment)
Version
1.3.0-epa1
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Behavior change
Issue type
Bug (incorrect behavior)

Event Timeline

Unknown Object (User) added a subscriber: Unknown Object (User). Oct 17 2021, 6:08 AM

Tested on VyOS 1.3.0-epa1

The NAT is configured according to the documentation:
Hairpin NAT/NAT Reflection

It works as it should.
My lab config below (border router with NAT)
External address on interface eth2. Internal service address 172.24.33.33 port 22 on LAN interface eth0
Internal service accessible via external address of eth2 from Internet and from LAN

set nat destination rule 100 description 'Regular destination NAT from external'
set nat destination rule 100 destination port '22'
set nat destination rule 100 inbound-interface 'eth2'
set nat destination rule 100 protocol 'tcp'
set nat destination rule 100 translation address '172.24.33.33'

set nat destination rule 110 description 'NAT Reflection: INSIDE'
set nat destination rule 110 destination port '22'
set nat destination rule 110 inbound-interface 'eth3'
set nat destination rule 110 protocol 'tcp'
set nat destination rule 110 translation address '172.24.33.33'

set nat source rule 110 description 'NAT Reflection: INSIDE'
set nat source rule 110 destination address '172.24.0.0/16'
set nat source rule 110 outbound-interface 'eth3'
set nat source rule 110 protocol 'tcp'
set nat source rule 110 source address '172.24.0.0/16'
set nat source rule 110 translation address 'masquerade'

Unknown Object (User) added a comment. Oct 17 2021, 12:31 PM

WAN interface is eth2. It is set to DHCP.
LAN interface is eth3. It is set to a static address.

vyos@VyOS-R3# run sh config comm | grep dhcp
set interfaces ethernet eth2 address 'dhcp'

vyos@VyOS-R3# run sh inter
eth2             192.168.0.20/24                   u/u
eth3             172.24.133.3/24                   u/u

To change the address of WAN interface (eth2) I disable/enable it.
The address changes. => I have to use the new address of eth2 to access the internal service

syncer edited projects, added Rejected; removed VyOS 1.3 Equuleus.

Have you confirmed that you can access an external service (i.e. in the 192.168.0.20/24 network) hosted on port 22, and that it is not being redirected to 172.24.33.33:22 after applying the rules above?

Unknown Object (User) added a comment. Oct 19 2021, 12:59 AM

Of course, external services on the same port are not available.
This is what you should expect from NAT rules (110)
Works exactly as configured

I think this should be re-opened. The solution that is documented does not follow the spirit of hairpin NAT, which is that traffic on port N not actually destined to the inside target should not be redirected.

Could VyOS provide an option for destination address that tracks the IP address set on a given interface?
(EDIT) Looks like this type of request was made back in 2020 but still has not been addressed: https://phabricator.vyos.net/T2196
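The workaround mentioned in the description (pin the hairpin rule's `destination address` to the WAN IP so LAN traffic to other hosts on port 22 is not redirected) breaks as soon as the DHCP lease hands eth2 a new address, and the last comment asks for a rule that tracks the interface address instead. Until VyOS offers that, the same effect can be had by regenerating the rule from the interface's current address. The script below is an added example, not code from the VyOS project or from anyone in this thread: it parses the address out of `ip -4 -o addr show dev eth2` output, renders the `set` commands for rule 110 with that address pinned, and wraps them in a vbash script that uses the VyOS scripting template to commit and save. The rule number, interfaces, port and target are the lab values posted above; the function names, the sample `ip` output line, and the idea of triggering this from a DHCP-client hook or cron job are assumptions of this example.

```shell
#!/bin/bash
# Added example (not VyOS project code): re-pin the hairpin DNAT rule's
# destination address to the WAN interface's current (DHCP) address.
# Rule 110, eth3, port 22 and 172.24.33.33 are the thread's lab values;
# the function names and sample data are this example's own.

# Constructed sample: one line in the format printed by
#   ip -4 -o addr show dev eth2
# On a real router, pipe that command's output in instead of this constant.
SAMPLE_IP_ADDR_LINE='2: eth2    inet 192.168.0.20/24 brd 192.168.0.255 scope global dynamic eth2\       valid_lft 86399sec preferred_lft 86399sec'

# Pull the bare IPv4 address (no prefix length) out of one `ip -4 -o addr` line.
# Prints nothing and returns 1 if the line carries no inet address, so the
# caller never commits a rule with an empty destination address.
wan_address_from_ip_line() {
    local addr
    addr=$(printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i == "inet") { split($(i+1), a, "/"); print a[1]; exit }
    }')
    [ -n "$addr" ] || return 1
    printf '%s\n' "$addr"
}

# Emit the VyOS `set` commands for the LAN-side hairpin DNAT rule, matching
# only traffic addressed to the WAN IP on the service port. LAN traffic to
# any other host on that port is left untouched (the point of the workaround).
# Arguments: wan_addr [rule] [lan_if] [dport] [target]
hairpin_dnat_commands() {
    local wan_addr="$1" rule="${2:-110}" lan_if="${3:-eth3}" dport="${4:-22}" target="${5:-172.24.33.33}"
    cat <<EOF
set nat destination rule $rule description 'NAT Reflection: INSIDE'
set nat destination rule $rule inbound-interface '$lan_if'
set nat destination rule $rule protocol 'tcp'
set nat destination rule $rule destination address '$wan_addr'
set nat destination rule $rule destination port '$dport'
set nat destination rule $rule translation address '$target'
EOF
}

# Wrap the commands in a vbash script that uses the VyOS scripting template
# (/opt/vyatta/etc/functions/script-template) to enter configure mode,
# apply, commit and save. The rendered script must run on the router itself.
render_vbash_script() {
    local wan_addr="$1"
    printf '%s\n' '#!/bin/vbash' \
        'source /opt/vyatta/etc/functions/script-template' \
        'configure'
    hairpin_dnat_commands "$wan_addr"
    printf '%s\n' 'commit' 'save' 'exit'
}

# Stand-alone run: use the constructed sample line and print the rendered script.
if wan=$(wan_address_from_ip_line "$SAMPLE_IP_ADDR_LINE"); then
    render_vbash_script "$wan"
else
    echo "no IPv4 address found on WAN interface, nothing to apply" >&2
fi
```

Because `destination address` is a single-valued leaf, re-running `set` with the new address replaces the old one, so the rendered script is safe to run repeatedly (for example after every lease renewal). It only pins the LAN-side rule 110; rule 100 on eth2 needs no address because the inbound interface already restricts it to traffic that arrived on the WAN. Note that this is still a workaround: an address change that happens between the lease renewal and the commit leaves a short window where the hairpin rule points at the old address.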