NAT loopback / hairpin NAT

2025-12-26 20:05:34 - last edited 3 weeks ago
Model: Deco M5  
Hardware Version:
Firmware Version: 1.9.1

I need some help to possibly find a new correct TP-Link router model. Describing my current problem with Deco M5 below.

 

I have a local mesh network and home automation server (Pi5, Node-Red) which I'm accessing both locally and externally. To have better security than just NAT and userId/password, I have now built a reverse proxy in the same Docker as the server. Proxy also implements SSL traffic. My wish is that accessing the server externally (only port 443 is open) I need to give userID and password for the proxy, but accessing the server via proxy internally (still using the same domain name xyz.tplinkdns.com) the credentials would not be asked. That should be possible by configuring the proxy so that it identifies the IP range coming internally and bypasses the security. I didn't succeed on this conf and I have understood that it is because of the way M5 does the NAT. I.e. the proxy thinks all traffic, even internal queries, are coming from external WAN and therefore always requires credentials. Also I considered using Pi-hole on the Raspberry, but that requires M5 to accept a local address as the DNS server, which it doesn't. Alternatively the DHCP server should be removed from Deco and let Pi-hole act as DHCP server. No success, as the DHCP server cannot be removed from M5.

(I should mention that the proxy and the server are in the same Docker network and the server has no exposed local IP, so I cannot just access it by its local IP. Only via the proxy.)

 

So, I'm stuck. Even if my M5 mesh network has been good enough for me until now, I suppose I need a more advanced Deco model as the router. But there I would be happy to receive some help. What Deco model would be suitable for my needs? So, not requiring much more, but a bit more advanced options to configure the router. I know there are other types of routers, but in this case I like to see first if some Deco model could offer what I need. Even better if I could reuse my current three M5 as the mesh units either via LAN port or wifi. For many IoT solutions a 2,4GHz wifi is also needed, and preferably with separate SSIDs for 2,4 and 5GHz networks.

 

Thanks in advance.

Pete

#1
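An added example, not part of the original post or any poster's configuration: the source-address check the post above describes, sketched in Python, showing why the bypass never triggers once a hairpinned request reaches the proxy with a non-LAN source. The LAN range 192.168.68.0/24, the address 203.0.113.7 and all function names are assumptions.

```python
import ipaddress

# Constructed values (assumptions, not from the thread): LAN range, WAN address.
TRUSTED_NETS = [ipaddress.ip_network("192.168.68.0/24")]
WAN_IP = "203.0.113.7"

def normalize(peer):
    """Parse the TCP peer address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    addr = ipaddress.ip_address(peer)
    mapped = getattr(addr, "ipv4_mapped", None)
    return mapped if mapped is not None else addr

def requires_auth(peer, trusted=TRUSTED_NETS):
    """Return True when the proxy must ask for credentials.

    Only the socket peer address is consulted. Headers such as X-Forwarded-For
    are ignored because any client on the internet can set them. Input that
    does not parse fails closed.
    """
    try:
        addr = normalize(peer)
    except ValueError:
        return True
    return not any(addr.version == net.version and addr in net for net in trusted)

def observed_peer(client_ip, path):
    """Hypothetical model of the source address the proxy sees on each path."""
    if path == "hairpin":
        # LAN client uses the public name; per the post, the proxy sees the
        # request as coming from the WAN side, so the LAN source is lost.
        return WAN_IP
    if path in ("lan-direct", "internet"):
        return client_ip  # source address reaches the proxy unchanged
    raise ValueError(f"unknown path: {path}")

def demo():
    cases = [
        ("192.168.68.20", "lan-direct"),
        ("192.168.68.20", "hairpin"),
        ("198.51.100.9", "internet"),
        ("::ffff:192.168.68.20", "lan-direct"),
    ]
    return {(ip, path): requires_auth(observed_peer(ip, path)) for ip, path in cases}

if __name__ == "__main__":
    for (ip, path), auth in demo().items():
        print(f"{ip:24} {path:11} credentials required: {auth}")
```

The same LAN client is let through on the direct path and challenged on the hairpin path, which is the behaviour reported in the post.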
1 Accepted Solution
Re:NAT loopback / hairpin NAT-Solution
2026-01-06 09:47:07 - last edited 3 weeks ago

Pete56 wrote

I have a local mesh network and home automation server (Pi5, Node-Red) which I'm accessing both locally and externally. To have better security than just NAT and userId/password, I have now built a reverse proxy in the same Docker as the server. Proxy also implements SSL traffic. My wish is that accessing the server externally (only port 443 is open) I need to give userID and password for the proxy, but accessing the server via proxy internally (still using the same domain name xyz.tplinkdns.com) the credentials would not be asked. That should be possible by configuring the proxy so that it identifies the IP range coming internally and bypasses the security.

  @Pete56 

Hi, thank you very much for the feedback.

As far as I know, the DHCP server configurations on all Deco models are almost the same, and TP-Link routers apply a similar NAT Loopback process. If Deco M5 didn't work, neither did other models.

 

Sorry for the inconvenience.

Best regards.

 

Recommended Solution
#3
4 Reply
Re:NAT loopback / hairpin NAT
2025-12-30 03:17:36
Need help with the Deco app, setup, Ethernet backhaul, network switch or rolling back firmware? Router or AP mode? https://community.tp-link.com/us/home/forum/topic/699816?page=1
#2
Re:NAT loopback / hairpin NAT
2 weeks ago

from other users and TP-Link staff. Just a couple of tips that might help while you’re working through solutions:

  • When posting in the business forum, include detailed model numbers, firmware versions, and screenshots of any error messages you’re seeing. That tends to get faster and more accurate responses from both the community and TP-Link moderators.
  • If your issue is time-sensitive or you’re not getting replies here, TP-Link also offers official support channels — including phone, live chat, and email — that might help you get direct support from the technical team for your specific hardware or setup.
  • Another thing I’ve noticed is that a lot of networking issues (especially with business products) can come down to mismatched firmware or misconfigured VLANs / routing, so double-checking those basics can save a lot of troubleshooting time.

Hope you get it sorted soon — and if you do find a working solution that others could benefit from, please update your thread here so folks can learn from it too! 👍

#4
Re:NAT loopback / hairpin NAT
2 weeks ago

Thank you  @David-TP 

 

I have bought a new router, Archer BE3600, which has a bit more advanced settings possibilities. When it comes to hairpin/NAT, it is like you suggested - it behaves the same as my old Deco M5. It means that I cannot redirect the domain name locally as the router only shows it comes from the internet. As an example, I cannot have a different rule for password checking when using services internally or externally.

 

But I have to accept the solution by now, so marking this as completed.

 

Thanks

#5