Virtual-Server and One-to-one NAT failures and hairpin/loopback issues

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2022-09-02 07:46:42 - last edited 2022-09-02 08:10:19
Model: ER7206 (TL-ER7206)  
Hardware Version: V1
Firmware Version: v1.2.1

I have experimented quite a bit with both features. I have 13 static IPs from my ISP. They work just fine outside ER7206 (WAN) side.

I started with firmware 1.2.1.
Reading through all the firmware patches since 1.0, it is clear there have been ongoing "issues" with support for 1:1 NAT and Virtual-Servers, along with related issues of SNAT/Hairpin/Loopback support.

My solution path was a complicated sequence starting with FAILURE just doing the simple instructions for configuring 1:1 NAT.

Then I decided to allocate a second WAN port and assigned it one of my 13 IP addresses. I then configured a Virtual-Server and the Firewall traversal rule to allow external traffic to that WAN->LAN Virtual-Server mapping.

BUT, it didn't work at all UNTIL I also turned on Load-Balancing, at which point it worked from an external WAN address, but the hairpin/loopback failed for a LAN address trying to reach it.

So then I downgraded to firmware 1.1.1 as a last-known-good firmware. While that did NOT fix the Virtual-Server hairpin/loopback for a LAN address to reach the Virtual-Server WAN address+port, it did enable the 1:1 NAT to start working and in doing so the 1:1 NAT hairpin/loopback started working.

So then I re-upgraded to firmware 1.2.1 and the 1:1 NAT kept working. The Virtual-Server still worked for a WAN to server request, but not for a hairpin/loopback of a LAN to server request. At which point, my machine's WAN IP changed to the 1:1 NAT IP (reinforcing the voodoo recipe requirement of enabling LOAD BALANCING etc.).

All in all this is quite "flaky" compared to a WATCHGUARD or ZYXEL or older Linksys LRT224. Those systems have more explicit control and clarity with regard to loopback, SNAT etc. for these situations.

Most of all, this is often not made very clear:
a) for exposing all ports via a WAN IP use 1:1 NAT, for exposing explicit ports via a WAN IP use virtual-server (iff the hairpin/loopback works for you; combine with multiple WAN ports as appropriate if 1:1 NAT is NOT working for you)
b) enable multi-wan routing by turning on load-balancing
c) enable traffic through firewall policy by creating rules (whether you have DMZ enabled or not)
d) understand the MAGIC of when your device will support loopback/hairpin/SNAT behavior
*) I also recommend naming the IP/GROUP names using "LAN_OCTET" like LAN_200 so you can understand them clearly through the various ER7206 configs.

When I couldn't make anything work, I tried using TWO WAN PORTS and assigned them different static WAN IPs from my ISP allocated pool. That is kind of like 1:1 NAT and it is what clued me in and also caused me to do things that must have updated internal tables in the ER7206 and possibly RARP/ARP tables in related ISP equipment.

Best of luck getting it to work for you.

As far as I am concerned it is UNRELIABLE and TP-LINK really needs to add some explicit button/option to turn on SNAT/Hairpin/Loopback as well as add information to the routing table area to tell you when/if you have forgotten to configure things so AT LEAST one port is allowed through.

----
 

Helpful Links

  • https://httpstatus.io test externally
  • https://www.nslookup.io dns mapping/caching verification
  • https://www.whatsmyip.org useful to verify ER7206 WAN mapping
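Added example (not from the original post or from TP-Link): a small Python model of the hairpin/loopback behaviour the post describes. It shows why a virtual-server (port-forward) rule answers WAN clients fine but fails for a LAN client addressing the WAN IP unless the router also source-NATs the hairpinned flow, and why a missing firewall traversal rule drops everything. All addresses, the port mapping and the `exchange` helper are constructed for the illustration; the router logic is the generic DNAT/SNAT/conntrack model, not the ER7206 firmware.

```python
"""Toy model of virtual-server (DNAT) forwarding with and without hairpin SNAT.

Constructed example: documentation-range addresses, not a real deployment.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.0.0/24")   # constructed LAN subnet
ROUTER_LAN_IP = "192.168.0.1"        # router's inside address
WAN_IP = "203.0.113.10"              # constructed public WAN IP

# Virtual-server table: (WAN IP, external port) -> (internal host, port).
# Anything not listed is what the post calls a missing firewall/traversal rule.
VIRTUAL_SERVERS = {(WAN_IP, 443): ("192.168.0.200", 443)}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def in_lan(ip: str) -> bool:
    return ip_address(ip) in LAN


def router_forward(pkt: Packet, hairpin_snat: bool):
    """Router's inbound path: DNAT per the virtual-server table, optional SNAT.

    Returns (translated packet, original packet) so the caller can model the
    conntrack entry, or (None, None) when no rule matches and the packet is dropped.
    """
    target = VIRTUAL_SERVERS.get((pkt.dst, pkt.dport))
    if target is None:
        return None, None
    translated = Packet(pkt.src, pkt.sport, target[0], target[1])
    if hairpin_snat and in_lan(pkt.src) and in_lan(translated.dst):
        # Hairpin: rewrite the source so the server's reply comes back through us.
        translated = Packet(ROUTER_LAN_IP, pkt.sport, translated.dst, translated.dport)
    return translated, pkt


def server_reply(pkt: Packet) -> Packet:
    """The internal server simply swaps the addresses it saw."""
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)


def exchange(client_ip: str, client_port: int, hairpin_snat: bool, dport: int = 443) -> dict:
    """Simulate one request/reply and report whether the client accepts the reply."""
    request = Packet(client_ip, client_port, WAN_IP, dport)
    forwarded, original = router_forward(request, hairpin_snat)
    if forwarded is None:
        return {"accepted": False, "via_router": False, "reply_src": None,
                "reason": "no virtual-server rule for that port"}
    reply = server_reply(forwarded)

    # Return-path decision made by the server's own IP stack.
    if in_lan(reply.dst) and reply.dst != ROUTER_LAN_IP:
        # Same subnet: the reply goes straight over the switch; the router never
        # sees it, so nothing un-translates the source address.
        seen = reply
        via_router = False
    else:
        # Off-subnet destination (WAN client) or addressed to the router (SNAT case):
        # the router matches its conntrack entry and reverses both translations.
        seen = Packet(original.dst, original.dport, original.src, original.sport)
        via_router = True

    # The client opened a flow to WAN_IP:dport, so only a reply from that
    # tuple matches; a reply from the server's private address is discarded.
    accepted = (seen.src, seen.sport) == (WAN_IP, dport) and seen.dst == client_ip
    return {"accepted": accepted, "via_router": via_router, "reply_src": seen.src,
            "reason": "ok" if accepted else "reply source does not match the flow"}


if __name__ == "__main__":
    print("WAN client, no SNAT :", exchange("198.51.100.7", 40000, hairpin_snat=False))
    print("LAN client, no SNAT :", exchange("192.168.0.50", 40000, hairpin_snat=False))
    print("LAN client, SNAT    :", exchange("192.168.0.50", 40000, hairpin_snat=True))
    print("WAN client, no rule :", exchange("198.51.100.7", 40000, False, dport=8080))
```

Running it prints the four cases from the post's checklist: an external client succeeds with DNAT alone, a LAN client reaching the WAN IP gets a reply straight from 192.168.0.200 and discards it, the same LAN client succeeds once the router SNATs the hairpinned flow so the reply is forced back through it, and a port with no virtual-server/firewall rule is dropped outright.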