How to setup NAT Hairpin/Loopback on ER605?
I'm a happy user of the ER605. I would like to understand, though, how to correctly configure the following network setup, especially how to enable hairpin/loopback NAT (I found in many posts that it works automatically; I'm used to explicit rules such as iptables or MikroTik).
So, here's my network:
My network - comments:
- WAN has static public IP 85.123.123.123
- LAN has 2 machines
- WWW-server runs the Apache on 192.168.0.50:443
- Laptop is a typical MacOS
- There is port forwarding configured from WAN:41414 to 192.168.0.50:443
- Firewall allowing inbound traffic only to the port 41414 which is forwarded to WWW-server
How I configured that on the ER605:
- Preferences -> Service Type
  - Added HTTPS: TCP, Source Port = 0-65535; Destination Port = 443-443
- Transmission -> NAT -> Virtual Servers
  - Added HTTPS-forward: Interface=WAN, External Port=41414, Internal Port=443, Internal Server IP=192.168.0.50, Proto=TCP
- Firewall, two rules:
  - HTTPS: Policy=Allow, ServiceType=HTTPS, Direction=WAN[IN], Source=IPGroup_ANY, Destination=IPGroup_LAN
  - FIREWALL: Policy=Block, ServiceType=All, Direction=WAN[IN], Source=IPGroup_ANY, Destination=IPGroup_ANY
Above works pretty well, meaning: I allow only particular traffic with port forwarding, blocking anything else coming to WAN from outside. LAN to Internet is unblocked. And if I connect from the internet to the 85.123.123.123:41414, I can see my homepage served from WWW-server.
Now the problem is, I'd like to access the WWW-server using exactly the same method as above, but from inside the LAN, so from Laptop:192.168.0.123. When I do it, it doesn't work (the browser waits for the connection until timeout). So how come the hairpin/loopback NAT is added automatically, or how do I do it correctly?
I tried to experiment with one-to-one NAT, setting Original IP:192.168.0.50 to Translated IP:85.123.123.123 with DMZ Forwarding enabled, and it seemed to work, but when I try to traceroute any address on the internet (e.g. 8.8.8.8) from inside the LAN it hangs on 192.168.0.1.
I'm a bit lost how to set it up correctly, and unfortunately it's not described anywhere. I was referring to:
- https://community.tp-link.com/en/home/stories/detail/1726 (could be extended with answers to my questions above)
- https://community.tp-link.com/en/business/forum/topic/579936
- https://community.tp-link.com/en/business/forum/topic/271056
I'm happy to provide any more details and do some additional tests if you connect me with some technical expert.
Thank you!
Maciej
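The mechanism behind the question, as an added example that is not part of the post or of TP-Link's firmware: a small Python model of what a hairpin (loopback) NAT has to do on top of a plain virtual-server (DNAT) rule. It uses the addresses from the post (WAN 85.123.123.123, router LAN side 192.168.0.1, server 192.168.0.50:443, laptop 192.168.0.123, external port 41414); the client source port 50000 and the outside client 203.0.113.7 are constructed. The model shows why the LAN client times out when only the destination is rewritten: the server answers the laptop directly on the same subnet, so the reply never passes back through the router, and the laptop's TCP stack sees a SYN-ACK from 192.168.0.50:443 instead of from 85.123.123.123:41414 and drops it. Rewriting the source of hairpinned connections to the router's LAN address (the SNAT/masquerade half of a loopback NAT) forces the reply back through the router, where it can be un-translated.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Addresses taken from the post; constructed values are marked below.
WAN_IP = "85.123.123.123"
ROUTER_LAN_IP = "192.168.0.1"
LAN_PREFIX = "192.168.0."
# Virtual server rule from the post: external port -> (internal ip, internal port)
VIRTUAL_SERVERS: Dict[int, Tuple[str, int]] = {41414: ("192.168.0.50", 443)}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def is_lan(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


class Router:
    """Toy NAT: DNAT for virtual servers, optional SNAT for hairpinned LAN clients."""

    def __init__(self, hairpin_snat: bool) -> None:
        self.hairpin_snat = hairpin_snat
        # conntrack: (server side 4-tuple as the server sees it) -> original client 4-tuple
        self.conntrack: Dict[Tuple[str, int, str, int], Tuple[str, int, str, int]] = {}

    def forward(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet aimed at the WAN address; None if no rule matches."""
        if pkt.dst != WAN_IP or pkt.dport not in VIRTUAL_SERVERS:
            return None
        srv_ip, srv_port = VIRTUAL_SERVERS[pkt.dport]
        new_src = pkt.src
        # Hairpin case: the client is on the LAN, so also rewrite the source,
        # otherwise the server replies to the client directly and bypasses the NAT.
        if is_lan(pkt.src) and self.hairpin_snat:
            new_src = ROUTER_LAN_IP
        out = Packet(new_src, pkt.sport, srv_ip, srv_port)
        self.conntrack[(out.dst, out.dport, out.src, out.sport)] = (
            pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return out

    def reply(self, pkt: Packet) -> Optional[Packet]:
        """Reverse-translate a server reply that reached the router; None if unknown."""
        orig = self.conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return None
        client_ip, client_port, ext_ip, ext_port = orig
        return Packet(ext_ip, ext_port, client_ip, client_port)


def client_accepts(sent: Packet, received: Optional[Packet]) -> bool:
    """A TCP client only matches a reply whose source is the exact address:port it connected to."""
    return received is not None and (
        received.src == sent.dst and received.sport == sent.dport
        and received.dst == sent.src and received.dport == sent.sport)


def simulate(client_ip: str, hairpin_snat: bool) -> str:
    """Run one SYN from client_ip to WAN:41414 through the toy router and report the outcome."""
    router = Router(hairpin_snat)
    syn = Packet(client_ip, 50000, WAN_IP, 41414)  # source port 50000 is constructed
    to_server = router.forward(syn)
    if to_server is None:
        return "no rule"
    # The server answers whatever source address it saw.
    reply = Packet(to_server.dst, to_server.dport, to_server.src, to_server.sport)
    if is_lan(reply.dst) and reply.dst != ROUTER_LAN_IP:
        delivered = reply            # same subnet: delivered directly, router never sees it
    else:
        delivered = router.reply(reply)  # goes back through the router and is un-translated
    return "connected" if client_accepts(syn, delivered) else "timeout"


if __name__ == "__main__":
    print("LAN client, DNAT only:    ", simulate("192.168.0.123", hairpin_snat=False))
    print("LAN client, DNAT + SNAT:  ", simulate("192.168.0.123", hairpin_snat=True))
    print("Internet client (203.0.113.7, constructed):", simulate("203.0.113.7", hairpin_snat=False))
```

The outside client works in both configurations because its reply has to leave via the router anyway; only the LAN-to-LAN path needs the extra source rewrite. The trade-off a practitioner should expect from that rewrite is visible in the model too: the web server now sees hairpinned connections as coming from 192.168.0.1, so Apache's access logs lose the real LAN client address for those requests.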
But interestingly, sometimes it works, sometimes it doesn't.
For me now it's not working, but 3 hours back, all was fine.
I have no clue.
Information
Helpful: 1
Views: 6812
Replies: 11