How to setup NAT Hairpin/Loopback on ER605?

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
2023-04-01 23:00:56 - last edited 2023-08-15 09:01:57
Tags: #NAT
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.1.2 Build 20230210 Rel.62992

I'm a happy user of the ER605. I would like to understand, though, how to correctly configure the following network setup, especially how to enable hairpin/loopback NAT (I found in many posts that it works automatically; I'm used to explicit rules such as iptables or MikroTik).

 

So, here's my network:

My network - comments:

  • WAN has static public IP 85.123.123.123
  • LAN has 2 machines
    • WWW-server runs Apache on 192.168.0.50:443
    • Laptop is a typical macOS machine
  • There is port forwarding configured from WAN:41414 to 192.168.0.50:443
  • Firewall allows inbound traffic only to port 41414, which is forwarded to the WWW-server

 

How I configured that on the ER605:

  • Preferences -> Service Type
    • Added HTTPS: TCP, Source Port = 0-65535; Destination Port = 443-443
  • Transmission -> NAT -> Virtual Servers
    • Added HTTPS-forward: Interface=WAN, External Port=41414, Internal Port=443, Internal Server IP=192.168.0.50, Proto=TCP
  • Firewall two rules:
    • HTTPS: Policy=Allow, ServiceType=HTTPS, Direction=WAN[IN], Source=IPGroup_ANY, Destination=IPGroup_LAN
    • FIREWALL: Policy=Block, ServiceType=All, Direction=WAN[IN], Source=IPGroup_ANY, Destination=IPGroup_ANY

 

The above works pretty well, meaning: I allow only particular traffic with port forwarding, blocking anything else coming to the WAN from outside. LAN to Internet is unblocked. And if I connect from the internet to 85.123.123.123:41414, I can see my homepage served from the WWW-server.

 

Now the problem is, I'd like to access the WWW-server using exactly the same method as above, but from inside the LAN, so from Laptop:192.168.0.123. When I do it, it doesn't work (the browser waits for the connection until timeout). So how is the hairpin/loopback NAT added automatically, or how do I set it up correctly?

 

I tried to experiment with one-to-one NAT, setting Original IP: 192.168.0.50 to Translated IP: 85.123.123.123 with DMZ Forwarding enabled, and it seemed to work, but when I try to traceroute any address on the internet (i.e. 8.8.8.8) from inside the LAN it hangs at 192.168.0.1.

 

I'm a bit lost on how to set it up correctly, and unfortunately it isn't described anywhere. I was referring to:

  • https://community.tp-link.com/en/home/stories/detail/1726 (could be extended with answers to my questions above)
  • https://community.tp-link.com/en/business/forum/topic/579936
  • https://community.tp-link.com/en/business/forum/topic/271056

 

I'm happy to provide more details and do some additional tests if you connect me with a technical expert.

Thank you!

Maciej

#1
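What the symptom above (browser waiting until timeout) looks like at the packet level, as an added toy model that is not from this thread or from TP-Link: the connection-tracking logic, the `Router` class and the external client address 203.0.113.7 are constructed for illustration; the LAN/WAN addresses and the 41414 to 443 forward are taken from the post.

```python
# Added example, not from the thread: a toy model of DNAT plus hairpin SNAT with
# the addresses from the original post, showing why a LAN client that connects
# to its own public IP:port times out unless the router also masquerades it.
from dataclasses import dataclass

WAN_IP, LAN_GW = "85.123.123.123", "192.168.0.1"
FORWARD = {(WAN_IP, 41414): ("192.168.0.50", 443)}  # virtual server WAN:41414 -> server:443

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

    def reversed(self) -> "Pkt":
        return Pkt(self.dst, self.dport, self.src, self.sport)

def is_lan(ip: str) -> bool:
    return ip.startswith("192.168.0.")

class Router:
    def __init__(self, hairpin: bool):
        self.hairpin = hairpin
        self.conntrack: dict = {}  # expected reply 4-tuple -> original client packet

    def forward(self, p: Pkt) -> Pkt:
        """DNAT to the virtual server; SNAT to the LAN gateway IP when hairpinning."""
        tgt = FORWARD[(p.dst, p.dport)]
        src = LAN_GW if self.hairpin and is_lan(p.src) else p.src
        out = Pkt(src, p.sport, tgt[0], tgt[1])  # toy: source port is not remapped
        self.conntrack[out.reversed()] = p
        return out

    def handle_reply(self, r: Pkt):
        """Undo both translations for a reply that comes back through the router."""
        orig = self.conntrack.get(r)
        return None if orig is None else orig.reversed()

def connect(client_ip: str, hairpin: bool) -> bool:
    """True if the client's TCP stack can match the reply to the SYN it sent."""
    router = Router(hairpin)
    sent = Pkt(client_ip, 50000, WAN_IP, 41414)
    reply = router.forward(sent).reversed()  # server answers the tuple it saw
    if is_lan(reply.dst) and reply.dst != LAN_GW:
        arrived = reply  # delivered via the switch straight to the laptop, bypassing the router
    else:
        arrived = router.handle_reply(reply)  # external client, or hairpin via the gateway
    return arrived == sent.reversed()
```

Without the hairpin SNAT the laptop receives a SYN-ACK from 192.168.0.50:443 for a connection it opened to 85.123.123.123:41414, so its TCP stack discards it and the browser waits; with it, the reply returns through the router and both translations are undone.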
Re:How to setup NAT Hairpin/Loopback on ER605?
2023-04-02 16:53:11

  @consmast 

 

Two thoughts for you.

 

1. Why not dispose of all those FW rules and simply set your DMZ to a non-existing IP on your LAN? Let's say that's 192.168.0.254... Any traffic not having a port-forward defined on the ER605 will then be forwarded to a device for which there is no ARP, so basically a blackhole. I don't even bother with this in my setup; I'd rather just drop the traffic at the WAN interface.

 

2. If you want to play around with FW rules, then maybe you need to add the 41414 port to this definition:

 

  • Added HTTPS: TCP, Source Port = 0-65535; Destination Port = 443,41414

 

I know the auto NAT loopback works for me; in fact, I use my Dynamic DNS name both externally and internally, i.e. somedomain_com:8080 works both on my LAN and from the Internet, which is super nice (thanks TP-Link!). I have no specific FW rules set up, just specific port forwards for services and servers.

<< Paying it forward, one juicy problem at a time... >>
#2
Re:How to setup NAT Hairpin/Loopback on ER605?
2023-04-02 21:29:07

  @d0ugmac1 thank you for quick reaction!

 

Ad 1. I'm afraid I don't understand your idea. Let me rephrase:

- instead of FW rules I should set one NAT-DMZ to a non-existing host

- should I do it within NAT -> One-To-One NAT, or NAT-DMZ settings?

- port forwarding should be set as I have it

 

Ad 2. Somehow I cannot get NAT loopback working on my side; I had to set up a dnsmasq server to resolve local network names.

- Did you set anything specific for the NAT loopback? In particular, do you configure your router with the web interface or the Omada Controller (SW or HW)?

- How is somedomain_com:8080 resolved (to which IP) inside the LAN vs. from the Internet?

 

Could you please help me out? Thank you in advance!

 

 

Greetings,

Maciej

#3
Re:How to setup NAT Hairpin/Loopback on ER605?
2023-04-02 22:32:13

  @consmast 

 

1. NAT-DMZ, or set nothing at all. Should have the same effect from outside. From what I could see, the rules you set up added no additional benefit.

 

2. somedomain_com is resolved by external DNS (remember I said I have a dynamic DNS setup for my WAN IP?). That means a local client resolves it and gets the public IP of the ER605 WAN. Then when it requests that IP, i.e. somedomain_com becomes 1.2.3.4 or whatever, the 'magic loopback' of the ER605 works. I generally keep the public WAN port the same as the private LAN port of the server I want to hit, but this shouldn't make a difference in this case.

#4
Re:How to setup NAT Hairpin/Loopback on ER605?
2023-04-03 00:00:11
Hmm, then I need to start from scratch. What I would definitely like to achieve is to block all possible traffic from the outside other than the forwarded port (41414 -> 443). How do I set it up so that loopback NAT works? And a bonus question: can you distinguish in the web configuration which options set DST-NAT, which ones set SRC-NAT and which ones set the masquerade? If possible I could even set up a Zoom call with you. I'd then like to summarize my setup and solution; I saw many people asking about the same.

Thanks!

Maciej
#5
Re:How to setup NAT Hairpin/Loopback on ER605?
2023-04-03 02:17:57

  @consmast 

 

By definition, i.e. because the ER605 is a pure NAT router, any port NOT forwarded is in fact blocked from accessing the LAN. You can control how the router itself responds to external things like pings or accesses to its own exposed ports on its WAN (like its web UI) via separate settings on the router.

 

IMHO, the settings you are playing with are more useful for blocking users' access to parts of the web than for blocking hackers from your users.

 

You can prove this to yourself by port-scanning your public IP (I believe there are sites that will do this for you and give a report of all ports that respond).

#6
Re:How to setup NAT Hairpin/Loopback on ER605?
2023-04-03 12:53:29

  @d0ugmac1 OK, this completely changes my view on that router. Let me experiment a bit, and I'll come back to confirm. Anyhow, if I get stuck, would you be able to set up a quick Zoom call and support me?

#7
Re:How to setup NAT Hairpin/Loopback on ER605?
2023-07-25 18:50:13 - last edited 2023-07-25 18:51:08

  @consmast 

@d0ugmac1  

Hi guys,

 

Sorry for bringing the topic up again, but I replaced my old TP-Link WLAN router with a new ER605 v2 managed by the Omada Software Controller.

The router firmware is 2.1.2.

My setup is as follows:

 

[modem] - DMZ to router IP - [ER605 router] NAT to Synology NAS on 443 - [TL-SG2218] - [Synology NAS]

 

When accessing my HTTPS domains via the Internet all is working as expected, like with my old TL1043-ND WLAN router.

The services are hosted on the Synology NAS within our network.

BUT when accessing the HTTPS services from inside the network it's not working anymore. The services are not reachable.

If I switch back to the old router, it's instantly working again.

 

I have read a couple of threads here with the same issues, but this seems to have been solved with a firmware from months ago.

What did I miss in my configuration to get that working again?

Thanks a lot for any help,

Mark
#8
Re:How to setup NAT Hairpin/Loopback on ER605?
2023-08-14 12:10:00

  @Compumark hi!

 

I've solved my issue by installing DNS internally, to resolve the domain names to LAN IPs. I must say I haven't had enough time to go through @d0ugmac1's recommended setup once again, but I will do it in a couple of days. For me it's still a bit hard to understand how this router works by default, simply because I got used to configuring the FW with netfilter, where I could see all the rules explicitly. Somehow I'm the terminal boy, not the WebUI ;-)

 

@d0ugmac1 are you still available to help?

#9
Re:How to setup NAT Hairpin/Loopback on ER605?
2023-08-14 14:38:53
I am still out here, summer hours though :)
#10
Re:How to setup NAT Hairpin/Loopback on ER605?
2023-08-14 15:01:33

  @consmast 

I also tried all possible settings. I ended up doing a factory reset of the router. I configured it without Omada first, and there the loopback was suddenly working.

So I adopted it back into Omada and left the settings from the router, and it's still working until now.

#11