Thursday, August 13, 2015

Ubiquiti AirOS Hairpin NAT


When setting up a port forward (Destination NAT) on a Ubiquiti AirOS device, you will find that users inside your network will not be able to use the WAN IP to access the internal device. This is because you need to add what is known as a "Hairpin NAT". Read below for instructions on how to do that, and why it is necessary.

Picture the network below:

In order for a user on the WAN side of the router to be able to access the webserver, you would add the following port forward to your router:

This would now work for users outside the network, but if you wanted to access the webserver from the workstation inside the LAN by using the IP 12.34.56.78, it would fail. Why?

Let us picture the process as follows:

This explains why the workstation never receives the response, and why a connection isn't opened.

To fix this, we need to make sure that the server responds via the router. We do this by telling the router to change not only the Destination IP, but also the Source IP in step 1 above.
Unfortunately, as of version 5.6 of AirOS, Ubiquiti still hasn't implemented a hairpin function in the web interface, but you can do it from the command line.
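To make the packet walk above concrete without the diagram, here is a small model of the router's NAT table that traces the request and the reply in both cases. This is an added example, not part of the original post; the router's LAN address, the workstation and the webserver (10.0.0.1, 10.0.0.5, 10.0.0.10) are assumed, the public IP 12.34.56.78 and the 10.0.0.0/24 subnet are the post's.

```python
from dataclasses import dataclass, replace

WAN_IP = "12.34.56.78"       # public IP from the post
ROUTER_LAN = "10.0.0.1"      # assumed LAN address of the AirOS router
WORKSTATION = "10.0.0.5"     # assumed LAN client
WEBSERVER = "10.0.0.10"      # assumed port-forward target


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def connect_via_wan_ip(hairpin: bool) -> bool:
    """Trace one request/reply through the router's NAT.

    Returns True if the reply reaches the workstation from the address it
    originally sent to (the only case in which the TCP handshake completes).
    """
    # Step 1: the workstation sends to the public IP. The port forward
    # (DNAT) rewrites the destination to the webserver; with hairpin NAT
    # the MASQUERADE rule additionally rewrites the source to the router.
    request = Packet(WORKSTATION, WAN_IP)
    translated = replace(request, dst=WEBSERVER)
    if hairpin:
        translated = replace(translated, src=ROUTER_LAN)

    # The router records the translated 5-tuple so it can reverse it on
    # the reply (conntrack entry).
    conntrack = {(translated.dst, translated.src): (request.dst, request.src)}

    # Step 2: the server answers whatever source address it saw.
    reply = Packet(src=translated.dst, dst=translated.src)

    # Step 3: the server and the workstation share a LAN segment, so a reply
    # addressed to the workstation is delivered directly and never passes
    # the router. Only a reply addressed to the router is un-NATed.
    if reply.dst == ROUTER_LAN and (reply.src, reply.dst) in conntrack:
        orig_dst, orig_src = conntrack[(reply.src, reply.dst)]
        reply = Packet(src=orig_dst, dst=orig_src)

    # Step 4: the workstation accepts the reply only if it comes from the
    # IP it connected to; a SYN-ACK from 10.0.0.10 matches no socket.
    return reply.src == WAN_IP and reply.dst == WORKSTATION
```

Without hairpin the reply arrives from 10.0.0.10 instead of 12.34.56.78 and the connection is reset; with hairpin the router sees both directions and undoes both translations.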

What you need to do is open a telnet or SSH session to the router and run the following command:
echo iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 12.34.56.78 -j MASQUERADE >> /etc/persistent/rc.poststart

This will add a rule to your router's firewall that says: when anyone inside the 10.0.0.0/24 subnet tries to connect to 12.34.56.78, the SOURCE IP will be replaced with the source IP of the router.

Run the following command to save the change:
cfgmtd -w -p /etc/
Then reboot the router.

When you open the web interface for the router, you will now see that it shows you are running custom scripts. Do not be alarmed; this is normal.


You should now be able to connect to the device using the public IP of your router.