
paul151

309 posts

Ultimate Geek

Trusted

#315286 30-Jun-2024 12:23

Hi there.

 

Could use the wisdom of the forum to guide me as to how best to get things working.

 

I'm running an EdgeRouter ER-4 and have a static IPv4 and IPv6 with Quic and my internet connection works OK.

 

eth0 is the port to the ONT and eth1 is used for 192.168.1.254/24 

 

Also worth knowing is the home wifi is run off a Google Nest setup, so the Nest router is connected to the home LAN via ethernet and has a 192.168.1.x address, but its own address is 192.168.86.1 and the wifi devices are all 192.168.86.x.

 

I've started to host a few services at home using docker containers, which include a few servers and a reverse Nginx proxy listening on 80 and 443. From outside the house there are no issues reaching them via their domain names etc., but inside the home I just hit the EdgeRouter login screen.

 

Not sure if that extra bit of my wireless setup impacts on how much more I need to do to get everything working internally (or not)? Either way, at present cabled LAN devices on the 192.168.1.x range hit the router login screen when I plug in a domain name with my static IP... and on wifi devices I get 'can't open page'.

 

I've been trying to understand how I should configure either masquerade or hairpin to address this but am lost.

 

I've attached a couple of screen grabs which show you how I have the masquerade enabled, but it does not seem to work. This was (from memory) working prior to changing ISP, I think. I have tried setting the outbound interface from pppoe0 to eth0 but it does not change my efforts internally to reach the servers.

 

I do not have hairpin enabled via GUI, and when I have tried it, it also didn't seem to do anything, but I'm not really clear if it's an either/or setup and what I am doing there :)

 

 

 

 

 

Thanks for any/all advice.





Quic "Sprinter" UFB - Ref (free setup): R338237EFDIUJ

 

Agency BBS | fsxNet | Agency News | Total FM


mentalinc
3229 posts

Uber Geek

Trusted

  #3254746 30-Jun-2024 15:11

How are you wanting to access the internally hosted services?

 

I assume you have dns and your own domain somewhere?

 

service1.paul151.com

 

service2.paul151.com

 

 

 

Are you planning to hit them via nginx like this?

 

paul151.com/service1

 

paul151.com/service2

 

 

 

In short, do you want direct access internally, or via nginx always?

 

 

 

First option - host dns server internally with the internal

 

service1.paul151.com 192.168.1.xxx

 

 

 

You also look to have some double NAT going on, which isn't going to be helping matters.





CPU: AMD 5900x | RAM: GSKILL Trident Z Neo RGB F4-3600C16D-32GTZNC-32-GB | MB:  Asus X570-E | GFX: EVGA FTW3 Ultra RTX 3080Ti| Monitor: LG 27GL850-B 2560x1440

 

Quic: https://account.quic.nz/refer/473833 R473833EQKIBX 




paul151

309 posts

Ultimate Geek

Trusted

  #3254768 30-Jun-2024 15:36

>> How are you wanting to access the internally hosted services?

 

I'd like to be able to enter the same domain name I use outside my home LAN and hit the same hosted services I can reach from outside the house.

 

>> I assume you have dns and your own domain somewhere? service1.paul151.com service2.paul151.com

 

Yes, I have DNS records set up for various domain names, but the A record for each all points to the same static IPv4 address I have at home where stuff is hosted.

 

>> Are you planning to hit them via nginx like this? paul151.com/service1 paul151.com/service2

 

It's more like www.thisdomain.nz and www.thatdomain.nz, and yes, I'd like to access them via nginx but using the domain name.

 

At the moment I can use my browser and point it to the LAN IP and port of the docker host system I want to reach and get to it that way, but it's not ideal.

 

I can also add a record like www.thisdomain.nz in my Windows hosts file and point that to the 192.168.1.x address of the docker host system, and that works also.

 

>> In short, do you want direct access internally, or via nginx always?

 

I think (based on what I have shared in this reply with you) that I can access the hosted servers via nginx directly if I state the IP and port I am trying to reach on the docker host system that's running nginx proxy manager...

 

But what I'm after is to be able to pop in the domain name and have that work with my LAN with nginx proxy manager.

 

>> First option - host dns server internally with the internal service1.paul151.com 192.168.1.xxx

 

Hoping to avoid this, and thought that using some option of masquerade or hairpin may solve the issue I am facing.

 

>> You also look to have some double NAT going on, which isn't going to be helping matters.

 

Yes, wondering how the double NAT going on with wifi may impact things. But I figure if I can get a web browser on my home LAN working first, that would be a good first step.

 

Thanks for your reply and appreciate the help / thoughts :)







Spyware
3762 posts

Uber Geek

Lifetime subscriber

  #3254781 30-Jun-2024 16:02

Firewall / NAT > NAT > +Add Source NAT Rule

 

Description: hairpin
Outbound Interface: eth1
Translation: Use Masquerade
Protocol: TCP
Source Address: 192.168.1.0/24
Destination Address: 192.168.1.10
Destination Port: 443

Assumption: nginx is on 192.168.1.10:443




Spark Max Fibre using Mikrotik CCR1009-8G-1S-1S+, CRS125-24G-1S, Unifi UAP, U6-Pro, UAP-AC-M-Pro, Apple TV 4K (2022), Apple TV 4K (2017), iPad Air 1st gen, iPad Air 4th gen, iPhone 13, SkyNZ3151 (the white box). If it doesn't move then it's data cabled.




paul151

309 posts

Ultimate Geek

Trusted

  #3254802 30-Jun-2024 16:47

Spyware:

 

Firewall / NAT > NAT > +Add Source NAT Rule

 

Description: hairpin
Outbound Interface: eth1
Translation: Use Masquerade
Protocol: TCP
Source Address: 192.168.1.0/24
Destination Address: 192.168.1.10
Destination Port: 443

Assumption: nginx is on 192.168.1.10:443

 

 

Thank you. It has not worked, but do I need to remove that first entry pointed at pppoe0 as well? Wondering if that may be causing the issue?

 

 

 







Spyware
3762 posts

Uber Geek

Lifetime subscriber

  #3254864 30-Jun-2024 17:26

Firewall / NAT > NAT > +Add Destination NAT Rule

 

Description: hairpin443
Inbound Interface: eth1
Translation Address: 192.168.1.10
Translation Port: 443
Protocol: TCP
Destination Address: public IP
Destination Port: 443






paul151

309 posts

Ultimate Geek

Trusted

  #3254893 30-Jun-2024 18:35

Spyware:

 

Firewall / NAT > NAT > +Add Destination NAT Rule

 

Description: hairpin443
Inbound Interface: eth1
Translation Address: 192.168.1.10
Translation Port: 443
Protocol: TCP
Destination Address: public IP
Destination Port: 443

 

 

Thank you, that helped and got things working on the LAN and also for the WiFi; it's working for 99% of all the domains I am plugging in.

 

In one case I have a service currently not running with an HTTPS setup... so when I pop that domain name in the browser it redirects to the HTTPS address and fails to load.

 

Would I need another set of rules for port 80 as well?







michaelmurfy
meow
13243 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #3256134 3-Jul-2024 23:53

paul151: Would I need another set of rules for port 80 as well?

 

Sure do!

 

But also check out Cloudflare Zero Trust Tunnel if it is just web content. As I know you run a BBS this part won't work, but at least your web stuff both inside and out (and be behind a CDN).

 

I just personally run my own internal DNS server and point everything towards an nginx box internally. External stuff goes via Zero Trust if it is self hosted.





Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.
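To show why both of Spyware's rules are needed (and why port 80 needs its own pair, as confirmed above), here is an added simulation of the EdgeRouter's NAT path. It is not code from the thread or from Ubiquiti; it models the destination NAT rule (public IP:443 -> 192.168.1.10:443, inbound eth1), the masquerade rule (192.168.1.0/24 -> 192.168.1.10:443, outbound eth1), and the pre-existing internet masquerade on pppoe0, in the order the kernel applies them. Constructed values: 203.0.113.5 stands in for the unnamed static public IP, 192.168.1.50 is a sample LAN client, 50000 a sample client port; the class and function names are mine.

```python
"""Hairpin NAT simulation (added example; not from the thread or from EdgeOS)."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

PUBLIC_IP = "203.0.113.5"        # constructed stand-in for the static WAN address
ROUTER_LAN_IP = "192.168.1.254"  # eth1 address from the first post
NGINX_IP = "192.168.1.10"        # reverse proxy host assumed in Spyware's rules
LAN = ipaddress.ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class DnatRule:                  # GUI: "Add Destination NAT Rule"
    inbound_if: str
    dst: str
    dport: int
    to_addr: str
    to_port: int


@dataclass(frozen=True)
class MasqRule:                  # GUI: "Add Source NAT Rule", Translation: Use Masquerade
    outbound_if: str
    src_net: str
    dst: Optional[str] = None    # None matches any destination address/port
    dport: Optional[int] = None


class Router:
    def __init__(self, dnat, masq):
        self.dnat, self.masq = list(dnat), list(masq)
        self.conntrack = {}      # expected reply 4-tuple -> original request

    @staticmethod
    def iface_for(addr):
        return "eth1" if ipaddress.ip_address(addr) in LAN else "pppoe0"

    def forward(self, pkt, inbound_if):
        """DNAT, then routing, then masquerade. Returns (outbound iface, packet);
        "local" means the packet terminates on the router, i.e. its web GUI answers."""
        original = pkt
        for r in self.dnat:
            if (r.inbound_if, r.dst, r.dport) == (inbound_if, pkt.dst, pkt.dport):
                pkt = replace(pkt, dst=r.to_addr, dport=r.to_port)
                break
        if pkt.dst in (PUBLIC_IP, ROUTER_LAN_IP):
            return "local", pkt
        out_if = self.iface_for(pkt.dst)
        for r in self.masq:
            if (r.outbound_if == out_if
                    and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(r.src_net)
                    and r.dst in (None, pkt.dst) and r.dport in (None, pkt.dport)):
                # masquerade rewrites the source to the outbound interface's address
                pkt = replace(pkt, src=ROUTER_LAN_IP if out_if == "eth1" else PUBLIC_IP)
                break
        self.conntrack[(pkt.dst, pkt.dport, pkt.src, pkt.sport)] = original
        return out_if, pkt

    def reply(self, pkt):
        """Undo both translations on a reply that reaches the router, else None."""
        original = self.conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if original is None:
            return None
        return Packet(original.dst, original.dport, original.src, original.sport)


def hairpin_rules(ports=(443, 80)):
    """One DNAT rule plus one masquerade rule per published port."""
    dnat = [DnatRule("eth1", PUBLIC_IP, p, NGINX_IP, p) for p in ports]
    masq = [MasqRule("eth1", "192.168.1.0/24", NGINX_IP, p) for p in ports]
    return dnat, masq


WAN_MASQ = MasqRule("pppoe0", "192.168.1.0/24")   # the existing internet rule


def client_connects(router, client_ip, dport, client_port=50000):
    """What a LAN client gets when it opens PUBLIC_IP:dport through the router."""
    req = Packet(client_ip, client_port, PUBLIC_IP, dport)
    out_if, fwd = router.forward(req, inbound_if="eth1")
    if out_if == "local":
        return "router-login-page"      # the symptom in the first post
    # nginx answers by swapping the addresses it saw; it knows nothing about NAT
    rep = Packet(fwd.dst, fwd.dport, fwd.src, fwd.sport)
    if rep.dst != ROUTER_LAN_IP:
        # DNAT alone: the reply goes straight to the client from 192.168.1.10, but
        # the client's TCP stack expects PUBLIC_IP:dport and discards it
        return "reply-dropped"
    back = router.reply(rep)
    return "ok" if back == Packet(PUBLIC_IP, dport, client_ip, client_port) else "reply-dropped"


if __name__ == "__main__":
    dnat, masq = hairpin_rules()
    for label, router in [("no hairpin rules", Router([], [WAN_MASQ])),
                          ("DNAT only", Router(dnat, [WAN_MASQ])),
                          ("DNAT + masquerade", Router(dnat, masq + [WAN_MASQ]))]:
        print(label, {p: client_connects(router, "192.168.1.50", p) for p in (443, 80, 8443)})
```

Running it prints the outcome for 443, 80 and an unpublished port under each rule set: with no hairpin rules the public IP is the router's own address, so the request lands on its login page; with DNAT only the proxy replies directly to the client, which drops a reply from the wrong address; with both rules the reply is pulled back through the router and un-translated. The WAN masquerade on pppoe0 never matches traffic leaving eth1, so it does not need removing. One consequence worth keeping in mind for monitoring: because the masquerade rewrites the client source to 192.168.1.254, nginx's access logs show every hairpinned LAN client as the router, which is one practical reason the internal-DNS approach recommended below keeps per-client visibility.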

nztim
3815 posts

Uber Geek

ID Verified
Trusted
TEAMnetwork
Subscriber

  #3256148 4-Jul-2024 08:39

michaelmurfy:

 

I just personally run my own internal DNS server and point everything towards an nginx box internally.

 

 

This is the best way of doing it; having hairpin rules leads to a messy configuration which in future becomes hard to maintain.





Any views expressed on these forums are my own and don't necessarily reflect those of my employer. 


Ge0rge
2052 posts

Uber Geek

Trusted
Lifetime subscriber

  #3256490 5-Jul-2024 07:27

michaelmurfy:
I just personally run my own internal DNS server and point everything towards an nginx box internally. External stuff goes via Zero Trust if it is self hosted.



What do you use to do the DNS internally? I have nginx running but have a hairpin on a mikrotik that I'd like to remove.

ANglEAUT
2320 posts

Uber Geek

Trusted
Lifetime subscriber

  #3256501 5-Jul-2024 08:27

Ge0rge:
michaelmurfy:
I just personally run my own internal DNS server and point everything towards an nginx box internally. External stuff goes via Zero Trust if it is self hosted.

 

 

 



What do you use to do the DNS internally? I have nginx running but have a hairpin on a mikrotik that I'd like to remove.

 

The MikroTik can do DNS pretty well, and then there always is the Pi-hole option.





Please keep this GZ community vibrant by contributing in a constructive & respectful manner.


mentalinc
3229 posts

Uber Geek

Trusted

  #3256514 5-Jul-2024 08:40

I use my Pi-hole, built out the /etc/hosts file to my liking.






