Feature #2989
Hairpin nat
| Status: | CLOSED | Start date: | |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 100% |
| Category: | nethserver-firewall-base | | |
| Target version: | v6.6 | | |
| Resolution: | | NEEDINFO: | No |
Description
While split-dns is far better, hairpin nat is a wrong but practical solution, sometimes.
For some background see:
http://shorewall.net/FAQ.htm#faq2
Related issues
Associated revisions
port forward: add hairpin nat support. Refs #2989
Web UI: add hairpin NAT interface. Refs #2989
History
#1 Updated by Filippo Carletti over 6 years ago
- File hairpin_nat.tar.gz added
At the moment, hairpin nat could be implemented on all port forwards with 3 custom templates:
1. interfaces
- $OUT .= "loc\t".$i->key."\tnosmurfs";
+ $OUT .= "loc\t".$i->key."\tnosmurfs,routeback";
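Review bot: the `+` line appends `routeback` for each `$i` written to the `loc` zone with no condition around it, so the option is switched on for every local interface even when no port forward needs to be reached from the LAN. Consider guarding it with a configuration property and keeping the original `nosmurfs`-only line when hairpin NAT is off. The `rules` and `masq` templates are only in the attachment, so this hunk cannot be checked against them here.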
2. rules (see attachment)
3. masq (see attachment)
#2 Updated by Filippo Carletti over 6 years ago
Implementing a gui, we could let the user select if the nat could also be valid from inside.
#3 Updated by Giacomo Sanchietti over 6 years ago
- Target version set to ~FUTURE
#4 Updated by Filippo Carletti over 6 years ago
We can add a master switch that, if enabled, treats all port forwards as "reflective". The switch should go in the Configure -> Firewall rules page.
#5 Updated by Filippo Carletti over 6 years ago
- Related to Enhancement #3083: firewall: routeback on all interfaces added
#6 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from NEW to TRIAGED
- Target version changed from ~FUTURE to v6.6
- % Done changed from 0 to 20
Also create a "Configure" button inside the "Port forward" page to enable the hairpin NAT for all configured port forwards.
#7 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Giacomo Sanchietti
- % Done changed from 20 to 30
#8 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
#9 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 60 to 70
- nethserver-firewall-base-2.4.0-1.2.gd42ef41.ns6.noarch.rpm
- Create a port forward
- Enable hairpin nat
- Try to access the port forward from green zone
#10 Updated by Filippo Carletti over 6 years ago
- Status changed from ON_QA to VERIFIED
- % Done changed from 70 to 90
After enabling hairpin nat, my port forwards work when I access from the lan.
#11 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
- nethserver-firewall-base-2.5.0-1.ns6.noarch.rpm