Hello everyone, I'm having a heck of a time getting hairpin NAT to work as expected.
My setup uses an ER-Pro with eth7 (SFP) connected to my 24-port EdgeSwitch as a trunk line for internet.
I have an Exchange Server in vlan2 with an Exchange Edge Server in vlan3.
Auto port forwarding works and I'm able to send and receive mail when connecting from outside the network, but from inside the network it just won't connect.
Here is my config.
ubnt@ubnt:~$ show configuration firewall { all-ping enable broadcast-ping disable group { } ipv6-receive-redirects disable ipv6-src-route disable ip-src-route disable log-martians enable name WAN_IN { default-action drop description "WAN to internal" rule 10 { action accept description "Allow established/related" state { established enable related enable } } rule 40 { action drop description "Drop invalid state" state { invalid enable } } } name WAN_LOCAL { default-action drop description "WAN to router" rule 10 { action accept description "Allow established/related" state { established enable related enable } } rule 20 { action drop description "Drop invalid state" state { invalid enable } } } receive-redirects disable send-redirects enable source-validation disable syn-cookies enable } interfaces { ethernet eth0 { address 11.22.333.444/28 <—— Removed for security description Internet duplex auto firewall { in { name WAN_IN } local { name WAN_LOCAL } } speed auto } ethernet eth1 { address 172.16.1.1/24 description Local duplex auto speed auto } ethernet eth2 { duplex auto speed auto } ethernet eth3 { duplex auto speed auto } ethernet eth4 { duplex auto speed auto } ethernet eth5 { duplex auto speed auto } ethernet eth6 { duplex auto speed auto } ethernet eth7 { address 10.10.10.1/30 description Trunk duplex auto speed auto } loopback lo { } } port-forward { auto-firewall enable hairpin-nat enable lan-interface eth7 rule 1 { description ExchangeOwa forward-to { address 192.168.1.222 port 443 } original-port 443 protocol tcp } rule 2 { description EdgeSmtp forward-to { address 192.168.3.10 port 25 } original-port 25 protocol tcp } wan-interface eth0 } protocols { static { route 192.168.1.0/24 { next-hop 10.10.10.2 { } } route 192.168.3.0/24 { next-hop 10.10.10.2 { } } route 192.168.4.0/24 { next-hop 10.10.10.2 { } } route 192.168.5.0/24 { next-hop 10.10.10.2 { } } } } service { dns { forwarding { cache-size 150 listen-on eth1 } } gui { http-port 80 https-port 4443 
older-ciphers enable } nat { rule 5010 { description "masquerade for WAN" outbound-interface eth0 type masquerade } } ssh { port 22 protocol-version v2 } } system { gateway-address 11.22.333.444 <——————— Removed for security host-name ubnt login { user ubnt { authentication { encrypted-password ********************************************************** } level admin } } name-server 8.8.8.8 ntp { server 0.ubnt.pool.ntp.org { } server 1.ubnt.pool.ntp.org { } server 2.ubnt.pool.ntp.org { } server 3.ubnt.pool.ntp.org { } } syslog { global { facility all { level notice } facility protocols { level debug } } } time-zone America/Detroit } ubnt@ubnt:~$