ERL Hairpin configuration for HTTPS

Hi all,

I've been reading through articles in the knowledgebase such as "EdgeMAX - NAT Hairpin (Nat Inside-to-Inside / Loopback / Reflection)" and things I've found with Google, but I can't find anything that matches exactly what I want to do, and what I've attempted has left my router in an undesirable state (thankfully there's a 'revert' command!).

The article above and a few others talk about NAT translation for the hairpin such that the external connection port forwards 2222 to 22. This isn't what I want to achieve - this is my setup.

I have the domain abc.net registered and use a dynamic DNS service to point abc.net and www.abc.net to my dynamic IP. My internal network is 8 VLANs split as 192.168.vlan_id.0/24.

I have a number of internal services that I access internally as (for example) www.abc.org. Initially this was straightforward because I'd just set a server alias in Apache and the server would respond to www.abc.org and www.abc.net.

So next I decided to add HTTPS to my servers. This breaks the org/net model so I built a NGinX proxy server on a VM at 192.168.4.10. HTTPS requests coming in from the outside world have a NAT rule to forward 443 to 192.168.4.10 which in turn handles the SSL and proxies the relevant internal server. That works fine from the outside world but going to www.abc.org now gives a certificate error.

So I thought hairpin NAT was the solution - but it doesn't seem to be. Or it is the solution and something is missing from the instructions.

I haven't got a config to post because what I did had the undesirable effect of making my router's web interface externally visible, which I definitely don't want. That is, if I now go to https://www.abc.org OR https://www.abc.net from internal or external addresses I get the router's login page. As soon as I remove the DNAT rules that I've tried the problem goes away (but this means we're back to the original problem of cert errors from the internal network).

The thing that the guides I'm reading *seem* to imply (the one I mentioned at the top does it with the 2222 > 22 mapping) is that you can't use 443 for hairpin NAT as the router uses it so you'll have to use a different port on your internal address. Which just seems silly and makes me think that I am just missing something. But I can't see what it is. What I would like to achieve is:

Internal computer requests https://www.abc.net

Router says "Hang on! Your request for www.abc.net seems to be for the same address as the address assigned (dynamically) on eth0! That means you actually want 192.168.4.10:443 - let me send your packets there"

What I seem to get is

Internal computer requests https://www.abc.net

Router says "Hang on! That's me! And I have something to serve on 443 regardless of what these DNAT rules say. Here's my logon page."

If anyone knows of a guide that doesn't involve redirecting a port to a different port then that will probably have all the answers I need. I just don't seem to be able to find it. And I'm happy to post my config but at the moment it's back to a working basic because of the whole logon page thing.

Thanks in advance

Steve
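A hairpin NAT rule set for the setup described in the post (HTTPS on 443 to the nginx proxy at 192.168.4.10), written here as an added example in EdgeOS CLI syntax; it is not from the post or from the Ubiquiti article. It assumes eth0 is the WAN interface, that clients sit on the VLAN sub-interface eth1.4 (192.168.4.0/24, shown for one VLAN and repeated with its own DNAT rule for each of the other VLAN interfaces), that rule numbers 5020/5021 are unused, and that the automatic address group ADDRv4_eth0 holds eth0's current dynamic address.

```text
configure

# Hairpin DNAT: a LAN client on eth1.4 connecting to the WAN address on 443
# is redirected to the nginx proxy. Matching on ADDRv4_eth0 rather than a
# literal address keeps the rule correct when the dynamic WAN address changes,
# and restricting it to the LAN-side inbound interface keeps it separate from
# the existing WAN port-forward rule for external clients.
set service nat rule 5020 description 'Hairpin NAT: HTTPS to nginx proxy'
set service nat rule 5020 type destination
set service nat rule 5020 inbound-interface eth1.4
set service nat rule 5020 protocol tcp
set service nat rule 5020 destination group address-group ADDRv4_eth0
set service nat rule 5020 destination port 443
set service nat rule 5020 inside-address address 192.168.4.10
set service nat rule 5020 inside-address port 443

# Hairpin masquerade: needed for clients that share the proxy's subnet.
# Without it the proxy answers the client directly, the client sees a reply
# from 192.168.4.10 instead of the WAN address it connected to, and the
# TCP handshake never completes. Clients on other VLANs route their replies
# back through the router anyway, so they only need the DNAT rule above.
set service nat rule 5021 description 'Hairpin NAT: masquerade same-subnet clients'
set service nat rule 5021 type masquerade
set service nat rule 5021 outbound-interface eth1.4
set service nat rule 5021 protocol tcp
set service nat rule 5021 source address 192.168.4.0/24
set service nat rule 5021 destination address 192.168.4.10

# The router's own GUI listens on 443 as well. If it keeps answering, these
# settings remove the overlap and keep the admin interface off the WAN:
# a LAN-only listen address and an admin port that no published service uses.
# (Optional; 192.168.1.1 and 8443 are placeholders for this example.)
# set service gui listen-address 192.168.1.1
# set service gui https-port 8443

commit
save
exit
```

A quick check from an internal host is `curl -sI https://www.abc.net`: the response headers should come from the nginx proxy, and the certificate should be the one the proxy serves, not the router's self-signed GUI certificate.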
