How to enable hairpin NAT for entire network?

Hi,

I understand what you are trying to achieve. Why not try setting up each device in the DNS on the XG? I have not tried multiple devices.

Ian

That doesn't solve the problem of port translation.

I want to go to mydomain.com:1554 and it translate to 10.0.0.5:554 or going to mydomain.com:1555 translate to 10.0.0.6:554

With port forwarding this works great from outside my network but our software has these external IP's and ports hard set, so it breaks when trying to access internally. I've never had this problem before with other firewalls. Hairpin nat has always been a toggle on a network level.

That doesn't solve the problem of port translation.

I want to go to mydomain.com:1554 and it translate to 10.0.0.5:554 or going to mydomain.com:1555 translate to 10.0.0.6:554

With port forwarding this works great from outside my network but our software has these external IP's and ports hard set, so it breaks when trying to access internally. I've never had this problem before with other firewalls. Hairpin nat has always been a toggle on a network level.

This should work with XG.

https://en.wikipedia.org/wiki/Network_address_translation#NAT_loopback

You need to specify as Zone WAN/LAN and XG should loopback the WAN IP to the DNAT. 

https://community.sophos.com/products/xg-firewall/f/network-and-routing/73615/how-do-you-create-a-loopback-hairpin-nat-to-an-interface-ip

I've read the article you linked - every hairpin post I read here seems to refer back to that same thread.

However, it's very hard to follow as there seems to be multiple "solutions" referenced in the same thread and they all require a rule for each LAN IP device. We have dozens of devices on the network and really just need one rule to enable reflective NAT on the entire LAN subnet. Further, the solutions mentioned on that thread don't seem to be in-line with the selections I'm seeing on V17? This shouldn't be that difficult. 

As far as i understand, XG does this by default, if you simply enable LAN (or ANY) in Source of a DNAT. 

Ok.. what goes in the destination and "forward to" sections??

Can you please explain to me, what you try to archive? 

Because as far as i understand, this should be self explained. 

You will simply put WAN / LAN into Source.

Destination will be your WAN IP Interface. Service in Destination your WAN Port (1234 for example). 

And Forward to will be your internal Client with Service 5678 for example.

And if some other client in LAN tries to reach your XG WAN IP with 1234, it will be forwarded to your other internal Client with service 5678.

And this is a NAT loop back. 

Please read my initial post again. I know how to do port forwarding. That works great.

We have dozens of internal devices that already have port forwarding rules set up and external access works. Your telling me I need to create a separate hairpin NAT rule for EACH of these devices as well? That seems terribly inefficient.

Surely there is a way to do ONE rule for the ENTIRE LAN subnet?

Lets say I have 5 devices (192.168.1.10 - 192.168.1.15) with each port forwarded to port 80 (external ports 8080 - 8085)

So if I go to mydomain.com:8080 or mydomain.com:8081 from outside the network, I can access these devices since they translate to 192.168.1.10:80 and 192.168.1.11:80

If I'm on my internal network and go to mydomain.com:8080 or mydomain.com:8081 I need to access these just like I was outside the network but I would like ONE rule to provide NAT reflection. 

Never mind. I just realized you can simply adjust the port forwarding rule to allow hairpin nat so you don't need two rules

Just change the source from WAN to Any and enable rewrite source address to MASQ. I knew creating two rules for this was silly, especially when you have over 25 internal servers you need to create rules for. 

Be aware that using MASQUERADE for this will prevent you from seeing WHO was accessing something, in the event of any kind of log audit/review. All traffic will show FROM the sophos