This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to enable hairpin NAT for entire network?

I've just started using Sophos XG and am coming from primarily a Ubiquiti shop. With edgerouter devices, hairpin nat was a simple check box and ALL services internally could be accessed locally or by their WAN:port

I have dozens of cameras that all have port forwarding and NAT translations and would love if I can access those devices internally by using the same WAN public IP and port number

This thread was automatically locked due to age.

Parents

0 rfcat_vk over 6 years ago

Hi,

I understand what you are trying to achieve. Why not try setting up each device in the DNS on the XG? I have not tried multiple devices.

Ian
Cancel
Vote Up 0 Vote Down

Cancel
0 Matthew Bradley over 6 years ago in reply to rfcat_vk

That doesn't solve the problem of port translation.

I want to go to mydomain.com:1554 and it translate to 10.0.0.5:554 or going to mydomain.com:1555 translate to 10.0.0.6:554

With port forwarding this works great from outside my network but our software has these external IP's and ports hard set, so it breaks when trying to access internally. I've never had this problem before with other firewalls. Hairpin nat has always been a toggle on a network level.
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 6 years ago in reply to Matthew Bradley

This should work with XG.

https://en.wikipedia.org/wiki/Network_address_translation#NAT_loopback

You need to specify as Zone WAN/LAN and XG should loopback the WAN IP to the DNAT.

https://community.sophos.com/products/xg-firewall/f/network-and-routing/73615/how-do-you-create-a-loopback-hairpin-nat-to-an-interface-ip
Cancel
Vote Up 0 Vote Down

Cancel
0 Matthew Bradley over 6 years ago in reply to LuCar Toni

I've read the article you linked - every hairpin post I read here seems to refer back to that same thread.

However, it's very hard to follow as there seems to be multiple "solutions" referenced in the same thread and they all require a rule for each LAN IP device. We have dozens of devices on the network and really just need one rule to enable reflective NAT on the entire LAN subnet. Further, the solutions mentioned on that thread don't seem to be in-line with the selections I'm seeing on V17? This shouldn't be that difficult.
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 6 years ago in reply to Matthew Bradley

As far as i understand, XG does this by default, if you simply enable LAN (or ANY) in Source of a DNAT.
Cancel
Vote Up 0 Vote Down

Cancel
0 Matthew Bradley over 6 years ago in reply to LuCar Toni

Ok.. what goes in the destination and "forward to" sections??
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 6 years ago in reply to Matthew Bradley

Can you please explain to me, what you try to archive?

Because as far as i understand, this should be self explained.

You will simply put WAN / LAN into Source.

Destination will be your WAN IP Interface. Service in Destination your WAN Port (1234 for example).

And Forward to will be your internal Client with Service 5678 for example.

And if some other client in LAN tries to reach your XG WAN IP with 1234, it will be forwarded to your other internal Client with service 5678.

And this is a NAT loop back.
Cancel
Vote Up 0 Vote Down

Cancel
0 Matthew Bradley over 6 years ago in reply to LuCar Toni

Please read my initial post again. I know how to do port forwarding. That works great.

We have dozens of internal devices that already have port forwarding rules set up and external access works. Your telling me I need to create a separate hairpin NAT rule for EACH of these devices as well? That seems terribly inefficient.

Surely there is a way to do ONE rule for the ENTIRE LAN subnet?

Lets say I have 5 devices (192.168.1.10 - 192.168.1.15) with each port forwarded to port 80 (external ports 8080 - 8085)

So if I go to mydomain.com:8080 or mydomain.com:8081 from outside the network, I can access these devices since they translate to 192.168.1.10:80 and 192.168.1.11:80

If I'm on my internal network and go to mydomain.com:8080 or mydomain.com:8081 I need to access these just like I was outside the network but I would like ONE rule to provide NAT reflection.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Matthew Bradley over 6 years ago in reply to LuCar Toni

Please read my initial post again. I know how to do port forwarding. That works great.

We have dozens of internal devices that already have port forwarding rules set up and external access works. Your telling me I need to create a separate hairpin NAT rule for EACH of these devices as well? That seems terribly inefficient.

Surely there is a way to do ONE rule for the ENTIRE LAN subnet?

Lets say I have 5 devices (192.168.1.10 - 192.168.1.15) with each port forwarded to port 80 (external ports 8080 - 8085)

So if I go to mydomain.com:8080 or mydomain.com:8081 from outside the network, I can access these devices since they translate to 192.168.1.10:80 and 192.168.1.11:80

If I'm on my internal network and go to mydomain.com:8080 or mydomain.com:8081 I need to access these just like I was outside the network but I would like ONE rule to provide NAT reflection.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Matthew Bradley over 6 years ago in reply to Matthew Bradley

Never mind. I just realized you can simply adjust the port forwarding rule to allow hairpin nat so you don't need two rules

Just change the source from WAN to Any and enable rewrite source address to MASQ. I knew creating two rules for this was silly, especially when you have over 25 internal servers you need to create rules for.
Cancel
Vote Up 0 Vote Down

Cancel
0 Zac Hill over 5 years ago in reply to Matthew Bradley

Be aware that using MASQUERADE for this will prevent you from seeing WHO was accessing something, in the event of any kind of log audit/review. All traffic will show FROM the sophos
Cancel
Vote Up 0 Vote Down

Cancel