Router to do NAT hairpinning

Hello there,

Very technical question but directly related to my HA setup.

As many of you, my HA is on a RPi (could be another machine) in my LAN.
I’ve created a address, equivalent to a duckdns one.
Everything is fine, certificate is renewed automatically, HA is reachable from the outside.

From the inside of my LAN, it was an issue as the hostname doesn’t match the certificate name.
But it was fine just using the external url all the time.

This is called NAT hairpinning.
What is NAT hairpinning you’ll ask?

Basically, you’re going out of your LAN to re-enter it directly.
My ISP is providing their customers with 2 types of box: one, rebranded from Sagem, doesn’t allow hairpinning. The other one, rebranded from Technicolor, is fine with hairpinning.

Fortunately, a technician from my ISP understood my requirements and saved a technicolor box for me.

But here comes the question (longest intro ever):

My ISP is planning to cut copper internet and move my house on fiber.
For that, they will replace my beloved technicolor box by a sagem fiber one.
Is there a router that can “catch” the call and perform the loopback before the internet box (or it will fail)?

Maybe this

Opnsense and pfsense can do this. You can buy off the shelf hardware or install on your own hardware

Both allow you to override DNS with your own entries so it resolves to an internal IP

You may be able to do DNS overrides with pihole but I haven’t checked.


FWIW, I found this post for (an older) ASUS router running Merlin firmware:

Basically it advises to add an entry to the router’s hosts file that directs your server’s external address ( to an internal IP address (192.168.x.x).


you could also implement the nginx addon, which takes care of it


I’m using HA Core, no addon.
I can look to install nginx on my RPi though, I’ll have a look as well.

I’ll have a look, my concern is always the same with everything that I’ve tried before having the technicolor box : the HA is presenting a certificate with but the address was rewritten as 192.168.x.x and the browser is complaining that it is not safe, I have to click on “more info”, “continue”, “accept” and do that again and again every couple of days.

As relying on my ISP to do the DHCP was a bad idea (many blocked options), I’ve always told myself that I’ll buy a good router to have full control on my infrastructure.

So now I’m scared to make a bad choice and realise it was not “the one” after doing days of configuration.

Most any of the open source firmware projects will do loopback.


Install pihole, and let pihole do the DHCP.

Without going to Internet and back? Because this is the part that is forbidden by the ISP box.

On, I’ll put

It will do a DNS query to get the public IP of, which is my router.
And access my router on its public IP, it will do the port forwarding to my HA machine

But it is the public IP given by the DNS query, therefore it is a re-entry, forbidden.

Maybe my network teacher in the 90’s was right, I don’t understand nothing from his book.

I’ve PiHole (best decision ever made) but I can’t configure it as DHCP Server because the ISP Box is refusing to delegate this role to something else. The option doesn’t exist on the technicolor and is grayed out on the sagem.

When I had Proximus and their f*cking Bbox3, I had a second router behind the bbox3 that set up a second PPPoE session, Bbox3 was only used for TV, Internet through the second router, and pihole managing the DHCP. But I switched to EDPNET, no more Bbox3.

This is my situation, BBox3 by Proximus, so a router doing the PPPoE will do the job?!

Reprint the SSL cert and add the LAN IP address in the alternate names field.

I have a Mikrotik router and use its hairpin mechanism.
Here an explanation how MT uses hairpin

Yes, it will


According to, (I don’t have a bbox3 anymore, so I can’t check)

It is indeed the NAT writing/rewriting that I’m looking for.
Maybe I can apply that to other routers as well.
Now I have too many answers, I’ll need a few days to compute everything.

And I don’t know as they say that they will replace my Technicolor BBox3 with the fiber version of the BBox3 (and it is still named bbox3 instead of naming it bbox4 or bbox fiber, stoopid)

This is mine

Yes, in a traditional situation where the public IP is the external interface of the router. The traffic is redirected back to the internal IP following your normal port redirection rules. The checkbox to enable loopback can be a per rule option, or a global option depending on the product.


Is pi hole not already acting as the internal dns?

It is, but if it redirects to, the packet coming back is stamped with with an attached certificate of which trigger the browser red warning of a man in the middle attack.
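
Added example, not written by any poster in this thread: a small Python model of the name check a browser applies to a certificate, run against the three options discussed above (local DNS override, typing the LAN IP, and a certificate with the LAN IP in its alternate names). The hostname `ha.example.org` and both IP addresses are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress

def _dns_match(pattern: str, host: str) -> bool:
    """Match a dNSName SAN entry; '*' is only honoured as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def browser_accepts(url_host: str, san_dns: list, san_ip: list) -> bool:
    """True if the host typed in the URL is covered by the certificate's SANs.
    The address that host resolves to plays no part in this check."""
    try:
        typed_ip = ipaddress.ip_address(url_host)
    except ValueError:
        # URL host is a name: compare against dNSName entries only.
        return any(_dns_match(p, url_host) for p in san_dns)
    # URL host is an IP literal: compare against iPAddress entries only.
    return any(ipaddress.ip_address(i) == typed_ip for i in san_ip)

def resolve(name: str, overrides: dict, public: dict):
    """A local override (Pi-hole record, router hosts entry) wins over public DNS."""
    return overrides.get(name, public.get(name))

# Constructed sample values (placeholders, not taken from the thread).
HA_NAME = "ha.example.org"
PUBLIC_DNS = {HA_NAME: "203.0.113.7"}       # router's public address
LOCAL_OVERRIDE = {HA_NAME: "192.168.1.10"}  # HA machine on the LAN
CERT_DNS = [HA_NAME]                        # names in the issued certificate

def scenarios() -> dict:
    lan_ip = resolve(HA_NAME, LOCAL_OVERRIDE, PUBLIC_DNS)
    return {
        # Same URL as outside; only the resolved address differs.
        "name_via_override": (lan_ip, browser_accepts(HA_NAME, CERT_DNS, [])),
        # https://192.168.1.10 typed directly: name mismatch, browser warns.
        "raw_lan_ip": browser_accepts(lan_ip, CERT_DNS, []),
        # Same, with the LAN IP added to the certificate's alternate names.
        "raw_lan_ip_with_ip_san": browser_accepts(lan_ip, CERT_DNS, [lan_ip]),
    }

if __name__ == "__main__":
    for case, result in scenarios().items():
        print(case, result)
```
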