Router to do NAT hairpinning

123 · October 19, 2023, 12:48am

FWIW, my ISP provides FTTH using this wireless router:

I have had it for several years and recently decided to replace it in order to get better reporting and control.

I bought a used ASUS RT-AC86U but the key ingredient was a media converter for converting the incoming fiber optic line (pull the GPON out of the ISP’s router and into converter) to Gigabit Ethernet (plus some important configuration information because the ISP uses PPPoE and VLANs). I found instructions online and perhaps others have done something similar for your ISP (assuming your ISP allows replacing their equipment).

exx · October 19, 2023, 2:22am

Instead of looking for a piece of equipment to do this, you should look to solve the problem correctly.

There’s a reason fewer and fewer devices support this; that’s because it’s BAD.

Olivier1974 · October 19, 2023, 6:59am

Tell me how to access my HA from internet AND my LAN in HTTPS with a valid certificate without NAT loopback and without using the external address all the time (to match address and certificate’s values) if

Olivier1974 · October 19, 2023, 7:05am

You can but in case of problem, then, they don’t care to fix it. They perform remote tests and detect that it is no longer their equipment …

Cr4z33 · October 19, 2023, 10:03am

Being skilled enough and getting finally fiber I would go the professional way either by building a custom router with OPNsense / pfSense or getting an alternative router running these softwares.

Most of this hardware has both SFP and RJ45 ports.

That way not only you will be able to use NAT hairpinning, but also A TON of other stuff.

aceindy · October 19, 2023, 10:49am

What I did before I got my hairpinning working:

Olivier1974 · October 19, 2023, 11:08am

That’s what I’m aiming for.
Too many years of ISP restrictions.

No way to backup/restore a config when they change the box.
Options disabled
No control on IP range and/or vlan

So, I was looking for OpenWRT but this might be an “old” fashion
In you opinion, I should focus on Opnsense as mentionned by @tmjpugh as well.

123 · October 19, 2023, 11:47am

Same with my ISP.

In the event of a problem, the ISP’s equipment must be restored. If the problem persists, then one can contact the ISP.

FWIW, one of the reasons I replaced the ISP’s wireless router is because whenever they pushed a firmware update the procedure would sometimes factory-reset the device and lose my configuration. It didn’t happen often but it was very disruptive when it did.

Olivier1974 · October 19, 2023, 11:52am

Tell me about that, this is the same for me.
And to backup/restore the configuration, you have to connect with a different user, that they do not provide. Even techies do not have the credentials for Admin and Expert, amazing.

jerrm · October 19, 2023, 1:39pm

The cert shouldn’t be tied to an ip at all.

Olivier1974 · October 19, 2023, 2:20pm

It is not even possible, let’s encrypt will only deliver a certificate for a valid public suffix (TLD).
I’m a computer scientist since 1997. I forgot a lot about my network classes as I’m now a full-time programmer for 25+ years but that, I know.

It is a certificate for myha.synology.me (fake address, don’t try it). I already said it earlier.
As a synology NAS owner, I’ve a free DDNS and the update of the public IP is done by DSM.

And at the end, it is the cause of my troubles: my internal server is replying to my internal client by saying that it is the external name, which is bothering the client without a proper reverse proxy/NAT loopback packet rewriting.

exx · October 19, 2023, 2:25pm

DNS server.

Olivier1974 · October 19, 2023, 2:38pm

That doesn’t work.

My PC, desktop-olivier, IP: 192.168.1.1 is calling https://myha.synology.me
I’ve setup a DNS in windows 10, it is going to my PiHole machine, PiHole is configured to answer 192.168.1.2 (my HA machine) to that specific DNS requests.

Therefore, my PC is connecting 192.168.1.2 in https and receive a “Hello, I’m 192.168.1.2 and my certificate is myha.synology.me, what can I do for you?”.

Browser error, man in the middle attack, someone is trying to spoof the myha.synology.me server, but it is 192.168.1.2, that’s malicious, please acknowledge if you want to continue to this severly untrusted server that is trying to scam you and steal your data.

Need to “really” go to the external address, and my ISP box is taking care of nat and reverse nat (that will change when it is replaced) or I have to setup a piece of software/hardware that will do the reverse proxy/NAT loopback IPO my ISP box.

If you know another possibility to rewrite the IP packet tell me.

I’m reading a lot about the nginx configuration, I could setup an nginx server on my PiHole machine.

But I’d definitly prefer to have everything on a capable router, able to do what my ISP box is doing, that is so much easier, I’ll continue to access the external URL all the time, the router will route to the internal machine and rewrite the packets for me.

jerrm · October 19, 2023, 3:17pm

None of that should be necessary with proper internal dns. I’ve never had a problem with it (100s of certs/servers/etc).

Olivier1974 · October 19, 2023, 3:25pm

Ok, but my DNS is my PiHole machine.
In I’ve put all my internal machines plus the myha.synology.me

And the client is not happy at all by the presented HTTPS certificate.

Olivier1974 · October 19, 2023, 3:45pm

One step further, I did a nginx config to rewrite what I thoiught was needed, I can access the login page, but the 2FA is killing my effort. I’m mad! I get the code window, I put the code, then this url
https://myha.synology.me/lovelace?auth_callback=1&code=… is giving this result

nginx config

server {
    listen 443 ssl;
    server_name myha.synology.me;

    ssl_certificate /etc/letsencrypt/live/myha.synology.me/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/myha.synology.me/privkey.pem;

    location / {
        proxy_pass https://192.168.1.2:8123;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;

        # Disable buffering
        proxy_buffering off;
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
    }
}

francisp · October 19, 2023, 3:47pm

Forgot the websockets.

    location /api/websocket {
        resolver 127.0.0.11 valid=30s;
        set $upstream_app hatest;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass http://10.0.0.52:8123;

        proxy_set_header Host $host;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

Olivier1974 · October 19, 2023, 3:50pm

You just saved my life!
I’ll mark your post as solution but not without a huge thank you to @123, @jerrm, @aceindy for a software solution and @complex1 because I’ll probably go for a Mikrotik router as my hardware solution with a lot of readings to do thanks to @123 again.

Thank you everyone for your support in my NAT journey.

jerrm · October 19, 2023, 4:08pm

Trying to keep things vanilla and reproducible, I just tested the duckdns addon letsencrypt certs on three different HA installs at three different locations/LANs, across at least four browsers, linux and windows.

A local dns fixup worked with all, no browser complaints, just as expected.

I don’t know why the dns option doesn’t work for you. Something else is going on.

exx · October 19, 2023, 6:47pm

I have no idea where you’ve gone wrong, but I assure you that it does, in fact, work. I’ve seen me do it.