Router to do NAT hairpinning

I use only hairpinning for my Nextcloud, but do this by DNS rewrite in AdguardHome. I would not/you should not attach HA directly to the internet, in my opinion. Better configure a VPN from where you can reach the local network.

It shouldn’t be an issue.

Internal HA = x.x.x.10
Internal client = x.x.x.20

Internal client asks dns for “ha.mydomain.com”
Pi Hole configured to answer “x.x.x.10” for ha.mydomain.com
Client connects to x.x.x.10

There is no https packet redirection at all.

I’m assuming Pi Hole can redirect a specific dns query. I’d be shocked if it won’t. If not, you may have to dig into dnsmasq.


Local domains in pihole, redirecting to my nginx


Again, not sure about Pi Hole specifically.

But…

Try adding “myha.synology.me” to the internal domain list and point to the appropriate IP.



But when going to
https://…
Then,
Cert Hostname DOES NOT VERIFY
EDIT: My bad, you’re not redirecting to IP of HA but nginx


FWIW, my ISP provides FTTH using this wireless router:

I have had it for several years and recently decided to replace it in order to get better reporting and control.

I bought a used ASUS RT-AC86U but the key ingredient was a media converter for converting the incoming fiber optic line (pull the GPON out of the ISP’s router and into converter) to Gigabit Ethernet (plus some important configuration information because the ISP uses PPPoE and VLANs). I found instructions online and perhaps others have done something similar for your ISP (assuming your ISP allows replacing their equipment).


Instead of looking for a piece of equipment to do this, you should look to solve the problem correctly.

There’s a reason fewer and fewer devices support this; that’s because it’s BAD.

Tell me how to access my HA from internet AND my LAN in HTTPS with a valid certificate without NAT loopback and without using the external address all the time (to match address and certificate’s values) if

You can but in case of problem, then, they don’t care to fix it. They perform remote tests and detect that it is no longer their equipment …

Being skilled enough and finally getting fiber, I would go the professional way, either by building a custom router with OPNsense / pfSense or getting an alternative router running this software.

Most of this hardware has both SFP and RJ45 ports.

That way not only will you be able to use NAT hairpinning, but also A TON of other stuff.

What I did before I got my hairpinning working:

That’s what I’m aiming for.
Too many years of ISP restrictions.

  • No way to backup/restore a config when they change the box.
  • Options disabled
  • No control on IP range and/or vlan

So, I was looking for OpenWRT but this might be “old” fashioned.
In your opinion, I should focus on Opnsense as mentioned by @tmjpugh as well.

Same with my ISP.

In the event of a problem, the ISP’s equipment must be restored. If the problem persists, then one can contact the ISP.


FWIW, one of the reasons I replaced the ISP’s wireless router is because whenever they pushed a firmware update the procedure would sometimes factory-reset the device and lose my configuration. It didn’t happen often but it was very disruptive when it did.

Tell me about that, this is the same for me.
And to backup/restore the configuration, you have to connect with a different user, that they do not provide. Even techies do not have the credentials for Admin and Expert, amazing.


The cert shouldn’t be tied to an ip at all.

It is not even possible, Let’s Encrypt will only deliver a certificate for a valid public suffix (TLD).
I’ve been a computer scientist since 1997. I forgot a lot about my network classes as I’m now a full-time programmer for 25+ years, but that, I know.

It is a certificate for myha.synology.me (fake address, don’t try it). I already said it earlier.
As a synology NAS owner, I’ve a free DDNS and the update of the public IP is done by DSM.

And at the end, it is the cause of my troubles: my internal server is replying to my internal client by saying that it is the external name, which is bothering the client without a proper reverse proxy/NAT loopback packet rewriting.

DNS server.

That doesn’t work.

My PC, desktop-olivier, IP: 192.168.1.1 is calling https://myha.synology.me
I’ve setup a DNS in windows 10, it is going to my PiHole machine, PiHole is configured to answer 192.168.1.2 (my HA machine) to that specific DNS requests.

Therefore, my PC is connecting 192.168.1.2 in https and receive a “Hello, I’m 192.168.1.2 and my certificate is myha.synology.me, what can I do for you?”.

Browser error, man in the middle attack, someone is trying to spoof the myha.synology.me server, but it is 192.168.1.2, that’s malicious, please acknowledge if you want to continue to this severely untrusted server that is trying to scam you and steal your data.

Need to “really” go to the external address, and my ISP box is taking care of nat and reverse nat (that will change when it is replaced) or I have to setup a piece of software/hardware that will do the reverse proxy/NAT loopback IPO my ISP box.

If you know another possibility to rewrite the IP packet tell me.

I’m reading a lot about the nginx configuration, I could setup an nginx server on my PiHole machine.

But I’d definitely prefer to have everything on a capable router, able to do what my ISP box is doing, that is so much easier, I’ll continue to access the external URL all the time, the router will route to the internal machine and rewrite the packets for me.

None of that should be necessary with proper internal dns. I’ve never had a problem with it (100s of certs/servers/etc).

Ok, but my DNS is my PiHole machine.
In the image I’ve put all my internal machines plus the myha.synology.me

And the client is not happy at all by the presented HTTPS certificate.
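As an added example that is not part of this thread, the following Python script models the two things the posts above argue about: the split-horizon DNS flow from the x.x.x.10 / x.x.x.20 post (Pi-hole answers the LAN address for the public name) and the check a browser actually performs at the end of the thread (the name typed in the URL against the certificate's Subject Alternative Names, with the address DNS returned never entering that check). The `address=/name/ip` record syntax is dnsmasq's, which Pi-hole's dnsmasq-based resolver accepts from /etc/dnsmasq.d/ (assumption); the 203.0.113.10 public address, the `CERT_BY_ADDR` table and the "wrong certificate" case are constructed. The hostname matching follows the RFC 6125 rules for dNSName entries and wildcards, so it is more general than the single name in the thread.

```python
import ipaddress
import re

# Constructed local records in dnsmasq `address=/name/ip` form (assumption:
# Pi-hole's resolver is dnsmasq-based and reads this syntax from
# /etc/dnsmasq.d/). Name and LAN address are the ones used in the thread.
LOCAL_RECORDS = """
# LAN view: the public name resolves to the HA box on the LAN
address=/myha.synology.me/192.168.1.2
"""

# Constructed public answer an upstream resolver would return (documentation IP).
UPSTREAM = {"myha.synology.me": "203.0.113.10"}

# Constructed: which certificate (list of SAN entries) each server presents.
CERT_BY_ADDR = {
    "192.168.1.2": [("DNS", "myha.synology.me")],
    "203.0.113.10": [("DNS", "myha.synology.me")],
}


def parse_address_records(text):
    """Parse `address=/name/ip` lines into {name: ip}; comments and blanks are skipped."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"address=/([^/]+)/(\S+)", line)
        if m:
            records[m.group(1).lower().rstrip(".")] = m.group(2)
    return records


def resolve(name, local_records, upstream, from_lan):
    """Split horizon: LAN clients get the local override, everyone else the public answer."""
    name = name.lower().rstrip(".")
    if from_lan and name in local_records:
        return local_records[name]
    return upstream.get(name)


def san_matches(pattern, hostname):
    """RFC 6125-style match of one dNSName SAN against a hostname.
    A wildcard is honoured only as the whole left-most label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                  # "*.synology.me" -> ".synology.me"
        prefix = hostname[:-len(suffix)]
        return hostname.endswith(suffix) and prefix != "" and "." not in prefix
    return False


def hostname_verifies(requested, cert_sans):
    """The browser's check: the name in the URL against the certificate's SANs.
    The address DNS returned is never consulted; a literal IP in the URL
    verifies only against an iPAddress SAN."""
    try:
        ip = ipaddress.ip_address(requested)
    except ValueError:
        ip = None
    for kind, value in cert_sans:
        if ip is not None and kind == "IP" and ipaddress.ip_address(value) == ip:
            return True
        if ip is None and kind == "DNS" and san_matches(value, requested):
            return True
    return False


def simulate_browser(url_host, from_lan, local_records, upstream, cert_by_addr):
    """Walk the thread's flow: resolve (unless an IP was typed), connect, verify.
    Returns (address connected to, whether hostname verification passed)."""
    try:
        ipaddress.ip_address(url_host)
        addr = url_host                        # typed an IP: no DNS step at all
    except ValueError:
        addr = resolve(url_host, local_records, upstream, from_lan)
    sans = cert_by_addr.get(addr, [])
    return addr, hostname_verifies(url_host, sans)


if __name__ == "__main__":
    records = parse_address_records(LOCAL_RECORDS)
    # LAN client using the public name: lands on 192.168.1.2, cert verifies
    print(simulate_browser("myha.synology.me", True, records, UPSTREAM, CERT_BY_ADDR))
    # Same name from outside: public address, same cert, verifies
    print(simulate_browser("myha.synology.me", False, records, UPSTREAM, CERT_BY_ADDR))
    # Typing the LAN IP instead of the name: no iPAddress SAN, verification fails
    print(simulate_browser("192.168.1.2", True, records, UPSTREAM, CERT_BY_ADDR))
```

The useful diagnostic is the last two cases: if the browser on the LAN is told the name but still warns, the server at 192.168.1.2 is presenting a certificate whose SANs do not contain that name (for instance when TLS is terminated by a different service than the one the LAN record points at), which is what `openssl s_client -servername myha.synology.me -connect 192.168.1.2:443` against the LAN address would show. Split-horizon DNS by itself never causes the warning, because the returned address plays no part in the check.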