Solved Hairpin NAT Not Working Following Upgrade to 12.2-p6

I was using pure NAT for NAT reflection/hairpinning in my pf.conf file on my firewall but following the recent update to 12.2-p6 from 12.2-p5, hairpin NAT stopped working. This was the configuration I was using until this morning:

Code:
rdr on $All_NAT_IF proto { tcp udp } from any to ($wan_if) port 443 -> <httpsrv>

To get hairpin NAT working again, I ended up needing to configure xinetd + nc to act as a helper proxy (much like pfSense).

I did see that pf.ko was updated in 12.2-p6 but from what I can find, the issue that was being addressed was for net.pf.request_maxcount. Is anyone else having issues?
 
Note that you can't "bounce" packets out the same interface they came in on.
 
Code:
     Translation rules apply only to packets that pass through the specified
     interface, and if no interface is specified, translation is applied to
     packets on all interfaces.  For instance, redirecting port 80 on an
     external interface to an internal web server will only work for
     connections originating from the outside.  Connections to the address of
     the external interface from local hosts will not be redirected, since
     such packets do not actually pass through the external interface.
     Redirections cannot reflect packets back through the interface they
     arrive on, they can only be redirected to hosts connected to different
     interfaces or to the firewall itself.
From pf.conf(5).
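For readers who want to keep this in pf rather than fall back to an xinetd + nc proxy, the following is an added example (not the poster's configuration and not from pf.conf(5)) of the rdr + nat "reflection" pattern that pf supports for LAN clients reaching a LAN server through the WAN address. It uses the older rdr/nat syntax that FreeBSD 12.2's pf still expects. The macro names, interface names, addresses and the <httpsrv> table contents are assumptions; substitute your own.

```pf
# Added example, not the original poster's pf.conf.
# Assumed macros and table (replace with your real values):
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.1.0/24"
table <httpsrv> { 192.168.1.10 }

# 1. Outside clients: the usual redirect on the external interface.
rdr on $ext_if proto tcp from any to ($ext_if) port 443 -> <httpsrv>

# 2. Inside clients: redirect on the INTERNAL interface, which is where
#    their packets actually arrive (a WAN-side rdr never sees them).
rdr on $int_if proto tcp from $int_net to ($ext_if) port 443 -> <httpsrv>

# 3. Rewrite the source of the reflected flow to the firewall's LAN
#    address, so the server's replies come back through the firewall.
#    Without this, a server on the same segment would answer the client
#    directly from its own address, and the client would drop that
#    reply because it is talking to the WAN address, not the server.
nat on $int_if proto tcp from $int_net to <httpsrv> port 443 -> ($int_if)

# Filter rules: the packets reach the filter with the translated
# destination, so match on the server, not on the WAN address.
pass in on $ext_if proto tcp from any     to <httpsrv> port 443 keep state
pass in on $int_if proto tcp from $int_net to <httpsrv> port 443 keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and confirm the translations with `pfctl -s nat` and a live connection with `pfctl -s state`. One caveat worth knowing before choosing this over a proxy: because of rule 3 the server sees every reflected connection as coming from the firewall's LAN address, so the server's own logs no longer record which internal client connected; the pf state table (or `log` on the pass rule) on the firewall is where that correlation has to be done.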
 
It must have just been a fluke that my hairpin NAT rules were working in the first place; I will continue to use the xinetd + nc proxy method.
 
One way to solve this I found more or less by accident (though in hindsight it made sense): I have net/haproxy running on the firewall host. I use it so I can redirect to different websites running on my home network on a single IP address. Because this is a proxy, connections coming from inside the network actually work too.
 