jhouse
New Contributor

Hairpin Prevention


Hi,

I have a NetVanta 3430 with NAT rules to forward appropriate traffic from the Public interface to our webserver which hosts the company website.

The company president has our website as his homepage, so if he comes into the office and fires up his browser, his machine tries to access the site using the DNS cache... basically tries to access the public interface from the private network.

Is there something I can do on the NetVanta that would force traffic that originates from our LAN and is bound for our webserver's public IP to use the webserver's LAN IP instead?

Thanks,

James


Accepted Solutions
Anonymous
Not applicable

Re: Hairpin Prevention


James,

Thanks for posting your question on the forum.

Unfortunately, the AOS firewall does not allow public port forwards to be accessed from the private side using the public IP/domain name (aka Hairpinning). The reason for this is that the SYN from the host LAN PC is directed at the public IP of the server. Since it is on a different subnet, the packet goes to the default gateway (AOS router) and the firewall takes the packet and NATs it appropriately to the server. However, when the server responds back with a SYN-ACK, it sees the destination address is on the same subnet and simply responds back via MAC address. This means the response never goes back through the router/firewall. This results in the PC seeing a SYN-ACK from an unsolicited address since it's sourced from the private address of the server instead of the public address that the SYN was originally sent to. The PC drops the traffic and the process repeats.

There are a couple of solutions available to get around this issue:

1. The easiest solution is to point local devices to an internal DNS server. In your internal DNS server, you will need to add a static host entry that points the hostname to the internal IP address of the server.

2. If you do not have an internal DNS server, the AOS device can act as a proxy DNS server. You would need to point local devices to the AOS device as their DNS server. Then enable DNS proxy and configure the public DNS servers on the AOS device. Finally, add a static entry in the AOS device's host table that points the hostname to the internal IP address of the server. This can be done in the GUI by navigating to System -> Hostname/DNS. The command to add a host entry in the CLI is ip host <name of host> <private IP address>.

3. Another solution is to put the server on a different subnet and configure a destination NAT in the Private policy that matches any traffic going to the public IP address or hostname on the specified port. You will want to make sure that this rule is placed above the NAT rule you have set up for internet access.

Please do not hesitate to let us know if you have any questions.

Thanks,

Noor

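Added example, not part of the thread or of AOS: a small Python model of the path asymmetry Noor describes (the SYN-ACK comes straight back over the LAN with the server's private source address, so the PC drops it) and of the fix in options 1 and 2, where a static host entry makes LAN clients resolve the name to the private address. The subnet, hostname and addresses are constructed.

```python
"""Model of the hairpin-NAT failure and of the split-DNS fix (static host
entry on an internal or proxy DNS server). All addresses are constructed."""
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")          # constructed private subnet
SERVER_PRIVATE = ip_address("192.168.1.10")
SERVER_PUBLIC = ip_address("203.0.113.10")  # documentation range, constructed
PC = ip_address("192.168.1.50")

# Port forward on the public interface: public IP -> web server.
DNAT = {SERVER_PUBLIC: SERVER_PRIVATE}

# Static entry equivalent to 'ip host www.example.com 192.168.1.10' (hypothetical name).
INTERNAL_HOSTS = {"www.example.com": SERVER_PRIVATE}
PUBLIC_DNS = {"www.example.com": SERVER_PUBLIC}


def resolve(name, client, split_dns):
    """Proxy DNS: LAN clients get the static host entry when split DNS is
    enabled; everyone else gets the public answer."""
    if split_dns and client in LAN and name in INTERNAL_HOSTS:
        return INTERNAL_HOSTS[name]
    return PUBLIC_DNS[name]


def trace_handshake(client, dst):
    """Follow a SYN from client to dst and the server's SYN-ACK back.
    Returns (path, syn_ack_source, accepted)."""
    path = []
    if dst in LAN:
        path.append("SYN direct on LAN")        # same subnet: no router hop
        target = dst
    elif dst in DNAT:
        path.append("SYN via router, DNAT %s -> %s" % (dst, DNAT[dst]))
        target = DNAT[dst]
    else:
        return path + ["no port forward, SYN dropped"], None, False
    # The server sees a source on its own subnet, answers by MAC address and
    # bypasses the firewall, so the SYN-ACK carries its private address.
    if client in LAN:
        path.append("SYN-ACK direct on LAN from %s" % target)
        syn_ack_src = target
    else:
        path.append("SYN-ACK via router, source rewritten to %s" % dst)
        syn_ack_src = dst
    # A client only accepts a SYN-ACK sourced from the address it sent to.
    return path, syn_ack_src, syn_ack_src == dst


def browse(client, name, split_dns):
    """Resolve the name, then attempt the handshake; True if TCP comes up."""
    return trace_handshake(client, resolve(name, client, split_dns))[2]
```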
