Is there a way to disable hairpinning (NAT loopback) on Balance routers?
So it looks like this is not possible. I’d suggest Peplink to add this feature to the to do list as, under some circumstances/firewall rules, it would be helpful.
We are using a goddamned app by Panasonic which requires hairpinning to be disabled and this is driving us nuts
Run a network capture that gets the hairpin activity. What is the source IP? Is it the same as the WAN IP, or is it the LAN subnet/range? Can you create a firewall rule to block by source IP?
I could create firewall rules to block access to the WAN IP, which unfortunately is dynamic and requires DDNS stuff to be caught. Can’t use that in firewall rules.
Martin, you deserve a gold medal from Peplink, you really are an MVP!
Interesting. On a Wireshark capture the source IP of hairpinned traffic is the LAN IP. However, on my Balance One I can find no way to use the firewall to block that hairpinned traffic (maybe it’s not going near the firewall at all?).
@sitloongs any ideas?
You’re very kind.
Don’t need a medal, but I’d happily accept some free hardware to help me provide support if you have any kicking about to spare, Team Peplink.
Tell me more about Team Peplink. How does this work?
Did you try blocking traffic by destination?
It was just me asking the Peplink team for free kit. It hasn’t worked yet (give it time).
On my Balance One I couldn’t get any type of firewall rule to log (either allow or deny) with a destination of ANY IP to the right port I was using to test with.
Hahaha! I am sure you will get there!
Yes, maybe @sitloongs can help here on all the issues, including sending a free kit to an MVP like you.
May I know whether you have multiple VLANs defined for your Balance router? Is the port forwarding/NAT mapping for your server in a different VLAN from the network the Panasonic app is connected to?
@sitloongs this is the scenario:
- Peplink Balance One using 5 WANs
- Core LAN + 4 VLANs - Hardphones and PBX are connected to VLAN 400
- Softphones are connected to the SIP server either through Staff VLAN, or through the Internet:
- VLAN 400 is outbound-forced to WAN 2 (required by Panasonic to use same WAN as the SIP server’s public IP address)
- SIP-ALG is disabled
- Application blocking setup as:
- required port mappings are apparently configured correctly (notice that RTP is forwarded to the DSP card, which uses a dedicated IP address 172.16.4.11)
It’s a rather complicated architecture, and the issue with this app is that it will attempt to connect to the PBX using the remote Internet connection and the LAN connection at the same time to see which one is faster/working, and this screws things up for the app, because the router is allowing hairpinning.
To avoid this and block Internet connection attempts when in the LAN, as the Balance One hairpinning/NAT loopback cannot be excluded, I have created a custom service forwarding hoping it would fix the issue.
However, this would not fix the issue, because there are many other ports which are being used and not all functionality is guaranteed (randomly no voice audio).
In the end, I have created an A record in our local Windows DNS server which points to 0.0.0.0, defeating app connection through the Internet when in the LAN. It is a bulky workaround; I guess that some filter to block hairpinning would give more flexibility to the Balance series…
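A small check along the lines of the capture-based triage suggested earlier in the thread (look at the source and destination of each flow and see which LAN hosts reach the PBX through the router's public address). This is an added example, not code from the thread or from Peplink; the subnets, the WAN address 203.0.113.10, the PBX address 172.16.4.10, the port mappings and the sample flows are all constructed. It classifies flows as seen on the client side of the router (pre-NAT), which is where the capture above was taken.

```python
# Added example: classify captured flows to find LAN clients that reach the
# PBX via the router's public (hairpinned) address instead of directly.
# All addresses, subnets, port ranges and flows below are constructed.
import ipaddress
from typing import NamedTuple

LAN_SUBNETS = [ipaddress.ip_network(n) for n in ("172.16.4.0/24", "10.40.0.0/24")]
WAN_IP = ipaddress.ip_address("203.0.113.10")   # assumed public address of WAN 2
PBX_IP = ipaddress.ip_address("172.16.4.10")    # assumed PBX LAN address
DSP_IP = ipaddress.ip_address("172.16.4.11")    # DSP card receiving RTP
FORWARDED = {5060: PBX_IP, 5061: PBX_IP}        # assumed SIP port mappings
RTP_RANGE = range(16000, 16512)                 # assumed RTP port range -> DSP

class Flow(NamedTuple):
    src: str
    dst: str
    dport: int

def is_lan(addr):
    a = ipaddress.ip_address(addr)
    return any(a in net for net in LAN_SUBNETS)

def classify(flow):
    """Return 'hairpin', 'external', 'direct' or 'other' for one pre-NAT flow."""
    dst = ipaddress.ip_address(flow.dst)
    forwarded = flow.dport in FORWARDED or flow.dport in RTP_RANGE
    if dst == WAN_IP and forwarded:
        # Same destination as a remote user, but the source sits inside the LAN
        return "hairpin" if is_lan(flow.src) else "external"
    if is_lan(flow.src) and dst in (PBX_IP, DSP_IP):
        return "direct"
    return "other"

def hairpin_report(flows):
    """Count each class and list the LAN hosts that used the public address."""
    counts, hosts = {}, set()
    for f in flows:
        c = classify(f)
        counts[c] = counts.get(c, 0) + 1
        if c == "hairpin":
            hosts.add(f.src)
    return counts, sorted(hosts)

# Constructed sample flows: a softphone trying both paths, RTP from another
# VLAN, a remote softphone, and unrelated web traffic.
SAMPLE = [
    Flow("172.16.4.50", "203.0.113.10", 5060),   # softphone via public IP (hairpin)
    Flow("172.16.4.50", "172.16.4.10", 5060),    # same softphone via LAN
    Flow("10.40.0.7", "203.0.113.10", 16010),    # RTP to DSP via public IP (hairpin)
    Flow("198.51.100.5", "203.0.113.10", 5060),  # remote softphone (legitimate)
    Flow("172.16.4.50", "93.184.216.34", 443),   # unrelated web traffic
]

if __name__ == "__main__":
    print(hairpin_report(SAMPLE))
```

Hosts listed under "hairpin" are the ones a split-horizon DNS record (public name resolving to the LAN address) would keep off the public path; a capture taken on the LAN side after the router has rewritten the destination would show these flows with the server's LAN IP instead, which is why a destination-based rule there does not match.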
Yes, this is the workaround/solution to avoid LAN clients resolving the public IP to access the LAN application via hairpin NAT.
This is not supposed to be used, and it is helping with the issue.
I will further discuss with the Engineering team for a possible improvement. In my history of support cases, all customers or partners have requested to have hairpin NAT/NAT loopback rather than to block it. This is the first time I have heard a request to stop/block hairpin NAT/NAT loopback.
I see your point. It is also the first time for me to deal with such a bulky app. People at Panasonic are not eager to help at all, since they say that the issue is on the router end, as the app works with other router brands and models, which supposedly allow blocking hairpinning if required.
This could be a new feature which could help in such extreme cases…
Have you tried setting an A record for gw1.x.x.xx.x. that resolves to 172.16.4.10 (local IP)? You can do that in the Windows DNS server or in the Local DNS Records on the Balance device to stop the devices resolving the public WAN IP. This will make sure LAN devices resolve the LAN server IP 172.16.4.10 and avoid the NAT.
Someone from your team actually opened a ticket for this, let’s discuss this via support ticket.