Hairpin NAT on the Edge Gateway

Hairpin NAT can be used to access a host behind a NAT while also being behind that same NAT.

This guide covers configuring Hairpin NAT on the Edge Gateway through the VMware Cloud Director interface.

Let's look at an example of configuring external IP address access from Workstation to Web Server, where Workstation and Web Server are behind the same NAT. Web traffic between Workstation and Web Server will be routed through the Edge Gateway. The diagram below shows the 4 stages of packet transfer.

How it works

Stage 1: Workstation sends a packet from its local address 192.168.255.2 to the Edge Gateway external address 176.53.180.81;

Stage 2: Edge Gateway replaces Workstation's SrcIP source address 192.168.255.2 with the Edge Gateway address 192.168.2.1, and the DstIP Web Server destination address with the Web Server address 192.168.255.10;

Stage 3: The Web Server, having received a packet from the Edge Gateway 192.168.2.1 address, sends a response to the Edge Gateway 192.168.2.1 address;

Stage 4: The Edge Gateway uses Connection Tracker to replace the addresses replaced in Stage 2 with the original addresses, and sends a response from the Web Server to the Workstation.

Configuring the Firewall on the Edge Gateway

An example of configuring Firewall rules in the screenshot below.

Rule #3 is used to access the Web Server from the Workstation.

Rule #4 is used to access the Web Server from the Internet.

Configuring NAT on the Edge Gateway

An example of NAT configuration is shown in the screenshot below.

NAT rules applied on to the Edge Gateway Uplink interface, used to access the Web Server from the Internet and access from the Web Server and Workstation to the Internet:

 

196609 - SNAT - for access to the Internet from machines on the local network;

196610 - DNAT - 80/tcp port forwarding from the Internet;

196611 - DNAT - forwarding 443/tcp port from the Internet;

Rules applied on the local Edge Gateway interface used for Hairpin NAT:

 

196612 - SNAT - Workstation address spoofing to Edge Gateway address in the local network (between Stage 1 and Stage 2);

196613 - DNAT - substitution external IP to Web Server address (between Stage 1 and Stage 2) for http traffic (80/tcp);

196614 - DNAT - substitution of external IP to Web Server address (between stages 1 and 2) for https traffic (443/tcp);

In the Applied on the column for "Hairpin rules", you should specify the local Edge Gateway interface.

Another port forwarding

You can also make Hairpin NAT for other ports/protocols by creating additional DNAT rules similar to those for HTTP and HTTPS.

 

 

Have you tried Cloud4U cloud services? Not yet?

Go to the Main Website

Try for free

  • NAT, Hairpin NAT, Cloud, Director
  • 2 Users Found This Useful
Was this answer helpful?

Related Articles

Diagnosing Network Connections on an EDGE Virtual Router (Part 1)

Sometimes you may have problems configuring the virtual router when port forwarding is not...

Diagnostics of network connections on a virtual EDGE router (Part 2)

In this article, we will consider the possibility of capturing network packets on EDGE with its...

Load balancing with advanced edge

A load balancer built into the advanced edge accepts UDP, TCP, HTTP, HTTPS requests and...

Network configuration of VMware infrastructure (NAT, DHCP, Firewall, Static Routing, VPN)

Network configuration of VMware infrastructure (NAT, DHCP, Firewall, Static Routing, VPN)....

Edge Load Balancing by URI

Edge Load Balancer is actually a HAProxy and supports different ways of balancing traffic between...