Hairpin NAT can be used to access a host behind a NAT while also being behind that same NAT.
This guide covers configuring Hairpin NAT on the Edge Gateway through the VMware Cloud Director interface.
Let's look at an example of configuring external IP address access from Workstation to Web Server, where Workstation and Web Server are behind the same NAT. Web traffic between Workstation and Web Server will be routed through the Edge Gateway. The diagram below shows the 4 stages of packet transfer.
How it works
Stage 1: Workstation sends a packet from its local address 192.168.255.2 to the Edge Gateway external address 176.53.180.81;
Stage 2: Edge Gateway replaces Workstation's SrcIP source address 192.168.255.2 with the Edge Gateway address 192.168.2.1, and the DstIP Web Server destination address with the Web Server address 192.168.255.10;
Stage 3: The Web Server, having received a packet from the Edge Gateway 192.168.2.1 address, sends a response to the Edge Gateway 192.168.2.1 address;
Stage 4: The Edge Gateway uses Connection Tracker to replace the addresses replaced in Stage 2 with the original addresses, and sends a response from the Web Server to the Workstation.
Configuring the Firewall on the Edge Gateway
An example of configuring Firewall rules in the screenshot below.
Rule #3 is used to access the Web Server from the Workstation.
Rule #4 is used to access the Web Server from the Internet.
Configuring NAT on the Edge Gateway
An example of NAT configuration is shown in the screenshot below.
NAT rules applied on to the Edge Gateway Uplink interface, used to access the Web Server from the Internet and access from the Web Server and Workstation to the Internet:
196609 - SNAT - for access to the Internet from machines on the local network;
196610 - DNAT - 80/tcp port forwarding from the Internet;
196611 - DNAT - forwarding 443/tcp port from the Internet;
Rules applied on the local Edge Gateway interface used for Hairpin NAT:
196612 - SNAT - Workstation address spoofing to Edge Gateway address in the local network (between Stage 1 and Stage 2);
196613 - DNAT - substitution external IP to Web Server address (between Stage 1 and Stage 2) for http traffic (80/tcp);
196614 - DNAT - substitution of external IP to Web Server address (between stages 1 and 2) for https traffic (443/tcp);
In the Applied on the column for "Hairpin rules", you should specify the local Edge Gateway interface.
Another port forwarding
You can also make Hairpin NAT for other ports/protocols by creating additional DNAT rules similar to those for HTTP and HTTPS.
