Hairpin NAT can be used to access a host behind a NAT while being behind the same NAT.
This guide covers configuring hairpin NAT on the edge gateway through the VMware Cloud Director interface.
Let's look at an example in which a workstation reaches a web server through the external IP address, where the workstation and the web server are behind the same NAT. The web traffic between the workstation and the web server is routed through the edge gateway. The diagram below shows the four stages of packet transmission.
How it works
Stage 1: The workstation sends a packet from its local address 192.168.255.2 to the edge gateway's external address 176.53.180.81;
Stage 2: The edge gateway replaces the source address (SrcIP) 192.168.255.2 with its own address on the local network, 192.168.2.1, and the destination address (DstIP) 176.53.180.81 with the web server's address 192.168.255.10;
Stage 3: The web server, having received a packet from the edge gateway address 192.168.2.1, sends its reply to that edge gateway address;
Stage 4: The edge gateway uses the connection tracker to restore the addresses it swapped in stage 2 and forwards the web server's response to the workstation.
Configuring the firewall on the edge gateway
An example of configuring firewall rules is shown in the screenshot below.
Rule #3 is used to access the web server from the workstation.
Rule #4 is used to access the Web Server from the Internet.
Configuring NAT on the Edge Gateway
An example of NAT configuration is shown in the screenshot below.
NAT rules applied on the Edge Gateway uplink interface used to access the web server from the Internet and to access the Internet from the web server and workstation:
196609 - SNAT - for accessing the Internet from machines on the local network;
196610 - DNAT - 80/tcp port forwarding from the Internet;
196611 - DNAT - 443/tcp port forwarding from the Internet;
Rules applied on the local edge gateway interface used for hairpin NAT:
196612 - SNAT - replaces the workstation address with the edge gateway address on the local network (between stage 1 and stage 2);
196613 - DNAT - replaces the external IP with the web server address (between stage 1 and stage 2) for HTTP (80/tcp) traffic;
196614 - DNAT - replaces the external IP with the web server address (between stage 1 and stage 2) for HTTPS (443/tcp) traffic;
In the Applied column for the hairpin rules, you must specify the local edge gateway interface, not the uplink.
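As an added illustration (not code from the guide or from VMware), the following Python model walks a request through the four stages described above using the hairpin rules 196612-196614, and shows why the SNAT rule 196612 is needed: without it the web server replies straight to the workstation, the edge gateway's connection tracker never sees the reply, and the workstation rejects it because it comes from 192.168.255.10 instead of 176.53.180.81. Source port 40000 and the public address 203.0.113.5 are constructed sample values.

```python
from dataclasses import dataclass
EXTERNAL_IP = "176.53.180.81"   # edge gateway uplink (external) address
EDGE_LOCAL_IP = "192.168.2.1"   # edge gateway address on the local network
WORKSTATION = "192.168.255.2"
WEB_SERVER = "192.168.255.10"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class HairpinEdge:
    """Rules 196612 (SNAT) and 196613/196614 (DNAT) on the local interface, plus conntrack."""
    def __init__(self, snat=True):
        self.snat = snat  # False shows what happens without rule 196612
        self.dnat = {(EXTERNAL_IP, 80): WEB_SERVER, (EXTERNAL_IP, 443): WEB_SERVER}
        self.conntrack = {}  # expected reply 4-tuple -> original request
    def forward(self, pkt):
        """Stage 2: translate a request arriving on the local interface."""
        server = self.dnat.get((pkt.dst, pkt.dport))
        if server is None:
            return pkt  # not a hairpin flow: routed unchanged
        new_src = EDGE_LOCAL_IP if self.snat else pkt.src
        out = Packet(new_src, pkt.sport, server, pkt.dport)
        self.conntrack[(out.dst, out.dport, out.src, out.sport)] = pkt
        return out
    def reverse(self, reply):
        """Stage 4: undo the stage-2 translation using the tracked connection."""
        orig = self.conntrack.get((reply.src, reply.sport, reply.dst, reply.dport))
        if orig is None:
            return None  # no state for this flow: nothing to restore
        return Packet(orig.dst, orig.dport, orig.src, orig.sport)

def workstation_accepts(request, reply):
    """The workstation only matches a reply coming from the address it contacted."""
    return (reply.src, reply.sport, reply.dst, reply.dport) == (request.dst, request.dport, request.src, request.sport)

def hairpin_roundtrip(snat=True):
    """Run stages 1-4; True if the workstation accepts the web server's reply."""
    edge = HairpinEdge(snat=snat)
    request = Packet(WORKSTATION, 40000, EXTERNAL_IP, 80)  # stage 1 (port 40000 is a constructed value)
    to_server = edge.forward(request)                       # stage 2
    # stage 3: the server answers whatever source address it saw
    reply = Packet(to_server.dst, to_server.dport, to_server.src, to_server.sport)
    if reply.dst == EDGE_LOCAL_IP:  # stage 4; otherwise the reply bypasses the edge gateway
        reply = edge.reverse(reply)
    return reply is not None and workstation_accepts(request, reply)
```

Running hairpin_roundtrip() returns True, while hairpin_roundtrip(snat=False) returns False, which is the asymmetric-path failure that rule 196612 prevents.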
Other port forwarding
You can also create hairpin NAT for other ports/protocols by creating additional DNAT rules, similar to those for HTTP and HTTPS.