Overview
Readers will learn how to configure Hairpin NAT together with Destination NAT.
Applies to all EdgeRouter models running the latest EdgeOS firmware. Users should be familiar with command-line (CLI) configuration and basic networking. For more information, see the related articles.
The model used in this test is:
FAQ
1. Do I need to enable hairpin NAT when I use the port forwarding feature?
No. When you configure with the Port Forwarding wizard, a checkbox is provided that already pushes out the hairpin NAT configuration for you.
2. Do I need to enable hairpin NAT when I use the Destination NAT feature?
Yes. Read the steps below carefully.
Network Diagram
The diagram below shows the topology used in this test; the main interfaces are:
- eth0 (WAN) - 203.0.113.1
- eth1 (LAN) - 192.168.1.1/24
By applying Hairpin NAT, hosts on the internal 192.168.1.0/24 network will be able to reach the UISP server through the router's WAN address (203.0.113.1:443).
Hairpin and Destination NAT
1. Add a firewall rule that allows HTTPS traffic to the UISP server. (Optional)
Firewall/NAT > Firewall Policies > WAN_IN > Actions > Edit Ruleset > Add New Rule
Description: https //rule description
Action: Accept //accept the traffic
Protocol: TCP //protocol type
Destination > Port: 443 //destination port
Destination > Address: 192.168.1.10 //destination address
2. Add a Destination NAT rule that translates TCP port 443.
Firewall / NAT > NAT > +Add Destination NAT Rule
Description: https443 //rule description
Inbound Interface: eth0 //inbound interface
Translation Address: 192.168.1.10 //translation address
Translation Port: 443 //translation port
Protocol: TCP //protocol type
Destination Address: 203.0.113.1 //destination address
Destination Port: 443 //destination port
3. Add the first Hairpin NAT rule, based on the Destination NAT rule above (this rule is nearly a copy of the one above and is also a Destination NAT rule; only the inbound interface changes to the LAN side).
Firewall / NAT > NAT > +Add Destination NAT Rule
Description: hairpin443 //rule description
Inbound Interface: eth1 //inbound interface
Translation Address: 192.168.1.10 //translation address
Translation Port: 443 //translation port
Protocol: TCP //protocol type
Destination Address: 203.0.113.1 //destination address
Destination Port: 443 //destination port
4. Create a Source NAT (masquerade) rule as the second Hairpin NAT rule.
Firewall / NAT > NAT > +Add Source NAT Rule
Description: hairpin //rule description
Outbound Interface: eth1 //outbound interface
Translation: Use Masquerade //translation type
Protocol: TCP //protocol type
Source Address: 192.168.1.0/24 //source IP range
Destination Address: 192.168.1.10 //destination address
Destination Port: 443 //destination port
The equivalent CLI commands for the configuration above are listed below; if you configure port forwarding with the wizard, you can likewise view the generated commands from the CLI.
configure
set firewall name WAN_IN rule 21 action accept
set firewall name WAN_IN rule 21 description https
set firewall name WAN_IN rule 21 destination address 192.168.1.10
set firewall name WAN_IN rule 21 destination port 443
set firewall name WAN_IN rule 21 log disable
set firewall name WAN_IN rule 21 protocol tcp
set service nat rule 1 description https443
set service nat rule 1 destination address 203.0.113.1
set service nat rule 1 destination port 443
set service nat rule 1 inbound-interface eth0
set service nat rule 1 inside-address address 192.168.1.10
set service nat rule 1 inside-address port 443
set service nat rule 1 log disable
set service nat rule 1 protocol tcp
set service nat rule 1 type destination
set service nat rule 2 description hairpin443
set service nat rule 2 destination address 203.0.113.1
set service nat rule 2 destination port 443
set service nat rule 2 inbound-interface eth1
set service nat rule 2 inside-address address 192.168.1.10
set service nat rule 2 inside-address port 443
set service nat rule 2 log disable
set service nat rule 2 protocol tcp
set service nat rule 2 type destination
set service nat rule 5011 description hairpin
set service nat rule 5011 destination address 192.168.1.10
set service nat rule 5011 destination port 443
set service nat rule 5011 log disable
set service nat rule 5011 outbound-interface eth1
set service nat rule 5011 protocol tcp
set service nat rule 5011 source address 192.168.1.0/24
set service nat rule 5011 type masquerade
commit ; save
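To see why both rule 2 (DNAT on eth1) and rule 5011 (masquerade on eth1) are needed, the following added example (not EdgeOS code) models how netfilter applies the three NAT rules above in order: DNAT in PREROUTING, then the routing decision, then masquerade in POSTROUTING. The client address 192.168.1.100 and the WAN client 198.51.100.7 are constructed test values; the rule fields are taken from the page.

```python
"""Packet-flow model of the hairpin NAT setup on this page (added example,
not EdgeOS code). It applies the page's three NAT rules in netfilter order
to show what happens when rule 2 or rule 5011 is missing."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

WAN_IP, LAN_IP, SERVER = "203.0.113.1", "192.168.1.1", "192.168.1.10"
LAN_NET = ip_network("192.168.1.0/24")

# Rules as on the page: service nat rule 1, 2 (destination) and 5011 (masquerade)
DNAT_WAN = dict(type="destination", inbound="eth0", dst=WAN_IP, dport=443, to=SERVER)
DNAT_LAN = dict(type="destination", inbound="eth1", dst=WAN_IP, dport=443, to=SERVER)
MASQ_LAN = dict(type="masquerade", outbound="eth1", src=LAN_NET, dst=SERVER, dport=443)
RULES = [DNAT_WAN, DNAT_LAN, MASQ_LAN]

@dataclass(frozen=True)
class Pkt:
    iface: str   # interface the packet arrives on
    src: str
    dst: str
    dport: int

def egress(dst):
    """Routing decision: LAN subnet leaves via eth1, everything else via eth0."""
    return "eth1" if ip_address(dst) in LAN_NET else "eth0"

def forward(pkt, rules):
    """Return (translated packet, egress interface, masqueraded?)."""
    for r in rules:                      # PREROUTING: first matching DNAT wins
        if (r["type"] == "destination" and r["inbound"] == pkt.iface
                and pkt.dst == r["dst"] and pkt.dport == r["dport"]):
            pkt = replace(pkt, dst=r["to"])
            break
    out = egress(pkt.dst)                # routing uses the translated destination
    for r in rules:                      # POSTROUTING: masquerade to the egress IP
        if (r["type"] == "masquerade" and r["outbound"] == out
                and ip_address(pkt.src) in r["src"]
                and pkt.dst == r["dst"] and pkt.dport == r["dport"]):
            return replace(pkt, src=LAN_IP if out == "eth1" else WAN_IP), out, True
    return pkt, out, False

def hairpin_result(client, rules):
    """(reaches_server, reply_matches_client). Without DNAT on eth1 the packet
    stays addressed to the router itself; without masquerade a same-subnet
    server answers the client directly from 192.168.1.10, and the client,
    which expects the reply from 203.0.113.1, discards it."""
    fwd, out, masq = forward(client, rules)
    reaches_server = fwd.dst == SERVER
    same_segment = egress(client.src) == out
    return reaches_server, reaches_server and (masq or not same_segment)
```

With the full rule set a constructed LAN client `Pkt("eth1", "192.168.1.100", WAN_IP, 443)` yields `(True, True)`; dropping rule 5011 yields `(True, False)` and dropping rule 2 yields `(False, False)`.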