# Hairpin NAT Issue - Internal Access to Public IP

**Date**: 2026-01-21

**Issue**: Connection timeout when accessing public IP (76.53.10.36) from internal network (192.168.11.4)

---

## Problem

Testing from internal network (192.168.11.4) to public IP (76.53.10.36) results in timeout:

- `curl https://explorer.d-bis.org` → Timeout
- `curl http://76.53.10.36` → Timeout

**This is a "Hairpin NAT" or "NAT Loopback" issue.**

---

## What is Hairpin NAT?

Hairpin NAT allows internal devices to access services using the public IP address. Without it:

- ✅ External access works (internet → public IP → internal)
- ❌ Internal access to public IP fails (internal → public IP → internal)

---

## Current Situation

### Testing from Internal Network (192.168.11.4)

- ❌ `curl http://76.53.10.36` → Timeout
- ❌ `curl https://explorer.d-bis.org` → Timeout

### Expected Behavior

- ✅ External access should work (from internet)
- ⚠️ Internal access to public IP may not work (hairpin NAT)

---

## Solutions

### Option 1: Use Internal IP Directly (Recommended for Internal Testing)

Instead of using the public IP from internal network, use the internal IP:

```bash
# Use internal IP directly
curl http://192.168.11.166 -H "Host: explorer.d-bis.org"
curl https://192.168.11.166 -H "Host: explorer.d-bis.org" -k

# Or use the domain with internal DNS
# (if internal DNS points to 192.168.11.166)
curl http://explorer.d-bis.org
```

### Option 2: Enable Hairpin NAT in UDM Pro

UDM Pro may need hairpin NAT enabled:

1. **Check UDM Pro Settings**
   - Look for "Hairpin NAT" or "NAT Loopback" option
   - Enable if available

2. **Or Add NAT Reflection Rule**
   - Some routers need explicit NAT reflection rules
   - May require advanced configuration

### Option 3: Test from External Network

The real test is external access:

```bash
# Test from external network (not 192.168.11.x)
# Use mobile hotspot, VPN, or different network
curl -v http://explorer.d-bis.org
curl -v https://explorer.d-bis.org
```

---

## Verification Steps

### 1. Check if Port Forwarding Rules Are Active

```bash
ssh OQmQuS@192.168.11.1
sudo iptables -t nat -L PREROUTING -n -v | grep "76.53.10.36"
```

**Should show:**

```
DNAT tcp -- 0.0.0.0/0 76.53.10.36 tcp dpt:80 to:192.168.11.166:80
DNAT tcp -- 0.0.0.0/0 76.53.10.36 tcp dpt:443 to:192.168.11.166:443
```

### 2. Test Internal Access to NPMplus Directly

```bash
# From internal network (192.168.11.4)
curl -v http://192.168.11.166 -H "Host: explorer.d-bis.org"
curl -v https://192.168.11.166 -H "Host: explorer.d-bis.org" -k
```

**If this works**: NPMplus is working, issue is hairpin NAT

### 3. Test External Access

**This is the real test** - from outside the network:

- Use mobile hotspot
- Use VPN
- Use different network
- Ask someone external to test

```bash
curl -v http://explorer.d-bis.org
curl -v https://explorer.d-bis.org
```

---

## Current Status

Based on your test output:

- ❌ Internal access to public IP: **NOT WORKING** (hairpin NAT issue)
- ❓ External access: **UNKNOWN** (needs testing from external network)
- ✅ Internal access to NPMplus directly: **SHOULD WORK** (needs verification)

---

## Next Steps

1. **Verify Port Forwarding Rules Are Active**
   - Check NAT table via SSH
   - Ensure rules are not paused

2. **Test Internal Access to NPMplus Directly**

   ```bash
   curl -v http://192.168.11.166 -H "Host: explorer.d-bis.org"
   ```

3. **Test External Access** (Most Important)
   - Test from external network
   - This is the real test for public access

4. **If External Access Works**
   - ✅ Problem solved!
   - Internal access to public IP is a separate issue (hairpin NAT)

---

## Summary

**Internal access to public IP timing out is expected if hairpin NAT is not enabled.**

**The real test is external access from the internet.**

If external access works, the explorer is functional - internal access to public IP is a separate configuration issue.

---

**Status**: ⚠️ **TEST EXTERNAL ACCESS - Internal timeout may be expected**
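
Verification step 1 confirms only the DNAT half of a hairpin path; the NAT reflection rule mentioned in Option 2 is a matching source-NAT for LAN clients. The script below is an added example, not from the original page or from the router vendor: it reads `iptables -t nat -S` output and reports, per forwarded port, whether both halves are present. The function names, the `/24` LAN prefix, the interface names `br0` and `eth8`, and the sample rules are assumptions constructed for illustration.

```shell
# Added example: audit `iptables -t nat -S` output for hairpin NAT coverage.
# Usage: iptables -t nat -S | hairpin_audit PUBLIC_IP LAN_CIDR LAN_IF
# Prints "<port> <target> <verdict>" per port forward. Assumes the reflection
# rule names the server with -d; br0/eth8 below are assumed interface names.
hairpin_audit() {
  awk -v pub="$1/32" -v lan="$2" -v lanif="$3" '
    # Value that follows option `name` in the current rule, or "".
    function opt(name,   i) {
      for (i = 1; i < NF; i++) if ($i == name) return $(i + 1)
      return ""
    }
    $1 != "-A" { next }
    # Port forward: DNAT rule that matches the public IP.
    $2 == "PREROUTING" && opt("-j") == "DNAT" && opt("-d") == pub {
      port = opt("--dport"); ports[++n] = port
      target[port] = opt("--to-destination")
      # A rule bound to a non-LAN ingress interface never sees LAN clients.
      blocked[port] = (opt("-i") != "" && opt("-i") != lanif)
      next
    }
    # Reflection: source-NAT LAN clients so the server replies via the router.
    $2 == "POSTROUTING" && opt("-s") == lan &&
      (opt("-j") == "MASQUERADE" || opt("-j") == "SNAT") {
      d = opt("-d"); sub(/\/32$/, "", d)
      snat[d ":" opt("--dport")] = 1
    }
    END {
      for (i = 1; i <= n; i++) {
        p = ports[i]; split(target[p], hp, ":")
        if (blocked[p]) v = "dnat-not-on-lan"
        else if (snat[target[p]] || snat[hp[1] ":"]) v = "hairpin-ok"
        else v = "no-lan-snat"
        print p, target[p], v
      }
    }'
}

# Constructed sample rules (not captured from the UDM Pro on this page).
sample_rules() {
  cat <<'EOF'
-P PREROUTING ACCEPT
-A PREROUTING -d 76.53.10.36/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.11.166:80
-A PREROUTING -d 76.53.10.36/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.11.166:443
-A POSTROUTING -s 192.168.11.0/24 -d 192.168.11.166/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -o eth8 -j MASQUERADE
EOF
}
sample_rules | hairpin_audit 76.53.10.36 192.168.11.0/24 br0
```

A `no-lan-snat` verdict is consistent with the internal timeout described above: the DNAT rewrites the destination, but the server answers the client directly from 192.168.11.166 and the client discards the reply.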