# Hairpin NAT Issue - Internal Access to Public IP
**Date**: 2026-01-21
**Issue**: Connection timeout when accessing public IP (76.53.10.36) from internal network (192.168.11.4)
---
## Problem
Testing from the internal network (192.168.11.4) to the public IP (76.53.10.36) results in a timeout:
- `curl https://explorer.d-bis.org` → Timeout
- `curl http://76.53.10.36` → Timeout
**This is a "Hairpin NAT" or "NAT Loopback" issue.**
---
## What is Hairpin NAT?
Hairpin NAT allows internal devices to access services using the public IP address. Without it:
- ✅ External access works (internet → public IP → internal)
- ❌ Internal access to public IP fails (internal → public IP → internal)
---
## Current Situation
### Testing from Internal Network (192.168.11.4)
- `curl http://76.53.10.36` → Timeout
- `curl https://explorer.d-bis.org` → Timeout
### Expected Behavior
- ✅ External access should work (from internet)
- ⚠️ Internal access to public IP may not work (hairpin NAT)
---
## Solutions
### Option 1: Use Internal IP Directly (Recommended for Internal Testing)
Instead of using the public IP from the internal network, use the internal IP:
```bash
# Use internal IP directly
curl http://192.168.11.166 -H "Host: explorer.d-bis.org"
# -k skips certificate verification, because the certificate will not match the IP in the URL
curl https://192.168.11.166 -H "Host: explorer.d-bis.org" -k
# Or use the domain with internal DNS
# (if internal DNS points to 192.168.11.166)
curl http://explorer.d-bis.org
```
### Option 2: Enable Hairpin NAT in UDM Pro
UDM Pro may need hairpin NAT enabled:
1. **Check UDM Pro Settings**
   - Look for "Hairpin NAT" or "NAT Loopback" option
   - Enable if available
2. **Or Add NAT Reflection Rule**
   - Some routers need explicit NAT reflection rules
   - May require advanced configuration
### Option 3: Test from External Network
The real test is external access:
```bash
# Test from external network (not 192.168.11.x)
# Use mobile hotspot, VPN, or different network
curl -v http://explorer.d-bis.org
curl -v https://explorer.d-bis.org
```
---
## Verification Steps
### 1. Check if Port Forwarding Rules Are Active
```bash
ssh OQmQuS@192.168.11.1
# -F matches the address as a fixed string, so the dots are not regex wildcards
sudo iptables -t nat -L PREROUTING -n -v | grep -F "76.53.10.36"
```
**Should show** (the packet/byte counter and interface columns printed by `-v` are omitted here):
```
DNAT tcp -- 0.0.0.0/0 76.53.10.36 tcp dpt:80 to:192.168.11.166:80
DNAT tcp -- 0.0.0.0/0 76.53.10.36 tcp dpt:443 to:192.168.11.166:443
```
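The check in step 1 and the NAT reflection rule from Option 2, as an added example that is not part of the original document: a shell function that reads a NAT ruleset in `iptables -t nat -S` format and reports whether a port is forwarded for external clients only or is also hairpinned. The `/24` LAN prefix, the `wan0` interface name and both sample rulesets are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): classify a NAT ruleset, given in
# `iptables -t nat -S` format on stdin, for one forwarded port.
PUBLIC_IP="76.53.10.36"     # from the page
BACKEND="192.168.11.166"    # NPMplus, from the page
LAN="192.168.11.0/24"       # assumption: the page only shows 192.168.11.x
WAN_IF="wan0"               # hypothetical WAN interface name

# check_hairpin PORT -> prints no-forward | forward-only | hairpin
check_hairpin() (
  port="$1"; dnat_any=0; dnat_lan=0; snat=0
  while IFS= read -r line; do
    case "$line " in
      "-A PREROUTING "*"-d $PUBLIC_IP"*"--dport $port "*"-j DNAT "*"$BACKEND:$port "*)
        dnat_any=1
        # A DNAT rule bound to the WAN interface never sees LAN-originated packets.
        case "$line " in *" -i $WAN_IF "*) ;; *) dnat_lan=1 ;; esac ;;
      "-A POSTROUTING "*"-s $LAN "*"-d $BACKEND"*"--dport $port "*"-j MASQUERADE "*)
        # Source NAT forces the backend's reply back through the router.
        snat=1 ;;
    esac
  done
  if [ "$dnat_any" -eq 0 ]; then echo "no-forward"
  elif [ "$dnat_lan" -eq 1 ] && [ "$snat" -eq 1 ]; then echo "hairpin"
  else echo "forward-only"   # external works, internal-to-public times out
  fi
)

# Constructed sample rulesets (not captured from the UDM Pro).
RULES_FORWARD_ONLY="-A PREROUTING -d 76.53.10.36/32 -i wan0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.11.166:80
-A PREROUTING -d 76.53.10.36/32 -i wan0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.11.166:443
-A POSTROUTING -o wan0 -j MASQUERADE"
RULES_HAIRPIN="-A PREROUTING -d 76.53.10.36/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.11.166:443
-A POSTROUTING -s 192.168.11.0/24 -d 192.168.11.166/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -o wan0 -j MASQUERADE"

for p in 80 443; do
  printf 'forward-only ruleset, port %s: %s\n' "$p" "$(printf '%s\n' "$RULES_FORWARD_ONLY" | check_hairpin "$p")"
  printf 'hairpin ruleset, port %s: %s\n' "$p" "$(printf '%s\n' "$RULES_HAIRPIN" | check_hairpin "$p")"
done
```

On the router, pipe the live table in with `sudo iptables -t nat -S | check_hairpin 443`. With a reflection rule in place, NPMplus sees the router's address as the client for hairpinned connections, so its access logs no longer show which internal host connected.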
### 2. Test Internal Access to NPMplus Directly
```bash
# From internal network (192.168.11.4)
curl -v http://192.168.11.166 -H "Host: explorer.d-bis.org"
curl -v https://192.168.11.166 -H "Host: explorer.d-bis.org" -k
```
**If this works**: NPMplus is working, and the issue is hairpin NAT.
### 3. Test External Access
**This is the real test** - from outside the network:
- Use a mobile hotspot
- Use a VPN
- Use a different network
- Ask someone external to test
```bash
curl -v http://explorer.d-bis.org
curl -v https://explorer.d-bis.org
```
---
## Current Status
Based on your test output:
- ❌ Internal access to public IP: **NOT WORKING** (hairpin NAT issue)
- ❓ External access: **UNKNOWN** (needs testing from external network)
- ✅ Internal access to NPMplus directly: **SHOULD WORK** (needs verification)
---
## Next Steps
1. **Verify Port Forwarding Rules Are Active**
   - Check NAT table via SSH
   - Ensure rules are not paused
2. **Test Internal Access to NPMplus Directly**
   ```bash
   curl -v http://192.168.11.166 -H "Host: explorer.d-bis.org"
   ```
3. **Test External Access** (Most Important)
   - Test from external network
   - This is the real test for public access
4. **If External Access Works**
   - ✅ Problem solved!
   - Internal access to public IP is a separate issue (hairpin NAT)
---
## Summary
**Internal access to public IP timing out is expected if hairpin NAT is not enabled.**
**The real test is external access from the internet.**
If external access works, the explorer is functional - internal access to public IP is a separate configuration issue.
---
**Status**: ⚠️ **TEST EXTERNAL ACCESS - Internal timeout may be expected**