Hairpin NAT Issue - Internal Access to Public IP
Date: 2026-01-21
Issue: Connection timeout when accessing public IP (76.53.10.36) from internal network (192.168.11.4)
Problem
Testing from internal network (192.168.11.4) to public IP (76.53.10.36) results in timeout:
curl https://explorer.d-bis.org → Timeout
curl http://76.53.10.36 → Timeout
This is a "Hairpin NAT" or "NAT Loopback" issue.
What is Hairpin NAT?
Hairpin NAT allows internal devices to access services using the public IP address. Without it:
- ✅ External access works (internet → public IP → internal)
- ❌ Internal access to public IP fails (internal → public IP → internal)
Current Situation
Testing from Internal Network (192.168.11.4)
- ❌ curl http://76.53.10.36 → Timeout
- ❌ curl https://explorer.d-bis.org → Timeout
Expected Behavior
- ✅ External access should work (from internet)
- ⚠️ Internal access to public IP may not work (hairpin NAT)
Solutions
Option 1: Use Internal IP Directly (Recommended for Internal Testing)
Instead of using the public IP from the internal network, use the internal IP:
# Use internal IP directly
curl http://192.168.11.166 -H "Host: explorer.d-bis.org"
curl https://192.168.11.166 -H "Host: explorer.d-bis.org" -k
# Or use the domain with internal DNS
# (if internal DNS points to 192.168.11.166)
curl http://explorer.d-bis.org
Option 2: Enable Hairpin NAT in UDM Pro
UDM Pro may need hairpin NAT enabled:
- Check UDM Pro Settings
  - Look for "Hairpin NAT" or "NAT Loopback" option
  - Enable if available
- Or Add NAT Reflection Rule
  - Some routers need explicit NAT reflection rules
  - May require advanced configuration
Option 3: Test from External Network
The real test is external access:
# Test from external network (not 192.168.11.x)
# Use mobile hotspot, VPN, or different network
curl -v http://explorer.d-bis.org
curl -v https://explorer.d-bis.org
Verification Steps
1. Check if Port Forwarding Rules Are Active
ssh OQmQuS@192.168.11.1
sudo iptables -t nat -L PREROUTING -n -v | grep "76.53.10.36"
Should show:
DNAT tcp -- 0.0.0.0/0 76.53.10.36 tcp dpt:80 to:192.168.11.166:80
DNAT tcp -- 0.0.0.0/0 76.53.10.36 tcp dpt:443 to:192.168.11.166:443
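The check above only proves the forwards exist. As an added example (not part of the original notes or of the router's own tooling), the script below audits `iptables -t nat -S` output for the forwards and for the two conditions generic Linux netfilter needs before hairpin NAT can work. The interface names eth8 and br0, the LAN range 192.168.11.0/24 and both rule dumps are constructed assumptions.

```sh
#!/bin/sh
# Added example, not from the original page. Reads `iptables -t nat -S` output on
# stdin and reports the port forwards plus the two rules hairpin NAT depends on.
# Negated matches ("! -i ...") are not handled; interface names are assumptions.
hairpin_audit() {  # args: public_ip server_ip lan_cidr lan_interface
  awk -v pub="$1" -v srv="$2" -v lan="$3" -v lanif="$4" '
  {
    split("", o)                                # reset the per-rule option map
    for (i = 1; i < NF; i++) if ($i ~ /^-/) o[$i] = $(i + 1)
    sub(/\/32$/, "", o["-d"])                   # -S prints hosts as a.b.c.d/32
    if (o["-A"] == "PREROUTING" && o["-j"] == "DNAT" && o["-d"] == pub) {
      p = o["--dport"]
      if (o["--to-destination"] != srv ":" p) next
      fwd[p] = 1
      # A forward bound to the WAN interface never matches packets from the LAN.
      if (!("-i" in o) || o["-i"] == lanif) refl[p] = 1
    }
    # Without source NAT the server answers the LAN client directly, and the
    # client drops the reply because it expected the public IP as the source.
    if (o["-A"] == "POSTROUTING" && o["-s"] == lan && o["-d"] == srv &&
        (o["-j"] == "SNAT" || o["-j"] == "MASQUERADE")) snat = 1
  }
  END {
    n = split("80 443", ports, " "); ok = snat
    for (k = 1; k <= n; k++) {
      p = ports[k]; if (!refl[p]) ok = 0
      printf "forward:%s=%s reflect:%s=%s\n", p, (fwd[p] ? "ok" : "missing"),
             p, (refl[p] ? "ok" : "missing")
    }
    printf "lan-snat=%s\nhairpin=%s\n", (snat ? "ok" : "missing"), (ok ? "yes" : "no")
    exit(ok ? 0 : 1)
  }'
}

# Constructed sample 1: forwards bound to a WAN interface (eth8), nothing for the LAN.
SAMPLE_WAN_ONLY='-A PREROUTING -d 76.53.10.36/32 -i eth8 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.11.166:80
-A PREROUTING -d 76.53.10.36/32 -i eth8 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.11.166:443'
# Constructed sample 2: forwards on every interface plus source NAT for LAN clients.
SAMPLE_HAIRPIN='-A PREROUTING -d 76.53.10.36/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.11.166:80
-A PREROUTING -d 76.53.10.36/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.11.166:443
-A POSTROUTING -s 192.168.11.0/24 -d 192.168.11.166/32 -o br0 -j MASQUERADE'

for s in "$SAMPLE_WAN_ONLY" "$SAMPLE_HAIRPIN"; do
  printf '%s\n' "$s" | hairpin_audit 76.53.10.36 192.168.11.166 192.168.11.0/24 br0 || true
done
```

On a real router, pipe `sudo iptables -t nat -S` into `hairpin_audit` instead of the samples. A result of forward=ok with reflect=missing or lan-snat=missing matches the symptom on this page: external access can work while internal access to the public IP times out.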
2. Test Internal Access to NPMplus Directly
# From internal network (192.168.11.4)
curl -v http://192.168.11.166 -H "Host: explorer.d-bis.org"
curl -v https://192.168.11.166 -H "Host: explorer.d-bis.org" -k
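If this works, NPMplus is working and the issue is hairpin NAT. Note that -k skips certificate validation, so the HTTPS check confirms reachability only, not that the certificate is valid.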
3. Test External Access
This is the real test - from outside the network:
- Use mobile hotspot
- Use VPN
- Use different network
- Ask someone external to test
curl -v http://explorer.d-bis.org
curl -v https://explorer.d-bis.org
Current Status
Based on your test output:
- ❌ Internal access to public IP: NOT WORKING (hairpin NAT issue)
- ❓ External access: UNKNOWN (needs testing from external network)
- ✅ Internal access to NPMplus directly: SHOULD WORK (needs verification)
Next Steps
- Verify Port Forwarding Rules Are Active
  - Check NAT table via SSH
  - Ensure rules are not paused
- Test Internal Access to NPMplus Directly
  curl -v http://192.168.11.166 -H "Host: explorer.d-bis.org"
- Test External Access (Most Important)
  - Test from external network
  - This is the real test for public access
- If External Access Works
  - ✅ Problem solved!
  - Internal access to public IP is a separate issue (hairpin NAT)
Summary
Internal access to public IP timing out is expected if hairpin NAT is not enabled.
The real test is external access from the internet.
If external access works, the explorer is functional - internal access to public IP is a separate configuration issue.
Status: ⚠️ TEST EXTERNAL ACCESS - Internal timeout may be expected