回到頂部
概覽
讀者將會學習到如何配置 Hairpin NAT 與 Destination NAT 聯動使用。
適用於安裝有最新 EdgeOS 固件的所有 EdgeRouter 型號。 使用者需要了解命令行(CLI)配置和基礎的網路知識。 更多資訊可以查看 相關文章。
本次測試使用的型號是:
目錄
FAQ
1.當我使用端口轉發功能時需要開啟 hairpin NAT 功能嗎?
不需要,因為在使用 端口轉發 嚮導配置時,有一個複選框已經將 hairpin NAT 功能下發出來了。
2.當我使用 destination NAT 功能時需要開啟 hairpin NAT 功能嗎?
需要,具體步驟請仔細閱讀下文。
網路圖解
下圖為本次測試的拓撲圖,主要接口如下:
- eth0 (WAN) - 203.0.113.1
- eth1 (LAN) - 192.168.1.1/24
我們將會通過應用 Hairpin NAT 功能實現,內網 192.168.1.0/24 網段內的終端,能夠通過路由器外網地址(203.0.113.1:443)來訪問 UISP 伺服器。
Hairpin 和 Destination NAT
1.添加一個允許 HTTPS 流量去往 UISP 伺服器的防火牆策略。(可選)
Firewall/NAT > Firewall Policies > WAN_IN > Actions > Edit Ruleset > Add New Rule
Description: https //規則註釋
Action: Accept //作為接收
Protocol: TCP //協議類型
Destination > Port: 443 //目標端口
Destination > Address: 192.168.1.10 //目標地址
2.添加一個轉換 TCP port 443 的 Destination NAT 。
Firewall / NAT > NAT > +Add Destination NAT Rule
Description: https443 //規則註釋
Inbound Interface: eth0 //入站接口
Translation Address: 192.168.1.10 //轉化地址
Translation Port: 443 //轉化端口
Protocol: TCP //協議類型
Destination Address: 203.0.113.1 //目標地址
Destination Port: 443 //目標端口
3.根據上面的目的 NAT 添加第一個 Hairpin NAT 規則 (這條規則幾乎是上面的副本,也是目的 NAT )。
Firewall / NAT > NAT > +Add Destination NAT Rule
Description: hairpin443 //規則註釋
Inbound Interface: eth1 //入站接口
Translation Address: 192.168.1.10 //轉化地址
Translation Port: 443 //轉化端口
Protocol: TCP //協議類型
Destination Address: 203.0.113.1 //目標地址
Destination Port: 443 //目標端口
- 創建一個源 NAT 作為第二個 Hairpin NAT (偽裝)。
Firewall / NAT > NAT > +Add Source NAT Rule
Description: hairpin //規則註釋
Outbound Interface: eth1 //出站接口
Translation: Use Masquerade //轉化類型
Protocol: TCP //協議類型
Source Address: 192.168.1.0/24 //源 IP 地址段
Destination Address: 192.168.1.10 //目標地址
Destination Port: 443 //目標端口
使用嚮導配置 port-forwarding 功能,你可以在 CLI 界面看到生成的等效命令。
configure
set firewall name WAN_IN rule 21 action accept
set firewall name WAN_IN rule 21 description https
set firewall name WAN_IN rule 21 destination port 443
set firewall name WAN_IN rule 21 log disable
set firewall name WAN_IN rule 21 protocol tcp
set service nat rule 1 description https443
set service nat rule 1 destination address 203.0.113.1
set service nat rule 1 destination port 443
set service nat rule 1 inbound-interface eth0
set service nat rule 1 inside-address address 192.168.1.10
set service nat rule 1 inside-address port 443
set service nat rule 1 log disable
set service nat rule 1 protocol tcp
set service nat rule 1 type destination
set service nat rule 2 description hairpin443
set service nat rule 2 destination address 203.0.113.1
set service nat rule 2 destination port 443
set service nat rule 2 inbound-interface eth1
set service nat rule 2 inside-address address 192.168.1.10
set service nat rule 2 inside-address port 443
set service nat rule 2 log disable
set service nat rule 2 protocol tcp
set service nat rule 2 type destination
set service nat rule 5011 description hairpin
set service nat rule 5011 destination address 192.168.1.10
set service nat rule 5011 destination port 443
set service nat rule 5011 log disable
set service nat rule 5011 outbound-interface eth1
set service nat rule 5011 protocol tcp
set service nat rule 5011 source address 192.168.1.0/24
set service nat rule 5011 type masquerade
commit ; save