- the client sends a packet with a source IP address of 192.168.1.10 to a destination IP address of 1.1.1.1 on port tcp/80 to request some web resource.
- the router destination NATs the packet to 192.168.1.2 and replaces the destination IP address in the packet accordingly. The source IP address stays the same: 192.168.1.10.
- the server replies to the client's request. However, the source IP address of the request is on the same subnet as the web server. The web server does not send the reply back to the router, but sends it back directly to 192.168.1.10 with a source IP address in the reply of 192.168.1.2.
The client receives the reply packet, but it discards it because it expects a packet back from 1.1.1.1, and not from 192.168.1.2. As far as the client is concerned the packet is invalid and not related to any connection the client previously attempted to establish.
To fix the issue, an additional NAT rule needs to be introduced on the router to enforce that all reply traffic flows through the router, despite the client and server being on the same subnet. The rule below is very specific to only apply to the traffic that the issue could occur with - if there are many servers the issue occurs with, the rule could be made broader to save having one such exception per forwarded service.
이 부분보면 알겠지만 192.168.1.10 가 1.1.1.1로 접속했지만 수신하는건 192.168.1.2이라서 접속이 안된다는 의미인데 그럼 192.168.10을 1.1.1.2 로 srcnat 시켜서
외부 포트 간의 연결이 되면 해결되지 않나요? 굳이 hairpin 같은 복잡한 설정이 필요한지 의문이 듭니다.
bigmaster´ÔÀÌ Á¦½ÃÇϽŠ¹æ¹ýµµ hairpin°ú °°´Ù°í º¸½Ã¸é µË´Ï´Ù. ±×·¯³ª ½±°Ô ¾òÀ» ¼ö ¾ø´Â °øÀÎ IP ÁÖ¼Ò(1.1.1.2)¸¦ Ãß°¡·Î »ç¿ëÇϱ⠶§¹®¿¡ ¾È ÁÁÀº °Å°í¿ä.