¹Ø¿¡ hairpin nat º¸°í Áú¹®µå¸³´Ï´Ù.

bigmaster   
   Á¶È¸ 11896   Ãßõ 1    

 

  1.  the client sends a packet with a source IP address of 192.168.1.10 to a destination IP address of 1.1.1.1 on port tcp/80 to request some web resource.
  2.  the router destination NATs the packet to 192.168.1.2 and replaces the destination IP address in the packet accordingly. The source IP address stays the same: 192.168.1.10.
  3.  the server replies to the client's request. However, the source IP address of the request is on the same subnet as the web server. The web server does not send the reply back to the router, but sends it back directly to 192.168.1.10 with a source IP address in the reply of 192.168.1.2.

The client receives the reply packet, but it discards it because it expects a packet back from 1.1.1.1, and not from 192.168.1.2. As far as the client is concerned the packet is invalid and not related to any connection the client previously attempted to establish. 

To fix the issue, an additional NAT rule needs to be introduced on the router to enforce that all reply traffic flows through the router, despite the client and server being on the same subnet. The rule below is very specific to only apply to the traffic that the issue could occur with - if there are many servers the issue occurs with, the rule could be made broader to save having one such exception per forwarded service. 


이 부분보면 알겠지만 192.168.1.10 가 1.1.1.1로 접속했지만 수신하는건 192.168.1.2이라서 접속이 안된다는 의미인데 그럼 192.168.10을 1.1.1.2 로 srcnat 시켜서

외부 포트 간의 연결이 되면 해결되지 않나요? 굳이 hairpin 같은 복잡한 설정이 필요한지 의문이 듭니다.

Chrome 2017-07
Àú°Ô Á¦ÀÏ °£´ÜÇÑ ¹æ¹ýÀÌ¶ó¼­ ±×·¸½À´Ï´Ù.
bigmaster´ÔÀÌ Á¦½ÃÇϽŠ¹æ¹ýµµ hairpin°ú °°´Ù°í º¸½Ã¸é µË´Ï´Ù. ±×·¯³ª ½±°Ô ¾òÀ» ¼ö ¾ø´Â °øÀÎ IP ÁÖ¼Ò(1.1.1.2)¸¦ Ãß°¡·Î »ç¿ëÇϱ⠶§¹®¿¡ ¾È ÁÁÀº °Å°í¿ä.
dhcp µîÀ¸·Î ¹Þ¾Æ¿À´Â°æ¿ì¿¡´Â ¼³Á¤ÀÌ ¾î·Æ±â¶§¹®¿¡ hairpin ±â´ÉÀ» ¾²´Â°Ô ÁÁ½À´Ï´Ù.
     
bigmaster 2017-07
±×·¸±º¿ä. ÀÌÇØÇß½À´Ï´Ù.


Á¦¸ñPage 77/105
2020-12   4891   ±è»óÀÏ
2021-04   4890   ±ôº¸65
2021-03   4877   epowergate
2020-11   4877   INMD
2022-06   4875   ÆÒ´õ°í¶ó´Ï
2021-02   4874   ·¹¸óÆ®¸®7
2020-05   4868   Á׸²Ä¥Çö
2019-04   4860   À±¹Î¼ö
2022-04   4859   mineroller
2019-12   4856   MikroTikÀÌÁø
2019-11   4854   BlueApple
2022-04   4854   ¼¾Åä¿ì³ë
2021-08   4839   ¿ÃµåÆÄ
2020-02   4838   ÇÑ°­ÇÑ»´ºä
2022-05   4835   MOONL
2021-01   4829   Ä«ÀÌÁ¦¸°
2019-09   4828   Mentis
2020-09   4815   ÂÞÂÞºÀ
2021-08   4809   ±¸°í±â
2021-11   4790   Xecus