On Mon, Jan 23, 2023 at 10:03:19AM +0000, Polarian wrote:
> Hello,
>
> So yesterday I was working on my BSD router, I realised that if I nmap'ed my
> external IP from my internal IP, it would treat it still as an internal
> request.
>
> Does OpenBSD detect when a packet endpoint is designated for it, for example
> with traditional ISP routers, if you send a packet to their WAN address, you
> would see the following:
>
> My laptop (192.168.0.104) --> ISP router (192.168.0.1) - NAT'd -> ISP -->
> ISP router
>
> Now when I was setting up my OpenBSD router, I believe the following was
> occurring (hence why the nmap preserved permissions set for internal IPs and
> not external).
>
> My laptop (192.168.2.3) --> OpenBSD Router
>
> Even though I was referencing the BSD router WAN address and not its WAN, I
> have my internal DNS server blocked externally, one because it is for
> internal use to allow mapping of hostnames to LAN addresses instead of
> resolving their WAN address.
>
> But despite using the public IP address of the BSD router, it still seemed
> to detect that the packet was for it, and I am not too sure why?
>
> Of course this behaviour would be preferred, fewer packets going to the ISP and
> back again saves me resources (and money, bandwidth is not cheap), but I am
> curious to see if my prediction of this behaviour is true, and/or is the
> default, and why it occurs.
>
> If anyone could explain to me their thoughts about this, or how it works, it
> would be appreciated.
>
> Thank you,
> --
> Polarian
> GPG signature: 0770E5312238C760
> Website: https://polarian.dev
> JID/XMPP: polarian@polarian.dev
>
I believe you mean what is usually called "NAT hairpinning" or "NAT
loopback" [1] or something like that. I _think_ (i.e. never tried it)
you can achieve the same with rdr-to and nat-to, as is explained in the
FAQ:
https://www.openbsd.org/faq/pf/rdr.html#rdrnat
(As a side note, even with the "traditional" routers, the packets don't
actually go out to the ISP and come back; they are routed internally.)
[1] https://en.wikipedia.org/wiki/Network_address_translation#NAT_hairpinning
--
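As an added illustration (not part of either message above, and not the FAQ's own text), here is the rdr-to/nat-to pair the reply refers to, written out as a pf.conf fragment. Interface names (em0/em1), the LAN prefix and the internal server address are constructed assumptions; the reflected port (80) is only an example. The FAQ section linked above describes the same combination; this is my own rendering of it.

```pf
# Constructed example of NAT hairpinning ("reflection") in OpenBSD pf.
# Assumed layout: em0 = WAN, em1 = LAN (192.168.2.0/24), web server 192.168.2.10.
ext_if = "em0"
int_if = "em1"
lan    = "192.168.2.0/24"
server = "192.168.2.10"

# Ordinary outbound NAT for the LAN.
match out on $ext_if from $lan nat-to ($ext_if)

# 1) Port forward from the Internet: connections arriving on the WAN
#    address, port 80, are redirected to the internal server.
pass in on $ext_if proto tcp to ($ext_if) port 80 rdr-to $server

# 2) Hairpin: a LAN client that connects to the WAN address never leaves
#    the router, so the same redirection must also be applied on the LAN
#    interface ...
pass in on $int_if proto tcp from $lan to ($ext_if) port 80 rdr-to $server

# 3) ... and the source must be rewritten to the router's LAN address,
#    otherwise the server would answer the client directly (same subnet)
#    with an un-translated source address and the client would drop the
#    reply. "received-on" limits this to traffic that entered via the LAN.
pass out on $int_if proto tcp to $server port 80 received-on $int_if \
    nat-to ($int_if)
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf` and inspect the resulting translations with `pfctl -s state`. Two things worth keeping in mind from a defensive standpoint: only the ports you list are reflected, so the hairpin rules are an explicit allow-list, not a blanket "treat WAN like LAN"; and because of rule 3 the server sees every hairpinned connection as coming from the router's LAN address, so its logs lose the real client IP. Note also that the rules are only needed when the destination is a host behind the router; when the packet is addressed to one of the router's own addresses (the WAN address itself, as in the nmap run above), the kernel simply delivers it locally because the address belongs to it, which is why the LAN-side rules matched.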