
Egress Hairpinning

I run a couple servers inside my network, mostly relying on a reverse-proxy to accept connections on TCP 443 and proxy the connections to the right internal server. I don't run separate internal v. external DNS. Instead, I have a more typical setup where I define an external DNS server in eero, then the eero includes its address as the DNS server in all DHCP addresses, and forwards the requests.

 

As a result, though, I can't access my server by [subdomain].[domain].com while *inside* my eero network. I have to instead use DNS shortnames. This is annoying for a number of reasons. 

  • I get the potential security risk, but isn't that something that should ultimately be up to the end user? Add a NAT loopback toggle under Advanced Settings, default it to "off", and when I try to enable it, give me a confirmation window full of scary language about network security that will frighten off people who don't really understand what they're doing. I get my desired functionality, eero can truthfully say that they've made a reasonable effort to convince less tech-savvy users to leave it off, and people who have no interest in digging through Advanced Settings will never be exposed to risk. Problem solved.

    Like 2
  • NickP Sure. I ordered it from Amazon. It'll arrive on Sunday. That's what I heard about the Orbi for its dedicated 5GHz channel. But I think it's only beneficial to mansions where you'll need more than 3 access points? But if you only need 3, or less, I think the lower end mesh wifi are enough.

    go_robot_go  That's another way to solve this problem too, which should've been done from the start. An option to turn it on or off.

    Like
  • crispywisp Yea that's a good point.

    Like
  •  I received the Velop a day earlier than expected. I configured it, and it wasn't a great experience. Took me hours to get the WiFi running perfectly. I had to reset the main node a couple of times. First it couldn't get connected to the Linksys server, then I figured I had to put it in DMZ mode. Second, I couldn't get the second node connected so I had to do a full reset on both.

     

    But after all the painful process, which took like 2 to 3 hours... really. Everything works perfectly. And loopback works as well. But there's no option to customize the DHCP (but, at least it's using the Class A). Also, the app isn't as perfect as Google and Eero, there are noticeable bugs and glitches, which is minor (updating device list). And it takes a bit to get the app to connect to the WiFi. You also can't see how much bandwidth a device is using. 

    But the good thing is that it has more advanced options you can't get from Eero and/or Google. VPN, QoS, Port Range Settings, Port Trigger, oh and this one, Enabling and Disabling ports you created. 

    There are some other options missing in Velop, but at least right now, everything works for me with it.

    Also I'm having this weird behavior with the U-Verse modem. Somehow, U-Verse keeps kicking Linksys off DMZ mode. And when I try to add it back to DMZ, it would give me an error message like the Velop is in static IP and it's not allowed to be added in DMZ. And there's no option to disable static IP. I tried factory restoring the U-Verse, still having the same issue. I couldn't get both working properly. The only way I could get it working was to manually set the ports I need open from the U-Verse. It's weird I contacted U-Verse support about this and he too couldn't figure out what was wrong so he is sending me a newer modem that has a "bridge mode".

    Like
  • +1 for NAT hairpin.  It is ridiculous to require either an internal DNS server or additional hardware (separate router) to enable this functionality.  I bought Eero because I was tired of having a router I needed to reconfigure, troubleshoot & restart all the time, and refuse to add that back in to the mix.  

    The smart home becomes dumb, and the camera system becomes overly complex for any non technical person (my wife) to connect to.

    Like 3
  • +100 for NAT hairpin.  I can't remember the last router I had that couldn't do this. It worked perfectly with my Airport Extreme, with the Airport before that, with the cheap-#^$%$ Xfinity router before that, with...  In fact, it's so widely available it never even occurred to me that a premium-priced "make-your-life-easy" wifi/router wouldn't have that feature. Not having this feature might have been a reasonable choice, oh...  maybe a decade ago (which is around the time I first got my network set up that way).  Not having NAT hairpin in 2017? Really???

    For some of my uses, I can work around the issue by having two separate configs in various apps—named like service@home or service@outside.  But that won't work so well for, say, my IMAP server. I have yet to figure out how to convince any useful mail client to switch between addresses for the IMAP server without treating the two addresses as completely different accounts.  That's a show-stopper!  More generally, the various personal cloud services I run for the family really ought to have the same URLs no matter where they're being accessed from.  I'm stunned that the eero can't do this!

    At this point, I'll probably experiment with adding a local internal DNS server as yet another service to configure. If that works smoothly, things will be OK. If not, my shiny new Eeros go back to Amazon and get replaced with a system that meets my needs.

    I'll be sure to follow up with results, to add to the community's knowledge base.

    Like 1
  • +1 for me on this topic too.  I have a Synology Diskstation running a server that used to be accessible via my domain name from within my home on an Airport Extreme.  It was very disappointing when I discovered that no longer worked with my Eero setup.  Seems like a very basic feature considering every router I've had before Eero supported it (Linksys, Dlink, Netgear, and Apple).  Please add this feature.

    Like 1
  • +1 for this too.  I'm tired of this every time I forget to shut wifi off:

     

     

    Like 1
  • I'm curious if the newly announced Eero Pro will support this? If so, is the first gen going to be left out?

    Like
  • swede76 it does not. I called support. Don't rush to buy, wait for it to be a feature.

    Like 1
  • I would love to pick up two of those new wall plug units, but I can't invest any more into this platform. Deleted the discount email.

    Like
  • Adding onto the pile of yet another new, previously-happy eero customer who got bit debugging port forwarding overnight. This is such a sad oversight by eero. This is a trivial change that, when done properly, doesn't have any security ramifications. Please, please, please support NAT loopback.

    Like
  • Following up to my post above.  Setting up an internal DNS server was reasonably straightforward. My internal server is a Mac running the Server app.  Here's what I did:

    1. Configure OS X Server so that it runs a DNS server for a single domain: my.fqdn.wherever
    2. Tell the DNS pane that the only host in that domain has the local address (e.g., the inside-my-network address) of my server
    3. Tell the DNS pane to use my Internet Provider's DNS servers for all other requests.
    4. Use the Eero app to reserve the IP address for my Mac server.
    5. Use the Eero app to use my internal server as its DNS server, with my Internet Provider's DNS server as backup. The config values I replaced used my ISP's primary and secondary DNS servers.
    6. Turn on the OS X Server's DNS service.
    7. Let everything restart that wanted to.

    There was still some small delay getting things working, because various devices had cached values for various DNS settings. Taking those devices off the network and then back on fixed that problem.

    Now, I'm back to using the same FQDN to access my services whether I'm at home or out and about.

    Kudos to Apple for making the settings in the Server App so simple that I could do it easily. All I needed was to think about the effect I wanted, and it was straightforward from there.

    Like 1
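The workaround in the post above amounts to split-horizon DNS: one name is answered with the server's LAN address and everything else is forwarded upstream. The Python sketch below is an added example, not part of the original post and not how OS X Server implements it; the LAN address `192.168.4.10`, the upstream address `192.0.2.53`, and all function names are assumptions made for illustration.

```python
import socket
import struct

# Assumed values: thread's placeholder name, constructed LAN and upstream addresses.
OVERRIDES = {"my.fqdn.wherever": "192.168.4.10"}
UPSTREAM = ("192.0.2.53", 53)

def parse_question(packet):
    """Return (lowercased name, qtype, offset just past the first question)."""
    labels, pos = [], 12                       # the DNS header is 12 bytes
    while packet[pos] != 0:
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype, _qclass = struct.unpack("!HH", packet[pos + 1:pos + 5])
    return ".".join(labels).lower(), qtype, pos + 5

def local_answer(packet):
    """Steps 1-2: answer the overridden name locally; None for anything else."""
    name, qtype, end = parse_question(packet)
    addr = OVERRIDES.get(name)
    if addr is None:
        return None
    # Only A (type 1) gets a record; other types get an empty NOERROR reply.
    answer = b""
    if qtype == 1:
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(addr)
    header = packet[:2] + struct.pack("!HHHHH", 0x8580, 1, 1 if answer else 0, 0, 0)
    return header + packet[12:end] + answer

def forward(packet, upstream=UPSTREAM, timeout=2.0):
    """Step 3: relay every other query, untouched, to the upstream resolver."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, upstream)
        return s.recvfrom(4096)[0]

def handle(packet, forwarder=forward):
    return local_answer(packet) or forwarder(packet)

def serve(bind=("0.0.0.0", 53)):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(bind)
        while True:
            try:
                query, client = s.recvfrom(4096)
                s.sendto(handle(query), client)
            except (OSError, IndexError, struct.error, UnicodeDecodeError):
                continue                       # drop malformed or timed-out queries
```

Calling `serve()` starts the UDP loop; binding port 53 normally requires elevated privileges, and the 60-second TTL in the local answer keeps client caches short-lived.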
      • jalvani
      • 5 yrs ago

      dfsutherland That's been my workaround until NAT Hairpinning is supported. Not ideal; I don't love having extra services running in my network, but not that big of a deal.

      Like
  • Very sad this still isn't supported. Every other router supports this but not eero. Sure sounds like one developer engineer somewhere who doesn't believe in this feature so they won't include it. 

    Like
  • dfsutherland Thanks for sharing this for those who have an immediate need to temporarily address a major shortcoming of eero.

    That said, eero engineers, don't mistake this for a solution. This is something that is beyond the abilities of your core market, and something that many of us will refuse to do on principle, because it's providing functionality that eero should have provided from the beginning.

    For what it's worth, I've determined that the Netgear Orbi *does* support NAT loopback. I figure that they'll have sales on Orbi near the holidays, so eero has approximately five to six months to fix this mess before I jump ship.

    Like 1
  • Actually almost everything supports NAT Loopback/NAT Redirection/Hairpinning/so forth, so anyone should be able to easily find an alternative. Ha ha.

    Personally, I went the more expensive route and couldn't be happier. I went Ubiquiti and deployed 2 APs with their USG. At $320, my mom's house has 2 APs and the USG router and she's never had faster speeds on every sq ft of her property. I did the UAP-AC-HD so my network cost $750, but I have 75 active devices and the same results. I never got over 50Mbps down and 35Mbps up on Eero, but I now get 82Mbps/120Mbps. Honestly, I even get faster WAN speeds via ethernet for some reason over every other router I have tried. I had spent $600 on Eero since I bought more access points, but I returned them all within the time frame. The other poor folks on this thread didn't have that opportunity. I was fortunate.

    I still follow this thread since I set up systems for other people as a side job, and it's sad to think this hasn't been addressed.

    Like 1
  • Eero Engineers & go_robot_go 

    go_robot_go said:
    That said, eero engineers, don't mistake this for a solution. This is something that is beyond the abilities of your core market, and something that many of us will refuse to do on principle, because it's providing functionality that eero should have provided from the beginning.

     Yes, I made this work. But I've been programming since the 1970s, and on the Internet since the old Arpanet had three nodes, so I'm not exactly your core market... except that I'd rather spend a little more to avoid having to mess with issues like this. That's what I thought I was buying! I was only partly correct. 

    If I was helping family or friends, the Egress hair-pinning issue would have led to an instant return! I'm just barely willing to do the additional work I described above for myself—and that only because it worked perfectly on the first try. I would be utterly unwilling to do this extra work as volunteer support for someone else.

    The primary reason for paying premium prices for devices like the Eero is to get a good-performing network that "just works" with absolute minimum fiddling. Even with Apple making it easy, setting up an internal DNS server is clearly incompatible with absolute minimum fiddling. And with the vast majority of competing devices providing this functionality, you really, really should have provided it from the beginning.

    Like 1
  • Did anyone with a Synology NAS figure out how to configure the DNS Server app properly as a workaround here?   Messed a bit with the settings, but can't find the magic config that allows my domain name (or even the DDNS name) to be accessible from within my network.  It's crazy that this still is not supported.

    Like
  • +1 for NAT loopback/hairpinning. It's really sad that you don't support this when every cheapo $50 router has for 15+ years. Makes me regret my purchase, looking at Google's now instead.

    Like 1
  • This is a repost from another commenter that I totally agree with. "+1 for NAT hairpin.  It is ridiculous to require either an internal DNS server or additional hardware (separate router) to enable this functionality.  I bought Eero because I was tired of having a router I needed to reconfigure, troubleshoot & restart all the time, and refuse to add that back in to the mix.  

    The smart home becomes dumb, and the camera system becomes overly complex for any non technical person (my wife) to connect to." 

    Like 1
  • +1 for the feature that, as others have pointed out, almost every other router supports. I'm otherwise happy with the Gen 2 hardware, especially the beacons, but now I have to set up an internal DNS server to access my computers, cameras, and other smart devices the same at home as away.

    Like 1
  • Another vote for NAT hairpin.  If it is such a security risk, why does every other router manufacturer have it enabled?  I cannot return my eeros as they are 6 months old.  I would like to, after seeing the company fail to enable this feature despite about 100 replies to this thread.

    I was having trouble connecting to my iMac 2017 inside of my home wifi when using Screens Connect.  Had to contact tech support at Edovia, who sent me over to this thread.  If Bonjour stops working (for whatever reason) then the secondary connection method Screens uses is refused by eero router because of this hairpinning issue.

    So, eero----please get it together and enable this.

     

    Thanks

    Like 1
  • Another vote from me as well! I wish I would have read this before buying, took a lot for me to finally give in and get rid of my Apple Extreme Base station setup. 

     

    Please eero, add this feature ASAP, I am on the fence and really considering just returning them.

    Like 1
      • Konolua
      • 5 yrs ago

      GiancarloGomez I'd suggest returning them. You could always buy them again. Try AmpliFi HD. Very very highly rated. Personally I went Ubiquiti AP and I couldn't be happier. You could use your Apple router and get two or three UAP-AP-Pro devices for cheaper than Eero and have FAR better coverage.

       

      AmpliFi is easier to deploy though. 

       

      Good luck!

      Like
    • Thank you Konolua 

      I did consider AmpliFi and Orbi during my purchase and went with Eero because I bought the latest version and I preferred them aesthetically. But I think I might just go thru the return and replace nightmare.

      Like
      • Luc
      • 5 yrs ago

      GiancarloGomez Eero left this thread a while ago. They'll never implement this feature. Just return them while you can!

      Like
    • Luc Thanks Luc, I am looking at an Orbi review and I have always liked Netgear, so I think I might go that way.

      Like
  • Off to BestBuy to pick up my Orbi and sending these Eeros back today. What a shame.

    Like
    • GiancarloGomez I went with google wifi and it works great.  I returned my units right after I saw that this thread was many months old.  I wish eero the best though, it's just not a product for me.

      Like
  • Go to the Netgear Orbi forum and see how that is going...from there to here...

    Like
  • Status Implemented
  • 49 Votes
  • Last active 2 yrs ago
  • 161 Replies
  • 11045 Views
  • 66 Following
