Egress Hairpinning

I get the potential security risk, but isn't that something that should ultimately be up to the end user? Add a NAT loopback toggle under Advanced Settings, default it to "off", and when I try to enable it, give me a confirmation window full of scary language about network security that will frighten off people who don't really understand what they're doing. I get my desired functionality, eero can truthfully say that they've made a reasonable effort to convince less tech-savvy users to leave it off, and people who have no interest in digging through Advanced Settings will never be exposed to risk. Problem solved.

NickP Sure. I ordered it from Amazon. It'll arrive on Sunday. That's what I heard about the Orbi for it's dedicated 5GHz channel. But I think it's only beneficial to mansions where you'll need more than 3 access points? But if you only need 3, or less, I think the lower end mesh wifi are enough. 

go_robot_go  That's another way to solve this problem too, which should've been done from the start. An option to turn it on or off.

crispywisp Yea that's a good point.

 I received the Velop a day earlier than expected. I configured it, and it wasn't a great experience. Took me hours to get the WiFi running perfectly. I had to reset the main node a couple of times. First it couldn't get connected to the Linksys server, then I figured I had to put it in DMZ mode. Second, I couldn't get the second node connected so I had to do a full reset on both.

But after all the painful process, which took like 2 to 3 hours... really. Everything works perfectly. And loopback works as well. But there's no option to customize the DHCP (but, at least it's using the Class A). Also, the app isn't as perfect as Google and Eero, there are noticeable bugs and glitches, which is minor (updating device list). And it takes a bit to get the app to connect to the WiFi. You also can't see how much bandwidth a device is using. 

But the good thing is that it has more advanced options you can't get from Eero and/or Google. VPN, QoS, Port Range Settings, Port Trigger, oh and this one, Enabling and Disabling ports you created. 

There are some other options missing in Velop, but at least right now, everything works for me with it.

Also I'm having this weird behavior with the U-Verse modem. Somehow, U-Verse keeps kicking Linksys off DMZ mode. And when I try to add it back to DMZ, it would give me an error message like the Velop is in static IP and it's not allowed to be added in DMZ. And there's no option to disable static IP. I tried factory restoring the U-Verse, still having the same issue. I couldn't get both working properly. The only way I could get it working was to manually set the ports I need open from the U-Verse. It's weird I contacted U-Verse support about this and he too couldn't figure out what was wrong so he is sending me a newer modem that has a "bridge mode".

+1 for NAT hairpin.  It is ridiculous to require either an internal DNS server or additional hardware (separate router) to enable this functionality.  I bought Eero because I was tired of having a router I needed to reconfigure, troubleshoot & restart all the time, and refuse to add that back in to the mix.  

The smart home becomes dumb, and the camera system becomes overly complex for any non technical person (my wife) to connect to.

+100 for NAT hairpin.  I can't remember the last router I had that couldn't do this. It worked perfectly with my Airport Extreme, with the Airport before that, with the cheap-#^$%$ Xfinity router before that, with...  In fact, it's so widely available it never even occurred to me that a premium-priced "make-your-life-easy" wifi/router wouldn't have that feature. Not having this feature might have been a reasonable choice, oh...  maybe a decade ago (which is around the time I first got my network set up that way).  Not having NAT hairpin in 2017? Really???

For some of my uses, I can work around the issue by having two separate configs in various apps—named like service@home or service@outside.  But that won't work so well for, say, my IMAP server. I have yet to figure out how to convince any useful mail client to switch between addresses for the IMAP server without treating the two addresses as completely different accounts.  That's a show-stopper!  More generally, the various personal cloud services I run for the family really ought to have the same URLs no matter where they're being accessed from.  I'm stunned that the eero can't do this!

At this point, I'll probably experiment with adding a local internal DNS server as yet another service to configure. If that works smoothly, things will be OK. If not, my shiny new Eeros go back to Amazon and get replaced with a system that meets my needs.

I'll be sure to follow up with results, to add to the community's knowledge base.

+1 for me on this topic too.  I have a Synology Diskstation running a server that used to be accessible via my domain name from within my home on an Airport Extreme.  It was very disappointing when I discovered that no longer worked with my Eero setup.  Seems like a very basic feature considering every router I've had before Eero supported it (Linksys, Dlink, Netgear, and Apple).  Please add this feature.

+1 for this too.  I'm tired of this everytime I forget to shut wifi off:

I'm curious if the newly announced Eero Pro will support this? If so, is the first gen going to be left out?

swede76 it does not. I called support. Don't rush to buy, wait for it to be a feature.

I would love to pick up two of those new wall plug units, but I can't invest any more into this platform. Deleted the discount email.

Adding onto the pile of yet another new, previously-happy eero customer who got bit debugging port forwarding overnight. This is such a sad oversight by eero. This is a trivial change that, when done properly, doesn't have any security ramifications. Please, please, please support NAT loopback.

Very sad this still isn't supported. Every other router supports this but not eero. Sure sounds like one developer engineer somewhere who doesn't believe in this feature so they won't include it. 

dfsutherland Thanks for sharing this for those who have an immediate need to temporarily address a major shortcoming of eero.

That said, eero engineers, don't mistake this for a solution. This is something that is beyond the abilities of your core market, and something that many of us will refuse to do on principle, because it's providing functionality that eero should have provided from the beginning.

For what it's worth, I've determined that the Netgear Orbi *does* support NAT loopback. I figure that they'll have sales on Orbi near the holidays, so eero has approximately five to six months to fix this mess before I jump ship.

Actually almost everything supports NAT Loopback/NAT Redirection/Hairpinning/so forth, so anyone should be able to easily find an alternative. Ha ha.

Personally, I went the more expensive route and couldn't be happier. I went Ubiquiti and deployed 2 APs with their USG. At $320, my mom's house has 2 APs and the USG router and she's never had faster speeds on every sq ft of her property. I did the UAP-AC-HD so my network cost $750, but I have 75 active devices and the same results. I never got over 50Mbps down and 35Mbps up on Eero, but I now get 82Mbps/120Mbps. Honestly, I even get faster WAN speeds via ethernet for some reason over every other router I have tried. I had spent $600 on Eero since I bought more access points, but I returned them all within the time frame. The other poor folks on this thread didn't have that opportunity. I was fortunate.

I still follow this thread since I set up systems for other people as a side job, and it's sad to think this hasn't been addressed.

Eero Engineers & go_robot_go 

go_robot_go said:
That said, eero engineers, don't mistake this for a solution. This is something that is beyond the abilities of your core market, and something that many of us will refuse to do on principle, because it's providing functionality that eero should have provided from the beginning.

 Yes, I made this work. But I've been programming since the 1970s, and on the Internet since the old Arpanet had three nodes, so I'm not exactly your core market... except that I'd rather spend a little more to avoid having to mess with issues like this. That's what I thought I was buying! I was only partly correct. 

If I was helping family or friends, the Egress hair-pinning issue would have led to an instant return! I'm just barely willing to do the additional work I described above for myself—and that only because it worked perfectly on the first try. I would be utterly unwilling to do this extra work as volunteer support for someone else.

The primary reason for paying premium prices for devices like the Eero is to get a good-performing network that "just works" with absolute minimum fiddling. Even with Apple making it easy, setting up an internal DNS server is clearly incompatible with absolute minimum fiddling. And with the vast majority of competing devices providing this functionality, you really, really should have provided it from the beginning.

Did anyone with a Synology NAS figure out how to configure the DNS Server app properly as a workaround here?   Messed a bit with the settings, but can't find the magic config that allows my domain name (or even the DDNS name) to be accessible from within my network.  It's crazy that this still is not supported.

+1 for NAT loopback/hairpinning. It's really sad that you don't support this when every cheapo $50 router has for 15+ years. Makes me regret my purchase, looking at Google's now instead.

This is a repost from another commenter that I totally agree with. "+1 for NAT hairpin.  It is ridiculous to require either an internal DNS server or additional hardware (separate router) to enable this functionality.  I bought Eero because I was tired of having a router I needed to reconfigure, troubleshoot & restart all the time, and refuse to add that back in to the mix.  

The smart home becomes dumb, and the camera system becomes overly complex for any non technical person (my wife) to connect to." 

+1 for the feature that, as others have pointed out, almost every other router supports. I'm otherwise happy with the Gen 2 hardware, especially the beacons, but now I have to setup an internal DNS server to access my computers, cameras, and other smart devices the same at home as away.

Another vote for NAT hairpin.  If it is such a security risk, why does every other router manufacturer have it enabled.  I cannot return my eeros as they are 6 months old.  I would like to, after seeing the company fail to enable this feature despite about 100 replies to this thread.

I was having trouble connecting to my iMac 2017 inside of my home wifi when using Screens Connect.  Had to contact tech support at Edovia, who sent me over to this thread.  If Bonjour stops working (for whatever reason) then the secondary connection method Screens uses is refused by eero router because of this hairpinning issue.

So, eero----please get it together and enable this.

Thanks

Go to the Netgear Orbi forum and see how that is going...from there to here...