49Egress Hairpinning
I run a couple servers inside my network, mostly relying on a reverse-proxy to accept connections on TCP 443 and proxy the connections to the right internal server. I don't run separate internal v. external DNS. Instead, I have a more typical setup where I define an external DNS server in eero, then the eero includes its address as the DNS server in all DHCP addresses, and forwards the requests.
As a result, though, I can't access my server by [subdomain].[domain].com while *inside* my eero network. I have to instead use DNS shortnames. This is annoying for a number of reasons.
-
Hi everyone —
First and foremost, I'd like to thank all here for contributing to this topic and sharing your thoughts with us regarding your interest in Hairpin NAT. I'm excited to share that with eeroOS 3.3, Hairpin NAT is now officially supported on eero networks.
To use Hairpin NAT, all you will need to do is create a port forward. Once done, you will be able to access your devices from both in and out of your network.
If you are unsure what version your eero network is on, you can check by:
- Opening the app.
- Tapping the menu button.
- Tapping on Network Settings.
Under the section Network software, you will either see Update available (needs to be updated) or Up-to-date (your network is on 3.3).
Again, we greatly appreciate everyone's patience and understanding as we've worked on getting this feature out. As a company, we hold a high standard in any feature we implement, and it requires the necessary vetting to ensure that anything implemented both keeps your network secure and working as expected.
If you have any questions, please let us know.
-
Jeff C. Is this also supported ports created via UPnP?
-
Luc Hairpin NAT will be enabled on all port forwards both manual and UPnP.
-
Jeff C. Awesome!
-
Jeff C. how about showing an example of setting up port forwarding for hairpin?
-
Jeff C. awesome! Works for me. I didn’t have to do anything special. My existing forwards just worked.
-
Jeff C. Will this work if your modem/gateway's ports are closed? I cannot port forward my modem/gateway anymore and I am wondering if this will work with my modems ports closed? Sorry for my lack of knowledge on this topic.
-
Figg —
It won't. In order to use Hairpin NAT, the port must be open on all port forwards for both the eero and any upstream devices. Is your modem also a router? If so, are you able to disable the routing feature?
-
Jeff C. I have an xfinity gateway - wifi router and modem all in one. (more importantly, xfinity has all control) Perfect solution for most users, but I like to tinker and tweak things. I just ordered an Arris modem so now I should be able to make all port forwarding through my eeros once I get my own modem online. Thank you for your help and valuable information.
-
Jeff C. This works beautifully now. No more setting up two configurations for each network camera. Thank you for listening to the community and implementing this much needed feature!
-
Jeff C. --
I'm using a Frontier Actiontec MI424-WR router, and have my eero acting as my router, or at least I think that's what I'v configured. What I've done is set the eero as the DMZ Host on my router. Would that be similar to disabling the routing feature on the Actiontec?
-
Hi jalvani —
Welcome to the eero community! We appreciate you reaching out and taking the time to share your feedback.
We've heard quite a bit of discussion surrounding DNS settings here in the community, and we appreciate you chiming in with your case as well. I will share this feedback with our team.
Thanks again!
-
Hey, Jeff,
Thanks for following up. This isn't as much a DNS feature as a traffic routing feature. My request is that I'm able to make a request from inside my network to my WAN IP, and the eero is smart enough to either (a) look in its NAT table and forward/proxy that request to the internal port while keeping name information intact (to permit reverse-proxy requests) or (b) just permit a hairpin route from internal to public IP and back inside.
-
Thanks for the follow-up and for clearing that up, jalvani .
Happy to share that with our team!
-
jalvani Just wanted to let you know that I, too, would like this feature. I'm running a security camera server inside my home, and I can't access it from within my home using the friendly domain address I can use outside of the house. I emailed support, who explained that some engineers believe it is a security issue, but that many users have requested this feature. Hopefully they'll make it an option that we can enable soon enough.
-
It doesn't seem to be a priority at all for the eero team. I resorted to running a DNS sever inside my network. The lack of feedback and roadmap for eero is frustrating.
-
Hi jalvani —
Thanks for following up.
All feedback from our customers is invaluable to us and we continue to evaluate future features and improvements to the overall eero experience based on what we here. The purpose of this community is to gather feedback and understand what our customers are looking for, which allows us to make such decisions down the road.
In a perfect world, we'd be thrilled to get every requested feature out there for our customers. However, we are working on a lot of exciting new improvements and features which means our resources are currently working on those projects.
We will continue to evaluate future decisions based on the feedback and needs of our customers.
-
Thanks, Jeff , I understand that eero can't work on all requested features simultaneously. This is a board ostensibly for the solicitation of feedback, many of which will lead to new feature requests, though. At the moment, it's no more than throwing cards into a "Suggestions?" box, and hoping maybe something happens in the future.
Some amount of a roadmap, or list of features currently being considered, or really anything that provides some degree of visibility would be a huge benefit, and would start building a community.
-
Perhaps that's a topic for a different thread, though.
-
Our community here is still relatively new, so at this point, it may feel more like a suggestion box as people are going to add their specific requests and feedback. As it fills out, and more customers join in and contribute to existing topics, our team will be able to gauge what interest there is in certain types of features.
Our team has their eyes on our community (as well as other channels like social media and Reddit) where we are monitoring all forms of feedback that help us make such future decisions. While we don't share a product roadmap, and there isn't a plan to at this time, we hope that discussions like these will allow our customers to engage with team members like myself where we can help shape the future of eero and give our customers the opportunity to contribute in shaping that path.
Thanks again.
-
I know this is a little old and has be discussed above but I would also like to add another request for this feature.
I am in a similar position with a couple internal servers; one being a NAS that has nice capabilities like a photo gallery website. All my external facing sites are using trusted SSL certificates and I have the sites locked down to fully qualified domain names. My issues comes into accessing the site internally using the fully qualified domain name as mentioned above.
Most consumer routers have this function built-in; I'm coming from a dead Ubiquiti ERL, they refer to this as nat hairpining (also called nat reflection or nat loopback)
Other than this one issue I love the product, I think my wife loves it more since there is little I can tinker with and break... lol
-
Jeff C. any love for my pet peeve in this batch of updates?
-
jalvani no news to share, but I'll keep voicing it for when we evaluate what to build for future updates!
-
And I'll keep checking in :-)
-
I requested this feature back on March 15th because it is a major issue. Someone named John replied to me. I'm extremely disappointed that I still can't use these eeros because it has yet to be fixed.
-
I too would like to add my vote for NAT Loopback / NAT Hairpinning. Set everything up last night, love the speed and range, but disappointed to find out that I cannot access my IP Surveillance System using my external DDNS address. Would really like to keep these instead of switching back to OnHub which did support loopback. Hopefully the team can provide an update; is this at least on the roadmap?
Jeff C.
-
Agreed. I'm in the same boat. Need this badly!
-
+1000
-
Here is my request for this feature to be added! It's not preventing me from using the eero's but it's a PITA to work around it.
-
I just got a set today and found out that it does not have NAT loop back feature . I need it for my security cameras. Is there a time frame for this to be implemented. I would like to keep the unit, but if the feature is not available anytime soon then I would go back with my old router.
Can some someone from eero advise?
Regards,
K
-
Hi luandn —
Thanks for reaching out. Unfortunately, we don't have any updates to share regarding NAT loopback at this time. As soon as we have any updates, we will be sure to provide those details to this thread.
-
This is a growing need for eero users. I have eeros installed at two homes and cant access (with knowing IP addresses or some internal DNS setup):
- QNAP backup (they have an external dns service)
- Crestron home automation (they have external dns) - yes Zuckerberg uses this in his Jarvis home
- Several DVR/NVR security camera configurations
- Slingbox
I use an external ddns service from NOIP.com for a single address for each of these devices - would like to use this noip address inside of my house.
-
I must note, my eeros are arriving on Tuesday, and it sounds like they will immediately be returned. If I can not access them by putting in my public IP address or associated DynDNS hostname, I will not only be unable to use my 8 security cameras, but will also understand the mindset of eero. I am coming from Luma because of poor performance, but they at least support a fundamental understanding of networking.
Let's hope I have simply misunderstood, but this would affect 100% of security camera users, which of course are probably the bulk of your first round buyers and certainly your cheerleaders among your platform.
-
Konolua You'll still be able to access your cameras from outside your network via your networks public IP/DynDNS name, and inside your network via private IP. The issue is that if you want to use the same DNS name to access your cameras externally or internally via the same DNS name, you need to run split external and internal DNS zones which is more complexity than many router makers expect for home networks.
-
But on all routers I've tried (7+ in a year and a half), and on Luma this moment, I just leave my hostname (or public IP) in my camera app and I see my cameras on or off network. Only the Linksys EA9500 had a NAT Redirect feature I had to keep off for it to work. Every other router I've had or tried for the past 3+ years has worked out of the box with NAT loopbacks.
-
Sounds like your app might be accounting for hairpinning not being available. Let us know how it works out once you do get your system set up.
