NetBSD-Users archive
Re: NPF NAT Hairpinning
In article <loom.20160704T163834-852%post.gmane.org@localhost>,
Ryan Brackenbury <ryan.brackenbury%gmail.com@localhost> wrote:
>I recently got NetBSD + NPF running on a raspberrypi, and am now using it as
>my gateway router (purchased a 2nd USB ethernet stick as internal nic).
>Behind this router, I run a few servers and also have a 2nd router for my
>home PCs - so it operates like a perimeter network.
>
>When I am hitting my global IP from the outside, NPF forwards my packets
>correctly to my server, and I'm able to view my website. When trying to
>access from one of my home PCs though, I get a connection timeout/refused.
>
>In Linux when I'm usually setting up a router, I am able to configure
>iptables to do nat-hairpinning to any services running in the perimeter
>network. I don't want to resort to split-zone DNS or other methods, so does
>anyone know of a way to coerce NPF into doing nat hairpinning?
>
>For reference, PF seems to be able to do this (they call it "rdr-to and
>nat-to combo"), but I don't know how to construct an equivalent NPF rule:
>http://www.openbsd.org/faq/pf/rdr.html

ext_if= your external interface
internalwww= the ip address of the internal web server

map $ext_if dynamic $internalwww port 80 <- inet4($ext_if) port 80

christos
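
Added illustration, not part of either message above: a small Python model of the "rdr-to and nat-to combo" the question refers to, showing why a redirect alone breaks a connection from an internal client and why adding source NAT on the gateway fixes it. It models packet rewriting generically, not NPF's rule engine; all addresses are constructed, and the client and server are assumed to share one internal segment.

```python
from collections import namedtuple

# Constructed addresses: documentation range for the public IP, RFC 1918 inside.
PUBLIC_IP, GW_INSIDE = "203.0.113.10", "192.168.1.1"
SERVER, CLIENT = "192.168.1.20", "192.168.1.50"

Packet = namedtuple("Packet", "src sport dst dport")

class Gateway:
    """Generic NAT model (hypothetical, not NPF): redirect plus optional source NAT."""
    def __init__(self, hairpin_snat):
        self.hairpin_snat = hairpin_snat
        self.state = {}  # (translated src, sport) -> original client address

    def forward(self, pkt):
        # Redirect: rewrite the destination from the public IP to the server.
        if pkt.dst == PUBLIC_IP and pkt.dport == 80:
            out = pkt._replace(dst=SERVER)
            if self.hairpin_snat:
                # Source NAT: the server now sees the gateway as its peer.
                self.state[(GW_INSIDE, pkt.sport)] = pkt.src
                out = out._replace(src=GW_INSIDE)
            return out
        return pkt

    def reverse(self, pkt):
        # Reply passing back through the gateway: undo both translations.
        client = self.state[(pkt.dst, pkt.dport)]
        return pkt._replace(src=PUBLIC_IP, dst=client)

def client_accepts(syn, reply):
    # A TCP client only matches a reply whose 4-tuple mirrors its SYN.
    return (reply.src, reply.sport, reply.dst, reply.dport) == \
           (syn.dst, syn.dport, syn.src, syn.sport)

def hairpin_connect(hairpin_snat):
    gw = Gateway(hairpin_snat)
    syn = Packet(CLIENT, 40000, PUBLIC_IP, 80)
    at_server = gw.forward(syn)
    reply = Packet(SERVER, 80, at_server.src, at_server.sport)
    if reply.dst == GW_INSIDE:
        reply = gw.reverse(reply)  # routed back via the gateway
    # Otherwise the server answers the client directly on the shared segment.
    return client_accepts(syn, reply)

if __name__ == "__main__":
    print("redirect only:     ", hairpin_connect(False))
    print("redirect + src NAT:", hairpin_connect(True))
```

In the redirect-only case the reply reaches the client with the server's internal address as its source, so it matches no open connection and the attempt fails.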