Hairpinning or Net loopback or Internet NAT redirection

This feature (usually) prevents a local computer that’s using a URL or (external) Internet Address in your network to access your local server. It is known by all the above terms.
In my case one of default Ipfire POLICYFW rules (in my scenario on the Blue interface) catches and drops my traffic:

Chain POLICYFWD (1 references)

pkts bytes target prot opt in out source destination
749 0 ACCEPT all – green0 *
0 0 ACCEPT all – * * policy match dir in pol ipsec
0 0 ACCEPT all – tun+ *
0 3K ACCEPT all – blue0 red0
28 680 LOG all – * * limit: avg 10/sec burst 5 LOG flags 0 level 4 prefix "DROP_FORWARD "
28 680 DROP all – * * /* DROP_FORWARD */

Here is an example of dropped traffic from the log:

12:57:24 DROP_FORWARD blue0 TCP 51136 6314 same mac
12:57:24 DNAT blue0 TCP ext-IP 51136 6314 same mac

(where ext-IP is my external IP).

So my question is how do I enable net loopback on the blue interface with ipfire so that it avoids hitting the “drop forward” rule from an resolved external IP address?

In other words if I try and describe this, I am on my blue network and try to go to an external IP address that resolves back to an address on the blue network that happens to be a blue IP server address it is dropped. Of course you could go directly to the blue server address locally and that works but that is NOT a requirement and not a work around in my case.

I do not have a reply for you rather I would like to know if you could solve this because I need the same feature for red and a device and server in green, just like described here, in sectio nNAT loopback.

So is this possible with IPFire and if so, how to set up?


Unfortunately have not worked this out yet. There is an old IPFIRE thread that seems to go into a possible solution using masquerading and customprerouting iptables rules. Here is the thread,

I’m trying to understand what does this but still am somewhat lost.

Thanks for this link. I tried to add some rules to firewall.local, however, no chance for getting this done. Still not possible to access my internal Plex server from within Sonos multiroom speakers.

I guess this is a very specific setup which cannot be solved by myself. OTH, I’m still not sure if I would like to open a port to external anyway.

What about a split DNS? One special for internal systems with correct IP addresses from there point of view?


Split DNS looks like it might work, not sure how to deploy this with ipfire. Could you elaborate or point to some description of how to do this with ipfire…thanks in advance.

For split DNS there should be normally a DNS server at your local network.
But… you can reach the goal with the hosts file at IPFire.
Menu “Network” -> “Edit Hosts”. Give it a try

1 Like

For what it’s worth: I operate a Nextcloud server that is know in the Internet by a dynamic DNS name that has an A resource record pointing to the single public IPv4 address of my router (e.g. 31.x.y.z). That Nextcloud server resides in the ORANGE network and must be connected from within my network segments GREEN and BLUE by its ORANGE IP address (192.168.x.y). I just added a host entry for “” pointing to “192.168.x.y” in “Network -> Edit Hosts” and that was it!

1 Like

Thanks, this seems to work for servers residing in Orange/Green zones. My server happens to reside in the Blue zone and as such the “host entry” option does not work. I think this is because the server IP address is behind the blue zone wifi router; this subnet “knows” nothing about the hosts entry.

FINALLY got it working with the host entry. In my case there were 2 other entries required to make it work.

  1. Host entry as suggested by several FINE PEOPLE in the Ipfire community.
  2. Changing the Primary DNS on the wifi router to the same ip as the blue gateway. (This is from the IP subnet 192.168.x.1/24 that you setup for your blue zone. This is the key; without this entry the host entry from step one will NOT be found.
  3. Again on your wifi router port forward the source port to the destination port on your server…

Thats it… with the wifi Primary DNS now pointing up to the Blue Zone the host entry was found and it works external and internal seemlessly. Perfect.

A big thanks for everyone’s help.

Great you found a solution! BTW, in my network setup the firewall (IPFire box) is the single DNS resolver for all of my Wifi APs and clients in BLUE and all other hosts in GREEN. This is mandatory for all clients by DHCP configuration. So I never ran into the problems you experienced.

1 Like