Score:0

wget/curl from internal network (web server) to external IP address (web server): connection failed

For some monitoring purposes in my own software I want to call wget with the "external" URL of the web server, so my call will look like wget https://www.mydomain.de/path

But this call fails with the error message: Connection failed.

When I make the call from another server/device outside the network above, the call runs without any problems. So I think my firewall rules in general are correct.

It seems to be a problem with NATing or something like this.

I am using a Sophos SG UTM as firewall, and inside the DMZ there is an ESX server with a virtual machine running RHEL 7 and the Apache web server.

I have the following NAT rule configured: Traffic from Internet over https to external interface of Firewall, then change destination to Web Server (DNAT). And I have the following firewall rule configured: Web Server/Nagios over https to Web Server and External Interface.

Note: Nagios is used for other monitoring. I need the wget call inside the special software running on the server.

So by trial and error I added the following DNAT rule: Traffic from Web Server over https to External Interface, then change destination to Web Server.

After that the message "connection failed" is gone, but a connection will still not be established. So I think there is a problem with the NATing or something like this. I do not have that much knowledge of network configuration, so maybe someone can help or give some approaches or ideas on how to solve it.

HBruijn:
It very much sounds like your problem/configuration is what is typically called "Hairpin NAT" and is pretty well explained here: https://serverfault.com/questions/55611/loopback-to-forwarded-public-ip-address-from-local-network-hairpin-nat in the 2nd answer. The root of the problem is that your port forwarding rule on the external interface of the router only changes the destination of packets, but when the source of your packets is the internal network, those packets also need to get their source address rewritten. So in addition to DNAT you also need an SNAT rule.
HBruijn:
Does this answer your question? [Loopback to forwarded Public IP address from local network - Hairpin NAT](https://serverfault.com/questions/55611/loopback-to-forwarded-public-ip-address-from-local-network-hairpin-nat)
Opa114:
Thanks @HBruijn - this was the initial idea I needed. I looked into the linked post and then I found a topic for Sophos UTM: https://community.spiceworks.com/topic/954015-sophos-utm-9-nat-issue-question-dnat-snat-full-nat and now it works. Thanks!
Score:0

As @HBruijn mentioned in his comment, it looks like the "Hairpin NAT" problem. So the answer to my problem was to add a new NAT rule (Full NAT):

Traffic from Web Server (Internal IP) over https to External Interface then change Destination to Web Server (Internal IP) and change Source to internal address.

In my special case for Sophos UTM this article provides some information and screenshots: https://community.spiceworks.com/topic/954015-sophos-utm-9-nat-issue-question-dnat-snat-full-nat
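To make the comment's explanation concrete, here is an added simulation (not Sophos UTM code, and not from the original post) of why the DNAT-only rule fails when the client sits in the DMZ while the same rule works for an outside client, and why adding the SNAT half (Full NAT) fixes it. All addresses are constructed documentation ranges: 203.0.113.10 stands for the firewall's external interface, 192.0.2.0/24 for the DMZ, 192.0.2.1 for the firewall's DMZ-side address and 192.0.2.20 for the RHEL web server. The model tracks one TCP 4-tuple through the firewall and through the web server's routing decision: a reply addressed to a host in its own subnet is delivered directly and never passes the firewall, so without SNAT the client receives a reply from the internal address instead of the public one and no socket matches it.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses for the scenario in the question.
EXTERNAL_IP = "203.0.113.10"                    # firewall's external interface
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")  # DMZ behind the firewall
FIREWALL_DMZ_IP = "192.0.2.1"                   # firewall's DMZ-side address
WEB_SERVER_IP = "192.0.2.20"                    # RHEL 7 / Apache VM in the DMZ


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Firewall:
    """Minimal model of the UTM: a DNAT rule for the published https service
    and, when full_nat is set, the SNAT half that turns it into a Full NAT
    (hairpin) rule. conntrack remembers translations so replies can be undone."""

    def __init__(self, full_nat: bool):
        self.full_nat = full_nat
        self.conntrack = {}  # reply 4-tuple as seen by the firewall -> original SYN

    def forward(self, pkt: Packet) -> Packet:
        if not (pkt.dst == EXTERNAL_IP and pkt.dport == 443):
            return pkt  # rule does not match; packet is routed unchanged
        # DNAT: rewrite destination to the web server.
        # SNAT (Full NAT only): rewrite source to the firewall's DMZ address,
        # so the web server's reply is routed back through the firewall.
        src = FIREWALL_DMZ_IP if self.full_nat else pkt.src
        translated = Packet(src, pkt.sport, WEB_SERVER_IP, 443)
        self.conntrack[(translated.dst, translated.dport,
                        translated.src, translated.sport)] = pkt
        return translated

    def reverse(self, reply: Packet) -> Packet:
        """Undo the translation for a reply that does pass the firewall."""
        orig = self.conntrack.get((reply.src, reply.sport, reply.dst, reply.dport))
        if orig is None:
            return reply
        return Packet(orig.dst, orig.dport, orig.src, orig.sport)


def simulate(full_nat: bool, client_ip: str = WEB_SERVER_IP) -> str:
    """Send one SYN from client_ip to the public address and report whether the
    reply matches the client's socket. Default client is the web server itself,
    i.e. wget running on the server against its own public name."""
    fw = Firewall(full_nat)
    syn = Packet(client_ip, 40000, EXTERNAL_IP, 443)
    at_server = fw.forward(syn)
    # The web server answers whatever source address the SYN carried.
    reply = Packet(at_server.dst, at_server.dport, at_server.src, at_server.sport)
    # Routing on the web server: a destination inside its own subnet (itself
    # included) is delivered directly; anything else goes via the firewall.
    if ipaddress.ip_address(reply.dst) in DMZ_NET and reply.dst != FIREWALL_DMZ_IP:
        seen_by_client = reply
    else:
        seen_by_client = fw.reverse(reply)
    expected = (EXTERNAL_IP, 443, client_ip, 40000)
    actual = (seen_by_client.src, seen_by_client.sport,
              seen_by_client.dst, seen_by_client.dport)
    if actual == expected:
        return "established"
    return f"failed: reply arrived from {seen_by_client.src} instead of {EXTERNAL_IP}"


if __name__ == "__main__":
    print("external client, DNAT only :", simulate(False, "198.51.100.7"))
    print("web server itself, DNAT only:", simulate(False))
    print("web server itself, Full NAT :", simulate(True))
```

The three cases reproduce the observations in the question: an outside client works with DNAT alone because its reply must cross the firewall anyway, the DMZ client fails because its reply never reaches the firewall to be un-translated, and Full NAT (DNAT plus SNAT to the firewall's internal address) forces the reply through the firewall so the client sees the public address it connected to.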
