Hairpin NAT issue. #437

New Issue

Closed

opened 2025-11-13 12:00:28 -06:00 by GiteaMirror · 8 comments

GiteaMirror commented 2025-11-13 12:00:28 -06:00

Owner

Copy Link

Originally created by @lthieman on GitHub (Jun 15, 2025).

Context: I have a domain name registered with Cloudflare and have a wildcard A record pointed to the public IP of a UCG Max router and ports 80, 443 and 51820 forwarded to my reverse proxy which is on a 192.168.69.xxx subnet while the rest of the house is on the 192.168.1.xxx subnet. The proxy then points to my services (audiobookshelf, etc) which are also on the 69 subnet.

Issue: This all worked perfectly without issue when I was using Nginx Proxy Manager for my reverse proxy. But I wanted to switch to Pangolin to make use of its pin code auth (I don’t need the tunneling with this setup) and everything works perfectly from the internet side but no device on the LAN side of the router can get to Pangolin or any of the services behind it. This would seem like a router issue, except it worked with Nginx Proxy Manager and I haven't been able to solve the issue with any settings in the router.

Note: I'm not using any tunneling with this setup, just a typical local reverse proxy config.

I hope this makes sense to you lovely people and you have some idea why it works with one reverse proxy and not the other. Thanks!

Originally created by @lthieman on GitHub (Jun 15, 2025). Context: I have a domain name registered with Cloudflare and have a wildcard A record pointed to the public IP of a UCG Max router and ports 80, 443 and 51820 forwarded to my reverse proxy which is on a 192.168.69.xxx subnet while the rest of the house is on the 192.168.1.xxx subnet. The proxy then points to my services (audiobookshelf, etc) which are also on the 69 subnet. Issue: This all worked perfectly without issue when I was using Nginx Proxy Manager for my reverse proxy. But I wanted to switch to Pangolin to make use of its pin code auth (I don’t need the tunneling with this setup) and everything works perfectly from the internet side but no device on the LAN side of the router can get to Pangolin or any of the services behind it. This would seem like a router issue, except it worked with Nginx Proxy Manager and I haven't been able to solve the issue with any settings in the router. Note: I'm not using any tunneling with this setup, just a typical local reverse proxy config. I hope this makes sense to you lovely people and you have some idea why it works with one reverse proxy and not the other. Thanks!

GiteaMirror closed this issue 2025-11-13 12:00:28 -06:00

GiteaMirror commented 2025-11-13 12:00:29 -06:00

Author

Owner

Copy Link

@ex-aequo-et-bono commented on GitHub (Jun 15, 2025):

This is likely a DNS issue. Do you use a local DNS resolver (pihole/adguard/technitium)? If so, you'll need to create A/CNAME records in your local resolver to point to the Pangolin instance.

@ex-aequo-et-bono commented on GitHub (Jun 15, 2025): This is likely a DNS issue. Do you use a local DNS resolver (pihole/adguard/technitium)? If so, you'll need to create A/CNAME records in your local resolver to point to the Pangolin instance.

GiteaMirror commented 2025-11-13 12:00:29 -06:00

Author

Owner

Copy Link

@lthieman commented on GitHub (Jun 15, 2025):

No Pihole or the like. Just standard Unifi configuration. I didn't have to do anything special with Nginx Proxy Manager but even setting up specific DNS records for internal domains in Unifi does not work with Pangolin.

@lthieman commented on GitHub (Jun 15, 2025): No Pihole or the like. Just standard Unifi configuration. I didn't have to do anything special with Nginx Proxy Manager but even setting up specific DNS records for internal domains in Unifi does not work with Pangolin.

GiteaMirror commented 2025-11-13 12:00:29 -06:00

Author

Owner

Copy Link

@oschwartz10612 commented on GitHub (Jun 15, 2025):

What is the error when you try to reach pangolin or a resource. Does it just time out in the browser? Could you do a tcpdump on the pangolin server and make some requests and see if any packets make it?

@oschwartz10612 commented on GitHub (Jun 15, 2025): What is the error when you try to reach pangolin or a resource. Does it just time out in the browser? Could you do a tcpdump on the pangolin server and make some requests and see if any packets make it?

GiteaMirror commented 2025-11-13 12:00:30 -06:00

Author

Owner

Copy Link

@lthieman commented on GitHub (Jun 15, 2025):

In the browser it seems to just time out. The Audiobookshelf app says it cannot ping the server. Unfortunately doing a TCPdump is a little over my head, but if you have a page that explains how I can try.

@lthieman commented on GitHub (Jun 15, 2025): In the browser it seems to just time out. The Audiobookshelf app says it cannot ping the server. Unfortunately doing a TCPdump is a little over my head, but if you have a page that explains how I can try.

GiteaMirror commented 2025-11-13 12:00:30 -06:00

Author

Owner

Copy Link

@lthieman commented on GitHub (Jun 15, 2025):

The physical hosts are at my parent's house so this is a little challenging to diagnose remotely since it works fine from my side being outside the house. But I managed to set up a VM inside their network to test with. I installed tcpdump on my Pangolin instance and then tried to reach my Audiobookshelf server from the VM. I can see in the tcpdump output where that machine hit Pangolin, but I'm not knowledgeable enough to know what I'm looking for. Are there any particular things I should be looking for about the packets that would tell you what's going on?

@lthieman commented on GitHub (Jun 15, 2025): The physical hosts are at my parent's house so this is a little challenging to diagnose remotely since it works fine from my side being outside the house. But I managed to set up a VM inside their network to test with. I installed tcpdump on my Pangolin instance and then tried to reach my Audiobookshelf server from the VM. I can see in the tcpdump output where that machine hit Pangolin, but I'm not knowledgeable enough to know what I'm looking for. Are there any particular things I should be looking for about the packets that would tell you what's going on?

GiteaMirror commented 2025-11-13 12:00:30 -06:00

Author

Owner

Copy Link

@oschwartz10612 commented on GitHub (Jun 15, 2025):

Could you post a snippet of the dump? If you are getting traffic thats a good sign. We would want to know the source ip of the traffic.

One thing to check: do you have cloduflare proxy on?

@oschwartz10612 commented on GitHub (Jun 15, 2025): Could you post a snippet of the dump? If you are getting traffic thats a good sign. We would want to know the source ip of the traffic. One thing to check: do you have cloduflare proxy on?

GiteaMirror commented 2025-11-13 12:00:31 -06:00

Author

Owner

Copy Link

@lthieman commented on GitHub (Jun 15, 2025):

I had Cloudflare proxy on when using Nginx Proxy Manager, but Pangolin did not work at all with it on so that is off now.

5:d6:e0:59:52.800b, length 36
15:43:50.743223 IP6 fe80::be24:11ff:fecf:6b4b.58776 > ff12::8384.21027: UDP, length 259
15:43:50.743230 IP bendebian.localdomain.45216 > 192.168.1.255.21027: UDP, length 259
15:43:51.580428 IP pangolin.home.lee.http > bendebian.localdomain.37508: Flags [S.], seq 4023027006, ack 3812388584, win 65160, options [mss 1240,sackOK,TS val 3316576746 ecr 1375474920,nop,wscale 7], length 0
15:43:51.580432 IP pangolin.home.lee.http > bendebian.localdomain.37494: Flags [S.], seq 3735180830, ack 2069717061, win 65160, options [mss 1240,sackOK,TS val 3316576746 ecr 1375474920,nop,wscale 7], length 0
15:43:51.836470 IP pangolin.home.lee.http > bendebian.localdomain.37518: Flags [S.], seq 2959763528, ack 735311790, win 65160, options [mss 1240,sackOK,TS val 3316577002 ecr 1375475170,nop,wscale 7], length 0
15:43:52.521659 STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.9c:05:d6:e0:59:52.800b, length 36
15:43:54.521696 STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.9c:05:d6:e0:59:52.800b, length 36
15:43:55.773025 IP bendebian.localdomain.37494 > pangolin.home.lee.http: Flags [S], seq 2069717060, win 64240, options [mss 1460,sackOK,TS val 1375490217 ecr 0,nop,wscale 7], length 0
15:43:55.773043 IP bendebian.localdomain.37508 > pangolin.home.lee.http: Flags [S], seq 3812388583, win 64240, options [mss 1460,sackOK,TS val 1375490217 ecr 0,nop,wscale 7], length 0
15:43:55.773070 IP pangolin.home.lee.http > bendebian.localdomain.37494: Flags [S.], seq 3735180830, ack 2069717061, win 65160, options [mss 1240,sackOK,TS val 3316580938 ecr 1375474920,nop,wscale 7], length 0
15:43:55.773074 IP pangolin.home.lee.http > bendebian.localdomain.37508: Flags [S.], seq 4023027006, ack 3812388584, win 65160, options [mss 1240,sackOK,TS val 3316580938 ecr 1375474920,nop,wscale 7], length 0
15:43:56.028930 IP bendebian.localdomain.37518 > pangolin.home.lee.http: Flags [S], seq 735311789, win 64240, options [mss 1460,sackOK,TS val 1375490473 ecr 0,nop,wscale 7], length 0
15:43:56.028969 IP pangolin.home.lee.http > bendebian.localdomain.37518: Flags [S.], seq 2959763528, ack 735311790, win 65160, options [mss 1240,sackOK,TS val 3316581194 ecr 1375475170,nop,wscale 7], length 0
15:43:56.038091 IP unifi.localdomain.2647 > 224.0.37.42.2647: UDP, length 10
15:43:56.038099 IP 192.168.30.1.2647 > 224.0.37.42.2647: UDP, length 10
15:43:56.038100 IP 192.168.58.1.2647 > 224.0.37.42.2647: UDP, length 10
15:43:56.038126 IP 192.168.69.1.2647 > 224.0.37.42.2647: UDP, length 10<

It doesn't seem to be using IP's at all for this exchange. So "home.lee" is just what I've always used when installing operating systems and it asks for a made up hostname, it's not my public domain name. "bendebian" is the name of the VM I used to attempt accessing Audiobookshelf behind Pangolin. Now I would expect the debian VM to appear as "bendebian.home.lee" but the Unifi router is using "localdomain" so maybe the router switched that as the packet went through? I don't know how this would affect our phones though, which I've never set any kind of host domain for. Could it be that the host OS that Pangolin is installed on needs to be "pangolin.localdomain" to match what the router is expecting?

@lthieman commented on GitHub (Jun 15, 2025): I had Cloudflare proxy on when using Nginx Proxy Manager, but Pangolin did not work at all with it on so that is off now. > 5:d6:e0:59:52.800b, length 36 15:43:50.743223 IP6 fe80::be24:11ff:fecf:6b4b.58776 > ff12::8384.21027: UDP, length 259 15:43:50.743230 IP bendebian.localdomain.45216 > 192.168.1.255.21027: UDP, length 259 15:43:51.580428 IP pangolin.home.lee.http > bendebian.localdomain.37508: Flags [S.], seq 4023027006, ack 3812388584, win 65160, options [mss 1240,sackOK,TS val 3316576746 ecr 1375474920,nop,wscale 7], length 0 15:43:51.580432 IP pangolin.home.lee.http > bendebian.localdomain.37494: Flags [S.], seq 3735180830, ack 2069717061, win 65160, options [mss 1240,sackOK,TS val 3316576746 ecr 1375474920,nop,wscale 7], length 0 15:43:51.836470 IP pangolin.home.lee.http > bendebian.localdomain.37518: Flags [S.], seq 2959763528, ack 735311790, win 65160, options [mss 1240,sackOK,TS val 3316577002 ecr 1375475170,nop,wscale 7], length 0 15:43:52.521659 STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.9c:05:d6:e0:59:52.800b, length 36 15:43:54.521696 STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.9c:05:d6:e0:59:52.800b, length 36 15:43:55.773025 IP bendebian.localdomain.37494 > pangolin.home.lee.http: Flags [S], seq 2069717060, win 64240, options [mss 1460,sackOK,TS val 1375490217 ecr 0,nop,wscale 7], length 0 15:43:55.773043 IP bendebian.localdomain.37508 > pangolin.home.lee.http: Flags [S], seq 3812388583, win 64240, options [mss 1460,sackOK,TS val 1375490217 ecr 0,nop,wscale 7], length 0 15:43:55.773070 IP pangolin.home.lee.http > bendebian.localdomain.37494: Flags [S.], seq 3735180830, ack 2069717061, win 65160, options [mss 1240,sackOK,TS val 3316580938 ecr 1375474920,nop,wscale 7], length 0 15:43:55.773074 IP pangolin.home.lee.http > bendebian.localdomain.37508: Flags [S.], seq 4023027006, ack 3812388584, win 65160, options [mss 1240,sackOK,TS val 3316580938 ecr 1375474920,nop,wscale 7], length 0 15:43:56.028930 IP bendebian.localdomain.37518 > pangolin.home.lee.http: Flags [S], seq 735311789, win 64240, options [mss 1460,sackOK,TS val 1375490473 ecr 0,nop,wscale 7], length 0 15:43:56.028969 IP pangolin.home.lee.http > bendebian.localdomain.37518: Flags [S.], seq 2959763528, ack 735311790, win 65160, options [mss 1240,sackOK,TS val 3316581194 ecr 1375475170,nop,wscale 7], length 0 15:43:56.038091 IP unifi.localdomain.2647 > 224.0.37.42.2647: UDP, length 10 15:43:56.038099 IP 192.168.30.1.2647 > 224.0.37.42.2647: UDP, length 10 15:43:56.038100 IP 192.168.58.1.2647 > 224.0.37.42.2647: UDP, length 10 15:43:56.038126 IP 192.168.69.1.2647 > 224.0.37.42.2647: UDP, length 10< It doesn't seem to be using IP's at all for this exchange. So "home.lee" is just what I've always used when installing operating systems and it asks for a made up hostname, it's not my public domain name. "bendebian" is the name of the VM I used to attempt accessing Audiobookshelf behind Pangolin. Now I would expect the debian VM to appear as "bendebian.home.lee" but the Unifi router is using "localdomain" so maybe the router switched that as the packet went through? I don't know how this would affect our phones though, which I've never set any kind of host domain for. Could it be that the host OS that Pangolin is installed on needs to be "pangolin.localdomain" to match what the router is expecting?

GiteaMirror commented 2025-11-13 12:00:31 -06:00

Author

Owner

Copy Link

@lthieman commented on GitHub (Jun 16, 2025):

I believe I got this figured out. Something about the Unifi firewall rules got screwed up when they changed to the new zone based system and it wasn't allowing any return traffic from the DMZ. Not sure what Nginx was doing to get around it, but I was able to get it working with Pangolin by fixing the firewall rules. Thank you for your time!

@lthieman commented on GitHub (Jun 16, 2025): I believe I got this figured out. Something about the Unifi firewall rules got screwed up when they changed to the new zone based system and it wasn't allowing any return traffic from the DMZ. Not sure what Nginx was doing to get around it, but I was able to get it working with Pangolin by fixing the firewall rules. Thank you for your time!

GiteaMirror referenced this issue 2026-04-16 08:05:27 -05:00

[GH-ISSUE #437] Editing SMTP from Pangolin GUI #1450

GiteaMirror referenced this issue 2026-04-20 07:19:58 -05:00

[GH-ISSUE #437] Editing SMTP from Pangolin GUI #3392

GiteaMirror referenced this issue 2026-04-25 15:05:32 -05:00

[GH-ISSUE #437] Editing SMTP from Pangolin GUI #6246

GiteaMirror referenced this issue 2026-04-30 03:38:56 -05:00

[GH-ISSUE #437] Editing SMTP from Pangolin GUI #8214

GiteaMirror referenced this issue 2026-05-06 13:20:21 -05:00

[GH-ISSUE #437] Editing SMTP from Pangolin GUI #10211

GiteaMirror referenced this issue 2026-05-13 17:26:12 -05:00

[GH-ISSUE #437] Editing SMTP from Pangolin GUI #12255

GiteaMirror referenced this issue 2026-05-16 02:07:09 -05:00

[GH-ISSUE #437] Editing SMTP from Pangolin GUI #14335

GiteaMirror referenced this issue 2026-05-18 16:27:20 -05:00

[GH-ISSUE #437] Editing SMTP from Pangolin GUI #16430

GiteaMirror referenced this issue 2026-05-21 17:59:59 -05:00

[GH-ISSUE #437] Editing SMTP from Pangolin GUI #18537

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

dependabot/npm_and_yarn/qs-6.15.2

rdp-ssh

dependabot/npm_and_yarn/prod-patch-updates-94425a55d0

dependabot/npm_and_yarn/dev-minor-updates-4aaf4dbce4

dependabot/go_modules/install/minor-updates-a249525a56

crowdin_dev

auto-update

dev

fix-site-delete

fix-3104

exit-node-reconnect

fix-logoUrl

button-to-rebuild-association

dependabot/npm_and_yarn/brace-expansion-5.0.6

copilot/fix-documentation-input-output-types

dependabot/github_actions/sigstore/cosign-installer-4.1.2

redis

resource-policies

dependabot/npm_and_yarn/next-15.5.18

dependabot/npm_and_yarn/fast-uri-3.1.2

s3

dependabot/npm_and_yarn/fast-xml-builder-1.2.0

dependabot/npm_and_yarn/axios-1.15.2

dependabot/npm_and_yarn/next-intl-4.9.2

dependabot/docker/node-26-alpine

dependabot/docker/docker/library/node-26-slim

dependabot/npm_and_yarn/multi-7bdfbe8666

dependabot/npm_and_yarn/multi-d2fd79378c

dependabot/npm_and_yarn/uuid-14.0.0

dependabot/npm_and_yarn/postcss-8.5.10

dependabot/github_actions/actions/setup-node-6.4.0

dependabot/npm_and_yarn/next-16.2.1

dependabot/npm_and_yarn/recharts-3.8.1

cross-org-idp

breakout-sites-tables

ssh

delete-account

msg-delivery

org-only-idp

cicd

patch

site-targets-auto-login

1.18.4

1.18.3

1.18.2

1.18.1

1.18.0

1.18.0-rc.0

1.17.1

1.17.0

1.17.0-rc.0

1.16.2

1.16.1

1.16.0

1.16.0-rc.0

1.15.4

1.15.3

1.15.2

1.15.1

1.15.0

1.15.0-rc.0

1.14.1

1.14.0

1.14.0-rc.0

1.13.1

1.13.0

1.13.0-rc.0

1.12.3

1.12.2

1.12.1

1.12.0

1.12.0-rc.0

1.11.1

1.11.0

1.10.3

1.10.2

1.10.1

1.10.0

1.9.4

1.9.3

1.9.2

1.9.1

1.9.0

1.8.0

1.7.3

1.7.2

1.7.1

1.7.0

1.6.2

1.6.1

1.6.0

1.5.1

1.5.0

1.4.0

1.3.2

1.3.1

1.3.0

1.2.0

1.1.0

1.0.1

1.0.0

1.0.0-beta.15

1.0.0-beta.14

1.0.0-beta.13

1.0.0-beta.12

1.0.0-beta.11

1.0.0-beta.10

1.0.0-beta.9

1.0.0-beta.8

1.0.0-beta.7

1.0.0-beta.6

1.0.0-beta.5

1.0.0-beta.4

1.0.0-beta.3

1.0.0-beta.2

1.0.0-beta.1

Labels

Clear labels

api

authentication

bug

config

dependencies

docker

documentation

enhancement

good first issue

help wanted

Improvement

Look Into

needs investigating

networking

new feature

non-critical bug

potential bug

pull-request

Mirrored from GitHub Pull Request

question

reverse proxy

Security

stale

ui

wontfix

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/pangolin#437