WinRoute allows to “arrange” traffic between two clients in the LAN which “know each other” only from behind the firewall's public IP address. This feature of the firewall is called hairpinning (with the hairpin root suggesting the packet's “U-turn” back to the local network). Used especially for transmission of voice or visual data, it is also known as media hairpinning.
Let us suppose two SIP telephones are located in the LAN. These telephones authenticate at a SIP server in the Internet. The parameters may be as follows:
IP addresses of the phones: 192.168.1.100
and 192.168.1.101
Public IP address of the firewall: 195.192.33.1
SIP server: sip.server.com
For the telephones, define corresponding traffic rules — see chapter 7.8 Use of Full cone NAT (as apparent from figure7.39 Definition of a Full cone NAT traffic rule, simply specify Source of the Full cone NAT traffic rule by IP address of the other telephone).
Both telephones will be registered on SIP server under the firewall's public IP address (195.192.33.1
). If these telephones establish mutual connection, data packets (for voice transmission) from both telephones will be sent to the firewall's public IP address (and to the port of the other telephone). Under normal conditions, such packets would be dropped. However, WinRoute is capable of using a corresponding record in the NAT table to recognize that a packet is addressed to a client in the local network. Then it translates the destination IP address and sends the packet back to the local network (as well as in case of port mapping). This ensures that traffic between the two phones will work correctly.
Note:
Hairpinning requires traffic between the local network and the Internet being allowed (before processed by the firewall, packets use a local source address and an Internet destination address — i.e. this is an outgoing traffic from the local network to the Internet). In default traffic rules created by the wizard (see chapter 7.1 Network Rules Wizard), this condition is met by the NAT rule.
In principle, hairpinning does not require that Full cone NAT is allowed (see chapter 7.8 Use of Full cone NAT). However, in our example, Full cone NAT is required for correct functioning of the SIP protocol.