Firewall – Vyatta and DNS Rewrite (aka hairpin or doctoring)

Tags: domain-name-system, firewall, nat, vyatta

I'm trying to make my public IP reachable also from inside LAN.

I know that it's better to split DNS in order to have an internal zone that resolves hosts to internal IPs, but for a lot of reasons this is not applicable to my environment.

I have a "simple" configuration, a server and a few NAT ports:

set nat destination rule 4002 description 'NAT inbound'
set nat destination rule 4002 destination address 'x.y.z.k'
set nat destination rule 4002 destination port '80,443,10050,10051,11051'
set nat destination rule 4002 inbound-interface 'bond1'
set nat destination rule 4002 protocol 'tcp'
set nat destination rule 4002 translation address '10.0.0.190'

set nat source rule 4002 description 'NAT outbound'
set nat source rule 4002 outbound-interface 'bond1'
set nat source rule 4002 source address '10.0.0.190'
set nat source rule 4002 translation address 'x.y.z.k'

When I try to access the public IP from the internal network I cannot reach it. It's a problem similar to "How to implement NAT loopback/reflection?"

I've found a solution here: http://onebadpixel.com/blog/2014/01/22/part-5-nat-translation/

And so I've tried to add this to configuration:

set nat source rule 1000 description 'NAT hairpin'
set nat source rule 1000 destination address '10.0.0.128/24'
set nat source rule 1000 outbound-interface 'bond0'
set nat source rule 1000 source address '10.0.0.128/24'
set nat source rule 1000 translation address 'masquerade'

But it still doesn't work.

Any suggestion on how to change my configuration in order to use DNS hairpin?

I'm not an expert in Vyatta, I come from the Cisco ASA world where it was easy… just add "dns" on the NAT rule 😉

Thanks
Fabio

Best Answer

You can view an example here (answer from SteveP):

http://forum.vyos.net/showthread.php?tid=6554

(VyOS is an open source fork of Vyatta and this should be applicable)

Note that the hairpin is done through a nat destination rule and not a nat source rule.

NAT destination changes the destination IP address (which is what you need in this case) and is performed prior to the routing decision, while NAT source rewrites the source IP address and is processed after the routing decision.

Also in your configuration "10.0.0.128/24" is curious. You should use either 10.0.0.0/24 for the network or 10.0.0.128 for the host.
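As an added illustration of what the answer describes (this is not configuration from the question, the linked forum thread, or the VyOS project, and it has not been tested on the asker's environment), the following VyOS/Vyatta fragment reflects LAN traffic aimed at the public address back to the internal server. It reuses the names from the question (public address x.y.z.k, server 10.0.0.190, WAN interface bond1) and assumes bond0 is the LAN interface and 10.0.0.0/24 the LAN network; the rule numbers 1010 are arbitrary choices.

```vyos
# Hairpin, step 1: destination NAT on the LAN side (runs before routing).
# Packets from the LAN addressed to the public IP are rewritten to the server.
# Only the published TCP ports are matched, so nothing else on the
# public address is reachable this way.
set nat destination rule 1010 description 'NAT hairpin (LAN -> public IP -> server)'
set nat destination rule 1010 inbound-interface 'bond0'
set nat destination rule 1010 destination address 'x.y.z.k'
set nat destination rule 1010 destination port '80,443,10050,10051,11051'
set nat destination rule 1010 protocol 'tcp'
set nat destination rule 1010 translation address '10.0.0.190'

# Hairpin, step 2: source NAT on the LAN side (runs after routing).
# Because the client and the server share the same LAN, the server would
# otherwise reply directly to the client, which would drop the packet since
# it is not part of the connection it opened to x.y.z.k. Masquerading the
# source behind the router's LAN address forces the reply back through
# the router, where the destination NAT is reversed.
# The match is deliberately narrow: only traffic that has already been
# translated to the server, not all LAN-to-LAN traffic.
set nat source rule 1010 description 'NAT hairpin (masquerade LAN clients to server)'
set nat source rule 1010 outbound-interface 'bond0'
set nat source rule 1010 source address '10.0.0.0/24'
set nat source rule 1010 destination address '10.0.0.190'
set nat source rule 1010 protocol 'tcp'
set nat source rule 1010 destination port '80,443,10050,10051,11051'
set nat source rule 1010 translation address 'masquerade'

commit
save
```

The existing inbound rule 4002 on bond1 and outbound rule 4002 on bond1 stay as they are; the hairpin rules only add the LAN-side path. Two things to check after committing: in operational mode, `show nat destination translations` and `show nat source translations` should show an entry for a test connection from a LAN host to x.y.z.k, and any firewall policy applied to bond0 in the in/local direction must permit the translated traffic to 10.0.0.190 (destination NAT happens before the firewall sees the routed packet, so rules should match the internal address). One caveat: because of the masquerade in step 2, the server will log every hairpinned client as the router's LAN address rather than the real client IP, which matters for access logs and per-client rate limits.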