NAT Loopback doesn't work anymore?

Discussion in 'Tomato Firmware' started by nsap, Apr 19, 2014.

  1. nsap

    nsap Addicted to LI Member

    I recently upgraded from a WRT54GL running the last version of the original Tomato firmware. Now I have an Asus RT-AC56U running shibby's Tomato. Here is what I have on the About page: Tomato Firmware 1.28.0000 -117 K26ARM USB AIO-64K

    I use a dynamic DNS service to assign a domain name to my web server. With my previous router, I had "NAT Loopback" turned on, and I was able access my website using the domain name while I was at home. After the upgrade, it seems as though the whole thing is broken. I cannot access my domain name inside my own network now. I can access it normally from the outside, but not from the inside.

    If I telnet to the IP address and port of the web server, I can do "get" requests. If I telnet to my domain name, it says I am connected, but I am not able to run any commands and eventually the connection is closed by the foreign host. If I telnet to my WAN IP and port of the web server, I get connected to "wan-ip", and again, I am not able to run any commands and the connection is eventually closed by the foreign host.

    Anybody have any ideas on this?
  2. nsap

    nsap Addicted to LI Member

    It must be something specific with CTF. I did a full reset and started from scratch. I can still access my domain name internally right up until I turn on CTF. Oh well, mystery solved.
  3. darkknight93

    darkknight93 Networkin' Nut Member

    So what does DNS lookup say for your dyndns Domain? Is this your wan ip?
  4. nsap

    nsap Addicted to LI Member

    Yes, the records for the name are up to date. Even if I tried to connect to my WAN IP (like, I was still unable to connect to the web server.
  5. koitsu

    koitsu Network Guru Member

    The habit you've gotten into is a bad one. You should not be relying on NAT loopback to the level you are; there are serious performance penalties (in some cases people's routers CPU usage skyrocketing) when doing this. I think this is the 3rd time I've mentioned it on this forum, heh. :)

    TL;DR -- Access the LAN IP of your router when on the LAN, access the WAN IP of your router when on the Internet. You can molest dnsmasq into returning the LAN IP for your FQDN ("dynamic DNS name") if you want to continue to access the router by FQDN. There are threads discussing how to do this (it's 1 line in the custom dnsmasq config area).

    As for CTF, it's been discussed here time and time and time again: enabling CTF will get you network I/O performance improvements, but the behaviour of all other features becomes questionable. CTF bypasses large (and sometimes in roundabout ways) portions of the networking layer/stack to achieve what it does, so it doesn't surprise me that some features break with CTF enabled. Now you understand why it isn't enabled by default / why you have to go through jumps and hoops to enable it manually.
    eibgrad likes this.
  6. nsap

    nsap Addicted to LI Member

    With the hardware upgrade, I don't really need CTF at this point. I just figured I should grab the easy performance gain while it was there. I am interested in hearing more about why using NAT loopback is bad; I looked through some of your previous posts and couldn't find anything. Would you mind pointing me in the right direction?
  7. koitsu

    koitsu Network Guru Member

    As indicated in one of the posts linked, I can no longer find the thread where a user provided good details of massive high CPU utilisation as a result of accessing their WAN IP from within the LAN (use of the LAN IP worked fine, and given how NAT loopback works, it makes perfect sense). Above are the references I have from my own involvement in it.
  8. Marcel Tunks

    Marcel Tunks Networkin' Nut Member

    NAT loopback frequently doesn't work when outside access works just fine, so it's not great for testing purposes, and when it does work there is an unnecessarily high CPU load on the router that would not be present if you used the LAN ip address. It's not useless. It can work, but there are many examples of people in this forum who have had problems with it (yourself included) ;-)
  9. darkknight93

    darkknight93 Networkin' Nut Member

    High cpu.
    Oh yeah... always wondered why my Ac66u is rebooting ;)

    solved it by using 2 different sites for my IIS. but of course a dns Manipulation for my external Domain Name would be a solution to - pointing directly to IIS Server with internal IP

    BUT: I've already switched to Sophos UTM ;)
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice