What is NAT Loopback?


NAT loopback (also called NAT hairpinning) is a feature of many SOHO routers that permits access to a service via the router's public IP address or public domain name from inside the local network. This removes the need to maintain separate domain name resolution for hosts inside the network and for hosts on the public Internet when reaching the same website.


Example:

Public address: 202.96.128.5. This is the address of the WAN interface on the router.

Internal address of the router: 192.168.2.1

Address of the server: 192.168.2.10 (external port 80 forwarded to it)

Address of a local computer: 192.168.2.3


If a packet is sent to the public address by a computer at 192.168.2.3, the packet would normally be routed to the default gateway (the router), unless an explicit route is set in the computer's routing tables. A router with the NAT loopback feature detects that 202.96.128.5 is the address of its WAN interface, and treats the packet as if coming from that interface. It determines the destination for that packet, based on DNAT (port forwarding) rules for the destination. If the data were sent to port 80 and a DNAT rule exists for port 80 directed to 192.168.2.10, then the host at that address receives the packet.


If no applicable DNAT rule is available, the router drops the packet; it may send an ICMP Destination Unreachable reply. If a DNAT rule matches, address translation is still in effect: the router also rewrites the source IP address in the packet. The local computer (192.168.2.3) sends the packet as coming from 192.168.2.3, but the server (192.168.2.10) receives it as coming from 202.96.128.5. When the server replies, the process is identical to that for an external sender. Thus, two-way communication is possible between hosts inside the LAN via the public IP address.
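The forward and return translations described above, as an added simulation that is not TP-Link's code or the router's firmware. It uses the addresses from the example; the port-forwarding table (port 80 to 192.168.2.10) and the decision to keep the client's source port unchanged are assumptions.

```python
from dataclasses import dataclass

# Addresses from the FAQ's example; the port-forwarding table is assumed.
WAN_IP = "202.96.128.5"                       # router's WAN (public) address
DNAT_RULES = {80: ("192.168.2.10", 80)}       # external port -> (LAN host, port)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def handle_outbound(pkt, sessions):
    """Router's handling of a packet sent by a LAN host.

    Returns (action, payload): ("route", pkt) for ordinary forwarding,
    ("forward", rewritten) for a looped-back packet, or
    ("drop", "icmp-destination-unreachable") when no DNAT rule matches.
    """
    if pkt.dst != WAN_IP:
        return ("route", pkt)                 # not our WAN address: normal routing
    rule = DNAT_RULES.get(pkt.dport)
    if rule is None:
        return ("drop", "icmp-destination-unreachable")
    host, port = rule
    # DNAT to the internal server plus source rewrite, so the server sees the
    # packet as coming from the WAN address (the NAT loopback behaviour).
    # Simplification: the source port is kept; a real NAT may reallocate it.
    sessions[(host, port, pkt.sport)] = (pkt.src, pkt.dport)
    return ("forward", Packet(WAN_IP, pkt.sport, host, port))

def handle_reply(pkt, sessions):
    """Translate the server's reply back to the original LAN client."""
    orig = sessions.get((pkt.src, pkt.sport, pkt.dport))
    if orig is None or pkt.dst != WAN_IP:
        return ("drop", "no-matching-session")
    client, client_dport = orig
    return ("forward", Packet(WAN_IP, client_dport, client, pkt.dport))

def round_trip(client_ip, client_port, dport):
    """Run both directions for one request; returns what each side observes."""
    sessions = {}
    act, out = handle_outbound(Packet(client_ip, client_port, WAN_IP, dport), sessions)
    if act != "forward":
        return act, out, None
    reply = Packet(out.dst, out.dport, out.src, out.sport)   # the server answers
    _, back = handle_reply(reply, sessions)
    return act, out, back

if __name__ == "__main__":
    print(round_trip("192.168.2.3", 40000, 80))     # forwarded both ways
    print(round_trip("192.168.2.3", 40001, 8080))   # no DNAT rule: dropped
```

Note that the server only ever sees 202.96.128.5 as the client address, which is why server-side logs and allow-lists cannot distinguish LAN clients from Internet clients when loopback is in use.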


Troubleshooting:

1. Check that the server is accessible inside the local network: access it from a host inside the network using LAN IP + port.


2. Check whether the server is blocked by a firewall or the port forwarding is invalid:

    > Access the server from a host outside the network using WAN IP + port.

    > If the server cannot be reached, turn off the firewall on the server and try again.

    > Enable DMZ for the server and try again.


3. Check whether NAT loopback is working properly:

    > Access the server from a host inside the network using WAN domain name + port.

    > Access the server from a host inside the network using WAN IP + port.

    > If the server cannot be reached via the domain name but can be reached via the WAN IP, use the ping command to check whether the IP address the domain name resolves to is correct.

    > If the server cannot be reached via either the domain name or the WAN IP, check whether the port forwarding is valid, referring to this FAQ.


Case Sharing:

A customer has an FTP server and a mail server at LAN IP 192.168.1.100, and is able to connect to them through the WAN address when away from the network.

However, if he tries to connect to the server while on the local network it doesn't seem to work.

The FTP server worked well after changing the external port from 21 to 2121. We found that external port 21 conflicted with the FTP service of the router itself, which also listens on port 21. After modifying the external port to 2121, the customer could access the server.


Thank you


Thank you! This information was very useful to me.

The disadvantage of this scheme is that almost all traffic on the local network will go through the Edge Gateway, which is not always a good thing.

An alternative method that can be used:

a) on each host in the LAN, add to the hosts file an A-record for the domain with only its internal IP;

b) use split DNS (inside the local network, use your own separate DNS server with an A-record for the domain pointing to the private IP; but in this case, for correct operation, it is necessary to duplicate the A-records of all hosts located in the external DNS zone in the internal DNS zone).

How to configure such behaviour on ER605 (V2)? I found it's automatically done, but in my case it doesn't work.
