Accessing a website via the webserver's public IP from a PC within the same LAN


If two machines reside on the same LAN (a PC and a webserver), why is it necessary to enable ‘NAT loopback’ on the router in order for the PC to access the website hosted on the webserver using the router's public IP (which port forwards port 80 to the webserver)? This article on Dynamic DNS illustrates the setup perfectly: http://www.dyndns.com/support/kb/loopback_connections.html

(In the example they are trying to access the webserver using the URL www.example.com; for the purpose of my question that's not relevant, I'm just interested in accessing the webserver via the public IP, no URL involved.)

The last sentence of the above article reads: “If they try to access the computer via the hostname www.example.com, the NAT router will attempt to route this out its WAN interface and then back in. In most cases this will either fail or return the web interface for the router itself because the router doesn't understand what the user is trying to do.”

Can anyone offer a technical explanation as to why the router gets confused? What actually happens to the packets once they reach the router in this situation to confuse it?

Second question, if the router supports ‘NAT Loopback’ what is it that this feature changes in the routing to allow you to use the public IP?

Best Answer

Here is an example. Some routers, like the Neufbox4 (a router provided by a French ISP), are running Linux. On these routers the program "iptables" is used to configure NAT behavior (iptables is some sort of Swiss-army knife for Linux networking).

Suppose you have a webserver (port TCP 80) behind your router listening on LAN address 192.168.0.2 and you add a port mapping (redirection) for it. This translates to something like this in iptables's terms:

iptables -t nat -A PREROUTING -i wan -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2

This means "for every packet that comes in through the WAN interface directed at TCP port 80, send it to 192.168.0.2". Which is exactly what you want. All is fine... for now.

You have to understand that the IP address associated with the WAN interface of the router is your public Internet address. For example, if your Internet IP is 1.2.3.4, then the "wan" interface on the router has IP address 1.2.3.4.

Now suppose you're trying to access your webserver from your LAN, say from your personal computer at address 192.168.0.3, using your own Internet address. So for example, you type "http://1.2.3.4/" in your browser.

What happens is that your computer will send a packet directed to 1.2.3.4, TCP port 80, on the LAN. The router will receive this packet. But it will not redirect it to 192.168.0.2. Why? Because the iptables rule above only deals with packets coming in on the WAN interface, not from the LAN!

So what will happen then? Well, it depends on other networking rules on the router. Generally speaking one of two things will happen:

  • Either the router will see a packet directed at itself (remember, 1.2.3.4 is one of the IP addresses of the router, so this is perfectly normal). On most routers there is a web server listening on port 80 for the administration interface. Consequently, this webserver will handle the packet, not the webserver on your LAN, and you get the administration interface instead of your website.

  • Or the router will drop the packet for some reason, simply because it doesn't know how to handle a packet directed at its WAN address on its LAN port.

Technically, the solution is very simple; it consists of an iptables rule of the form:

iptables -t nat -A PREROUTING -i lan -d 1.2.3.4 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2

This means "for every packet that comes in through the LAN interface directed at TCP port 80, AND with a destination address of 1.2.3.4, send it to 192.168.0.2". This is what you would call "NAT loopback".

However, most router manufacturers are obviously not aware of the issue and didn't put this rule (or the equivalent in the router's proprietary system) into their product...
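To make the packet flow in the answer concrete, here is an added example (not part of the answer above, and not the Neufbox4's real firmware) that models the router's nat table as a small Python simulation. The addresses (1.2.3.4 on "wan", 192.168.0.1 on "lan", webserver 192.168.0.2, client 192.168.0.3), the interface names and the sample packets are all constructed. It traces the LAN client's packet to 1.2.3.4:80 under three rule sets: the original port-forward rule only, with the loopback DNAT rule added, and, going slightly beyond the answer, with the POSTROUTING SNAT rule that a complete hairpin configuration also needs so that the webserver's reply travels back through the router instead of straight to the client (which would otherwise receive a SYN-ACK from 192.168.0.2 for a connection it opened to 1.2.3.4).

```python
"""Toy model of a Linux router's nat table, used to trace what happens to a
LAN packet addressed to the router's own public IP (hairpin / NAT loopback).
Constructed example: addresses, interface names and packets are assumptions."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed topology: "wan" carries 1.2.3.4, "lan" carries 192.168.0.0/24.
IFACE_ADDR = {"wan": "1.2.3.4", "lan": "192.168.0.1"}
LAN_NET = ip_network("192.168.0.0/24")
WEBSERVER, CLIENT = "192.168.0.2", "192.168.0.3"


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class NatRule:
    chain: str                       # "PREROUTING" (DNAT) or "POSTROUTING" (SNAT)
    target: str                      # "DNAT" or "SNAT"
    to: str                          # --to-destination / --to-source
    in_iface: Optional[str] = None   # -i
    out_iface: Optional[str] = None  # -o
    dst: Optional[str] = None        # -d
    src_net: Optional[str] = None    # -s
    dport: Optional[int] = None      # --dport

    def matches(self, pkt, out_iface=None):
        return all([
            self.in_iface is None or self.in_iface == pkt.in_iface,
            self.out_iface is None or self.out_iface == out_iface,
            self.dst is None or self.dst == pkt.dst,
            self.src_net is None or ip_address(pkt.src) in ip_network(self.src_net),
            self.dport is None or self.dport == pkt.dport,
        ])


def run_chain(rules, chain, pkt, out_iface=None):
    """First matching rule in the chain wins, as in iptables."""
    for r in rules:
        if r.chain == chain and r.matches(pkt, out_iface):
            return replace(pkt, dst=r.to) if r.target == "DNAT" else replace(pkt, src=r.to)
    return pkt


def route(dst):
    """Routing decision: LAN subnet goes out "lan", everything else out "wan"."""
    return "lan" if ip_address(dst) in LAN_NET else "wan"


def router_handle(rules, pkt):
    """Trace one packet: PREROUTING -> routing decision -> POSTROUTING.
    Returns ("local", pkt) when the router delivers it to its own daemons
    (e.g. the admin web interface on port 80), or ("forward", out_iface, pkt)
    when it forwards the possibly rewritten packet."""
    pkt = run_chain(rules, "PREROUTING", pkt)
    if pkt.dst in IFACE_ADDR.values():        # still addressed to the router itself
        return ("local", pkt)
    out = route(pkt.dst)
    pkt = run_chain(rules, "POSTROUTING", pkt, out)
    return ("forward", out, pkt)


def reply_returns_via_router(outcome):
    """The webserver answers the packet's source address. The client only
    accepts a reply from 1.2.3.4, so the reply must pass back through the
    router, i.e. the forwarded packet's source must be a router address."""
    return outcome[0] == "forward" and outcome[2].src in IFACE_ADDR.values()


# Rule sets mirroring the two iptables lines in the answer, plus the SNAT rule
# a complete hairpin setup needs. POSTROUTING sees the post-DNAT destination.
PORT_FORWARD = NatRule("PREROUTING", "DNAT", WEBSERVER, in_iface="wan", dport=80)
LOOPBACK_DNAT = NatRule("PREROUTING", "DNAT", WEBSERVER, in_iface="lan",
                        dst="1.2.3.4", dport=80)
LOOPBACK_SNAT = NatRule("POSTROUTING", "SNAT", IFACE_ADDR["lan"], out_iface="lan",
                        src_net=str(LAN_NET), dst=WEBSERVER, dport=80)

# Constructed sample packets: one from the Internet, one from the LAN client.
FROM_INTERNET = Packet("wan", "203.0.113.7", "1.2.3.4", 80)
FROM_LAN = Packet("lan", CLIENT, "1.2.3.4", 80)

if __name__ == "__main__":
    for name, rules in [("port forward only", [PORT_FORWARD]),
                        ("+ loopback DNAT", [PORT_FORWARD, LOOPBACK_DNAT]),
                        ("+ loopback DNAT+SNAT", [PORT_FORWARD, LOOPBACK_DNAT, LOOPBACK_SNAT])]:
        out = router_handle(rules, FROM_LAN)
        print(f"{name:22s} -> {out}; reply via router: {reply_returns_via_router(out)}")
```

Running it shows the three outcomes the answer describes: with only the WAN-side rule the LAN packet is delivered locally (the router's own port-80 daemon answers, or the packet is dropped); with the loopback DNAT rule it reaches 192.168.0.2, but the webserver would reply directly to 192.168.0.3; only with the additional SNAT (or MASQUERADE) rule does the reply come back through the router, where conntrack undoes both rewrites. On a real box the FORWARD chain must also accept the traffic.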
