Netgear DG834G and NAT loopback

Yesterday I made the decision (read: mistake) to update my Netgear DG834G router (hardware v4, firmware v5.01.09) to firmware v5.01.14 – and, as is the way with these things, it brought trouble.  After the upgrade I couldn’t reach www.nikrivers.com from the LAN side of the router.

The problem is caused by the way the router handles traffic that comes from an internal IP address and is destined for the WAN (i.e. external) IP address.  To serve such a request the router has to treat the packet as if it had arrived from the outside: apply the same port-forwarding (destination NAT) it applies to incoming WAN traffic, send the packet back into the LAN to the server, and then make sure the server’s reply passes back through the router so that the address translation can be reversed before the reply reaches the client.

This behaviour is called ‘NAT loopback’ (or ‘hairpin NAT’), and the vast majority of routers built for the home market either ship with it turned off or do not support it at all.  It is a real problem if you host a website and want to reach it by its domain name from inside your own network.  The domain name resolves to the WAN IP address of your router, and a request sent there from the internal network (such as an HTTP GET on port 80) never results in a working connection to your server.

There are a few ways to work around this, but none of them are ideal.

  1. Use the server’s local name or IP address instead of the domain name to reach your website.
  2. Edit the hosts file on each client so that your domain name resolves straight to the server’s internal address.
  3. Run your own DNS server, using a view (split-horizon DNS) that returns the server’s local IP address for queries about your domain name originating from your network.

Of course, the situation gets more complex if you’re also using your router to forward TCP traffic on port 80 to your webserver and UDP traffic on port 8668 to a game server, since the domain name can only be mapped to one internal host.

The solution is to get NAT loopback working on your router.  With some routers, such as the Touchspeed 535 as provided by Be Broadband, this feature can be enabled using a simple CLI command.  For other routers, such as the Netgear DG834G, it’s not quite so easy.

For the purposes of this post I’ll assume the internal network is on the 192.168.0.x range, the router is 192.168.0.254, and the web server is 192.168.0.1.  You will need to modify these IP addresses according to your own network setup.

The first thing to do is to enable debug mode on the router.  Simply go to http://192.168.0.254/setup.cgi?todo=debug (substituting your own router’s LAN address) and you’ll be rewarded with an appropriate message, “Debug Enable!”.  Nice.  Bear in mind that this exposes a cleartext telnet service on the LAN side of the router to anyone who can reach it, so leave it enabled only for as long as you need it.

Now connect to the router with ‘telnet 192.168.0.254’ to get a shell on the router’s cut-down installation of Linux.  All that is required is one additional iptables rule (iptables is the standard Linux packet-filtering and NAT tool; Google it for more info).  Type the following, amending the IP addresses to match your network setup:

iptables -t nat -A POSTROUTING -d 192.168.0.1 -s 192.168.0.0/24 -p tcp --dport 80 -j SNAT --to 192.168.0.254

This adds a rule to the POSTROUTING chain of the nat table that matches TCP traffic to port 80 (HTTP) coming from the private network and, after the router’s existing port-forward has rewritten the destination, headed for the server.  The SNAT target rewrites the source address of those packets to the router’s LAN address, so the server sees the connection as coming from the router and sends its replies back through it; the router then reverses both translations before passing the reply to the client.  Without this rule the server would answer the client’s LAN address directly, and the client, having opened a connection to the WAN address, would discard a reply that appears to come from 192.168.0.1.

If your server does more than serve web pages, for example it is also an NTP or mail server, the above step needs to be repeated (changing the -p and --dport parameters accordingly) for each port and protocol combination you require.  Alternatively, those parameters can be omitted altogether, so that looped-back traffic on any port gets the same treatment:

iptables -t nat -A POSTROUTING -d 192.168.0.1 -s 192.168.0.0/24 -j SNAT --to 192.168.0.254

Note that neither rule opens any ports: what reaches the server is still governed by the router’s port-forwarding.  What the rule does change is that every looped-back connection now arrives at the server from 192.168.0.254, so the server can no longer tell internal clients apart in its logs or apply per-client access rules to them.  If you use the catch-all form, I recommend you run a firewall on the server itself, with only the ports you need open.
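As an added example (not the author’s own script, nor anything that ships on the router), here is a small POSIX shell script that generates the NAT loopback rules for any number of protocol/port pairs, so the output can be pasted into the router’s telnet session or applied directly.  It goes one step beyond the post: it also emits the PREROUTING DNAT rule, which is needed on routers whose existing port-forward only matches packets arriving on the WAN interface (on the DG834G the existing forward already did that part, which is why the post only adds the SNAT rule).  The addresses are constructed for the example: LAN 192.168.0.0/24, router 192.168.0.254, server 192.168.0.1, and an assumed WAN address of 203.0.113.10; override them with environment variables to match your network.

```shell
#!/bin/sh
# hairpin.sh - generate (or apply) NAT loopback rules for a Linux router.
# Added example, not part of the DG834G firmware. Addresses below are
# constructed for illustration; override them via environment variables.

LAN_NET="${LAN_NET:-192.168.0.0/24}"      # internal network
ROUTER_LAN="${ROUTER_LAN:-192.168.0.254}" # router's LAN address
SERVER="${SERVER:-192.168.0.1}"           # internal server
WAN_IP="${WAN_IP:-203.0.113.10}"          # router's WAN address (assumed)

# Emit the two rules for one protocol/port pair.
# $1 = tcp|udp, $2 = destination port
hairpin_rules_for() {
    proto="$1"
    port="$2"
    # 1. DNAT: LAN packets sent to the WAN address are redirected to the
    #    server, exactly as the port-forward does for packets from outside.
    printf 'iptables -t nat -A PREROUTING -s %s -d %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$LAN_NET" "$WAN_IP" "$proto" "$port" "$SERVER" "$port"
    # 2. SNAT: rewrite the source to the router, so the server answers the
    #    router (where both translations are reversed) instead of replying
    #    straight to the client, which would discard a reply from an
    #    address it never connected to.
    printf 'iptables -t nat -A POSTROUTING -s %s -d %s -p %s --dport %s -j SNAT --to-source %s\n' \
        "$LAN_NET" "$SERVER" "$proto" "$port" "$ROUTER_LAN"
}

# Emit rules for every "proto:port" argument (e.g. tcp:80 udp:8668),
# rejecting anything that is not tcp/udp with a numeric port.
hairpin_rules() {
    for spec in "$@"; do
        proto="${spec%%:*}"
        port="${spec#*:}"
        case "$proto" in
            tcp|udp) ;;
            *) echo "unsupported protocol in '$spec'" >&2; return 1 ;;
        esac
        case "$port" in
            ''|*[!0-9]*) echo "bad port in '$spec'" >&2; return 1 ;;
        esac
        hairpin_rules_for "$proto" "$port"
    done
}

# Only dispatch when run with arguments: with --apply the generated
# commands are executed, otherwise they are printed for review.
if [ $# -gt 0 ]; then
    if [ "$1" = "--apply" ]; then
        shift
        hairpin_rules "$@" | sh -e
    else
        hairpin_rules "$@"
    fi
fi
```

Run `sh hairpin.sh tcp:80 udp:8668` to see the four commands, and `sh hairpin.sh --apply tcp:80 udp:8668` on the router to execute them.  The DNAT rule matches on the WAN address, so if your ISP hands out a dynamic address you will need to regenerate the rules when it changes; the SNAT rule alone is address-independent.  As with the post’s one-liner, nothing here survives a reboot.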

There is more information in section 10 of Rusty Russell’s Linux 2.4 NAT Howto.

Unfortunately, the iptables change isn’t retained across router restarts, so the whole process has to be repeated every time, which is a pain in the backside.  Fortunately, however, the Netgear support website has download links for previous firmware versions, so I downgraded my router back to firmware v5.01.09 and everything worked fine again, including NAT loopback, with no iptables hack required.

Written by Nik

October 26th, 2009 at 9:13 pm

5 Responses to 'Netgear DG834G and NAT loopback'

  1. Thanks, this is just what I was looking for!

    ste grant

    10 Nov 09 at 5:57 pm

  2. I believe the debug link is dead, dude.

    Christopher

    14 Nov 09 at 3:24 pm

  3. You need to modify the debug-activation URL according to the IP address of your router; I used 192.168.0.0/24 as an example IP range because it’s quite common in home setups.

    I’ve updated the article to make this clearer.

    Nik

    14 Nov 09 at 6:06 pm

  4. UDP port 88668?! Crikey.

    webvictim

    19 Jan 10 at 12:39 am

  5. Not sure whether that was a typo or a random number I had plucked out of the air which happened to be a little bit too high.

    Thanks for spotting it though :)

    Nik

    19 Jan 10 at 10:06 am
