ddns hairpinning on ng r9000 with Voxel + Kamoj running

  • ATTENTION! As of November 1, 2020, you are not able to reply to threads 6 months after the thread is opened if there are more than 500 posts in the thread.
    Threads will not be locked, so posts may still be edited by their authors.
    Just start a new thread on the topic to post if you get an error message when trying to reply to a thread.


Occasional Visitor
Hello to everybody here,

I´m new here because I bought a used X10 and changed stock to Voxel.
I did that for having DNS and webfilter options.

But what i really would like to use is nextcloud talk and therefore i need ddns internally resolved by NAT Loopback.
I can´t get it to work and i thought it is common on every Router since the wndr3700 which i sill use (eleven years) is able to do that.
I do not use any VPN on the device.

Can please anybody help me? How to do the trick?
Sorry for my lousy english....
Thanks in advance.

R. Gerrits

Senior Member
first lets get some definitions straight:

NAT loopback:
from an internal device (for example 192.168.x.x) connect to a service that you exposed via port-forwarding, by connecting to the DDNS name of your router, i.e. connecting to a public IP address.

This is is working fine on my R7800, so I say it should also work on R9000.

Split DNS:
Have your DDNS name externally resolve to the public IP of your router and internally resolve to the private IP-address of the resource you are trying to connect to.
afaik, this is only possible via telnet / ssh, to manually change some config files.

Which of the two do you want to use?
(because you write "I need ddns internally resolved")

I'm assuming you want to use the first -> does connecting from an internal device to your public IP do work?
(and just to be sure, does connecting from an external device (for instance phone connected to 4G) do work properly)


Occasional Visitor
thanks for your reply and your questions to clarify R.Gerrits.

What i noticed today in my tests is, that ddns isn´t established again after reboot. ("No IP on WAN" Message)
When i change Logindata to nonsense and back, it is working again.
Then "*.dyndns.org" is working from outside the Network and i can get at the nextcloud-login.
But if i type "*.dyndns.org" from 192.* than it runs into nirvana. When i type the IP-Address of nextcloud internally i also get to login. But this does not work well with "talk".
When i switch back to my WNDR3700 it is all working as expected. (I can reach nextcloud-login typing "*.dyndns.org" from inside)

R. Gerrits

Senior Member
The fact that it does work with with the public IP proves that NAT loopback (or NAT hairpinning) does work properly.
So the issue lies with the DDNS part.

Does your IP address then change at every reboot??
Mine is always the same so I'd never notice if ddns would fail to update after a reboot.
But it sounds like the ddns update script is started before the internet connection is fully up.

Anyways, next time you have the issue, try doing an nslookup (or dig) on the ddns name to see were it resolves to.
Perhaps your device is using the *.dyndns.org from its cache? (try flushing the dns-cache).
Or your DNS provider is caching it? (can you try if you change your DNS settings to one of the big providers like, or
But that normally shouldn't happen with a TTL of 60 seconds. Did you perhaps change the TTL settings at https://account.dyn.com/dns/dyndns/?


Occasional Visitor
No, WAN-IP does change if i disconnect for five minutes or so. It stays the same while Router reboots.
I obviously do not know enough of that all about. What i read is, that with NAT loopback the Request never leaves Router and is looped to local IP!?
Router uses provider DNS or the Kamoj crypt options. Clients should ask Router. I also configured mobile devices to ask router only, because i don't like alphabet at all.

So I will test flushing DNS and come back here with the results.

Thanks again!


Very Senior Member
There is an option in the add-on 5.3 beta "Hairpinning for brwan".
But I don't know if that's what you are out for.


Occasional Visitor
Flushing DNS does sadly not the trick.
Hello to Kamoj. I also don´t know if i am searching for this option. I installed your add-on "kamoj-addon_191214-083737-1_r9000.ipk"
How can i get to 5.3 beta? Can i find the installed Add-On-Version in the user interface?
Thank you.

R. Gerrits

Senior Member
Flushing DNS does sadly not the trick.
could you be more specific?

does an nslookup from an internal device do resolve to the correct public ip?

I don't think that "hairpinning for brwan" is the solution for your problem.
It changes something on bridge br0, so that ethernet frames coming in from ethwan can also exit again from ethwan.
But ethwan isn't even a member of bridge br0, so in my opinion, this command shouldn't even work.
Anyways, it messes around in L2 while you already have L3 connectivity (on IP address it works).


Occasional Visitor
soo - back after three hours of experiments...

with setup "old Router" *.dynalias.org is routed to *..101.16 - watched from world.

Internal it is like this:
Standardserver: main
Address: 192.*

primary name server = ns1.dyndns.org
responsible mail addr = hostmaster.dyndns.org
serial =
refresh = 600 (10 mins)
retry = 300 (5 mins)
expire = 604800 (7 days)
default TTL = 600 (10 mins)

- Switched to R9000 -

At a first look around there is "*.dynalias.org updated successfully at BS!?" so time and date are out of nowhere.
Check NTP -> as it should be = actual Time.

so i started investigations ddns

From World i get *..101.203 ttl:60 this Time - so for me dyn is up to date (I can reach the NC-Login)

Internal there is "no response" on nslookup

so i "updated" as described the Kamoj-Add-On.

After last reboot i get "No update action. There is no IP address on the Internet port." again changed credentials after that i get .dynalias.org "updated successfully at right NTP Time and Date"

So i started investigations again but after about 15 Minutes first internet stops working then Router stops responding.
Restart Router -> reports WAN-IP but no internetconnection. "Release"/"Renew" No effort.
I did stay offline until i reset modem after this i had still the same WAN-IP.

again "*.dynalias.org updated successfully at the right NTP Time"

Then i ran out of Time and would take a quick look-around in 5.3 Kamoj-Add-On - deleted on "bypass" a Service in QoS-Settings
Then Internet is gone again.
Status reports "DNSCrypt Proxy v2 DNSCrypt v2 is not running, but is enabled and on in nvram."
and "DNS status ERROR: www.cloudflare.com not reached"
I changed back Routers - HMMMM
I didn't check "Hairpinning for brwan" this Time...
Is this the State of "unexplainable problems" mentioned in the Kamoj FAQ (I am not the first owner of the Router) Is this explainable/fixable or how do i totally reset? I did resets by GUI and after that via Reset-button before i changed from Stock to Voxel.
Puh any Ideas? Thanks a lot at all of you for investing your Time in my Problems!
Last edited:

R. Gerrits

Senior Member
@mmv I got an email notification with all the things you tested, but somehow I cannot see it here... Strange.

Anyways, I thought you used the old version Kamoj-Add-On -> I suggest to PM kamoj to get access to the latest beta add-on.
The old version you are using has issues with NTP (it sets it too late in the boot process) -> and because of the wrong time, DNScrypt doesn't work (because ssl certificates are not trusted because of the wrong time.


Occasional Visitor
Split DNS:
Have your DDNS name externally resolve to the public IP of your router and internally resolve to the private IP-address of the resource you are trying to connect to.
afaik, this is only possible via telnet / ssh, to manually change some config files.
I would like to try this please.

What i did underneath:

I startet over completely again.
I deleted Kamoj settings.
nvram show | awk -F= '/^kamoj/ {print $1}' | xargs -n1 nvram unset; nvram commit
I deleted Kamoj AddOn.
/bin/opkg remove kamoj-addon
I reset device
nvram default
nvram commit
ngmtd="$(awk -F: '/"netgear"$/ {print $1}' /proc/mtd | grep mtd)"
[ -n "$ngmtd" ] && flash_erase /dev/"$ngmtd" 0 0

Yes and always a reboot.

I get into Voxel reset by GUI
I Flashed Stock.
I reset by gui

Next day i had Time to flash Voxel again and made a basic setup.

No Kamoj AddOn by now and I get:
"[2020-05-27 10:04:01] [DNSCRYPT] 7590: 33.76:DNSCrypt-Proxy-2 is not enabled in nvram. Exit.
[Initialized, firmware version: V1.0.4.41HF]"
in log

DDNS Status is "*.dynalias.org erfolgreich aktualisiert um 10:04, 27.05.2020" (established on BS time)
Server is reachable from World (No change in WAN-IP)

Log says:
[Time synchronized with NTP server] Sunday, June 21, 2020 02:27:42
DDNS Status is "*.dynalias.org erfolgreich aktualisiert um 10:04, 27.05.2020" (established on BS time)

No log entry at all concerning ddns

So DDNS is Up and Running. Time is inconsistent. And no FQHN from ddns on LAN.

Thanks again for Input

R. Gerrits

Senior Member
And no FQHN from ddns on LAN.
I assume that you mean with this that on your LAN, you still cannot resolve the ddns fqdn?

Which DNS server are you using on your LAN? Do you point to the router IP?
Which DNS server is your router then using?

what does nslookup <ddns fqdn> <router ip> say ?
what does nslookup <ddns fqdn> <router dns-server> say ?
what does nslookup <ddns fqdn> say ?

(time inconsistant you can ignore for now, as long as you don't use DNSCrypt)

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!