
How to have dyndns domain resolved locally?


labradort

New Around Here
FibreOP pushed me into replacing the Actiontec router with Asus, and now I'm here!
Thanks for the nice and conservative firmware. I like.

Previously I had cable ISP and a Linux firewall with NAT, PREROUTING and POSTROUTING.

This allowed me to have a domain I use with dyndns work locally in the LAN.

As of now, my domain works fine from outside the house, but inside, it just times out.

Here is an example of the iptables rules which did the job before on the
Debian Linux router.

The website is running on port 8900, on a local system at 192.168.0.3, and the router is 192.168.0.1. eth0 is the internal LAN, and eth1 faces the Internet.

-A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.0.3 --dport 8900 -m state --state NEW -j ACCEPT
-A PREROUTING -i eth0 -p tcp -d 24.XXX.YYY.ZZZ --dport 8900 -j DNAT --to 192.168.0.3
-A POSTROUTING -s 192.168.0.0/16 -d 192.168.0.3 -p tcp --dport 8900 -j SNAT --to 192.168.0.1

That is a lot of rules to do something simple, but it worked well. I've seen some
routers where the same thing is achieved by only port forwarding and one checkbox
for the forwards to work internally as well.

How will I get the local LAN to see the same thing as the outside visitor? Will I need
iptables like above, or is there one simple feature in Asus-wrt Merlin I have not found yet?
 
I'm no expert, but it sounds to me like you want NAT loopback, and if you're using 376.48, there is an issue with that feature. You can read Merlin's comments here.
 
...the ASUS features the use of dnsmasq.

I'd try to tweak and use this in order to direct internal clients to the local intranet address.

This is from the man-page (http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html) and looks promising for what you want to do, doesn't it:
Code:
-A, --address=/<domain>/[domain/]<ipaddr>
Specify an IP address to return for any host in the given domains. Queries in the
domains are never forwarded and always replied to with the specified IP address
which may be IPv4 or IPv6. To give both IPv4 and IPv6 addresses for a domain, use
repeated -A flags. Note that /etc/hosts and DHCP leases override this for individual
names. A common use of this is to redirect the entire doubleclick.net domain to some
friendly local web server to avoid banner ads. The domain specification works in the
same way as for --server, with the additional facility that /#/ matches any domain.
Thus --address=/#/1.2.3.4 will always return 1.2.3.4 for any query not answered from
/etc/hosts or DHCP and not sent to an upstream nameserver by a more specific
server directive.

...use a custom config to add this, as described here: https://github.com/RMerl/asuswrt-merlin/wiki/Custom-config-files
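
The matching behaviour quoted from the man page above, as an added example that is not part of the original post or of dnsmasq itself: a small Python model of how an `address=` directive captures a name and everything beneath it, and how a hosts entry overrides it. The name `home.example.net` is a constructed placeholder for the dyndns hostname, and the model assumes dnsmasq's label-boundary, most-specific-match behaviour.

```python
# Added illustration: a small model of how dnsmasq chooses an answer from
# address= directives. home.example.net is a constructed placeholder name.

def parse_address(directive):
    """Split 'address=/dom1/dom2/ip' into ([domains], ip)."""
    key, _, spec = directive.partition("=")
    parts = spec.strip().split("/")
    if key.strip() != "address" or len(parts) < 3 or parts[0] or not parts[-1]:
        raise ValueError(f"unsupported directive: {directive!r}")
    return [d.lower().rstrip(".") for d in parts[1:-1]], parts[-1]

def matches(domain, name):
    """Suffix match on label boundaries; '#' matches every name."""
    return domain == "#" or name == domain or name.endswith("." + domain)

def resolve(name, directives, hosts=None):
    """Return (ip, source); (None, 'upstream') means the query is forwarded."""
    name = name.lower().rstrip(".")
    if hosts and name in hosts:            # /etc/hosts and DHCP leases win
        return hosts[name], "hosts"
    best = None
    for directive in directives:
        domains, ip = parse_address(directive)
        for dom in domains:
            if matches(dom, name):
                rank = 0 if dom == "#" else len(dom)   # longest suffix wins
                if best is None or rank > best[0]:
                    best = (rank, ip, directive)
    return (best[1], best[2]) if best else (None, "upstream")

# Constructed configs: 192.168.0.3 is the LAN web server from the thread.
SCOPED = ["address=/home.example.net/192.168.0.3"]
OVERBROAD = ["address=/example.net/192.168.0.3"]

if __name__ == "__main__":
    for conf, qname in [(SCOPED, "home.example.net"),
                        (SCOPED, "www.home.example.net"),
                        (SCOPED, "nothome.example.net"),
                        (OVERBROAD, "mail.example.net")]:
        print(conf[0], qname, "->", resolve(qname, conf))
```

A DNS override does no port translation, so it fits the setup in this thread only because the service listens on port 8900 both at the WAN address and on 192.168.0.3. Scoping the directive to the exact hostname keeps unrelated names under the same parent domain resolving normally.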
 
Internally resolving now

I took a look at the issues raised in the responses, but didn't really change anything.
I didn't find an option called NAT loopback in the UI.

In the meantime, it started working, or at least it worked once,
if it is not stable. Perhaps my browser had the result
from the Actiontec router cached or Windows had cached the negative name
resolution (which tends to stick for a day in Windows).

I am running the firmware 376.48_1 with ASUS RT-N66U

Thanks for the replies on this question.
 
