NAT Loopback Issue

jtp10181

Senior Member
Router: AC56R
Firmware: 378.52 (plan to upgrade to _2 tomorrow)

I noticed today that I was having issues accessing my webserver from inside the network using the DDNS hostname. I remembered seeing NAT Loopback so I Google searched it and sure enough that seemed to be exactly the problem (it wasn't working). The setting was set to "Merlin" so I changed it to "ASUS". Poof, it worked fine now.

I was also having an issue where if I went to my http://DDNS (default port 80) from OUTSIDE or INSIDE my network I would get the router interface page. I thought this was odd since the outside facing one is set to a different port. Now with that NAT Loopback setting changed, this also seems to be resolved. Yes, I do want WAN access to the interface so I can check on the network when I am traveling. Might set up a VPN eventually but this works for now.
 
from .51:
  • The original NAT loopback was re-added, and is now user-selectable (between None, Asus, and Merlin). I recommend using Merlin for MIPS routers. For ARM routers with the Trend Micro engine, I applied a few tweaks to attempt to make my NAT loopback code work with it (so far it's working fine on my own router), but your own results may vary, so experiment with both. I expect Asus's own loopback to be hopefully fixed with their next release.
but, on my AC68R actually "Merlin" works but not the other.
 
Thanks, I missed that when reading over things apparently. I can confirm after updating to .52_2 that on the AC56R only the ASUS NAT loopback works. The Merlin setting is broken. I tested the web GUI being exposed on port 80 again and cannot replicate it on either setting, so never mind on that issue.


 
My NAT loopback does not work reliably on routers with the Trend Micro DPI engine, such as the RT-AC56U. Nothing I can do about it, that engine is closed source, and can overwrite my firewall rules.
 
Ok, just wanted to put the info out there in case others had issues. I think it defaulted to the Merlin setting after a reset so maybe the default should get switched?
 
It currently defaults to mine because Asus's own was completely broken until recently, while mine was at least working some of the time on ARM routers (and all of the time on MIPS routers).
 
Understandable then on why that is the default. I know I have a slightly less popular router also, so things might not be tested on it specifically.

I am just really glad to see this new traffic monitor graph and better QoS settings. I was waiting for the Shibby Tomato to work better on this router but now I don't see any reason to switch back again. I am glad I found this fork off the original Asus firmware. Gives just the right feature set that I liked in Tomato on my old router.

What kind of dev environment would I need to contribute? There is some minor stuff that bugs me and maybe I can figure out how to fix it myself. Right now thinking about how it only uses my static DHCP names in the traffic history if that device is connected, otherwise it shows a MAC or IP depending on what area you are in.
 
You will need a Linux environment. See the Wiki for various guides on how to set up a working build environment.
 
One comment about this while I am using RT-AC56U, Merlin 378.53, and Merlin loopback vs ASUS loopback. When using Netalyzr I received the following error with Merlin, but not ASUS or no loopback (however UPnP doesn't work completely when set to no loopback as expected).

When using Merlin Loopback:
"Your system can send and receive fragmented traffic with IPv6. The path between our system and your network does not appear to handle fragmented IPv6 traffic properly."

Once switched to ASUS, no errors were noted for Netalyzr. Unfortunately, I can't provide a solid answer as to why this would be the case, as I can't quite understand how a loopback failure would cause problems with fragmented IPv6 traffic.

Thanks for your efforts,

Pablo
 
AC66U is not ARM but also only ASUS loopback works, I have posted somewhere already in the main feedback topic
 
This doesn't make much sense, since the NAT loopback is only implemented in IPv4. IPv6 isn't NATted, so there's no firewall rule related to NAT in ip6tables. Something else caused your test to fail/succeed.
 
Agreed it doesn't make sense, but it is what is reported. The error message in itself is also disconcerting, as it initially indicates that the router can handle it, but somehow the path between me and them is flawed.

Even in ASUS mode (which appears a bit wonky with regards to UPnP), it is also complaining about errors in EDNS0 support, which is odd as I thought that it was fixed by DNSMASQ 2.73rc1 that you're using. The Netalyzr error message:

"Your DNS resolver is unable to receive a medium sized (~1400 byte) DNS response successfully, even though it advertises itself as EDNS-enabled.
Your DNS resolver is unable to receive a large (>1500 byte) DNS response successfully, even though it advertises itself as EDNS-enabled."

I am using TrendMicro, and I wonder if that could be causing these problems...

I'll keep modifying my configuration to see if I can identify a root source of the problem.

Pablo
 
Hi, I'm having troubles too. AC68U here. Tried both ASUS and Merlin modes, various combinations of firewall and QOS, but I only managed to see the HTTPS green lock a couple of times without the page being loaded (now not even that anymore)
 
Joined the forum to report the same issue with my AC68U, Rebooted under 'Merlin' and 'Asus' and unable to connect to my DDNS server, only internally.

Really hope this can be resolved as it set me backwards all day before discovering it was 'NAT rollback'
 
You have it backward. The NAT loopback is for connecting internally. If you are failing to connect externally, then the issue is either your ISP, or your modem blocking access to your router.
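
Added illustration (not part of the thread, and not the Asus or Merlin firmware code): a small packet-trace model of why an ordinary port forward works from outside but fails from inside the LAN unless the router also rewrites the source address, which is the job of a NAT loopback rule. All addresses except 192.168.1.100 are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed values; only 192.168.1.100 (the NAS) appears in the thread.
LAN = ip_network("192.168.1.0/24")
ROUTER_LAN = "192.168.1.1"   # assumed router LAN address
WAN_IP = "203.0.113.10"      # assumed address the DDNS name resolves to
CLIENT = "192.168.1.50"      # assumed LAN client
SERVER = "192.168.1.100"     # port-forward target

def loopback_reply(client, dst, snat):
    """Trace one request/reply through a router that forwards
    WAN_IP -> SERVER and return the source address the client
    sees on the reply."""
    src = client
    if dst != WAN_IP:
        return dst  # not the forwarded address: no NAT involved
    # Step 1 (DNAT): the router rewrites the destination to the server.
    dst = SERVER
    # Step 2 (loopback SNAT): LAN-origin traffic sent back into the LAN
    # is masqueraded as the router, if the loopback rule is present.
    if snat and ip_address(src) in LAN:
        src = ROUTER_LAN
    # Step 3: the server answers whatever source address it saw.
    reply_dst = src
    if reply_dst == ROUTER_LAN or ip_address(reply_dst) not in LAN:
        # The reply passes back through the router, whose connection
        # tracking reverses the translations: it appears to come from WAN_IP.
        return WAN_IP
    # The reply is delivered directly on the LAN, bypassing the router,
    # so the DNAT is never reversed and the source stays SERVER.
    return SERVER

def connection_works(client, dst, snat):
    # A client only accepts a reply from the address it sent the request to.
    return loopback_reply(client, dst, snat) == dst

if __name__ == "__main__":
    for who, snat in (("198.51.100.7", False), (CLIENT, False), (CLIENT, True)):
        print(who, "loopback rule:", snat, "->", connection_works(who, WAN_IP, snat))
```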
 
I can connect to 192.168.1.100 (NAS) no issues, just the DDNS external portal I can't open while on the network anymore, I can only access it with my 3G/4G. I thought a good workaround would be to put the laptop I use to access it under the VPN but still it doesn't load up the page :/
 
RMerlin:

The ISP was fine with the Billion 7800N modem/router. Any other ideas?

Nothing more than what I already posted in this thread. Asus's NAT loopback has issues with certain configurations, and my loopback is not compatible with the Trend Micro DPI engine.
 
This is weird. I've been using an AC68P with Merlin for several weeks and NAT Loopback was working with no problem. A few days ago, it suddenly stopped working. The URL I was trying to reach is a web page hosted on a server on my home LAN.

After spending a few hours trying to diagnose the problem, I found this thread. I switched loopback from Merlin to Asus, as Merlin suggested, and that fixed it. I'm just really curious why it worked without an issue for weeks before suddenly not working???
 
