Q on "NAT trombone" connections

stevech

Part of the Furniture
I've seen this for years and don't know what to expect nor do to improve things.

I'll call this the "NAT trombone" problem. It goes like this.
A common home router in use. Has dynamic DNS client to keep "mydomain.com" updated.

There's an issue in most (all?) routers on the use of the public IP address while on the private NATed LAN. Example
A mobile device (e.g., my Android phone)... FTP or HTTP connection (to my own servers) to the public address, but I'm on my own WiFi: fails. Switch from WiFi to public carrier cellular: same connection works.
Of course, if I know I'm on WiFi and use the LAN IP address, the connection works.

Anyone know how this should work? Is there some router setting I can do to deal with this? Of course I have port forwarding for the WAN to LAN mapping, but the issue is the LAN side, as above.
 
This is known as "NAT Loopback". Routers either allow it or they don't. I'm not aware of any switches that control it.

The list at this site might be helpful. I can't vouch for its accuracy.
 
Thanks...

With my router, if I say
FTP mydomain.com

I correctly connect to the computer on which my FTP server is located. But the FTP session's get/put fail. If instead, I use the private LAN address, it works. Same sort of issues with HTTP and the web server.

So that it initially connects using the symbolic public address may mean that the router does NAT loopback. But IIRC, FTP does more TCP connections on other ports to effect the data transfer. And this is what seems to fail.

Connecting in from the Internet, no problems, via port forwarding.

It's a PITA because a mobile smartphone that toggles between LAN and WAN and uses HTTP and FTP and so on apparently has to use different IP addresses depending on LAN/WAN.
 
This is a controllable option in dd-wrt.

security > firewall > block wan request > (uncheck) filter wan nat redirection
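To see why "allowing" NAT loopback is more than applying the port forward on the LAN side too, here is an added example (not from the thread and not any router's firmware) that models the TCP handshake as packet rewriting. Every address is constructed: 203.0.113.10 stands in for the public address mydomain.com resolves to, 192.168.1.20 for the FTP/HTTP box and 192.168.1.50 for the phone on Wi-Fi; the port table is a stand-in for the real port-forwarding rules.

```python
"""NAT loopback ("hairpin NAT") modelled as packet rewriting, to show why the
router needs a source rewrite (SNAT) as well as the port forward (DNAT) when a
LAN client uses the public address. Added example, not the poster's setup;
every address is constructed (RFC 1918 / documentation ranges)."""
from dataclasses import dataclass

WAN_IP = "203.0.113.10"       # public address "mydomain.com" resolves to (constructed)
ROUTER_LAN_IP = "192.168.1.1"
CLIENT = "192.168.1.50"       # phone on the home Wi-Fi (constructed)
SERVER = "192.168.1.20"       # FTP/HTTP box on the LAN (constructed)
PORT_FORWARDS = {21: (SERVER, 21), 80: (SERVER, 80)}   # WAN port -> (LAN host, port)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Router:
    """Port-forwarding NAT with optional hairpin SNAT for LAN-originated traffic."""

    def __init__(self, hairpin_snat):
        self.hairpin_snat = hairpin_snat
        self.conntrack = {}    # reply 4-tuple as the server sends it -> original client packet
        self.next_port = 30000

    def lan_to_public(self, pkt):
        """A LAN packet addressed to the router's public IP. Apply the same DNAT the
        WAN side gets; with hairpin SNAT also rewrite the source to the router."""
        if pkt.dst != WAN_IP or pkt.dport not in PORT_FORWARDS:
            return None                     # no loopback rule: nothing on the LAN answers
        host, port = PORT_FORWARDS[pkt.dport]
        if self.hairpin_snat:
            src, sport = ROUTER_LAN_IP, self.next_port
            self.next_port += 1
        else:
            src, sport = pkt.src, pkt.sport
        out = Packet(src, sport, host, port)
        self.conntrack[(host, port, src, sport)] = pkt
        return out

    def reply_to_lan(self, reply):
        """Undo the translation on a server reply that came back to the router."""
        orig = self.conntrack.get((reply.src, reply.sport, reply.dst, reply.dport))
        if orig is None:
            return None
        return Packet(orig.dst, orig.dport, orig.src, orig.sport)


def server_reply(pkt):
    """The server's SYN/ACK goes to whatever source address the SYN carried."""
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)


def same_subnet(a, b):
    return a.rsplit(".", 1)[0] == b.rsplit(".", 1)[0]   # /24 LAN assumed


def hairpin_attempt(hairpin_snat, dport=21):
    """Simulate one handshake from CLIENT to WAN_IP:dport. Returns the SYN/ACK as
    the client sees it and whether it matches the socket the client opened."""
    router = Router(hairpin_snat)
    syn = Packet(CLIENT, 40000, WAN_IP, dport)   # WAN_IP is off-subnet -> goes to the router
    to_server = router.lan_to_public(syn)
    if to_server is None:
        return None, False
    synack = server_reply(to_server)
    if same_subnet(synack.src, synack.dst) and synack.dst != ROUTER_LAN_IP:
        seen = synack            # same LAN: the server ARPs the client and bypasses the router
    else:
        seen = router.reply_to_lan(synack)
    # The client's socket is connected to (WAN_IP, dport); a SYN/ACK from anything else gets a RST.
    return seen, seen is not None and (seen.src, seen.sport) == (WAN_IP, dport)


if __name__ == "__main__":
    for snat in (False, True):
        seen, ok = hairpin_attempt(snat)
        print(f"hairpin SNAT={snat}: reply from {seen.src}:{seen.sport} -> {'connected' if ok else 'RST'}")
```

Without the source rewrite the server answers the client directly on the LAN, so the client receives a SYN/ACK from 192.168.1.20:21 while its socket is connected to 203.0.113.10:21, and resets the connection. On Linux-based firmware (dd-wrt included) the second rule is typically an iptables POSTROUTING MASQUERADE or SNAT for LAN-to-LAN traffic that matched the forward, along the lines of `iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.20 -p tcp --dport 21 -j MASQUERADE` (illustrative; the exact rule depends on the firmware). The cost is that the server then sees and logs the router's LAN address instead of the client's.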
 
This could be a different issue than NAT loopback.

If your FTP client supports passive mode, try that.
 
Thanks... more clues

WinSCP (non-encrypted, FTP mode) - - BTW, this is a GREAT ftp client.
I cannot find a choice of PASV mode.
Using it, from a PC on the LAN side of my router, if I log in to mydomain.com it succeeds (authenticates the password for user), and displays the user root directory. But when I try to open a folder in root, it fails.

ftp client in Win 7
I cannot find a choice of PASV mode.
Using it, from a PC on the LAN side of my router, if I log in to mydomain.com it fails in the initial authentication.

With either, if I use the LAN IP address (192.168.x.x) there are no failures.

Confused is me.
 
You're right. The router partially supports NAT loopback. The initial TCP connection to the FTP or HTTP server, using the public IP address, works correctly. But during that session, when (e.g.) FTP begins a data transfer, it opens another TCP connection - and that one fails - unless I use the private LAN address to begin the session.

I think my Android phone does the same thing.

I wonder if the Android (Linux?) has a "hosts" file.
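The second connection the post above describes is FTP's data channel, and where it goes is negotiated in the control session: in passive mode the server advertises an address and port in its 227 (or 229 for EPSV) reply; in active mode the client advertises its own address in a PORT command. Added example (not code from the thread, and not any particular client's code): parsing those replies, building a PORT command, and choosing which address to actually connect to when the server sits behind NAT. The replies and addresses are constructed.

```python
"""FTP data-connection bookkeeping: parse PASV (227) / EPSV (229) replies,
build a PORT command, and decide which address to use for the data connection
when the server is behind NAT. Added example; replies and addresses are constructed."""
import ipaddress
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" and the parenthesis-free variants.
_227_RE = re.compile(r"227\D*(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# "229 Entering Extended Passive Mode (|||port|)"; RFC 2428 allows any delimiter character.
_229_RE = re.compile(r"229[^(]*\((\D)\1\1(\d+)\1\)")

# Python's ipaddress.is_private also flags the documentation ranges used here,
# so the RFC 1918 test is written out explicitly.
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(host):
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in _RFC1918)


def parse_pasv(reply):
    """Return (host, port) from a 227 reply; raise ValueError on a malformed one."""
    m = _227_RE.search(reply)
    if not m:
        raise ValueError("not a 227 reply: %r" % reply)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % reply)
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 advertised in %r" % reply)
    return ".".join(str(n) for n in nums[:4]), port


def parse_epsv(reply):
    """Return the port from a 229 reply (EPSV never advertises an address)."""
    m = _229_RE.search(reply)
    if not m:
        raise ValueError("not a 229 reply: %r" % reply)
    port = int(m.group(2))
    if not 1 <= port <= 65535:
        raise ValueError("port out of range in %r" % reply)
    return port


def port_command(host, port):
    """Active mode: the client tells the server where to connect back to. Behind NAT
    this is the client's private address, which a server on the Internet cannot reach."""
    octets = list(ipaddress.IPv4Address(host).packed)
    return "PORT " + ",".join(str(n) for n in octets + [port // 256, port % 256])


def data_endpoint(reply, control_host):
    """Pick (host, port, reason) for the passive data connection.

    control_host is the address the control connection was opened to. A server
    behind NAT usually advertises its own LAN address; from the public side that
    address is unreachable, so the control host is used instead. Any other
    mismatch is also ignored so a hostile server cannot redirect the client."""
    host, port = parse_pasv(reply)
    if ipaddress.ip_address(host) == ipaddress.ip_address(control_host):
        return host, port, "advertised address matches the control connection"
    if is_rfc1918(host) and not is_rfc1918(control_host):
        return control_host, port, "private address advertised through NAT; using control host"
    return control_host, port, "advertised address differs from control host; ignoring it"


if __name__ == "__main__":
    # Constructed: server at 192.168.1.20 behind a router whose public address is 203.0.113.10
    reply = "227 Entering Passive Mode (192,168,1,20,195,80)."
    print(data_endpoint(reply, "203.0.113.10"))   # control session opened via the public address
    print(data_endpoint(reply, "192.168.1.20"))   # control session opened directly on the LAN
    print(parse_epsv("229 Entering Extended Passive Mode (|||50001|)"))
    print(port_command("192.168.1.50", 40001))
```

Run against the public address, the server advertises its LAN address and the client falls back to the control host plus the advertised high port, which is outside the forwarded ports unless the server's passive range is forwarded too; that is one way the second connection can fail while the control connection succeeds. Run against the LAN address, the advertised endpoint is used as-is. Python's ftplib applies the same fallback by default (FTP.trust_server_pasv_ipv4_address is False) so that a malicious server cannot steer the data connection to an unrelated host.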
 
Here's an extract from my router's built-in help file. I'm trying to decide if any of it is relevant. Each bold-faced item is a user choice in one of the menus for NAT/Firewall options


The router provides a tight firewall by virtue of the way NAT works. Unless you configure the router to the contrary, the NAT does not respond to unsolicited incoming requests on any port, thereby making your LAN invisible to Internet cyberattackers. However, some network applications cannot run with a tight firewall. Those applications need to selectively open ports in the firewall to function correctly. The options on this page control several ways of opening the firewall to address the needs of specific types of applications. See also Advanced → Virtual Server, Advanced → Port Forwarding, Advanced → Application Rules, and Advanced → Network (UPnP) for related options.

Firewall Settings

Enable Stateful Packet Inspection
SPI ("stateful packet inspection" also known as "dynamic packet filtering") helps to prevent cyberattacks by tracking more state per session. It validates that the traffic passing through that session conforms to the protocol. When the protocol is TCP, SPI checks that packet sequence numbers are within the valid range for the session, discarding those packets that do not have valid sequence numbers.

Whether SPI is enabled or not, the router always tracks TCP connection states and ensures that each TCP packet's flags are valid for the current state.

NAT Endpoint Filtering

The NAT Endpoint Filtering options control how the router's NAT manages incoming connection requests to ports that are already being used.

Endpoint Independent
Once a LAN-side application has created a connection through a specific port, the NAT will forward any incoming connection requests with the same port to the LAN-side application regardless of their origin. This is the least restrictive option, giving the best connectivity and allowing some applications (P2P applications in particular) to behave almost as if they are directly connected to the Internet.
Address Restricted
The NAT forwards incoming connection requests to a LAN-side host only when they come from the same IP address with which a connection was established. This allows the remote application to send data back through a port different from the one used when the outgoing session was created.
Port And Address Restricted
The NAT does not forward any incoming connection requests with the same port address as an already established connection.

Note that some of these options can interact with other port restrictions. Endpoint Independent Filtering takes priority over inbound filters or schedules, so it is possible for an incoming session request related to an outgoing session to enter through a port in spite of an active inbound filter on that port. However, packets will be rejected as expected when sent to blocked ports (whether blocked by schedule or by inbound filter) for which there are no active sessions. Port and Address Restricted Filtering ensures that inbound filters and schedules work precisely, but prevents some level of connectivity, and therefore might require the use of port triggers, virtual servers, or gaming to open the ports needed by the application. Address Restricted Filtering gives a compromise position, which avoids problems when communicating with certain other types of NAT router (symmetric NATs in particular) but leaves inbound filters and scheduled access working as expected.

UDP Endpoint Filtering
Controls endpoint filtering for packets of the UDP protocol.
TCP Endpoint Filtering
Controls endpoint filtering for packets of the TCP protocol.

Formerly, the terms "Full Cone", "Restricted Cone", "Port Restricted Cone" and "Symmetric" were used to refer to different variations of NATs. These terms are purposely not used here, because they do not fully describe the behavior of this router's NAT. While not a perfect mapping, the following loose correspondences between the "cone" classification and the "endpoint filtering" modes can be drawn: if this router is configured for endpoint independent filtering, it implements full cone behavior; address restricted filtering implements restricted cone behavior; and port and address restricted filtering implements port restricted cone behavior.

NAT Port Preservation

NAT Port preservation (on by default) tries to ensure that, when a LAN host makes an Internet connection, the same LAN port is also used as the Internet visible port. This ensures best compatibility for internet communications.

Under some circumstances it may be desirable to turn off this feature.
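To make the three endpoint-filtering modes in the extract above concrete, here is an added example (not the router's code; addresses and ports are constructed) that opens one outbound mapping and probes it from the original peer, from the same host on another port, and from a stranger. Only the filtering decision is modelled: the mapping itself is endpoint independent in all three modes, as the help text's cone comparison assumes, and "port preservation" reuses the LAN port as the public port when it is free.

```python
"""Model of the router's NAT endpoint-filtering modes (endpoint independent,
address restricted, port and address restricted), i.e. the full cone /
restricted cone / port restricted cone behaviours the help text maps them to.
Added example, not the router's code; addresses and ports are constructed."""

ENDPOINT_INDEPENDENT = "endpoint independent"
ADDRESS_RESTRICTED = "address restricted"
PORT_AND_ADDRESS_RESTRICTED = "port and address restricted"


class ConeNat:
    def __init__(self, mode, wan_ip="203.0.113.10", port_preservation=True):
        self.mode = mode
        self.wan_ip = wan_ip
        self.port_preservation = port_preservation
        self.mappings = {}      # (lan_ip, lan_port) -> wan_port
        self.by_wan_port = {}   # wan_port -> (lan_ip, lan_port)
        self.peers = {}         # wan_port -> set of (remote_ip, remote_port) the LAN host sent to
        self.next_port = 1024

    def _allocate(self, lan_port):
        if self.port_preservation and lan_port not in self.by_wan_port:
            return lan_port                     # "NAT Port Preservation": keep the LAN port number
        while self.next_port in self.by_wan_port:
            self.next_port += 1
        return self.next_port

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """LAN host sends a packet out; returns the (wan_ip, wan_port) the remote sees."""
        key = (lan_ip, lan_port)
        if key not in self.mappings:
            wan_port = self._allocate(lan_port)
            self.mappings[key] = wan_port
            self.by_wan_port[wan_port] = key
            self.peers[wan_port] = set()
        wan_port = self.mappings[key]
        self.peers[wan_port].add((remote_ip, remote_port))
        return self.wan_ip, wan_port

    def inbound(self, remote_ip, remote_port, wan_port):
        """Packet from the Internet to wan_port: the LAN endpoint it is delivered to,
        or None when the filter drops it."""
        if wan_port not in self.peers:
            return None                         # unsolicited: no mapping at all
        seen = self.peers[wan_port]
        if self.mode == ENDPOINT_INDEPENDENT:
            allowed = True                      # anyone may use the port once it is open
        elif self.mode == ADDRESS_RESTRICTED:
            allowed = any(ip == remote_ip for ip, _ in seen)
        elif self.mode == PORT_AND_ADDRESS_RESTRICTED:
            allowed = (remote_ip, remote_port) in seen
        else:
            raise ValueError("unknown mode %r" % self.mode)
        return self.by_wan_port[wan_port] if allowed else None


def compare_modes(lan=("192.168.1.50", 40000), peer=("198.51.100.7", 3478)):
    """Open one outbound mapping in each mode and probe it from several sources."""
    results = {}
    for mode in (ENDPOINT_INDEPENDENT, ADDRESS_RESTRICTED, PORT_AND_ADDRESS_RESTRICTED):
        nat = ConeNat(mode)
        _, wan_port = nat.outbound(*lan, *peer)
        results[mode] = {
            "same peer": nat.inbound(peer[0], peer[1], wan_port),
            "same host, new port": nat.inbound(peer[0], 9999, wan_port),
            "stranger": nat.inbound("192.0.2.99", 5555, wan_port),
            "unmapped port": nat.inbound(peer[0], peer[1], wan_port + 1),
        }
    return results


if __name__ == "__main__":
    for mode, probes in compare_modes().items():
        print(mode)
        for probe, delivered in probes.items():
            print("  %-20s -> %s" % (probe, delivered or "dropped"))
```

The endpoint independent column is the security point behind the help text's warning that it takes priority over inbound filters: once the LAN host has opened the port, any Internet host can reach it there. Port and address restricted is the strictest and is what breaks P2P and similar multi-connection setups, hence the port triggers and virtual servers the text says may be needed.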
 
I would disable all of them and see if it works. If it does then start enabling them until it stops, then you know.
 
