
How to defeat router loopback on SOHO router....?

Is there any way to get around router loopback on a SOHO router?
It is always getting in my way and causing me trouble and I hate it.
Here is one of many, many, many examples....
Install a Security Camera DVR on location. Customer has an iPhone. All applications on the market require you to map each camera to a web address (it could be local or remote), port number and camera number. So you have to map *******.no-ip:****.*** for each camera + the local address, port number, camera number for the customer and explain that they have to use two separate sets whether they are on site or remote. But with a 64 camera system, with 10 devices, this is very arduous. And this is just for cameras. I run into the same problem for RDP and many other situations where it is not possible or practical to modify the hosts/dns file on every device. Is there any way to allow WAN access for within the LAN with routers that are in the $50-$150 price range?

Commented:
Hi Jtech

I'm not sure I understand your question properly. Do you want the devices on the LAN to bypass the router/firewall and be directly accessible from the WAN? Like a DMZ?

When you mentioned RDP I assume you mean you want to access the LAN from the WAN. I like LogMeIn for all my remote work; it's secure and takes away a lot of the hassle.

If I understand correctly, you are mapping a dedicated WAN IP to a device on your LAN to access it remotely?

If that is the case, have you considered a VPN solution? Most routers support VPN. (LogMeIn's Hamachi is a great VPN as well.)
That way they would not need a WAN IP just a LAN one and they connect to the VPN before accessing a device.

Author

Commented:
Sorry about the confusion.

Here is the problem.

Inside the network you have to map to the internal IP address of the device
Outside the network you have to map the WAN Address (or associated dynamic host name) to the router plus the port number so it knows where to direct the traffic.

All good so far. The trouble comes in when you have multiple services set up that need to be accessed inside and outside the LAN, such as RDP, VNC, IP cameras, security DVRs, intelligent locks, alarm systems, SQL Servers, etc. And the IP cameras all have to be addressed independently.

So to give a specific example, let's say you have a client with a laptop that needs to RDP into the server at the office. You have to give him two RDP shortcuts, one called Server LAN and one called Server WAN. One has the internal IP address, one has the external IP address and port number. Then you have to explain to the client that they have to use different shortcuts depending on whether they are at work or not.

That in itself is not so bad, I can deal with that. However, like I mentioned before, if you have 64 IP cameras, a security system, a SQL server, a Terminal Server (for RDP), and 20 client devices, it can be a huge pain to have to enter everything twice (for LAN and WAN) and explain which one they have to use and when.

So at the root of the problem and the question is the fact that every router I have ever used blocks incoming WAN traffic originating from a device on the network. So if I try to access a device on the network using the static WAN address + port number, it gets blocked.

Is there any way around this?

Author

Commented:
VPN seems like a very cumbersome way around a simple problem. All I want is the router to stop blocking WAN traffic from requests sent from devices on the LAN.

Commented:
To me a VPN connection is a much better solution than opening up all those ports to incoming WAN connections. I guess the best method will depend on the particular make and model of router you are using.

I can't think of one universal option on a router that is going to work.
Steve Knight, IT Consultancy
CERTIFIED EXPERT

Commented:
My simple Netgear home and small office routers -- DG834 series with DGTeam firmwares -- will happily talk to the external address from the internal interface.... a few small office customers use these or similar basic routers quite happily for their 2-25 user kind of size...

"Proper" routers are generally configurable for such things, and the basic ones that I have come across all allow this, I thought?

Having said that I would be very wary of opening up all those ports, ideally some form of VPN from outside as has been suggested, or at very least if it is to a limited number of locations then filtering on the firewall to only allow access from certain external IP / ranges.

Steve

ping xxx.domain.co.uk

Pinging xxx.domain.co.uk [xx.yyyy.zz.161] with 32 bytes of data:
Reply from xx.yyyy.zz.161: bytes=32 time=1ms TTL=64
Reply from xx.yyyy.zz.161: bytes=32 time<1ms TTL=64

Ping statistics for xx.yyyy.zz.161:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms
Control-C

Tried telnet into some open ports on the outside address from inside too, fine.

Steve
Bud Durland, Director of IT
CERTIFIED EXPERT

Commented:
As I understand what you're saying, here's the problem (all IP addresses made up).  You have a camera on the internal network at 192.168.1.10.  You've created a "NOIP" hostname, such as 'camera1.example.noip.net', which resolves to your SOHO router's EXTERNAL IP address of 1.2.3.4.  Programming the smartphone software to connect to 'camera1.example.noip.net' works fine from outside the network, but once inside it doesn't, because the host name resolves to the external address, and the router gets confused.  There are a couple of ways to go about this:

1) get a smarter router.  Some of the higher-end SOHO routers can do "address reflection", which basically solves the issue you're experiencing.  I would expect the higher-end LinkSys devices to do this.  Or, you could get an old x86 computer and load up pfSense (http://www.pfsense.org) or SmoothWall (http://www.smoothwall.org)

2) if you have a separate DNS server on the private network (or if the router you are using provides a DNS proxy, such as SmoothWall or pfSense), you can simply add host records for the ***.noip.net addresses that use the internal network IP addresses for the cameras.

Hope this helps
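Option 2 above, as a small model you can run. This is an added example and not code from the thread or from any router product; every name and address is constructed (RFC 1918 and RFC 5737 ranges) and the record table and port forwards stand in for the DVR/camera setup in the question. It also checks the one thing split DNS does not fix on its own: if the router forwards external port 8080 to internal port 80, a LAN client typing name:8080 still misses, so the external and internal ports have to match (or the service has to listen on the forwarded port) before a single shortcut works from both sides.

```python
"""Split-horizon DNS model: one name, two answers.

Added example, not from the thread. Every name and address here is
constructed (RFC 1918 and RFC 5737 ranges); the records and port forwards
are assumptions standing in for the DVR/camera setup in the question.
"""
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed internal network
ROUTER_WAN_IP = "203.0.113.4"                   # assumed public IP of the router

# Assumed records. Inside the LAN a name resolves straight to the device;
# outside it resolves to the router, and the port forward picks the device.
RECORDS = {
    "camera1.example.noip.net": "192.168.1.10",
    "camera2.example.noip.net": "192.168.1.11",
    "rdp.example.noip.net":     "192.168.1.20",
}

# Assumed port forwards: external port -> (internal host, internal port).
# External and internal ports are kept equal on purpose (see below).
GOOD_FORWARDS = {
    8001: ("192.168.1.10", 8001),
    8002: ("192.168.1.11", 8002),
    3389: ("192.168.1.20", 3389),
}


def resolve(name, client_ip):
    """Answer like a split-horizon resolver: LAN clients get the internal
    address, everyone else gets the router's public address. None = NXDOMAIN."""
    internal = RECORDS.get(name)
    if internal is None:
        return None
    if ipaddress.ip_address(client_ip) in LAN:
        return internal
    return ROUTER_WAN_IP


def endpoint(name, port, client_ip, forwards=GOOD_FORWARDS):
    """Where a connection to name:port actually lands, or None if it is dropped."""
    ip = resolve(name, client_ip)
    if ip is None:
        return None
    if ip == ROUTER_WAN_IP:
        # From outside the connection hits the router; only forwarded ports get through.
        return forwards.get(port)
    return (ip, port)


def single_shortcut_works(name, port, lan_client, wan_client, forwards=GOOD_FORWARDS):
    """True if the same name:port reaches the same service from both sides,
    i.e. the customer needs one shortcut instead of a LAN one and a WAN one."""
    inside = endpoint(name, port, lan_client, forwards)
    outside = endpoint(name, port, wan_client, forwards)
    return inside is not None and inside == outside


def mismatched_forwards(forwards):
    """Port forwards whose external port differs from the internal port.
    Split DNS fixes the address half of the problem; these still force two
    shortcuts because the port the client types only works from one side."""
    return {ext: target for ext, target in forwards.items() if ext != target[1]}
```

On a real network the RECORDS table is the internal zone on the LAN's DNS server (for dnsmasq, one `address=/camera1.example.noip.net/192.168.1.10` line per device; on a Windows DNS server, an A record in a zone named after the dynamic-DNS domain), and the LAN's DHCP scope has to hand that server out so the phones and laptops actually ask it.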
Steve Knight, IT Consultancy
CERTIFIED EXPERT

Commented:

One other question... just curious, but what is the size of these businesses? It seems they have 64 security cameras but are using a small SOHO router and no secure connection in?

Would suggest a better way, if VPN isn't an option, would be for them to RDP or use a suitable web interface into an internal host which then displays the camera output purely internally?

Steve
Most Valuable Expert 2011
Commented:
Going back to the original question:

The answer is simple....

.....It is NO.  You cannot disable that,...because it is not a "feature" in the first place, therefore it is not something that you can disable.  It is a limitation in how NAT technology generically works,...trying to do what you want to do creates a situation where both the Source MAC and the Destination MAC inside the packet become the same MAC,...hence it cannot send from itself to itself so it has an identity crisis and shoots itself in the head and fails.

It is also not a SOHO thing,...many high-end commercial and industrial firewalls are exactly the same way.

Some firewall products get around this by adding a "proxying" function above the NAT process which gets around the limitation in NAT.  MS's ISA Server and MS's TMG are able to do this with HTTP by the way it runs it through the Web Proxy Service,...but it only works with HTTP, FTP-over-HTTP, and HTTPS.
If you want more information on that you can find it here. Look about halfway down the article where it shows examples of "MAC Tables" produced by the "NAT Editor".  At the time I wrote this the site of that link is down, but it should be back later:

MAC address issue in Hairpining (looping back or U-turning) with NAT firewalls
14120 Errors; Discussion and Solution
http://www.isaserver.org/articles/14120_Errors_Discussion_and_Solution.html

The proper way to handle this is to do a simple Split DNS and then use a "name" (instead of IP#s) to access the resource.  When inside the LAN the "name" resolves to the internal LAN IP and it works fine,...when outside the LAN it resolves to the public IP and it works fine that way too.  I'm not going to get into how to do the Split-DNS unless you decide that it is the way you will go.
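For the routers that do loop back (the Netgear units mentioned earlier in the thread, and the "address reflection" option), here is what the translation has to look like at the IP/port level. This is an added model, not code from the thread or from any router firmware, and it deliberately stays above the MAC-level picture discussed above: addresses, ports and the single port forward are constructed assumptions (RFC 1918 / RFC 5737). The point it shows is that a plain port forward (DNAT) is not enough for a LAN client: the server would answer the client directly across the switch, from its own LAN address, and the client's TCP socket rejects a reply from a peer it never connected to. A router that supports loopback also rewrites the source (SNAT) so the reply comes back through it and can be un-translated.

```python
"""NAT loopback (hairpin NAT) at the IP/port level: what a router has to do
when a LAN client connects to the router's own public address.

Added example, not from the thread. Addresses and ports are constructed
(RFC 1918 / RFC 5737) and the single port forward is an assumption.
"""
from dataclasses import dataclass

ROUTER_WAN = "203.0.113.4"        # assumed public address
ROUTER_LAN = "192.168.1.1"        # assumed LAN-side address
CLIENT = ("192.168.1.50", 40000)  # phone on the office Wi-Fi
SERVER = ("192.168.1.10", 80)     # camera / DVR web interface
PORT_FORWARDS = {8080: SERVER}    # assumed forward: WAN :8080 -> camera :80
HAIRPIN_PORT = 50000              # source port the router picks when it SNATs


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def router_inbound(pkt, hairpin_snat):
    """A LAN packet addressed to the router's WAN address.
    Returns the packet as the LAN server receives it, or None if dropped."""
    if pkt.dst != ROUTER_WAN or pkt.dport not in PORT_FORWARDS:
        return None
    host, port = PORT_FORWARDS[pkt.dport]
    src, sport = pkt.src, pkt.sport            # plain DNAT leaves the source alone
    if hairpin_snat:
        src, sport = ROUTER_LAN, HAIRPIN_PORT  # SNAT: server must reply via the router
    return Packet(src, sport, host, port)


def server_reply(request):
    """The server answers whatever source the request carried."""
    return Packet(request.dst, request.dport, request.src, request.sport)


def router_return(reply, original):
    """Reply path. Only replies addressed to the router pass through conntrack,
    which undoes both rewrites; anything else goes client-direct over the switch."""
    if (reply.dst, reply.dport) == (ROUTER_LAN, HAIRPIN_PORT):
        return Packet(original.dst, original.dport, original.src, original.sport)
    return reply


def client_accepts(reply, original):
    """The client socket only matches a reply from the peer it connected to."""
    return (reply.src, reply.sport) == (original.dst, original.dport) and \
           (reply.dst, reply.dport) == (original.src, original.sport)


def round_trip(hairpin_snat):
    """First request/reply of a LAN client connecting to WAN:8080.
    Returns (accepted_by_client, reply_as_the_client_sees_it)."""
    syn = Packet(CLIENT[0], CLIENT[1], ROUTER_WAN, 8080)
    at_server = router_inbound(syn, hairpin_snat)
    if at_server is None:
        return False, None
    reply = router_return(server_reply(at_server), syn)
    return client_accepts(reply, syn), reply
```

On a Linux-based router (pfSense and DD-WRT-style firmwares expose the same thing as "NAT reflection" or "loopback") this is the usual pair of rules: the existing DNAT in the PREROUTING chain plus a MASQUERADE or SNAT in POSTROUTING for traffic from the LAN subnet to the forwarded host. The price is visible in the model: the camera or DVR sees every LAN client as 192.168.1.1, so its access logs and any IP-based allow-list on the device lose the real client address, which is one more reason split DNS (so LAN clients never hairpin at all) is the cleaner fix.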
Most Valuable Expert 2011

Commented:
@dragon-it
Would suggest a better way if VPN isn't an option would be they RDP or suitable web interface into an internal host which then displays the camera output purely internally?

It is a sound theory. However RDP doesn't handle video very well,...often it just shows "black" where the video is supposed to be in the software Player for the camera.   Sometimes it may show it as a horrible "slide show" with about 8 colors.  However for other situations not video related it may work fine.
Most Valuable Expert 2011

Commented:
I just saw above that VPN was mentioned.  VPN would be a good over all solution.  I would much rather use VPN than trying to Publish all those gazillions of services one-by-one over the NAT Firewall.  VPN also provides an additional layer of security in that you have to authenticate with the VPN to get in through the VPN to begin with,..before you ever get to all the other things.
Steve Knight, IT Consultancy
CERTIFIED EXPERT

Commented:
@pswindell -- A good point about the RDP and video.  Split DNS is what I use personally for numerous reasons but it does seem somehow this wasn't an option which is why I was a little confused --> SOHO router, 64 cameras, no server / DNS internally?!

I haven't sniffed the packets on the router itself to see how they do it, but the basic modem-firewall-routers I use do loop back all ports/protocols OK from inside to the external interface -- I assumed the packets come from the internal interface, via NAT to the MAC of the external interface and back again through NAT, but I haven't really thought it through, I just know it works!

Easiest, I guess, would be one of the SSL VPNs: authenticate with it and access all the internal cameras by their internal DNS names or IP addresses.

Steve
Most Valuable Expert 2011

Commented:
A good point about the RDP and video.  Split DNS is what I use personally for numerous reasons but it does seem somehow this wasn't an option which is why I was a little confused --> SOHO router, 64 cameras, no server / DNS internally?!

Yea,...there's a lot of unknowns with this case.  That's why I don't like seeing a long thread with a bunch of suggestions when hardly anything is even really known about the situation.  It just turns into chaos.  I'd rather more information be brought to the surface first.

Author

Commented:
Split DNS definitely looks like the way to go. I also have a much better understanding of the fundamentals of the problem now, which I also appreciate you explaining.
