AC68U loopback still off

Maxou

Hi all, I'm quite upset right now. I'm not a specialist in networking but I managed to make my little LAN work fine except for this DAMNED NAT LOOPBACK ISSUE.

Please let me introduce my installation:
Internet --> ISP Fiber box --> DMZ on RT-AC68U --> LAN with DMZ on Synology NAS updating a registered www.my_domain.com DDNS account at NO-IP.

Till very recently, I didn't know the concept of NAT loopback and had 2 bookmarks for every one of my NAS services. One address used from WAN and one from LAN.
Now that I know I could use the WAN address i.e. www.my_domain.com to access my NAS even when I'm in the LAN, I just can't stand the fact that I can't get it to work with a high end ASUS Router.
I recently upgraded from stock firmware to the latest Merlin firmware on my AC68U thinking that it would solve the problem but nothing happened.
NAT Loopback is set on Merlin in the firewall section but I never had any result trying to access my NAS from within the LAN with a my_domain.com address.

I'm not comfortable with updating config files as I didn't understand how to append the hosts file. Nevertheless, I shouldn't need it.

I'm considering changing my router for that reason as I'm really tired of updating hosts files on each of my WAN and LAN devices.

Would you have a clue?

Thanks a lot.
 
Wow... that's a bit of an odd setup, perhaps take the DMZs out of the loop, port forward what you need to the outside world, and...

Which box is doing the primary routing from the Internet? I'm assuming it's the ISP fiber box - is there a way it can be put into Bridge Mode, and then let the AC86U handle firewall and DHCP/DNS duty?

If so, then you can add your internal names to the hosts file in dnsmasq, letting it do the resolution for internal, and forward external requests upstream. RMerlin's builds should allow this...

Do that, then you can dump the hosts files on your other WAN/LAN devices.

BTW - not a good idea to leave a NAS box naked in the DMZs...
 
Hi sfx and thanks for the answer.

Nevertheless, French fiber box --> no features such as bridge; it would of course be easier. I just disabled DHCP on it and assigned a fixed IP to the AC68U.

For the DMZ on the NAS, I found it easier to let the NAS protect itself with a correct firewall setup and opened ports so that I don't have to add a NAT rule for each port or port range on the ASUS router. Is there really a security gap? I assumed that the NAS does the firewall job as well as the router, no?

Considering the NAT Loopback issue, don't you have another way to solve it?

Thanks
 
So which box is dishing out DHCP addresses? The fiber box, Asus, or the NAS?

I would put the NAS out of the DMZ, and let it sit behind a robust SPI firewall, and open ports accordingly.

I think all of your DMZ stuff is what is making your NAT loopback a bit of a challenge - but basically, you can configure dnsmasq to point records for both local and WAN addresses, so requests from inside will resolve to the internal address, so that way you don't have to hairpin the connection at all...
 
How I solved my loopback/hairpin issue was to use mDNS (Avahi/Bonjour), and use hostname.local which only works internal, and hostname.mydomain.net on the external side - and add the appropriate records to my DNS configuration on dyndns.

Everything is behind my router, firewalled off, nothing in DMZ, and I open ports/IPs as needed...

And I was able to get away from constant editing of /etc/hosts files and static IPs altogether...

mDNS is pretty awesome - Windows doesn't support it out of the box, but I've found by installing iTunes - iTunes installs Bonjour...

Macs all support this out of the box, and most modern Linux distros install Avahi, or have Avahi as a package...
 
Apologies for jumping on this thread but I have a very similar problem and I am trying to understand how to fix it.
My first router is ISP provided and I have no control over it. It provides me with a 192.168.2.x address and on one of the LAN ports I have all ports open (a DMZ?); this then feeds my RT-AC68U with Merlin firmware installed on it. So far so good as almost everything is now working. But even with NAT loopback on (tried both types) it isn't working when I send external addresses to it. Not knowing how this works, I am wondering if it's because my external IP isn't at the ASUS so it doesn't "know" it's external. Could this be right, and if so is there another way for me to achieve the same thing?
Thanks,
Gareth
 
The NAT loopback is something that has to be provided by the main router. It won't work if you are configured in a double NAT setup.
 
The NAT loopback is something that has to be provided by the main router. It won't work if you are configured in a double NAT setup.

Thanks for jumping in - the OP is in more than a double NAT, look at all the DMZs and what not - I'm sure that this was something born perhaps out of necessity, but it's a good chance to take a step back and review the network design...
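Added example, not part of any post in this thread: a POSIX shell check for the two situations the replies describe, a router whose WAN side is itself behind NAT (double NAT) and a hostname that already resolves to a LAN address through a local dnsmasq record. The function names and every address are constructed for illustration; 203.0.113.7 and 198.51.100.4 are documentation-range stand-ins for public IPs.

```shell
#!/bin/sh
# Added example (not from the thread); names and addresses are constructed.

# is_private ADDR: returns 0 for RFC 1918 or RFC 6598 (carrier-grade NAT) space,
# 1 for any other valid IPv4 address, 2 if ADDR is not dotted-quad IPv4.
is_private() {
    oldifs=$IFS; IFS=.
    set -f; set -- $1; set +f          # split on dots without globbing
    IFS=$oldifs
    [ $# -eq 4 ] || return 2
    for o in "$@"; do
        case $o in ''|*[!0-9]*|????*) return 2 ;; esac
        [ "$o" -le 255 ] || return 2
    done
    if [ "$1" -eq 10 ]; then return 0; fi
    if [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 0; fi
    if [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then return 0; fi
    if [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then return 0; fi
    return 1
}

# diagnose WAN_IP RESOLVED_IP
#   WAN_IP      = address on this router's WAN interface
#   RESOLVED_IP = what a LAN client gets when it resolves the public hostname
diagnose() {
    wan=0; is_private "$1" || wan=$?
    res=0; is_private "$2" || res=$?
    if [ "$wan" -eq 2 ] || [ "$res" -eq 2 ]; then
        echo "invalid-input"; return 2
    fi
    if [ "$res" -eq 0 ]; then
        echo "split-dns"       # name maps to a LAN address; nothing to hairpin
    elif [ "$wan" -eq 0 ]; then
        echo "double-nat"      # public IP sits on the upstream box, not here
    else
        echo "loopback-here"   # this router holds a public IP on its WAN side
    fi
}

# Constructed case: router WAN on the ISP box's 192.168.2.x range and the
# hostname still resolving to the public address.
diagnose 192.168.2.10 203.0.113.7
# Same router after a dnsmasq record such as
#   address=/www.my_domain.com/192.168.1.50   (LAN address is a constructed value)
diagnose 192.168.2.10 192.168.1.50
```
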
 