No NAT Loopback on RT-AC68U running 386.5.2

[mzcymro]

I bought this router on the strength that it would accomodate NAT Loopback, which is a basic requirement for running an Open Simulator server (used for the creation of Second Life like virtual worlds). This was back in late 2017. After setting it up, all worked very smoothly, like a dream in fact, and performance was much better than with the Netgear WNR 2000 it replaced.

Some months go I upgraded the firmware on the router, and thought nothing of it, and when I tried to connect to my Open SImulator server from another PC on my LAN it refused connection. I hadn't changed settings, so in theory it should have worked.. It didn't so basically I gave up running the Open Simulator server pending further invesigation.

I then hit on the idea of trying to connect via a VPN, as this would emulate NAT Loopback, so my thinking went. I tired this, and it worked, so I was able to connect to my Open Simulator servers, albeit in a less than ideal manner.

On upgrading to the 386.5.2 firmware I again revisited the NAT Loopback issue with the router, only to discover that this feature has been removed back in 2018, according to this post: https://www.snbforums.com/threads/i...oopback-reflection-hairpinning-anymore.67068/

This post, however seems to suggest that NAT Loopback does still work, (though maybe because the OP there is using 384.17 firmware) and those responding are unaware that the feature has been removed.

I've tried to 'roll back' to a previous version of the firmware know to have NAT Loopback ability, but of course the router is set up to not allow this as a 'security feature', which is frustrating to say the least. I hope there is a solution, otherwise this router is just useless to me.

If anyone has any ideas for a solution that is relatively easy to implement I'd be happy to read them.

 

[dave14305]

Do you have a rule like this?

# iptables -t nat -S POSTROUTING | grep br0
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.0/24 -o br0 -j MASQUERADE

 

[mzcymro]

Do you have a rule like this?

# iptables -t nat -S POSTROUTING | grep br0
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.0/24 -o br0 -j MASQUERADE

Thanks for the reply. No, I don't have a rule like that, and to be honest, I wouldn't know where to put that rule, or how to implement it for my setup.

I bought the router on recommendation, in the knowledge that it would enable NAT Loopback with the Asuswrt - Merlin firmware, which it initially did. I don't remember it being a difficult set-up procedure, just port forwarding and ensuring that NAT Loopback was enabled - plus of course correct DNS setup.

 

[ColinTaylor]

Thanks for the reply. No, I don't have a rule like that, and to be honest, I wouldn't know where to put that rule, or how to implement it for my setup.

I bought the router on recommendation, in the knowledge that it would enable NAT Loopback with the Asuswrt - Merlin firmware, which it initially did. I don't remember it being a difficult set-up procedure, just port forwarding and ensuring that NAT Loopback was enabled - plus of course correct DNS setup.

You have to SSH into the router and issue the iptables -t nat -S POSTROUTING | grep br0 command from the prompt to see that rule.

You don't need to "enable" NAT loopback. It's there by default, both in stock firmware and in Merlin's. The option that was present in very old firmwares was for an alternative method that Merlin developed to try you get around some issues with the stock firmware at that time. That option has long since been removed as it is not relevant or needed anymore.

If you are having issues with NAT loopback you need to do some more diagnosis as to the cause. I would start by confirming that the DNS name you are using correctly resolves to your public IP address, and that address is also the same as the one shown in the GUI on the Network Map page. Any VPN clients on the router also need to be disabled.

 

[eibgrad]

I've never heard of a situation that *required* NAT loopback.

All NAT loopback does is allow you to reference the *public* IP (typically by its DDNS) of a service available via port forwarding over the WAN, rather than the local *private* IP of the service (aka, the target of the port forward).

AFAIK, its only purpose is the *convenience* of NOT having to constantly reconfigure the client of that service between the public and private IPs as you move back and forth between the home/office and public side of the WAN. But again, it's a *convenience*, NOT a necessity.

In those cases where NAT loopback isn't available, and you only need access to a single, local, private IP, you could just as well create a host-record directive in DNSMasq of the same domain name used w/ your DDNS to facilitate the switch from public to private IP.

host-record=<hostname>.asuscomm.com,192.168.1.100

 

[mzcymro]

@colin Taylor - I don't seem to be able to telnet into the rouoter. (I followed this video tutorial as far as setting up SSH access) I've ensured that SSH is enabled in the router, but when I attempt to telnet in I get this response:

padi@moron:~$ telnet 192.168.1.1
Trying 192.168.1.1...
telnet: Unable to connect to remote host: Connection refused
padi@moron:~$ ^C
padi@moron:~$

@ eibgrad, thanks for the suggestion - maybe most use case scenarios don't require NAT Loopback, but as far as I know, Open Simulator does, and the lack of a router's ability to handle NAT Loopback is a major issue when running the platform, and causes far more issues than anything else. I'm sure that if a solution such as you suggest worked it would feature prominently in the Open SImulator wiki. Whilst there are solutions that involve iptables, they were written a long time ago, and as far as I know, very few have managed to get that process to work, if any. It's certainly not the recommended method. I will of course give your suggestion a go, once I manage to login with telnet. If your suggestion works, then I'm sure that many in the Open Simulator community would be very interested in that solution.

 

[ColinTaylor]

@colin Taylor - I don't seem to be able to telnet into the rouoter. (I followed this video tutorial as far as setting up SSH access) I've ensured that SSH is enabled in the router, but when I attempt to telnet in I get this response:

padi@moron:~$ telnet 192.168.1.1
Trying 192.168.1.1...
telnet: Unable to connect to remote host: Connection refused
padi@moron:~$ ^C
padi@moron:~$

Telnet and SSH are two completely different protocols. Merlin's firmware doesn't support Telnet as it is a security concern, it only supports SSH. You need to use an SSH client like PuTTY or from the Windows 10 command prompt:

ssh admin@192.168.1.1

Change account name and IP address as appropriate.

But I will say again, there is nothing wrong with NAT loopback in the current firmware.

 

[mzcymro]

Telnet and SSH are two completely different protocols. Merlin's firmware doesn't support Telnet as it is a security concern, it only supports SSH. You need to use an SSH client like PuTTY or from the Windows 10 command prompt:

ssh admin@192.168.1.1

Change account name and IP address as appropriate.

But I will say again, there is nothing wrong with NAT loopback in the current firmware.

Thanks Colin, I'm on a Linux system, but I guess the process is similar bar using a different client to PuTTY. I'm sure what you say about NAT Loopback in the current firmware is correct, but it isn't working for me, yet.

EDIT: I've SSHed into the router, issued the command you suggested in your first response to me and this is the output:

# iptables -t nat -S POSTROUTING | grep br0
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.0/24 -o br0 -j MASQUERADE
dd-wrt@RT-AC68U-2088:/tmp/home/root#

 

[ColinTaylor]

EDIT: I've SSHed into the router, issued the command you suggested in your first response to me and this is the output:

# iptables -t nat -S POSTROUTING | grep br0
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.0/24 -o br0 -j MASQUERADE
dd-wrt@RT-AC68U-2088:/tmp/home/root#

OK that confirms that the NAT loopback rule is present, as expected.

 

[mzcymro]

Thanks Colin, I'm on a Linux system, but I guess the process is similar bar using a different client to PuTTY. I'm sure what you say about NAT Loopback in the current firmware is correct, but it isn't working for me, yet.

OK that confirms that the NAT loopback rule is present, as expected.

yes, but it's not working for me, as I'm unable to login to my Open Simulator regions unless I'm using a VPN service. Is there more I need to do. Sorry, I'm an absolute n00b when it comes to this, if it wasn't obvious.

 

[ColinTaylor]

yes, but it's not working for me, as I'm unable to login to my Open Simulator regions unless I'm using a VPN service. Is there more I need to do. Sorry, I'm an absolute n00b when it comes to this, if it wasn't obvious.

I said in post #4:

If you are having issues with NAT loopback you need to do some more diagnosis as to the cause. I would start by confirming that the DNS name you are using correctly resolves to your public IP address, and that address is also the same as the one shown in the GUI on the Network Map page. Any VPN clients on the router also need to be disabled.

 

[mzcymro]

I said in post #4:

I have confirmed that the DNS name correctly resolves my public IP address as I've checked that, both in the router and on the no-ip management page. I have no VPN clients enabled in the router. and use VPN from an individual machine.

 

[ColinTaylor]

Looking at the OpenSimulator website it appears that you're using UDP rather than TCP as I had assumed. You may be suffering from this problem.

Try this as an experiment. Log into the router and go to LAN > Switch Control. Change NAT Acceleration to disabled. Test again.

The OpenSimulator configuration instructions state here that the server can be accessed using its local IP address from the LAN. So that would avoid any requirement for NAT loopback at all.

 

[mzcymro]

Looking at the OpenSimulator website it appears that you're using UDP rather than TCP as I had assumed. You may be suffering from this problem.

Try this as an experiment. Log into the router and go to LAN > Switch Control. Change NAT Acceleration to disabled. Test again.

The OpenSimulator configuration instructions state here that the server can be accessed using its local IP address from the LAN. So that would avoid any requirement for NAT loopback at all.

Thank you. I tried your suggestion and it works, and though I can teleport from my world to others (basically move from my 3D website to another through changing the URI (url for Opensim 3D worlds) in the special browser map. I still don't seem to be able to teleport back to my world though, and this will be a router issue for which I'll probably need help from the Open Simulator community as the message I receive in the special browser is a common one that is at best cryptic.

Yes, an Open Simulator instance running locally on the same LAN with no connection to the internet does not need NAT Loopback because it's not being accessed from outside the LAN as is the case with it set up in what is called Hypergrid or Grid mode, i.e. as a standalone or as part of a wider virtual world respectively.

I've been using this software for the best part of a decade now, and up til now haven't really had these issues, as previously I've either been a mere user of a virtual world, or have had my region hosted. Since 2013 I've run my own servers, initially using a Netgear WNR 2000 with dd-wrt firmware and since late 2017 with my current router, the RT-AC68U, which as I explained in my initial post, worked well with no issues.

So, partial success and certainly a step in the right direction. Once again, many thanks.

 

[ColinTaylor]

So, partial success and certainly a step in the right direction. Once again, many thanks.

OK that's progress, and a workaround of sorts.

As explained in that other thread the problem with disabling NAT acceleration on the RT-AC68U is that the maximum internet download speed drops from ~930 Mbps to about 220 Mbps. If your internet speed is less than 220 Mbps you can leave it disabled and call it a day.

If however your internet speed is higher you should use one of the suggested fixes in that other thread. Both fixes require creating a custom config file or script. Let us know if that's something you want to do and we can explain more. In the meantime I'll try to flag this issue for @RMerlin's attention.

 

[mzcymro]

Thanks Colin. My download is around 80 Mbps max atm, so I can just leave the NAT acceleration as disabled. I'll get on to one of the OSGrid admins over the issue I'm having with returning to my region, as I'm sure it's a common issue. I'll also pass on the info about the router still supporting NAT as there is a belief that it no longer does so, and indeed, I was informed when I bought the router specifically to connect my Open Simulator instances that I'd need the Asuswrt-Merlin firmware flashed to the router to enable NAT Loopback. It seems that this was wrong all along.