Accessing my public IP from my private IP...


Hello,

Yeah, this is a stupid Darwin nominee here but I can't seem to get it to work.

I'm accessing from 192.168.1.7 and I have Apache running on 192.168.1.5. My public IP is 8.8.8.9.

The exact address is

https://8.8.8.9/hi

In the firewall, I've configured that port to open correctly, I've done my port forwarding right, and when I TeamViewer to a PC outside the network, it works.

NOW, if I try INSIDE the network, I simply get redirected from https://8.8.8.9/hi to https://8.8.8.9

What exactly should I check? I'm almost sure it's an HTTPS issue of some sort. Allowed NAT Loopback as well.


Hello,

Are you sure?

That is a Google IP. I am pretty sure he's just using that as an example.

<snipped>

Anyways, this is a window to create a new NAT rule:

[screenshot attachment: NAT rule window]

Here is where I set my NAT rule. I set a

Rule name (whatever I want)
Classification Virtual Server (always been like this for it to work correctly)
Incoming Interface wan1_ppp (My PPPoE connection)
Original IP any (This way it can come from anyone)
Mapped IP (the IP of the server)
Port Mapping Type any

Now you see there the Enable NAT Loopback. I tried to enable that but it says it doesn't allow it if the Original IP is "any" as it can lock me out (makes sense).


Hello,

I need some sit-down time with this. Meetings and BS for work.

No problem. It has to be some strange NAT Loopback issue I'm obviously doing incorrectly. Thanks for the helpful advice as always.

Hello,

Here's the on-topic question: If you are off your network, does the forwarding work? Like if you use a port tester such as here: http://www.yougetsignal.com/tools/open-ports/ does it say open or closed?

This is one of the first tests I did :) Indeed it says that port is open.

If it says open, it's most likely a loopback issue and you should try connecting from another location.

:huh: My first post says:

I'm almost sure it's an HTTPS issue of some sort. Allowed NAT Loopback as well.

Then I comment:

No problem. It has to be some strange NAT Loopback issue I'm obviously doing incorrectly. Thanks for the helpful advice as always.

The thing is that I KNOW it's a loopback issue and I mention:

I TeamViewer to a PC outside the network, it works.

So the thing is that I know it's a loopback issue, I've tried it from another location, it works, and now I want to solve it for this (the internal network) location, since I know my gateway supports NAT loopback :) Maybe I wasn't clear; if so, my mistake! :)

Manually set your DNS on your computer to an external address (8.8.8.8, hah), do an ipconfig /flushdns and then try it.


I personally never understand the use of NAT reflection or loopback, or whatever other term you want to use, for hitting a public IP on the router from an inside IP just to be "reflected" back to inside your own network.

The host is on the same network as your client box - so just set up your internal name resolution to point you to the internal IP. This is a much better solution than having to worry whether your NAT device supports reflection or not, or if you have it enabled. Turning on loopback and testing from a box inside your network is not a valid test of a forward for starters, since there might be issues from the public side in accessing your IP or port - maybe your ISP blocks the port, maybe their ISP blocks the port outbound (non-HTTP/HTTPS for example).

You should always validate from outside your network. From internal, just correctly set up name resolution to resolve whatever FQDN you want to use to your internal IP, and now it's moot whether your NAT device supports reflection/loopback.


Hello,

I think if you read this at the bottom it will make sense to you.

http://www.crabtree-consulting.com/port-forwarding-and-nat-loopback-on-zyxel-usg20/

I'll give this a shot. Thanks.


I was experiencing a bug with OwnCloud and I wanted to see at the moment if it was something internal or external :)

Sadly, it seems to be something internal and it happens on another network as well. I'll try some more tests and see if someone here has some idea on working with OwnCloud.


Hello,

Thread Cleaned

Thank you

Anyways, I've pretty much solved it setting a hostname like BudMan said... I'm doing some tests and as soon as I see it resolved, I'll mark it as solved because damn DNS are refreshing...

Now just gotta push it thru my AD (currently trying to figure that out)


Hello,

Odd. Adding a new forward zone in my AD DNS server, setting the name as "cloud.mydomain.com" (example), and making an A record in there with a blank name and setting it to the local IP address doesn't seem to work, and it still thinks it has to look for it thru WAN. Restarted DNS server.

Must be doing something wrong.


Hello,

:laugh: :rofl: Man I hope we upgrade our AD soon.... Pushing the DNS entries was as slow as watching paint dry.

Solved. Thank you.


This is slightly off topic, but I see you are using a USG.....

When you build your NAT rules (or rules generally) on the USG series it is my best practice to have 'any' in as few fields as possible.

So what you should do is for each of your public facing IPs create an object (I use GLOBAL_123 where 123 is the last octet of the public IP in question, but you can use whatever you like).

Then reference this object in your NAT rule; this will allow you to easily reference addresses for SNAT in the routing options and means you can allocate NAT rules to different IPs if you have a block allocation from your ISP. It will also allow NAT Loopback to function.

So your breakdown of the NAT rule is slightly incorrect:

Rule name (whatever I want) - Yes
Classification Virtual Server (always been like this for it to work correctly) - Yes if you want a standard port forward,
Incoming Interface wan1_ppp (My PPPoE connection) - Yes
Original IP any (This way it can come from anyone) - No, this should be the IP address you are expecting your traffic from (8.8.8.9 in your example, and would be an object GLOBAL_9 in mine). This is not a firewall rule, it is purely NAT; if you want to restrict or otherwise filter IPs it is the SourceAddress field in the FW that does this
Mapped IP (the IP of the server) - Yes, but again better to create an object and reference it.
Port Mapping Type any - It can be, but do you really want to do this? If yes then maybe you do want a 1:1 NAT, rather than Virtual Server

If you do have a range of IPs and are NAT'ing to them, remember to do SNAT in the routing screen to ensure the traffic leaves with the right return address in the header.

I'm not saying I like the idea of NAT Loopback as a testing mechanism, I don't, and using a DNS name is a far better test in this scenario!

Hope this is helpful


Hello,

I understand what you are saying, it's just so disgusting to use objects for everything! Ticks me off!

Original IP - Well, technically, you are correct. I put "any" since I expect traffic from 8.8.8.9 (WAN) and I could care less about internal affairs (10 PCs at most). I agree that if this was a larger scale organization, maybe some more specific filtering would be in order.

Mapped IP - I actually started out this way, "MySQLServerIP", "OpenVPNServerIP", etc., but just got plain sick of it.

Port Mapping - From what I understand from NAT and what you are saying, 1:1 would basically mean it comes from port 98 and goes to port 98. I apologize for not knowing the difference between that and Virtual Server. Looking up tutorials, they talked about virtual server on that setting...

Thank you for your help and advice :)


Push what through your AD? In an AD environment all clients should be pointing to ONLY your AD DNS - thought you only had 1 2k3sbs box.. So in its DNS, create a new forward zone that you're authoritative for, for whatever this domain is. Then create whatever records you want in this zone. Keep in mind once you do this there will be no external DNS for this domain. Any of your clients asking this nameserver will think it's authoritative for that domain. So say you have an A record www that points to your local IP, but there is a record ftp that is hosted on the public internet somewhere - you will want to create that ftp record in your new zone and put in the public IP for it, etc.

As to "DNS are refreshing" -- What do you mean exactly? There is no propagation or refreshing in DNS - there is the SOA, and there is a TTL for whatever records from the SOA; a record is cached for the length of the TTL starting from where they got it and that TTL. So what exactly is refreshing?

Let's say you have this:

NS (SOA) A record (www in the domain.tld) TTL = 24h or 86400 seconds, this is very common.

ISP DNS (ISP user queries www.domain.tld, nobody has looked for www.domain.tld in over 24 hours), TTL clock starts a 24 hour countdown.

That clock is ticking down.. Your client1 queries your DNS for that same record 12 hours later, your DNS then asks your ISP DNS, what do you think your TTL for that record is - 12h!!

Your DNS now starts ticking down from 12h.

Now client 2 on your network, say 6 hours later, asks your router for www.domain.tld == guess what that TTL is.. 6Hrs

The only time you will ever get the FULL TTL is if it is an authoritative query..

Example - top is a direct query to the Neowin authoritative NS, see the full length of the TTLs:

[screenshot attachment: query output]

Now if I ask my DNS, bottom one, you will notice the TTL has been counting down since the last query for them.. which only happens after the TTLs have expired. So what do you mean by refreshing? Do you mean waiting for the TTLs to expire? You can flush the DNS cache on the client to clear them.


Hello,

No problems, 1:1 NAT means a public IP is mapped directly to a private one, all ports.

The objects are actually a good thing - you create them once and then can reference them all over the device; for me much easier than remembering IPs of devices, but you don't have to use them!

You can use ANY as a source assuming you only have a single IP, it's just neater not to :)

Where it becomes important is with a range of IPs: if you had 5 IPs to use as a range on your WAN link for example and wanted to have HTTPS (for example) to two different servers internally, which you obviously couldn't do with a single IP.

So you'd have Public DNS record 1 pointing to PublicIP1, say 8.8.8.9, and then your NAT rule with that as a source and your 1st server as the destination.

You'd also have

Public DNS record 2 pointing to PublicIP2, say 8.8.8.10, and then your NAT rule with that as a source and your 2nd server as the destination.

It doesn't have anything to do with restricting access; you can do this, but on the firewall rules, not the NAT rules.

(In my above example you would also need 2 routing rules: routing HTTPS traffic from server 1 up WAN1PPP with an SNAT of 8.8.8.9 and HTTPS traffic from server 1 up WAN1PPP with an SNAT of 8.8.8.10)

But I think I've strayed waaaaay off topic now

But in your NAT loopback, if you'd put 8.8.8.9 as your source, switched on NAT Loopback, and then browsed to 8.8.8.9 internally it would have worked.

Cheers :)


Hello,

Push what through your AD?

I really gotta get my terminology checked. I say incorrect/stupid #### and confuse everyone. Sorry.

I always think of this:

[diagram attachment]

Which is wrong.

When it is actually this:

[diagram attachment]

That's why I said it pushes it thru AD when it has (almost) nothing to do with it! Sorry.

Moving on:

In an AD environment all clients should be pointing to ONLY your AD DNS - thought you only had 1 2k3sbs box.. So in its DNS, create a new forward zone that you're authoritative for, for whatever this domain is. Then create whatever records you want in this zone.

Exactly what I did. I checked tutorials, YouTube, etc. All were doing it the same: make a forward zone with the domain/FQDN, make a blank-named A record with the internal IP. Problem was that it wasn't "doing it", so to speak.

I /flushdns'd a client, checked that the DNS server was correct, and every time I pinged the site it still gave me the remote IP! I removed it several times and added it back.

I said, hell, there might be some kind of strange TTL, so I waited about 10 minutes. And 10 minutes later, it finally replied with the internal one based on the forward zone.

It sounds strange and, like you said, there really is no pushing but... huge lag to actually do it.

Keep in mind once you do this there will be no external DNS for this domain. Any of your clients asking this nameserver will think it's authoritative for that domain. So say you have an A record www that points to your local IP, but there is a record ftp that is hosted on the public internet somewhere - you will want to create that ftp record in your new zone and put in the public IP for it, etc.

I thought about this, so that's why I went with a subdomain instead of our regular domain.

I cleared both the cache on the DNS server and on a client. It seemed to not pay attention until 10-15 mins, when it then looked at the A record I inserted in the forward zone.

No problems, 1:1 NAT means a public IP is mapped directly to a private one, all ports.

Then what does the virtual server mean?

The objects are actually a good thing - you create them once and then can reference them all over the device; for me much easier than remembering IPs of devices, but you don't have to use them!

I never really liked OOP languages :laugh: but I understand what you mean by simply referencing them by name instead of IP.

I think I would use this if I was in a larger scale network.

You can use ANY as a source assuming you only have a single IP, it's just neater not to :)

A single public IP I assume you mean?
Ah OK, so I imagine what you are saying is that if I had more than 1 public IP, putting any would be bad practice, and using objects that repped IPs I could do, for example, two different servers or include some load balancing.

Interesting. I'll mentally jot it down as we have an OpenVPN server here that is just sucking up energy and I would like to move it to another one.

Thank you for helping.


What does WS stand for in your diagrams?

As to the client returning public after you created a local record for it on the local DNS.. Did the local DNS still have a cache for the record? You can look in the DNS server admin client and I believe if you turn on advanced view you can see everything cached on that server (Microsoft DNS - BIND not like this).

If your local client DNS cache is flushed, and the DNS it's asking is authoritative for the domain - the instant you create a record or change the record it's available.. There should be no wait. So something was not right - what do you mean you created a subdomain?

If your public domain is domain.tld, you can not create sub.domain.tld on your DNS and expect that to work - unless you're going to query www.sub.domain.tld.. So confused as to what you mean by "why I went with a subdomain instead of our regular domain."

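Added example, not from the thread: a small Python model of the TTL countdown BudMan walks through above (ISP cache, then our DNS 12h later, then a client 6h after that) and of the authoritative forward zone discussed in the AD DNS posts, including why a zone for the whole domain needs every public host re-created while a zone for just the subdomain keeps forwarding the rest. Resolver names, IPs and TTLs are constructed.

```python
"""Caching-resolver chain with TTL countdown, plus an authoritative local
zone (split-horizon DNS). Added example; all names, IPs and TTLs are made up."""

DAY = 86400  # 24h TTL, the "very common" value in the thread


class Resolver:
    """A DNS server that is authoritative for `zones` and forwards everything
    else to `upstream`, caching answers for their remaining TTL."""

    def __init__(self, name, upstream=None, zones=None):
        self.name = name
        self.upstream = upstream
        self.zones = zones or {}   # zone apex -> {owner name -> (ip, ttl)}
        self.cache = {}            # qname -> (ip, absolute expiry time)

    def flush(self):
        """Equivalent of ipconfig /flushdns or clearing the server cache."""
        self.cache.clear()

    def _zone_for(self, qname):
        for zone in self.zones:
            if qname == zone or qname.endswith("." + zone):
                return zone
        return None

    def query(self, qname, now):
        """Return (ip, ttl) as seen by a client asking at time `now` (seconds)."""
        zone = self._zone_for(qname)
        if zone is not None:
            # Authoritative: served from zone data, never from cache, so a record
            # added to the zone is visible on the very next query. Names under the
            # zone with no record are NXDOMAIN: public hosts must be re-created here.
            if qname not in self.zones[zone]:
                raise LookupError(f"{self.name}: NXDOMAIN {qname} (authoritative for {zone})")
            return self.zones[zone][qname]
        hit = self.cache.get(qname)
        if hit and hit[1] > now:
            return hit[0], hit[1] - now      # remaining TTL, not the original
        if self.upstream is None:
            raise LookupError(f"{self.name}: cannot resolve {qname}")
        ip, ttl = self.upstream.query(qname, now)
        self.cache[qname] = (ip, now + ttl)  # expiry is set by whoever we asked
        return ip, ttl


def ttl_countdown():
    """The thread's walk-through; returns the TTL each party saw, in order."""
    auth = Resolver("auth-ns", zones={"domain.tld": {"www.domain.tld": ("203.0.113.10", DAY)}})
    isp = Resolver("isp-dns", upstream=auth)
    ours = Resolver("our-dns", upstream=isp)
    seen = [isp.query("www.domain.tld", 0)[1]]               # full 86400 from the SOA
    seen.append(ours.query("www.domain.tld", 12 * 3600)[1])  # 43200 left at the ISP
    ours.flush()   # flushing our own cache does not reset the ISP's clock
    seen.append(ours.query("www.domain.tld", 18 * 3600)[1])  # 21600
    seen.append(ours.query("www.domain.tld", 25 * 3600)[1])  # ISP entry expired: 86400 again
    return seen


def split_horizon():
    """Internal DNS authoritative only for cloud.website.com (the subdomain
    route taken in the thread) versus a zone covering the whole domain."""
    public = Resolver("hosting-dns", zones={"website.com": {
        "cloud.website.com": ("198.51.100.20", DAY),
        "ftp.website.com": ("198.51.100.21", DAY)}})
    sub = Resolver("ad-dns", upstream=public,
                   zones={"cloud.website.com": {"cloud.website.com": ("192.168.1.5", 3600)}})
    whole = Resolver("ad-dns", upstream=public,
                     zones={"website.com": {"cloud.website.com": ("192.168.1.5", 3600)}})
    out = {
        "cloud_via_subzone": sub.query("cloud.website.com", 0)[0],   # internal IP, no wait
        "ftp_via_subzone": sub.query("ftp.website.com", 0)[0],       # forwarded to hosting
        "cloud_via_wholezone": whole.query("cloud.website.com", 0)[0],
    }
    try:
        whole.query("ftp.website.com", 0)
        out["ftp_via_wholezone"] = "resolved"
    except LookupError:
        out["ftp_via_wholezone"] = "NXDOMAIN"   # ftp must be added to the zone by hand
    return out
```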

Hello,

What does WS stand for in your diagrams?

Windows Server.

As to the client returning public after you created a local record for it on the local DNS.. Did the local DNS still have a cache for the record? You can look in the DNS server admin client and I believe if you turn on advanced view you can see everything cached on that server (Microsoft DNS - BIND not like this).

In the MMC for DNS, you can right click and "Clear/refresh/clean cache". I didn't even look at things cached. Just automatically cleaned it.

If your local client DNS cache is flushed, and the DNS it's asking is authoritative for the domain - the instant you create a record or change the record it's available.. There should be no wait. So something was not right

I'm not sure what happened either.

What do you mean you created a subdomain?

Let me see if I can explain it correctly.

I have http://8.8.8.9 which is my web site on my hosting. The FQDN to that would be http://website.com. That's set in my hosting's DNS.

My hosting allows me to have subdomains. Originally I was gonna do http://8.8.8.9/cloud (http://website.com/cloud) but I thought about it and think it would make a bit more sense (although it's harder to type out, even though harder in some cases is more secure), but then I thought, why not make a subdomain? So I went ahead and made http://cloud.website.com/cloud (redundant I know, but it's based off a NAS package so I really have no desire to touch rewrites and stuff to make it http://cloud.website.com).

Now, my hosting obviously has a record for *.website.com so I had to go to my hosting's DNS and make sure that subdomain has an A record pointing to where I have OwnCloud installed, which is basically here, at our office, at our NAS.

If your public domain is domain.tld, you can not create sub.domain.tld on your DNS and expect that to work - unless you're going to query www.sub.domain.tld.. So confused as to what you mean by "why I went with a subdomain instead of our regular domain."

No, I didn't expect that to work. I changed that on my hosting's DNS in order for it to work :)

I went with that because since I already had a domain I might as well use it, and since it is known internally....


Hello,

Virtual Server is where you will only forward a single service (or range of ports) to a particular address.

1:1 maps everything to a particular address.

So what your rule is doing is 1:1 NAT manually in a Virtual Server rule; it will work, but there are more boxes to fill in.

A single public IP - yes.

With multiple IPs and using the source it will allow you to manage multiple services allocated to different IPs on the same interface, so you could run 5 mail servers on a single internet link, each using port 25 on a different IP.

Load balancing is a whole different area of the USG; yes it will do it, but you would need a USG50 (can't tell from the screenshot which yours is) minimum (the little USG 20 has only 1 WAN port) and you configure it in the WAN_TRUNK.

As for OpenVPN, you might want to check your USG for that too ;) It supports IPsec, L2TP, and SSL (depending on your model). You can even augment the SSLVPN with an OTP dongle and RADIUS authentication.

Quite a feature rich unit for the money :)

The Zyxel support notes are pretty good: ftp.zyxel.co.uk and look for your model.

(And no I don't work for Zyxel!)
