Access server via port-forward on WAN from LAN (R7800, NSS)

Hi,
I've been using OpenWRT for many years, but I recently bumped into an issue that I have a hard time figuring out; it used to work before but now it doesn't.
I use a Netgear R7800 router, currently with Kong's build, but I also tried ACwifidude's build.
The issue is that I have several servers running on my local network, for which I have a port-forward configured in the router to access them from the WAN; this works fine.
However, when I try to access the servers on the WAN IP from a device in my LAN, the servers are unreachable. When I connect directly from the LAN device to the LAN server (not via the port-forward on the router's WAN IP) I can reach the server.
This always worked correctly, but stopped working when I switched to the Kong build or the ACwifidude build for the R7800. I need these custom builds for performance reasons: I have a 1 Gbit/s up/down link which the normal OpenWrt releases cannot cope with (max up/down of ~500 Mbit/s).

I expect my problem has something to do with the firewall configuration, but I cannot find the right setting to change to get this working again.
Does anyone know what I need to change to get these servers reachable again on the WAN IP's forwarded port from a device connected to my LAN?

Thanks for any help,
Herman

1 Like

Search for "hairpin NAT" or "NAT reflection".

2 Likes

Hi, thanks for your quick response.
In the advanced tab for the port-forward rule I have a setting for 'NAT Loopback', which comes closest to what you describe.
I tried all possible settings (enable/disable and use internal/external IP address); none of the settings I tried helped.

Trying to investigate further, I've been looking into the firewall stats page and see these rules

with just below this rule the SNAT reflection rules for my server, and also

with just below the DNAT rules for my servers.

So it seems (to me) that the reflection rules are set up properly from my configuration, but that there is a sort of 'catch-all' rule just above which effectively disables the reflection rules.
Now I'm trying to find out where this 'catch-all' rule comes from; this doesn't seem to be something that I configured....

If it worked earlier, it might be a bug in the NSS hardware offloading used in those two builds (creating that performance boost you want), or in the OpenWrt firewall's incompatibility with NSS. Note that the NSS functionality has not been merged into the OpenWrt repo, but is still experimental / under development by some users. The NSS offloading means that the normal firewall & NATting is partially bypassed.

Ps. NAT Loopback should be the correct option.

Pps. I think that those two rules are just default placeholders providing a standard place to place user-specific custom rules. They shouldn't affect you.

2 Likes

Note that the OpenWrt implementation of NAT loopback/reflection expects the client and server to be in the same firewall zone to work properly.
Also be aware that it's basically a dirty hack that results in redundant traffic, extra CPU load on the router and possible throughput limitation.
An ideal solution is to use your own subdomain for each service and then address them by IPv6 locally and worldwide, or rebind the public IPs to the private ones on the local DNS when restricted by IPv4 limitations.

3 Likes

Hi,
you're probably right that it has something to do with the NSS drivers; the reason I chose these builds was exactly that ;).
I might give your build (that hasn't got NSS built in, right?) a try this evening and see what performance I can reach with that and whether my issue is still present then.

Hi,
thanks for your feedback. I do like your suggestion to use local DNS to point to my internal servers instead of using the external IP with the forwarded port; I hadn't thought of that option.
Will give it a try this evening and see if that fixes my issue.

Update: I included the WAN name in my local DNS server and that works great; a neat and easy solution.

1 Like
