Cannot see hosted service with external IP and NAT loopback

Hello! I have gotten my port forwarding to work properly for external users, but when trying to connect from the internal network, I am only able to connect via the internal IP (which is not sufficient for this game service and its requirements). I have enabled NAT Loopback and 'use Internal IP address' is selected.
I have done quite a bit of research on whether I should use the internal or the external IP here, but found no concise answer.
I also don't know whether NAT loopback belongs on this rule, or whether it should be a separate rule specific to loopback.

cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'REJECT'
        option forward 'REJECT'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone 'docker'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option name 'docker'
        list network 'docker'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Ark Game1'
        option src 'wan'
        list proto 'tcp'
        list proto 'udp'
        option dest_ip '192.168.1.106'
        option src_dport '7777'
        option dest_port '7777'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Ark1 Peer'
        option src 'wan'
        list proto 'tcp'
        list proto 'udp'
        option dest_ip '192.168.1.106'
        option src_dport '7778'
        option dest_port '7778'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option src 'wan'
        list proto 'tcp'
        list proto 'udp'
        option dest_ip '192.168.1.106'
        option src_dport '27015-27024'
        option dest_port '27015-27024'
        option name 'Ark1&2 Query'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Ark1 RCON'
        option src 'wan'
        option src_dport '32330'
        option dest_port '32330'
        list proto 'tcp'
        list proto 'udp'
        option dest_ip '192.168.1.106'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'ArkGame2'
        option src 'wan'
        option dest_ip '192.168.1.106'
        option src_dport '7779'
        option dest_port '7779'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Ark Peer2'
        option src 'wan'
        option dest_ip '192.168.1.106'
        option src_dport '7780'
        option dest_port '7780'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'ark2 rcon'
        option src 'wan'
        option src_dport '32331'
        option dest_ip '192.168.1.106'
        option dest_port '32331'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option src 'wan'
        option src_dport '27016'
        option dest_ip '192.168.1.106'
        option dest_port '27016'
        option src_ip '192.168.1.1/24'
        option name 'loopback Ark2'
        option enabled '0'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'loopback ark1'
        option src 'wan'
        option src_ip '192.168.1.1/24'
        option src_dport '27015'
        option dest_ip '192.168.1.106'
        option dest_port '27015'
        option enabled '0'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Ark2 Querry'
        option src 'wan'
        option dest_ip '192.168.1.106'
        option src_dport '27023'
        option dest_port '27023'
        option reflection_src 'external'
        option enabled '0'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option src 'lan'
        option dest_ip '192.168.1.106'
        option name 'T-PC loopback'
        option reflection_src 'external'
        option src_dport '27015-27016'
        option dest_port '27015-27016'
        option src_ip '169.254.79.179'
        option enabled '0'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'T-PC loopback gameports'
        option src 'lan'
        option src_dport '7777-7780'
        option dest_ip '192.168.1.106'
        option dest_port '7777-7780'
        option src_ip '169.254.79.179'
        option reflection_src 'external'
        option enabled '0'

config redirect
        option dest 'wan'
        option target 'DNAT'
        option name 'lan to wan?'
        option src 'lan'
        option src_ip '169.254.79.179'
        option src_dport '27015-27016'
        option dest_ip 'EXTERNALIP'
        option dest_port '27015-27016'
        option enabled '0'
cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd00:ab:cd::/48'

config device
        option name 'eth0'
        option macaddr 'MACADD'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config device
        option name 'eth1'
        option macaddr 'MACADD'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.1'

config interface 'docker'
        option device 'docker0'
        option proto 'none'
        option auto '0'

config device
        option type 'bridge'
        option name 'docker0'

Thanks for any help!

I'm afraid I just can't understand enough to execute on this. I figured I would need a new rule, but what exactly does the rule need to do?
I tried:

Alternatively, I also don't know quite enough about creating a host name and going that route. I just need a little bit of instruction.

I've tried following this guide here: https://unix.stackexchange.com/questions/282086/how-does-nat-reflection-nat-loopback-work
My iptables look like this now:

# Generated by iptables-save v1.8.7 on Sun May 29 21:01:58 2022
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
[383754:19965003] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
[0:0] -A PREROUTING -s 192.168.1.0/24 -d 67xxxxxxx -i br-lan -p tcp -m tcp --dport 27015 -j DNAT --to-destination 192.168.1.106
[0:0] -A PREROUTING -s 192.168.1.0/24 -d 67.xxxxxxx -i br-lan -p tcp -m tcp --dport 27015 -j DNAT --to-destination 192.168.1.106
[0:0] -A PREROUTING -s 192.168.1.0/24 -d 67.xxxxxxx -i br-lan -p tcp -m tcp --dport 7777 -j DNAT --to-destination 192.168.1.106
[0:0] -A PREROUTING -s 192.168.1.0/24 -d 67.xxxxxxx -i br-lan -p tcp -m tcp --dport 7778 -j DNAT --to-destination 192.168.1.106
[49:2597] -A PREROUTING -s 192.168.1.0/24 -d 67.xxxxxxx -i br-lan -p udp -m udp --dport 27015 -j DNAT --to-destination 192.168.1.106
[12:636] -A PREROUTING -s 192.168.1.0/24 -d 67.xxxxxxx -i br-lan -p udp -m udp --dport 7777 -j DNAT --to-destination 192.168.1.106
[0:0] -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
[0:0] -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
[0:0] -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
[0:0] -A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.106/32 -o br-lan -p tcp -m tcp --dport 27015 -j SNAT --to-source 192.168.1.1
[0:0] -A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.106/32 -o br-lan -p tcp -m tcp --dport 7777 -j SNAT --to-source 192.168.1.1
[0:0] -A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.106/32 -o br-lan -p tcp -m tcp --dport 7778 -j SNAT --to-source 192.168.1.1
[0:0] -A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.106/32 -o br-lan -p udp -m udp --dport 27015 -j SNAT --to-source 192.168.1.1
[0:0] -A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.106/32 -o br-lan -p udp -m udp --dport 7777 -j SNAT --to-source 192.168.1.1
[0:0] -A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Sun May 29 21:01:58 2022

I still can't find my service.

It appears the UDP PREROUTING rules are the only ones doing anything (the others show zero packet counters). So do I need a corresponding POSTROUTING rule to solve this?

Anyone able to see what I'm doing wrong? Using a VPN on the machine I want to join the server from works, but that is not possible as a permanent solution.

Did you make the rule as I noted?

HTTP Example:

config redirect
	option target 'DNAT'
	option src 'wan'
	option proto 'tcp'
	option src_dport '80'
	option dest_port '80'
	option src_ip '192.168.1.0/24'
	option name 'REDIRECT_HTTP_LAN'
	option dest_ip '192.168.1.106'
	option dest 'lan'

The information was in the link provided above.

A rule that allows the traffic and places the packet in the SRC network :warning:. This changes the DST IP from the public address to the LAN address, and allows the packet to travel using the zone's regular routing rules.

Thank you for following up. I re-read again with some more knowledge and was able to make the following rules:


config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'iLeachii rule'
        option src 'wan'
        option src_ip '192.168.1.0/24'
        option src_dport '27015'
        option dest_ip '192.168.1.106'
        option dest_port '27015'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'iLeachii Rule 7777'
        option src 'wan'
        option src_ip '192.168.1.0/24'
        option src_dport '7777-7778'
        option dest_ip '192.168.1.106'
        option dest_port '7777-7778'

The query port for the server is 27015, and the game ports are 7777 and 7778. These rules aren't written the same way as yours, but I believe they are equivalent. Let me know what you think, and whether I made any errors.

Thank you!

EDIT: I didn't say in the initial edit, but these rules didn't fix the problem :stuck_out_tongue:


Because this is the same network as the SRC, no routing takes place (which would be needed in your use case).

  • You would simply address the server at 192.166.1.106 (i.e. no routing); or, since you say that's impossible,
  • Place in another VLAN, then a rule that requires routing will work; or
  • Add a DNS name on the OpenWrt for the server with the LAN IP
  • You would simply address the server at 192.166.1.106 (i.e no routing); or since you say that's impossible

Yea, that makes sense. I thought the rule might force it to route through the WAN and back to my LAN.

  • Place in another VLAN, then a rule that requires routing will work; or

How would I accomplish this? Make a new Interface in OpenWRT?

  • Add a DNS name on the OpenWrt for the server with the LAN IP

This is something I tried to research but couldn't understand. Is it something that OpenWRT can do itself, or do I need to figure out how to host something on one of my PCs to act as a DNS server? I did this, but I have no idea how to use it, or whether it's helpful:

is SRC = 'Source' ?

I appreciate you following up on the post.

Revert the configuration you applied earlier.

Then please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have.

# Diagnostic dump requested in the thread: board/release info, the UCI
# network, dhcp and firewall configs, the legacy firewall.user script,
# the live iptables rules with packet counters, and the IPv4 addresses,
# routes (all tables) and policy rules.
# Every command runs unconditionally, so one failure (e.g. a missing
# firewall.user) does not stop the rest of the dump.
# The output contains MAC addresses and the public WAN IP; redact those
# before posting.
ubus call system board
uci export network
uci export dhcp
uci export firewall
head -n -0 /etc/firewall.user   # -n -0: all but the last 0 lines, i.e. the whole file
iptables-save -c
ip -4 addr
ip -4 ro li tab all
ip -4 ru

results in

{
        "kernel": "5.15.25",
        "hostname": "FriendlyWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "FriendlyElec NanoPi R4S",
        "board_name": "friendlyelec,nanopi-r4s",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.0-rc1",
                "revision": "r19302-df622768da",
                "target": "rockchip/armv8",
                "description": "OpenWrt 22.03.0-rc1 r19302-df622768da"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd00:ab:cd::/48'

config device
        option name 'eth0'
        option macaddr 'MAC:ADD'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config device
        option name 'eth1'
        option macaddr 'MAC:ADD'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.1'

config interface 'docker'
        option device 'docker0'
        option proto 'none'
        option auto '0'

config device
        option type 'bridge'
        option name 'docker0'

package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'Flux2new'
        option dns '1'
        option mac 'MAC:ADD'
        option ip '192.168.1.106'
        option leasetime '0'

config domain
        option name 'Flux2'
        option ip '192.168.1.106'

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'REJECT'
        option forward 'REJECT'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone 'docker'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option name 'docker'
        list network 'docker'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Ark Game1'
        option src 'wan'
        list proto 'tcp'
        list proto 'udp'
        option dest_ip '192.168.1.106'
        option src_dport '7777'
        option dest_port '7777'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Ark1 Peer'
        option src 'wan'
        list proto 'tcp'
        list proto 'udp'
        option dest_ip '192.168.1.106'
        option src_dport '7778'
        option dest_port '7778'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option src 'wan'
        list proto 'tcp'
        list proto 'udp'
        option dest_ip '192.168.1.106'
        option src_dport '27015-27024'
        option dest_port '27015-27024'
        option name 'Ark1&2 Query'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Ark1 RCON'
        option src 'wan'
        option src_dport '32330'
        option dest_port '32330'
        list proto 'tcp'
        list proto 'udp'
        option dest_ip '192.168.1.106'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'ArkGame2'
        option src 'wan'
        option dest_ip '192.168.1.106'
        option src_dport '7779'
        option dest_port '7779'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Ark Peer2'
        option src 'wan'
        option dest_ip '192.168.1.106'
        option src_dport '7780'
        option dest_port '7780'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'ark2 rcon'
        option src 'wan'
        option src_dport '32331'
        option dest_ip '192.168.1.106'
        option dest_port '32331'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'iLeachii rule'
        option src 'wan'
        option src_ip '192.168.1.0/24'
        option src_dport '27015'
        option dest_ip '192.168.1.106'
        option dest_port '27015'
        option enabled '0'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'iLeachii Rule 7777'
        option src 'wan'
        option src_ip '192.168.1.0/24'
        option src_dport '7777-7778'
        option dest_ip '192.168.1.106'
        option dest_port '7777-7778'
        option enabled '0'

head: cannot open '/etc/firewall.user' for reading: No such file or directory
# Generated by iptables-save v1.8.7 on Wed Jun  1 22:25:07 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-MAN - [0:0]
:DOCKER-USER - [0:0]
[0:0] -A INPUT -p tcp -m tcp --dport 27015 -j LOG
[461649598:442699669737] -A FORWARD -j DOCKER-USER
[461649598:442699669737] -A FORWARD -j DOCKER-ISOLATION-STAGE-1
[0:0] -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o docker0 -j DOCKER
[0:0] -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
[0:0] -A FORWARD -i docker0 -o docker0 -j ACCEPT
[0:0] -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
[461649598:442699669737] -A DOCKER-ISOLATION-STAGE-1 -j RETURN
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -j RETURN
[0:0] -A DOCKER-MAN -i br-lan -o docker0 -j RETURN
[0:0] -A DOCKER-MAN -o docker0 -m conntrack --ctstate INVALID,NEW -j DROP
[0:0] -A DOCKER-MAN -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
[461649598:442699669737] -A DOCKER-MAN -j RETURN
[461649598:442699669737] -A DOCKER-USER -j DOCKER-MAN
[0:0] -A DOCKER-USER -i eth0 -o docker0 -j REJECT --reject-with icmp-port-unreachable
[461649598:442699669737] -A DOCKER-USER -j RETURN
COMMIT
# Completed on Wed Jun  1 22:25:07 2022
# Generated by iptables-save v1.8.7 on Wed Jun  1 22:25:07 2022
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
[674372:35704079] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
[7:360] -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
[7:360] -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
[0:0] -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
[0:0] -A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Wed Jun  1 22:25:07 2022
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 67.180.137.222/21 brd 67.180.143.255 scope global eth0
       valid_lft forever preferred_lft forever
19: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
25: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
default via 67.180.136.1 dev eth0 proto static src 67.EXT.IP
67.180.136.0/21 dev eth0 proto kernel scope link src 67.EXT.IP
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
local 67.EXT.IP dev eth0 table local proto kernel scope host src 67.EXT.IP
broadcast 67.180.143.255 dev eth0 table local proto kernel scope link src 67.EXT.IP
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 172.17.0.1 dev docker0 table local proto kernel scope host src 172.17.0.1
broadcast 172.17.255.255 dev docker0 table local proto kernel scope link src 172.17.0.1 linkdown
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

22.03 uses nftables for its firewall. I haven't used it, and I don't know whether NAT loopback is implemented and working correctly there.

What can I install to make it work 'normally'? Is there a version that's more straightforward?

Surely there is someone using NAT loopback for their service. Any other things to try?

Yes I am. I have it set on many servers, Public IPs, etc.

I provided you the information. You should try that.

I also provided you information that the "Loopback" check mark works only for the IP in the rule in question (e.g. an HTTP server on a desktop PC that you test with the public IP); but you're trying to redirect traffic.

Again, you cannot route in the same LAN/VLAN, the Kernel and clients are smart enough to know the SRC (source) and DST (destination) network are identical (i.e. no need to use router/gateway/firewall). So to redirect, you have to cross a network.