Your ISP's router isn't configured to allow "hairpin NAT".
Yes, and I don't have any access to the config GUI. The ISP configured a DMZ for me on 192.168.254.2. Because of that, I use an OpenWRT router too (IP 192.168.1.1).
What's the "best" directory to put my iptables workaround script in? It needs to start like a service, without any user interaction, not manually, with every router boot:
#!/bin/sh
# Hairpin-NAT workaround: look up the public IP, then DNAT LAN traffic aimed at it to the web host.
PUBLIC_IP=$(wget -qO- http://ipecho.net/plain) || exit 1
[ -n "$PUBLIC_IP" ] || exit 1   # abort if the lookup failed; never install a rule with an empty address
iptables -t nat -A PREROUTING -d "$PUBLIC_IP" -p tcp --dport 80 -j DNAT --to-destination 192.168.1.171
# Rewrite the source of LAN-originated hairpin traffic to the router so the server's replies come back through it
iptables -t nat -A POSTROUTING -d 192.168.1.171 -s 192.168.1.0/24 -j SNAT --to-source 192.168.1.1
That depends on the contents of the include directive in /etc/config/firewall.
By default it points to the file at /etc/firewall.user but that can be changed.
It should be executed AFTER all other firewall rules...
Bung your custom rules in a separate script, then use a sleep timer to delay the execution of the script, on each startup:
sleep 60
/etc/myfirewallrules
Isn't that the correct path to execute it automatically?
/etc/init.d/iptables_custrules.hm
instead of
/etc/iptables_custrules.sh?
Can you disable NAT on the OpenWrt router?
No. Because of that I think I need to change my ISP soon!!
Now there are problems: the service seems to run too early:
NAT loopback is the problem. But I have a DMZ, configured by the ISP.
Since you've got control over DNS, either through DHCP or by configuring "your" clients, make it easy on yourself and set up a "local override" for www.example.com to 192.168.1.171
I don't like domain-to-IP entries on the client, e.g. the Windows hosts file or something like that...
And I need to check that the web service runs on the public IP address!! There is no other way!!!
Maybe my smartphone, Tor Browser or a VPN connection to bypass the NAT loopback problem... no, not really...!!
You're making it far too complicated
- DHCP points clients to "your" local DNS server
- Clients on your network with static addresses you point to your local DNS server
- That server gives out 192.168.1.171 as the A record for www.example.com
No need to know your public IP address for any internal hosts.
I do this with unbound on my network for my public-facing mail, web, and MQTT hosts. You should be able to do the same with dnsmasq as well.
I don't have my own local DNS. My router relays to public DNS servers.
Much easier to set up dnsmasq or unbound than all you're trying to do.
Even if you get half of hairpin NAT working, how are you going to deal with the return packets if the two hosts are on the same network?
Outbound packet
192.168.1.100 => publicIP gets routed to 192.168.1.1 and NAT-ed to
192.168.1.100 => 192.168.1.171
Return packet
192.168.1.171 => 192.168.1.100 which is link-local and never touches the router
Your host never sees publicIP => 192.168.1.100
Edit -- Here's what I would do
Ignore the subnet that your ISP gives you, configure your OpenWrt WAN for 192.168.254.2 -- that's effectively a one-to-one mapping of your public IP.
Put all your hosts behind the OpenWrt box.
Set up dnsmasq on your OpenWrt box to provide DHCP and DNS
Set up dnsmasq on your OpenWrt box to resolve whatever hostname(s) you want to the IP of the service host on your behind-OpenWrt net.
Set up port forwarding on your OpenWrt box to forward 192.168.245.2:nnnn to the IP and appropriate port of the service host on your behind-OpenWrt net.
Done.
Want a little more security? Put your service hosts on their own subnet and route to them from your internal hosts. Firewall as appropriate between the two. (I personally wouldn't trust the security of "win10 machine with apache" exposed to the Internet.)
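The outbound/return packet flow described in the reply above, as an added simulation that is not code from this thread: it models the router's DNAT rule alone against DNAT plus the POSTROUTING SNAT from the earlier script, using placeholder addresses for the public IP and the client, and shows which reply the client actually receives in each case.

```python
# Constructed hairpin-NAT model; the public IP and client address are placeholders, not from the thread.
ROUTER = "192.168.1.1"
PUBLIC_IP = "203.0.113.10"   # placeholder public address (documentation range)
SERVER = "192.168.1.171"
CLIENT = "192.168.1.100"     # placeholder LAN client
LAN_PREFIX = "192.168.1."

def on_lan(ip):
    return ip.startswith(LAN_PREFIX)

def router_forward(pkt, conntrack, with_snat):
    """PREROUTING DNAT to the server, plus optional POSTROUTING SNAT to the router for LAN sources.
    The conntrack entry is keyed on the reply tuple so the router can reverse it later."""
    src, dst, sport, dport = pkt
    if dst == PUBLIC_IP and dport == 80:
        new_src = ROUTER if (with_snat and on_lan(src)) else src
        conntrack[(SERVER, new_src, 80, sport)] = (PUBLIC_IP, src)
        return (new_src, SERVER, sport, 80)
    return pkt

def router_reverse(pkt, conntrack):
    """Undo the translation for a reply that does reach the router."""
    src, dst, sport, dport = pkt
    orig = conntrack.get((src, dst, sport, dport))
    if orig is None:
        return pkt
    public, client = orig
    return (public, client, sport, dport)

def hairpin_exchange(with_snat):
    """Return (reply as seen by the client, whether it matches the connection the client opened)."""
    conntrack = {}
    request = (CLIENT, PUBLIC_IP, 40000, 80)          # client -> publicIP:80
    forwarded = router_forward(request, conntrack, with_snat)
    # The server answers whatever source address it saw in the forwarded packet.
    reply = (forwarded[1], forwarded[0], 80, forwarded[2])
    # A reply addressed to a LAN host other than the router is delivered link-local and bypasses NAT.
    if on_lan(reply[1]) and reply[1] != ROUTER:
        seen = reply
    else:
        seen = router_reverse(reply, conntrack)
    expected = (PUBLIC_IP, CLIENT, 80, 40000)           # what the client's TCP stack is waiting for
    return seen, seen == expected
```

Without SNAT the client receives a packet from 192.168.1.171 for a connection it opened to the public IP, so the stack discards it; with SNAT the reply is forced back through the router, which restores the public address.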
That's what I have done; the port forward works. But the problem was the access to my external IP from my own subnet (where the server is)...
-> "NAT Loopback". And yes, it occurs too when I put my server directly into the 192.168.254.xx zone from the ISP's router. So the NAT loopback problem is there, and not on OpenWRT...
The Win10 machine with Apache is just for testing. It's my own laptop and not a server.