Help with hairpinning / NAT loopback with openwrt 18.06

Hey all, first time needed to post to configure something that up untill now didn't find a solution for.

Running OpenWrt 18.06.1 r7258-5eb055306f on linksys 1900acs for few years now.
I've switched this week my isp to get higher down/up speed. (moved from pppoe to dchp docsis3)
I have several services on my lan that i access with ddns from outside and inside the lan.
Up until now every thing worked (before switching isp) to access the url didn't need to configure anything but open ports (80/443)

after switching i can't access inside the network to the external ip with the ddns address.

I've tried several tricks like making sure the port forward has reflection flag on it.
Tried adding to /etc/hosts file the address (which i dont really like) which works at the beginning but some of the computers/tablets not getting it and i want a better solution then that.

I'm software enginner and have some knowlege around networks/openwrt configuration (but not so much).

what i'm trying to figure out, is there a configuration to fix it in openwrt that i'm missing or haven't configure right.
Maybe the problem is with the new ISP and there is no solution.

Hope you could inspire me with a solution it really fustrate me.
Have a great week.

NAT Loopback is not a good solution.
Just create a domain entry in dhcp configuration (or Network Hostnames in Luci) with the name that you use and the internal IP of the server.

1 Like

can you elaborate on that?
i've went in luci to network-> hostnames

added the hostname and the machine's ip that should connect to it.
not seeing any change when in lan network (tried reconnect to network if that's neccesseray)
i also see in etc/config/dhcp the new record i've added

any help what to check next?


Not sure of your ISP, but many DOCSIS ISPs use carrier-grade NAT in their networks with IPv4-addresses on the router that are not publicly routed, so can not be reached from the outside. I would not be amazed if the DDNS service would collect the public IPv4 address from the CG-NAT device and just stop there...
What is the out put you get from:

opkg update ; opkg install mtr; mtr -ezb4w -c 10

what the output tells you?

Do an nslookup from the host in the lan and post here the output.
You seem to be behind CG-NAT by the way. DDNS and port forwarding won't work. Is your wan IP public or private?

this is the output

I'm a bit confused about what you said about CG-NAT, not sure exactly what it is but:
when i'm outside the network i'm able to access my server (the ports i've opened are working, the ip i get from the modem is the external ip in the www net)

can you elaborate about how it affects me?

The first two addresses are not publicly routed addresses:

computer:~ user$ whois
% IANA WHOIS server
% for more information on IANA, visit
% This query returned 1 object

inetnum: -
organisation: IANA - Private Use
status:       RESERVED

remarks:      Reserved for Private-Use Networks [RFC1918].Complete
remarks:      registration details for are found
remarks:      iniana-ipv4-special-registry.

changed:      1995-06
source:       IANA

computer:~ user$ whois
% IANA WHOIS server
% for more information on IANA, visit
% This query returned 1 object

inetnum: -
organisation: IANA
status:       assigned


changed:      1994-03
source:       IANA

That IMHO is a decent hallmark of your ISP using some sort of NAT. What IP-address does the ddns service return? My prediction is, if it just queries the router it will get something close to which will not be reachable from the outside, and when it queries from the outside somehow, you might get the CG-NAT devices public IP-address. In any case DDNS is not going to result in a working solution. Either use IPv6, or ask your ISP for a publicly routed IPv4 address (and/or dual stack, with both publicly routed IPv4 and IPv6 prefixes).

P.S.: You can just copy and paste the content of a terminal window as text, no need for taking image screen grabs, just paste the text between two lines og three back-ticks each (without the quotes), like:

root@router:~#  mtr -ezb4w -c 10
Start: 2020-05-06T11:29:50+0200
HOST: xxxxxxxxxxx                                                                  Loss%   Snt   Last   Avg  Best  Wrst StDev
  1. AS6805 (      30.0%    10    9.0   9.2   9.0   9.5   0.2
  2. AS6805 (   20.0%    10   13.5  10.0   9.2  13.5   1.4
  3. AS6805 (            20.0%    10   16.2  16.4  16.2  16.5   0.1
       [MPLS: Lbl 925 TC 0 S u TTL 1]
  4. AS6805 (             20.0%    10   16.1  16.7  16.0  20.4   1.5
       [MPLS: Lbl 931 TC 0 S u TTL 1]
  5. AS6805 (  20.0%    10   27.2  17.9  16.2  27.2   3.8
       [MPLS: Lbl 24074 TC 0 S u TTL 1]
  6. AS6805 (     20.0%    10   16.4  16.5  16.4  16.8   0.2
@Not a TXT record
  7. AS??? (                     10.0%    10   27.3  18.9  16.9  27.3   3.3
  8. AS12306 (                                            20.0%    10   16.7  16.8  16.5  17.1   0.2
       [MPLS: Lbl 24006 TC 0 S u TTL 1]
  9. AS12306 (                                          10.0%    10   23.1  19.9  16.3  36.5   6.6
 10. AS12306 (                                          20.0%    10   22.9  17.4  16.5  22.9   2.2
 11. AS12306 (                                         30.0%    10   19.7  17.1  16.5  19.7   1.1

Can you show me what entry you have for the host?
uci export network; uci export dhcp; ls -l /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*

If you are able to connect from outside then this is not the case.

Using private IPs on some routers doesn't necessarily mean there is CG-NAT. The way to be certain is to check the wan IP.

1 Like

Well, two layers of private IPs from a traceroute/mtr of the router to the internet is a relative strong indicator, no?


It is a strong indication, but not a definite one.

1 Like

Mmmh, belongs to your ISP and is publicly visible, so that could be true dynamic IPv4 addresses or the CG-NAT front of your ISP, but traditionally with cg-nat you can not reach your machine from the outside, so the fact that you can access your computers from the outside argues against CG-NAT being your immediate problem.

BTW, this being cable, have you put your cable modem/router into bridge mode, or is it acting in router mode?

the modem from the ISP in bridge mode, i'm using my private router for everything else.

and yes i'm able to access my services outside the LAN with the ddns address, the problem is that inside i can't and i was able to before i switched ISP's, from what i've told the modem i've got now (which i must use and can't switch, because it's propaitary docsis) can't handle hairpinning/ NAT loopback (just saying the terms, not sure i fully understand it)

i would like to understand what are my options so when i'm inside the network i'll be able to access with the same address as from outside the LAN

root@router:~# uci export network; uci export dhcp; ls -l /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr ''
	option netmask ''

config globals 'globals'
	option ula_prefix 'fda8:0f9e:3c6d::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr ''
	option netmask ''
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth1.2'
	option proto 'dhcpv6'
	option reqprefix 'auto'
	option auto '0'
	option reqaddress 'try'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'

config route
	option interface 'wan'
	option target ''
	option netmask ''

package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/'
	option nonwildcard '1'
	option localservice '1'
	list rebind_domain ''

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host

config domain
	option name ''
	option ip ''

config domain

lrwxrwxrwx    1 root     root            16 Aug 16  2018 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 May  6 11:56 /tmp/resolv.conf
-rw-r--r--    1 root     root            67 May  6 11:58 /tmp/
==> /etc/resolv.conf <==
search lan

==> /tmp/resolv.conf <==
search lan

==> /tmp/ <==
# Interface wan

@trendy you asked for that output

I believe that that actually is a router thing, a bridged modem should not affect that at all.

That looks like you are trying to re-define your external with a local address manually. I was under the impression that hairpinning will do that automatically for your, so maybe this re-definition is interfering?

I hope that you have restarted the service to apply the change in the name.
service dnsmasq restart
If that is not the case, make sure that the host you are using is not bypassing the nameserver of OpenWrt and uses your ISP or some GoogleDNS.

okey i think i narrowed down the problem to 2 areas.

i pinged the ddns inside the router ssh, before i made any change i got the external ip address.
changed the hostsnames page so the machine's ip has the ddns address.
after few restarts i got from ping the internal ip.
but when i revert the change and do several restarts it doesn't come back to the external ip..

i'm not sure if it's persistent, if i wait, close the terminal and test again it sometimes comes back.

i would like to know what makes the change, so when i ping the ddns address i get the external or the internal ip...

@trendy @moeller0

any thoughts?

DNS cache can persist the old IP. Do a flush to make sure you'll query again for the latest record.

i've done a flush, is this flush the dns?
service dnsmasq restart
ping again, no change

is there other command to test? for the first step i only want to see that the change i make is persistent inside the router


In Windows and in Linux
What you have done would flush the cache in OpenWrt only.