Port Forwarding, NAT two routers

Hi Community,
I have been looking around the internet for hours now. I will try to describe my topic. Hopefully someone knows what the right setting might be.

My scenario:
DSL (public dynamic IP) on the WAN interface of the DSL router AllNet All-BM.
Then the internal interface with static is directly connected to an OpenWrt router (WAN: and LAN: ). On the local LAN on the IP: is my destination server located.

So I did a port forwarding from the WAN of the AllNet to the LAN (WAN) of the OpenWrt, and there a port forwarding to the local device.

I use dynamic DNS and a host.ddnss.de (443 & 80) to reach the machine on -> This works like a charm :) if I am outside my local LAN.

If I try to reach host.ddnss.de from inside the local LAN, I get a timeout. I can only reach the if I use the local IP or the name, which is different from host.ddnss.de.

In the OpenWrt router I have enabled NAT loopback with the option to use the external IP.
Switching this option to internal makes no difference.

Is there a way to tell my default gateway (OpenWrt router) that it should resolve host.ddnss.de from the local LAN?

If I traceroute I can see that the first hop is the and the 2nd the public IP of host.ddnss.de.
So it seems the OpenWrt does everything right, but if I try to connect in the browser (LAN) to it gives me a timeout.

Maybe there is a DNS problem, but unfortunately I don't have any idea.

Thanks for ideas on this :)

You could rebind myhostname.ddnss.de to the LAN IP address of the server.

uci add dhcp domain
uci set dhcp.@domain[-1].name="myhostname.ddnss.de" #Set the correct FQDN
uci set dhcp.@domain[-1].ip=""
uci commit dhcp
/etc/init.d/dnsmasq restart

If you insist on the NAT loopback approach, we'll need to see the current firewall rules.

iptables-save -t nat -c; nft list ruleset

Hi Pavel, thanks for your reply. I will try that :) and come back.

Hi Pavel,
Works like a charm :) I don't understand why, but it's great. Thx
Maybe you can give me a bit of an explanation?


Rebinding the domain name causes dnsmasq to resolve (for LAN clients) the FQDN to your machine's private IP address instead of the router's public one.

This is the better approach since NAT is not used for local clients.
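An added example (not from the thread, and not OpenWrt's own tooling) that wraps the uci rebind Pavel gave above so it can be re-run safely: it validates the LAN address, skips the add when `uci show dhcp` already holds the entry (each extra run would otherwise append another domain section), and confirms that the router's dnsmasq now answers with the LAN IP, which is why no NAT loopback is needed for local clients. myhostname.ddnss.de is the placeholder from the thread; 192.168.1.10 is a constructed LAN IP.

```shell
#!/bin/sh
# Added example (not from the thread or OpenWrt): idempotent version of the
# "uci add dhcp domain" rebind. 192.168.1.10 below is a constructed LAN IP.

# Return 0 if $1 is a syntactically valid dotted-quad IPv4 address.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1                      # split into octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if "uci show dhcp" output on stdin already maps $1 (FQDN) to $2 (IP).
domain_entry_exists() {
    awk -F"='" -v q="'" -v fqdn="$1" -v ip="$2" '
        /^dhcp\.@domain\[[0-9]+\]\.(name|ip)=/ {
            split($1, p, ".")          # p[2] = section (@domain[N]), p[3] = option
            v = $2; sub(q, "", v)      # drop the trailing quote
            if (p[3] == "name") name[p[2]] = v; else addr[p[2]] = v
        }
        END {
            for (s in name) if (name[s] == fqdn && addr[s] == ip) found = 1
            exit found ? 0 : 1
        }'
}

# Apply the rebind only when not already configured, then verify via dnsmasq.
apply_rebind() {
    fqdn=$1; lan_ip=$2
    valid_ipv4 "$lan_ip" || { echo "invalid IPv4 address: $lan_ip" >&2; return 2; }
    if uci show dhcp | domain_entry_exists "$fqdn" "$lan_ip"; then
        echo "already rebound: $fqdn -> $lan_ip"
        return 0
    fi
    uci add dhcp domain >/dev/null
    uci set "dhcp.@domain[-1].name=$fqdn"
    uci set "dhcp.@domain[-1].ip=$lan_ip"
    uci commit dhcp
    /etc/init.d/dnsmasq restart
    # LAN clients ask the router's dnsmasq, so query it directly.
    nslookup "$fqdn" 127.0.0.1 | grep -q "$lan_ip" && echo "rebound: $fqdn -> $lan_ip"
}

# Only touch a live router when run as: sh rebind.sh apply myhostname.ddnss.de 192.168.1.10
if [ "${1:-}" = "apply" ]; then
    apply_rebind "$2" "$3"
fi
```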

