Port forwarding works outside home network but not inside

Hi everyone, I got a nanopi r2s and I'm using friendlywrt. I was able to set up the port forwarding, so when I'm not at home, I'm able to access some services from my local LAN via port forwarding.

I use Google Domains since I don't have a static IP address, so I have a little bash script that checks if my IP address changed in order to update the DNS entry, if it's needed.

However, when I'm in the same network at home, I'm not able to reach out to those services using the DNS that I have. So for example:

mydns.com -> points to the public IP; if I try to access it at home, I always get a timeout. Am I missing something on FriendlyWRT/OpenWRT? When I was using my tp-link router with OEM firmware, that worked properly.

I'm pretty new to the openwrt world, so bear with me :slight_smile:

Thank you,
Regards.


So, when you're away from home, you are able to connect to mydns.com:12345 (for the sake of argument assuming that 12345 is the forwarded port). Your router is forwarding 12345 to some computer inside your LAN.

But when you are at home, this isn't working.

If I understand this correctly, then this is good. Your router is doing what it's supposed to be doing. It shouldn't work from home. Your router is, as it's being asked, forwarding connections coming in from the WAN to a port on your LAN. But when you're at home, and ask to connect the same way, the connection isn't coming from the WAN. It's coming from the LAN.

When you are at home, don't connect to mydns.com:12345. Connect to 192.168.1.xx:12345 (or whatever the LAN IP of the server is).

Better yet...

...don't do this. This is the dangerous way to go about something like this. The thing to do is set up Wireguard (or other VPN) on your home router. This way, if you're away from home you simply turn on Wireguard, then connect to 192.168.1.xx:12345, and if you are at home, you do the same thing just without turning on Wireguard.

EDIT: Btw, Welcome to the OpenWrt community.

Hey @VA1DER , thanks for your reply!

Actually, I already have Wireguard set up and that worked as you described :slight_smile: . One of the ports being forwarded is to wireguard.

But I still don't understand how that worked on the previous router; do you know why? I'm curious about what magic was defined there.

I see one option: add mydns.com to my /etc/hosts pointing to my internal IP, but it's so convenient to take advantage of that domain pointing to the public IP.

Again, thanks for your reply!

You could set up the port forwards to also redirect ports coming in from the LAN zone. It's all in how you configure the port forwarding. OpenWrt is set up into zones, and usually the port forwards are configured for incoming on WAN to forward to LAN. But you could add a forward for incoming on LAN to forward back to the LAN.

Other routers sometimes don't have as strict zone separation. They enter the rule into nftables more generically.

What you need is called "NAT loopback" (or other similar names like "hairpin NAT" or "NAT reflection" and so on).
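As an added illustration (not code from any poster in this thread), the script below parses `redirect` sections in the format of OpenWrt's `/etc/config/firewall` and reports which WAN-to-LAN port forwards will be reflected back into the LAN (NAT loopback), using the `reflection` option that fw3/fw4 enable per redirect by default. The sample config is constructed; the check assumes the `wan` zone's interface holds the public address, since reflection cannot help behind a second NAT.

```python
# Added example (not from the thread): audit OpenWrt /etc/config/firewall
# 'redirect' sections for NAT loopback. Sample config below is constructed.
import re

SAMPLE_CONFIG = """\
config redirect
    option name 'wireguard'
    option src 'wan'
    option src_dport '51820'
    option dest 'lan'
    option dest_ip '192.168.1.20'
    option dest_port '51820'
    option proto 'udp'
    option target 'DNAT'

config redirect
    option name 'web'
    option src 'wan'
    option src_dport '443'
    option dest 'lan'
    option dest_ip '192.168.1.10'
    option dest_port '443'
    option proto 'tcp'
    option target 'DNAT'
    option reflection '0'
"""

def parse_redirects(text):
    """Return one dict per 'config redirect' section (option name -> value)."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            cur = {"_type": line.split()[1]}
            sections.append(cur)
        elif cur is not None:
            m = re.match(r"option\s+(\S+)\s+'([^']*)'", line)
            if m:
                cur[m.group(1)] = m.group(2)
    return [s for s in sections if s["_type"] == "redirect"]

def lan_reachable(rule):
    """True if LAN hosts can reach this forward via the public address: fw3/fw4
    reflect wan->lan DNAT rules into the LAN unless 'reflection 0' is set."""
    return (rule.get("target", "DNAT") == "DNAT" and rule.get("src") == "wan"
            and rule.get("reflection", "1") == "1")

def audit(text):
    """Map each forward's name to whether NAT loopback applies to it."""
    return {r.get("name", "?"): lan_reachable(r) for r in parse_redirects(text)}
```

Running `audit` over a real `/etc/config/firewall` shows at a glance which forwards are WAN-only, which is what a timeout from inside the LAN usually means.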