Troubles with NAT Loopback

I am a new OpenWRT user (long-time TomatoUSB user) that runs a gaming server on my network, and I am having a heck of a time with NAT Loopback (I think, anyway).

Here is my issue:
When attempting to connect to my server locally I must use its local IP, otherwise I am unable to get the server to respond.
The reason this is a problem is the authentication for accessing the server for switching instances requires you to go outside the network and come back in when accessing it locally; hence my issue.

I have NAT Loopback checked for all of my port forwarded rules in the LuCI menu, yet it appears to not be functioning.

Is anyone else familiar with this and know of any workarounds?

I am a Comcast user so I know I am in a router-behind-a-router scenario; however my main router is in the DMZ of the Comcast gateway.

My landlord, although they allow access to the Comcast gateway and I have full permission to port forward anything I need, has told me putting the Comcast gateway into Bridge mode is not an option.

I would try to use "tcpdump" / "wireshark" and see if the packets are entering and exiting the server properly.

Also, posting your current firewall config file here will help.

New to OpenWRT; is there a way to save the config file? Or am I posting screens?
Using LuCI, btw.

I've found that the loopback selection doesn't work or operate in the manner you're describing. It enables loopback on the forwarded IP in question only (almost like a test).

You'll have to set up redirect firewall rules. Here's an example for port 80/tcp.

config redirect
	option target 'DNAT'
	option src 'wan'
	option proto 'tcp'
	option src_dport '80'
	option dest_ip '192.168.x.4'
	option dest_port '80'
	option src_ip ''
	option dest 'lan'
	option name 'REDIRECT_HTTP_LAN'

Since I use LuCI, where do I put this?

Good question - it would go in Port Forwards. If it helps, I believe I used LuCI to create it too.

I'm not sure how to view the information other than through the UI, but I set up a loopback config to test on port 25565.
It does not work, unfortunately.

Name: loopback
Protocol: TCP+UDP
SourceZone: WAN
Source IP:
SourcePort: 25565
External IP: any
External Port: 25565
Internal Zone: LAN
Internal IP:
Internal Port: 25565

Loopback is checked.

This was done in the "Port Forwards" area of the firewall.
I tried to make a similar rule with "Traffic Rules" with no luck either.


  • You have an extra port parameter I didn't give you, and since you're not using the command line, I dunno which one it is - remove Source Port
  • I didn't say check loopback, it's not included in the sample config above; and I explained what it does, so I'm not sure why you checked it anyways - please clarify if I'm missing something on that

Again, Port Forwards - BTW making random, bad and/or incorrect rules won't work either.

To be honest, as a newbie I am not really sure what I am doing; Loopback was automatically checked when it was created; I was just trying to mention it so you had all information.

I added "Source Port" because I thought that is what option src_dport was.
I've removed the Source Port without any luck.

  • So to be clear, you didn't remove src_dport - correct???
  • For all this trouble, you could just copy/paste this rule on the command line.
  • You're trying to reach port 25565 on the LAN server?

If I knew how to get to it, I assure you I would lol.

Since the GUI doesn't tell me what src_dport is, I have no idea.
You told me to remove Source Port so I removed it.

25565 is one of the ports I am trying to reach, yes; I am testing one of the services that only requires one port instead of many, to simplify it.

Well, I'm not gonna guess and you don't wanna

All I can suggest are screenshots at this point.

Also could be your default firewall rules, we usually ask for a paste of /etc/config/firewall - but you don't seem willing to produce command line outputs.

No no, I very much want to learn; I am not sure how my admitting my own ignorance on the subject is an unwillingness to learn.

@hellbringer616, it's simple.

Please provide the config you posted. I cannot and will not guess if you did/did not properly remove something. I also need to see your firewall config.

(And I assume you configured the correct IPs and ports in your rule.)

(I see you edited and added a screenshot) :+1:

Here is the screenshot of the config.

The router is otherwise 100% a base install other than my forwarded ports, which are confirmed working from the outside.

Also, it is not an unwillingness to produce the command line output... as I previously stated, I do not know how to produce it as I do not know how to access the router from the command line... If you could point me in the direction I would be happy to provide it.

Still not sure why you keep altering the rule I gave you, so I'm just gonna show you a screenshot, as this is getting harder than it needs to be:

Screenshot from 2019-12-13 10-29-08

Screenshot from 2019-12-13 10-29-25

To display the firewall, the command would be cat /etc/config/firewall

Found it!

config redirect
        option enabled '1'
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option dest_ip ''
        option dest_port '25565'
        option name 'Loopback'
        option reflection '0'
        option src_ip ''

Smh, I asked for the whole firewall. Nonetheless, please try the screenshot above.

I didn't change anything.. that was just the output it gave me; I've changed NOTHING in the GUI :confused:

Here is my full firewall.

If you compare our screens, I do not have "Destination Zone".
I only have "Internal Zone"; are they the same? (They both say LAN.)

Would you say this output is correct?

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '25565'
        option dest_ip ''
        option dest_port '25565'
        option name 'Loopback'
        option reflection '0'

I've no idea why it keeps adding reflection '0'
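
Added example, not part of any post in this thread: a small shell/awk lint for the `redirect` sections of `/etc/config/firewall`, flagging the two things the pasted rules differ on, a missing `src_dport` and `reflection '0'` (which switches NAT reflection off for that forward; the firewall's default is on). The function names and the sample IPs are made up for this example.

```shell
#!/bin/sh
# Added example: lint redirect sections of an OpenWrt firewall config on stdin.
lint_redirects() {
    awk -v q="'" '
    # Return the value of an "option key value" line, quoted or not.
    function val(s) {
        if (!index(s, q)) return $3
        sub("^[^" q "]*" q, "", s); sub(q ".*$", "", s)
        return s
    }
    function report(msg) { printf "%s: %s\n", name, msg }
    # Check the section just read; only DNAT redirects are examined.
    function check_section() {
        if (sect == "redirect" && (!("target" in o) || o["target"] == "DNAT")) {
            name = ("name" in o) ? o["name"] : "(unnamed)"
            if (o["src_dport"] == "") report("no src_dport, external port not restricted")
            if (o["reflection"] == "0") report("reflection 0, NAT loopback disabled")
            if (o["dest_ip"] == "") report("dest_ip not set")
        }
        split("", o)   # portable way to clear the array
    }
    $1 == "config" { check_section(); sect = $2 }
    $1 == "option" { o[$2] = val($0) }
    END { check_section() }
    '
}

# Constructed sample modelled on the two rules in the thread; IPs are made up.
sample_config() {
    cat <<'EOF'
config redirect
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'tcp udp'
    option dest_ip '192.168.1.4'
    option dest_port '25565'
    option name 'Loopback'
    option reflection '0'
config redirect
    option target 'DNAT'
    option proto 'tcp'
    option src_dport '80'
    option dest_ip '192.168.1.4'
    option dest_port '80'
    option name 'REDIRECT_HTTP_LAN'
EOF
}
sample_config | lint_redirects
```

On the router itself the same check can be run as `lint_redirects < /etc/config/firewall` after pasting the function into an SSH session.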