Viewing a web server hosted on a server on the LAN - but seeing the modem/router instead

Gordon Messmer gordon.messmer at gmail.com
Thu Oct 29 16:42:39 UTC 2015


On 10/29/2015 12:55 AM, birger wrote:
> many routers only do that port forwarding when you actually hit from the outside.

...which is an artifact of the way that NAT works.

Typically, NAT is set up to rewrite the destination in an IPv4 packet.  
So, let's say that the router *does* NAT for the internal network.  
192.168.1.2 tries to access the public IP of the router, x.x.x.x, which 
applies the NAT rule, rewrites the destination as 192.168.1.3, and 
forwards it.  That system receives a packet with "source:192.168.1.2 
destination:192.168.1.3".  How does it reply? Well, it sends a SYN/ACK 
with "source:192.168.1.3 destination:192.168.1.2".  And since it has a 
route to that destination, it's sent directly, not through the router.  
So no NAT gets applied.  The client receives a SYN/ACK whose source 
doesn't match the destination of the SYN packet it sent, so it drops the 
packet and continues to retry the connection.

If you have control of the router, you can solve that by rewriting both 
the destination AND the source address when applying NAT to the local 
network, but then all of your connections appear to come from the router 
instead of the real clients.

NAT is a mess.  It will always be a mess.  While you're using it, you 
should be using split-horizon DNS so that internal requests for the NAT 
servers are routed directly to internal addresses. Split-horizon DNS is 
also messy, but that's what we get with NAT. The best solution is to 
move to IPv6 as soon as possible.
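The packet flow Gordon describes, as an added worked example (not part of the original message or of any router's code): a small Python model of a LAN client hitting the router's public address, the router's port-forward (DNAT) rule, and the server's SYN/ACK taking the direct LAN path. It runs both variants, DNAT only and DNAT plus hairpin SNAT, and reports what the server saw as the client address and whether the client's TCP stack would accept the reply. All addresses are assumed for the example (203.0.113.10 is from a documentation range) and the NAT table is a deliberately simplified stand-in for a real conntrack implementation.

```python
# Model of hairpin NAT: client on the LAN connects to the router's public IP,
# the router DNATs to the internal server, and the server replies directly.
# Addresses below are assumptions for the example, not from the original post.
from dataclasses import dataclass

ROUTER_PUBLIC = "203.0.113.10"   # assumed public address of the router
ROUTER_LAN = "192.168.1.1"       # assumed LAN address of the router
CLIENT = "192.168.1.2"
SERVER = "192.168.1.3"
LAN_PREFIX = "192.168.1."


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN" or "SYN/ACK"


def on_lan(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


class Router:
    """Port-forwards public:80 to SERVER:80.  With hairpin_snat=True it also
    rewrites the source of LAN-originated hits so the reply comes back to it."""

    def __init__(self, hairpin_snat: bool) -> None:
        self.hairpin_snat = hairpin_snat
        # simplified NAT table: expected reply tuple -> the original SYN
        self.nat_table = {}

    def handle(self, pkt: Packet) -> Packet:
        if pkt.dst == ROUTER_PUBLIC and pkt.dport == 80:
            src = pkt.src
            if self.hairpin_snat and on_lan(pkt.src):
                src = ROUTER_LAN          # SNAT in addition to the DNAT
            out = Packet(src, pkt.sport, SERVER, 80, pkt.flags)
            self.nat_table[(out.dst, out.dport, out.src, out.sport)] = pkt
            return out
        orig = self.nat_table.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is not None:
            # undo both translations: the reply now appears to come from public:80
            return Packet(orig.dst, orig.dport, orig.src, orig.sport, pkt.flags)
        return pkt  # unrelated traffic is routed unchanged


def deliver(pkt: Packet, router: Router) -> Packet:
    """LAN routing: a LAN destination other than the router itself is reached
    directly (no NAT applied); anything else is handed to the router."""
    if on_lan(pkt.dst) and pkt.dst != ROUTER_LAN:
        return pkt
    return router.handle(pkt)


def hairpin_connect(hairpin_snat: bool, sport: int = 40000) -> dict:
    """Run one SYN / SYN-ACK exchange and report what each side observed."""
    router = Router(hairpin_snat)
    syn = Packet(CLIENT, sport, ROUTER_PUBLIC, 80, "SYN")
    at_server = deliver(syn, router)
    # the server answers whatever source address it saw in the SYN
    synack = Packet(SERVER, 80, at_server.src, at_server.sport, "SYN/ACK")
    at_client = deliver(synack, router)
    # the client only has a half-open socket for the tuple it sent the SYN to;
    # a SYN/ACK from any other source does not match it (a real stack answers
    # such a stray SYN/ACK with RST; either way the connection never completes)
    expected = (ROUTER_PUBLIC, 80, CLIENT, sport)
    got = (at_client.src, at_client.sport, at_client.dst, at_client.dport)
    return {
        "server_saw_client_as": at_server.src,
        "synack_source": f"{at_client.src}:{at_client.sport}",
        "client_accepted": got == expected,
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("hairpin SNAT" if mode else "DNAT only   ", hairpin_connect(mode))
```

With DNAT only, the server sees the real client address but its SYN/ACK arrives from 192.168.1.3:80 while the client is waiting on 203.0.113.10:80, so the handshake never completes. With hairpin SNAT the handshake succeeds, at the price the message notes: the server now logs every LAN client as 192.168.1.1. On a Linux router the equivalent rules are a DNAT in the nat PREROUTING chain for traffic to the public address on port 80, plus a POSTROUTING rule of the form `iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.3 -p tcp --dport 80 -j MASQUERADE` (addresses assumed as above) for the hairpin case.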


More information about the users mailing list