
Another NAT-Loopback Saga

mattius001
Investigator

This post is my last-ditch attempt before replacing the EE Smart Hub.

I'm trying to circumvent nat-loopback but having little success.

I've set up a local DNS server, and set up a static route for the problematic server (Synology NAS).

Interestingly, this works when I set the DNS on Windows to the local DNS server and the DDNS is routed to the internal IP, but when I set the DNS server in the EE Smart Hub settings it fails to route it; it's not even hitting the DNS server.

What I really don't understand is that, according to the Smart Hub's own configuration, anything that doesn't get blocked by the firewall rules (firewall is disabled) will be routed to the DMZ host, ignoring the NAT. Yet that isn't true, because it is blocking this.

Is there something I'm missing? Or is replacing the EE Smart Hub the only option?

It really is a massive omission to not enable NAT loopback on these routers. Using an internal address is not really a convenient option: you are constantly having to change logins for applications depending on whether you are home or away, and setting the DNS to a local one is quite an extreme option not really available to most users.

 

bobpullen
Prodigious Contributor

@mattius001 wrote:

I'm trying to circumvent nat-loopback but having little success.

What exactly is it you're trying to achieve?

I've set up a local DNS server, and set up a static route for the problematic server (Synology NAS).

So, you're trying to access a NAS on your local network from another machine?

Interestingly, this works when I set the DNS on Windows to the local DNS server and the DDNS is routed to the internal IP...

Given you're talking about DDNS, I'm assuming that you're trying to access a NAS on your local network where there is an externally accessible DDNS hostname pointed to your public IP (and port forwarded via the EE Smarthub to your local storage)? If so, I'm a bit confused as to why you would want to circumvent nat-loopback. I'd have thought that would be exactly what you want in this scenario?

... but when I set the DNS server in the EE Smart Hub settings it fails to route it; it's not even hitting the DNS server.

I suspect the Smarthub will allocate the custom/local DNS IP as part of the DHCP lease, rather than assign it to the WAN interface. If so, you may need to renew the DHCP lease on the client device before testing the changes. Simplest thing is probably to reboot the hub so all devices are forced to renew.

What I really don't understand is that, according to the Smart Hub's own configuration, anything that doesn't get blocked by the firewall rules (firewall is disabled) will be routed to the DMZ host, ignoring the NAT. Yet that isn't true, because it is blocking this.

Should be the case, but unlikely to help if there's some inherent issue with nat-loopback that's preventing it. Port forwarding should be sufficient though. You shouldn't need to use the DMZ.

It really is a massive omission to not enable NAT loopback on these routers

Bit confused. You opened saying you were trying to circumvent nat-loopback, but here you say it isn't enabled. Is there some oft-complained about issue with the EE Smarthub where nat-loopback doesn't work? I'm not overly familiar with the device but am inclined to agree that it's a bit of an odd omission.

mattius001
Investigator

I'm trying to circumvent the lack of nat-loopback on the EE Smart Hub modems.

i.e. accessing an externally accessible DDNS from the internal network.

This is not possible natively as the EE Smart Hub doesn't support nat-loopback.

The only current way of accessing the local device on the local network is by accessing it via its local IP. Externally everything works accessing it on the DDNS address. Which is just stupid, as it means any apps which connect to the server then need two addresses to access it (one for internal, one for external).

It's a very strange omission not having nat-loopback. Most other suppliers I have tried have supported this (SKY, PlusNet, Virgin). It's not really a security concern on a small-scale network and at worst should be a configurable setting on the hub.

So to circumvent the lack of it, I implemented a local DNS server, which when queried for the DDNS returns the internal IP address of the device. As stated above, this works when configured on Windows as the DNS, so naively I thought this should then work if I replace the DNS servers on the EE Smart Hub with my local DNS.

But it appears the Smart Hub is still NAT'ing the requests and hence failing them. Which is why I'm doubly confused by the DMZ statement on the Smart Hub settings screen: it clearly states that the Smart Hub won't NAT unknown traffic to the DMZ, so I configured the server as the DMZ, yet it appears it still NATs the requests when they are loopback.

bobpullen
Prodigious Contributor

Thanks, that's how I read the problem - but good to have confirmation.

It would be interesting to know why nat loopback isn't supported by The Smarthub. I assume you have the same problem if you use port forwarding, rather than putting the NAS into the DMZ? (which would be the recommended way to do things).

Assuming nat-loopback doesn't work, then what you're trying to do should be achievable if you have a local DNS entry configured on the internal DNS server, and it's being considered in favour of the public record. If the DDNS hostname > Internal IP lookup is happening, then the traffic should never leave your network and therefore shouldn't be subject to any NAT limitations.

Have you tried renewing the client DHCP lease as suggested in my last post? It would also be worth clearing any possible cached DNS records on the device you're trying to access the NAS from.

What DNS server are you using out of curiosity? Pi-hole?

Edit: rather than go to the trouble of running a local DNS server, could another option be to add some entries to the hostfile on the local machine you're trying to access the NAS from? Probably not practical if you need access from mobile devices, but for a laptop/desktop it should be achievable with minimal effort.

mattius001
Investigator

Yeah, I have port forwarding set up (needs to be for external access) and the DMZ set up (in the hope it would do like the documentation states and not NAT the traffic).

The local DNS is Synology's own DNS server, essentially with one rule (zone): forward the DDNS to the local IP, then just forward everything else on to Google's DNS servers. This works a treat when configured in Windows, just not when configured as the Smart Hub DNS.

Once configured, I rebooted the Smart Hub (in the hope of flushing its DNS), then on clients flushed the DNS and registered the DNS.

Editing the hosts file is not really possible, as it's mobile clients which are the problematic ones and I'm trying to avoid having to constantly manually configure any new device added to the network.

bobpullen
Prodigious Contributor

Personally, I'd disable the DMZ as I doubt it's doing much to assist with resolution.

What clients have you tried from? Doesn't it work from any? What happens if you run a traceroute from an affected client to the DDNS hostname? Does the traffic route out of your network?

If you do something like this from a Windows command line, is the local IP of the NAS returned?

>nslookup <ddns_hostname>

Also worth querying the NAS directly to see what it's doing: -

>nslookup <ddns_hostname> <local_ip_address_of_nas>

In both cases, I'd expect the IP of your NAS to be returned.

mattius001
Investigator

Yeah, so that's where it gets confusing.

So nslookup mydomain.net   returns the IP address of the router and cannot resolve

nslookup mydomain.net 192.168.1.2 ( my DNS )   returns the IP address of the server I'm trying to reach

So my DNS server is working correctly, but the Smart hub is ignoring the DNS server settings for some reason...

I have both primary and secondary DNS set up as my local.

bobpullen
Prodigious Contributor

Yeah, that suggests the custom DNS/DHCP from the router is not being picked up by the client device.

If you do an ipconfig, what DNS server addresses are assigned to the active Windows network interface? Presumably the router IP still? It should be the IP of your local DNS server.

>ipconfig /all

The above command will also give you details of when the DHCP lease was obtained which might offer some more clues.

What does the area of the hub manager look like where you can assign custom DNS? What menus do you navigate through to get to it? Just trying to reinforce my belief that the DNS is supposed to be dished out by the DHCP server.

mattius001
Investigator

But given I have restarted the Smart Hub, would it not have renewed the leases?

bobpullen
Prodigious Contributor

Yes, but the output from the command will help confirm whether or not that's happened. If custom DNS genuinely didn't work on this hub then I'd expect there to be a fair few complaints about it.

Things can often be 'sticky', especially where DHCP/DNS caching etc. is concerned.
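
The `ipconfig /all` check discussed in this thread (which DNS servers the DHCP lease handed out, and when the lease was obtained) can be scripted. The following is an added example, not part of any post above: a Python parser for `ipconfig /all` output that reports whether each adapter will query the hub or the local DNS server first. The sample output and the hub address 192.168.1.254 are constructed assumptions; 192.168.1.2 is the local DNS server mentioned in the thread.

```python
import re

# Constructed `ipconfig /all` excerpt (not from the thread); 192.168.1.254 is an
# assumed hub address, 192.168.1.2 is the local DNS server named in the thread.
SAMPLE = """\
Windows IP Configuration

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . : home
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.50(Preferred)
   Lease Obtained. . . . . . . . . . : 01 January 2021 09:14:02
   Default Gateway . . . . . . . . . : 192.168.1.254
   DNS Servers . . . . . . . . . . . : 192.168.1.254
"""

# "Label . . . : value"; the ". :" separator keeps IPv6 values from matching.
FIELD = re.compile(r"^\s+(.+?)[ .]*\. :\s*(.*)$")

def parse_ipconfig(text):
    """Return {section: {label: [values]}}, folding continuation lines."""
    sections, fields, last = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line opens a section
            fields = sections.setdefault(line.strip().rstrip(":"), {})
            last = None
        elif fields is not None:
            m = FIELD.match(line)
            if m:
                last, value = m.group(1), m.group(2).strip()
                fields[last] = [value] if value else []
            elif last:                     # extra DNS server on its own line
                fields[last].append(line.strip())
    return sections

def diagnose(text, local_dns):
    """Map each adapter to (verdict, dns_servers, lease_obtained)."""
    report = {}
    for name, f in parse_ipconfig(text).items():
        dns = f.get("DNS Servers", [])
        if not dns:
            continue
        if dns[0] == local_dns:
            verdict = "local-dns-first"
        elif dns[0] in f.get("Default Gateway", []):
            verdict = "hub-first"          # lookups go to the hub, not the local DNS
        else:
            verdict = "other-resolver-first"
        report[name] = (verdict, dns, (f.get("Lease Obtained") or ["unknown"])[0])
    return report
```

A `hub-first` verdict with a lease time later than the DNS change means the hub is still handing out its own address as the resolver, so the split-DNS record on 192.168.1.2 is never consulted by that client.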