Cannot see devices on my home network when using my public IP

My ISP set me up with a public IP address a few years ago so it would be easier for me to connect to devices on my home network from my office. I just had to set up port forwarding rules on my home router, and everything worked fine. My home router gets a private IP address (let's call it privateIP) from my ISP's router in the building, and then they set up a 1:1 NAT on their router, mapping all ports from privateIP to my home router.

A few weeks ago, my home router failed, so I got a new one (a TP Link Archer A7). I assumed that I could just set up the same port forwarding rules on the new one and everything would work just fine, and it does from outside my home network.

When I'm at home, however, I can't do anything with publicIP. I can't ping it from inside my network, or connect to any device via SSH or HTTP, and I can do both of those things from my office. With my old router (an Asus RT-N56U), everything worked as expected when I used publicIP, whether I was connecting from my own subnet or from the outside.

My ISP claims that nothing on their side is different, and suggested that the default routing rules are different between my old router & my new one. That's as much as they can tell me, and I'm not terribly clear on how to set up a static route for this case. By that I mean, I know how to do it in my router's configuration, but I don't know what to set as the destination IP, subnet mask, and gateway in the routing table. In this case, I would think that the destination would specifically be publicIP, so the subnet would be 255.255.255.255, but that feels wrong. Also, I have no idea what the gateway address should be for that.

Does this sound like I'm on the right track? How should I set up a route to the public IP address of my router from behind two NATs?

Edit:

My home router's configuration (by default): [screenshot: Home router "advanced routing" configuration]

Note: the ISP's router in the building gives my home router an address on the 10.11.180.0/22 subnet (privateIP). That router is where the 1:1 NAT from publicIP to the 10.11.xxx.yyy address is configured. I don't have any control over that configuration, but it did work previously. My home router manages the 192.168.0.0/24 subnet.


Solution 1:

The external IP address is used in communication with the outside world. Inside your own network you use the internal IP address. As the connections from your office work, there's nothing wrong with the routing.

For example, I have a Linux server I manage with SSH. The internal IP address of the server is 192.168.1.100/24. When I connect to it from the office, I'll go ssh user@externalip. When I connect to it at home from my workstation I'm in the same network, so I use the internal IP of the server instead, i.e. ssh user@192.168.1.100.

Only the traffic that's crossing the internet interface of your router will be routed. Traffic that's flowing inside the network does not cross this interface, so it's not routed but the router uses its switch part to forward the traffic using just the MAC addresses. Because the internal traffic never passes the internet interface you don't need to use the external IP address in intra-network communication at all.

Also because the traffic isn't routed, you don't have to set up any kind of static routes to reach the internal devices from other internal devices.

Please note: this assumes that all your internal devices are in the same network, as is by default the case with any off-the-shelf SoHo router. If you have configured two or more separate VLANs and networks, the traffic between them is routed, and in some (rare) situations you might need to configure static routes. However, because the traffic still isn't crossing the internet interface, you wouldn't use the external IP, only internal ones.

Some special cases may require using the external IP also with internal communications. There's no standardization that states how exactly a SoHo router must internally work; the device manufacturers have a free hand in deciding what they offer. For example, in this case it seems that the new router doesn't support hairpin NAT (NAT loopback), as Frank Thomas suggested in his comment above.

If the exact same functionality is required, the old device should be replaced with the exact same model; but even in that case there may be an OS (firmware) difference between the old and new one causing a difference in behavior. The only way to be certain is to compare the capabilities of the two devices (or OS versions) before purchase.

If the same or comparable device isn't readily found, one can check whether some Open Source router OS like OpenWRT has the required capability, and purchase a device that supports the replacement OS.
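To make the answer's distinction concrete, here is an added Python model of the packet path described in the question and the answer (it is not code from the asker, the answerer or TP-Link). It traces a connection through the ISP's 1:1 NAT and the home router, with and without NAT loopback. The subnets come from the question; publicIP, privateIP, the outside client and the port-forwarding table are constructed placeholders.

```python
import ipaddress

# Subnets from the question; publicIP and privateIP are constructed stand-ins
# (203.0.113.0/24 is a documentation range, so nothing real is addressed).
LAN = ipaddress.ip_network("192.168.0.0/24")        # subnet managed by the home router
ISP_LINK = ipaddress.ip_network("10.11.180.0/22")   # privateIP side of the ISP router
PRIVATE_IP = ipaddress.ip_address("10.11.180.77")   # constructed: home router's WAN address
PUBLIC_IP = ipaddress.ip_address("203.0.113.10")    # constructed stand-in for publicIP
# Constructed port-forwarding table on the home router: external port -> (LAN host, port)
FORWARDS = {22: ("192.168.0.20", 22), 80: ("192.168.0.30", 80)}

def isp_one_to_one_nat(dst):
    """ISP router: 1:1 NAT maps every port of publicIP to privateIP (home router's WAN)."""
    return PRIVATE_IP if dst == PUBLIC_IP else dst

def deliver(src, dst, dport, hairpin_nat):
    """Trace where a TCP SYN from src to dst:dport ends up.
    Returns (outcome, delivered_to_host, delivered_to_port)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in LAN and dst in LAN:
        # Same segment: the router's switch forwards by MAC; no routing, no NAT involved.
        return ("switched", str(dst), dport)
    if src in LAN:
        # Leaves the LAN via the default gateway, i.e. the home router itself.
        if dst != PUBLIC_IP:
            return ("routed-to-internet", str(dst), dport)
        # Destination is the router's own public identity, seen from the inside.
        if dport not in FORWARDS:
            return ("no-forward-rule", None, None)
        if not hairpin_nat:
            # No NAT loopback: the router will not apply its DNAT rules to traffic
            # that arrived on the LAN side, so the connection never reaches the host.
            return ("no-nat-loopback", None, None)
        host, port = FORWARDS[dport]
        return ("hairpinned", host, port)
    # From the office: ISP 1:1 NAT first, then the home router's port-forward rule.
    dst = isp_one_to_one_nat(dst)
    if dst == PRIVATE_IP and dport in FORWARDS:
        host, port = FORWARDS[dport]
        return ("port-forwarded", host, port)
    return ("dropped", None, None)

def address_to_use(src, dport):
    """The answer's advice: inside the LAN use the internal address, outside use publicIP."""
    if ipaddress.ip_address(src) in LAN:
        return FORWARDS[dport][0]
    return str(PUBLIC_IP)
```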