How to implement NAT loopback/reflection?

I'm trying to access a server on my LAN via its public IP address. External clients can connect just fine, but I'm unable to do so from within the LAN. There is a separate rule in the NAT settings of my gateway (which translates subnet addresses to the public interface IP, but is otherwise identical), but it doesn't appear to be working properly.

How would I correctly set things up to access a local resource via a public IP address?


The most common problem is that your gateway rewrites the destination address of the packet to the internal server, but not the source. So, when the internal server responds, it sees that the packet came from something on the local network and sends the packet back directly - and the client can't tell this is from the server, because the packet still has the internal, not the public, address on it.

The standard fix is to force the traffic to come back through your gateway. One way to achieve that is to put the server that the public address redirects to in a "DMZ", so that traffic between the client and the server has to pass through the router.

The other way is to also apply NAT to the source address of internal connections to the external IP, so that they look like they come from the gateway. The internal server will then respond to the gateway, which will undo both NAT changes and send the packet back to the internal client.
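As an added illustration of the second fix described in this answer (not code from the original post), here is what the two translations look like as iptables rules on a Linux gateway. All addresses and interface names are hypothetical placeholders: eth0 is the WAN interface holding public IP 203.0.113.10, eth1 is the LAN on 192.168.1.0/24, and the internal server is 192.168.1.20 on TCP port 80. Set IPT=echo to print the commands instead of applying them, and APPLY=1 to actually load them.

```shell
#!/bin/sh
# Hairpin (NAT loopback) rules for a Linux gateway using iptables.
# Hypothetical values; override via the environment to match your network.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"
WAN_IP="${WAN_IP:-203.0.113.10}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
SERVER="${SERVER:-192.168.1.20}"
PORT="${PORT:-80}"

# Ordinary port forward for external clients: rewrite the destination only.
# The server's replies to an Internet address already route back via the gateway.
external_dnat() {
  $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$PORT" \
      -j DNAT --to-destination "$SERVER:$PORT"
}

# Hairpin step 1: LAN packets aimed at the public IP get the same DNAT.
# On its own this is the "separate rule" that does not work: the server
# would answer the LAN client directly, from its private address.
hairpin_dnat() {
  $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -d "$WAN_IP" \
      -p tcp --dport "$PORT" -j DNAT --to-destination "$SERVER:$PORT"
}

# Hairpin step 2: rewrite the SOURCE of those DNATed packets to the
# gateway's own LAN address (MASQUERADE picks the address of $LAN_IF).
# The server now replies to the gateway, and conntrack reverses both
# translations before handing the reply back to the internal client.
hairpin_snat() {
  $IPT -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$SERVER" \
      -p tcp --dport "$PORT" -j MASQUERADE
}

# The FORWARD chain must permit the forwarded connection and its replies.
allow_forward() {
  $IPT -A FORWARD -d "$SERVER" -p tcp --dport "$PORT" -m conntrack \
      --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
  $IPT -A FORWARD -s "$SERVER" -p tcp --sport "$PORT" -m conntrack \
      --ctstate ESTABLISHED,RELATED -j ACCEPT
}

apply_all() {
  external_dnat
  hairpin_dnat
  hairpin_snat
  allow_forward
}

# Only touch the live firewall when explicitly asked to.
if [ "${APPLY:-0}" = 1 ]; then
  apply_all
fi
```

Run `IPT=echo sh hairpin.sh` style invocations (or call `apply_all` after sourcing with `IPT=echo`) to review the generated rules before loading them with `APPLY=1`. Note the trade-off the source rewrite introduces: every hairpinned connection reaches the server with the gateway's LAN address as its source, so the server's logs can no longer distinguish internal clients from one another. Also make sure the hairpin PREROUTING rule sits before any more general rules in that chain, and that `net.ipv4.ip_forward` is enabled on the gateway.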


I know it isn't what you are asking, but the way I've set up my internal network is via split DNS: machines within the network get internal addresses when looking up home.domain.tld, mail.domain.tld and so forth. No address translation to worry about (well, unless there is something else between the client and server of course), nothing client-side cares that it is not talking to a publicly routable address, server-side will only care if you have things specifically binding to the external interface and not the other(s), and unlike with NAT all the internal hosts don't look the same in log files (which can be a help if you need to use said logs to diagnose a problem being experienced on the local network).