Accessing a website via the webservers public IP from a PC within the same LAN

Here is an example. Some routers, like the Neufbox4 (a router provided by a French ISP), run Linux. On these routers the program "iptables" is used to configure NAT behavior (iptables is a sort of Swiss-army knife for Linux networking).

Suppose you have a webserver (TCP port 80) behind your router listening on LAN address 192.168.0.2 and you add a port mapping (redirection) for it. In iptables terms this translates to something like:

iptables -t nat -A PREROUTING -i wan -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2

This means "for every packet that comes in through the WAN interface directed at TCP port 80, send it to 192.168.0.2". This is exactly what you want. All is fine... for now.

You have to understand that the IP address associated with the WAN interface of the router is your public Internet address. For example, if your Internet IP is 1.2.3.4, then the "wan" interface on the router has IP address 1.2.3.4.

Now suppose you're trying to access your webserver from your LAN, say from your personal computer at address 192.168.0.3, using your own Internet address. So for example, you type "http://1.2.3.4/" in your browser.

What happens is that your computer will send a packet directed to 1.2.3.4, TCP port 80, on the LAN. The router will receive this packet. But it will not redirect it to 192.168.0.2. Why? Because the iptables rule above only deals with packets coming in on the WAN interface, not from the LAN!

So what will happen then? Well, it depends on other networking rules on the router. Generally speaking one of two things will happen:

  • Either the router will see a packet directed at itself (remember, 1.2.3.4 is one of the IP addresses of the router, so this is perfectly normal). On most routers there is a web server listening on port 80 for the administration interface. Consequently, this webserver will handle the packet, not the webserver on your LAN, and you get the administration interface instead of your website.

  • Or the router will drop the packet for some reason, simply because it doesn't know how to handle a packet directed at its WAN address on its LAN port.

Technically, the solution is very simple: it consists of an iptables rule of the form:

iptables -t nat -A PREROUTING -i lan -d 1.2.3.4 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2

This means "for every packet that comes in through the LAN interface directed at TCP port 80, AND with a destination address of 1.2.3.4, send it to 192.168.0.2". This is what you would call "NAT loopback".
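Putting the two rules together, here is a small POSIX shell helper that prints the complete rule set a Linux router needs for this loopback. It is an example added to this answer, not the Neufbox4's own configuration. It keeps the interface names "wan" and "lan" and the addresses 1.2.3.4 and 192.168.0.2 from the answer; the LAN subnet 192.168.0.0/24, the use of conntrack/MASQUERADE for the reply path and the FORWARD rule are assumptions. The third rule covers a point the answer does not mention: with the DNAT alone, the server would answer the LAN client directly from 192.168.0.2, while the client expects its reply from 1.2.3.4 and drops it, so the hairpinned flow also needs its source rewritten.

```shell
#!/bin/sh
# NAT loopback (hairpin NAT) rule generator for a Linux router.
# Added example, not the router's own configuration. Assumed: interfaces are
# named "wan" and "lan", the LAN is 192.168.0.0/24, iptables has the conntrack
# match, and nothing here is applied unless you pipe the output into "sh" as root.
#
# Usage: hairpin_rules PUBLIC_IP SERVER_IP PORT LAN_SUBNET
hairpin_rules() {
    pub="$1"; srv="$2"; port="$3"; lan="$4"

    # 1. The ordinary port forward from the answer: packets arriving on the WAN
    #    interface for TCP/$port go to the server.
    echo "iptables -t nat -A PREROUTING -i wan -p tcp --dport $port -j DNAT --to-destination $srv"

    # 2. The loopback rule from the answer: packets arriving on the LAN interface
    #    but addressed to the public IP go to the server as well.
    echo "iptables -t nat -A PREROUTING -i lan -d $pub -p tcp --dport $port -j DNAT --to-destination $srv"

    # 3. Reply path (assumption, not in the answer): only for connections that
    #    conntrack has already DNATed, rewrite the source to the router's LAN
    #    address so the server answers the router, which undoes both translations.
    #    Direct LAN-to-server connections are untouched and keep the client IP.
    echo "iptables -t nat -A POSTROUTING -o lan -s $lan -d $srv -p tcp --dport $port -m conntrack --ctstate DNAT -j MASQUERADE"

    # 4. The flow enters and leaves on "lan"; allow it in case FORWARD's policy is DROP.
    echo "iptables -A FORWARD -i lan -o lan -d $srv -p tcp --dport $port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
}

# hairpin_check PUBLIC_IP SERVER_IP PORT
# Exit status 0 if the loopback DNAT rule is already present on this router
# (needs root and an iptables that supports "-C"), 1 otherwise.
hairpin_check() {
    iptables -t nat -C PREROUTING -i lan -d "$1" -p tcp --dport "$3" \
        -j DNAT --to-destination "$2" >/dev/null 2>&1
}

# Run as a script with four arguments to print the rules, e.g.
#   sh hairpin.sh 1.2.3.4 192.168.0.2 80 192.168.0.0/24
if [ $# -eq 4 ]; then
    hairpin_rules "$@"
fi
```

Printing the commands instead of running them lets you review them before applying, and `hairpin_check` gives a quick way to confirm whether a router already has the loopback rule before adding a duplicate.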

However, most router manufacturers are obviously not aware of the issue and didn't put this rule (or the equivalent in the router's proprietary system) into their product...