
I am configuring a router to redirect TCP port 5900 (yes, this is for VNC) to a specific IP address on the network. Here is what I have:


From a local computer on the same network, I can telnet to 192.168.1.64 (port 5900) just fine. However, when trying to telnet to the machine (port 5900) using its external IP address, it doesn't work. (The connection times out.)

The router is a Gigaset SE567, if that helps.

gWaldo
Nathan Osman
  • Also, I found this Mikrotik page to be pretty useful in understanding hairpin NAT... [Mikrotik Wiki - Hairpin NAT](http://wiki.mikrotik.com/wiki/Hairpin_NAT) – pmilb Dec 15 '11 at 18:58

1 Answer


You're running into the hairpin NAT problem. The problem is the following:

  1. Your client opens a connection to [externalIP]:5900
  2. Your gateway converts the target address to [InternalIP]:5900
  3. Your server on [internalIP] sees a connection from [InternalIP-2] and sends an ACK to [InternalIP-2]
  4. Your client sees an ACK from [InternalIP-2] and not from [externalIP] like it was expecting, and drops it. No connection is ever established.

The gateway needs to be smart enough to translate internal source addresses to itself so it can handle the correct translations. Consumer routers generally don't support this operation. The usual method is to just use the internal IP when connecting internally, or use a split DNS configuration.

sysadmin1138
  • That's odd though... my home router does this just fine (translating internal addresses like you mention) so I didn't expect this type of problem. What's a split DNS configuration? – Nathan Osman Mar 28 '11 at 02:44
  • Also, is there a special name for this type of problem? – Nathan Osman Mar 28 '11 at 02:45
  • Your internal DNS server resolves myserver.example.com to 192.168.1.14 and your external DNS server resolves myserver.example.com to a real IP address. – sysadmin1138 Mar 28 '11 at 02:45
  • @sys: Aha! More examination of the router options page reveals a NAT address configuration page with the following: "Network address translation (NAT) directly translates an IP address from your home network to an address on the Internet. It only allows one machine from the home network to access the Internet." (Which is of course not an option.) – Nathan Osman Mar 28 '11 at 02:49
  • @GeorgeEdison Yes, the term for this problem is called NAT Hairpinning, named after the 'hairpin turn' the packet makes at your border router. – sysadmin1138 Mar 28 '11 at 02:50
  • @sys: When you describe split DNS, I'm a little confused... what is the internal DNS server? (I assume the external DNS server is the one configured in the router settings, currently 8.8.8.8) – Nathan Osman Mar 28 '11 at 02:54
  • @GeorgeEdison: Try connecting to your external IP from an external machine (instead of your local one) and see if it works. That will verify the problem. – sybreon Mar 28 '11 at 03:59
  • @syb: The problem is there alright. – Nathan Osman Mar 28 '11 at 04:10
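The four steps in the answer above, modelled as an added example (not code from the question, the answer, or the router vendor): a port-forwarding gateway with and without hairpin SNAT, showing why the client's TCP stack discards the reply in the plain port-forward case. All addresses except the forwarded target 192.168.1.64:5900 are constructed; the hairpin translation rewrites the LAN client's source to the gateway's own LAN address, which is what the answer says the gateway needs to do.

```python
# Added example, not from the original post: a model of the four steps in the answer.
# All addresses are constructed except 192.168.1.64:5900, the forwarded target.
from dataclasses import dataclass, replace

EXTERNAL_IP = "203.0.113.10"      # constructed public address of the router
GATEWAY_LAN_IP = "192.168.1.1"    # constructed LAN address of the router
SERVER = ("192.168.1.64", 5900)   # forwarded target from the question
CLIENT = ("192.168.1.50", 40000)  # constructed LAN client ([InternalIP-2])

@dataclass(frozen=True)
class Packet:
    src: tuple
    dst: tuple
    flags: str  # "SYN" or "SYN-ACK"

class Gateway:
    """Port-forwarding router; hairpin=True also rewrites LAN source addresses."""
    def __init__(self, hairpin: bool):
        self.hairpin = hairpin
        self.table = {}  # translated source -> original client address

    def forward_in(self, p: Packet) -> Packet:
        # Step 2: DNAT the forwarded port to the internal server.
        if p.dst != (EXTERNAL_IP, 5900):
            return p
        src = p.src
        if self.hairpin and src[0].startswith("192.168.1."):
            # Hairpin SNAT: the server must reply to the gateway, not the client.
            src = (GATEWAY_LAN_IP, 50000)
            self.table[src] = p.src
        return replace(p, src=src, dst=SERVER)

    def forward_out(self, p: Packet) -> Packet:
        # Reverse translation for a reply the server sent to the gateway.
        if p.dst in self.table:
            return replace(p, src=(EXTERNAL_IP, 5900), dst=self.table.pop(p.dst))
        return p

def server_reply(p: Packet) -> Packet:
    # Step 3: the server answers whatever source address it saw.
    return Packet(src=p.dst, dst=p.src, flags="SYN-ACK")

def connection_established(hairpin: bool) -> bool:
    """Step 4: the client only accepts a SYN-ACK from the peer it dialled."""
    gw = Gateway(hairpin)
    syn = Packet(src=CLIENT, dst=(EXTERNAL_IP, 5900), flags="SYN")
    reply = server_reply(gw.forward_in(syn))
    if reply.dst[0] == GATEWAY_LAN_IP:  # only replies to the gateway are un-NATed
        reply = gw.forward_out(reply)
    return reply.dst == CLIENT and reply.src == (EXTERNAL_IP, 5900)
```

Without hairpin SNAT the server's SYN-ACK goes straight to the LAN client with the server's own source address, which does not match the external address the client dialled; with it, the reply passes back through the gateway and is rewritten to the expected peer.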