Who is blocking external IP access behind NAT?

mk76

I am trying to test web server setup on raspi-3. Installed Apache, changed port, set up port forwarding in router (N66U).
- Server is up and accessible from LAN
- External sites show port is open
All good till here.

However, when I try to access my web server, it times out. Came across a post where someone suggested using a VPN ... and it works.

So what blocks external IP access from within the LAN and why? Can this be overridden?
@vivek.krishnan - advice needed
 
Some more information is required here. I too run a test web server off an RPI-2, however I do not face such an issue. Which ISP are you using, and how are you connected?
 
Using Den Broadband. Have a static IP from ISP, with ports open.

 
You need hairpin NATing done mate - look it up. It does not work like that internally. Check on your mobile or another device with outside access.

Thanks Vivek. But I will need some help to set this up on the router. Mine is N66U and I could not find any documentation on how to do that.
Dummy of router page - http://event.asus.com/2012/nw/dummy_ui/en/Advanced_NATPassThrough_Content.html

Below post asked the same question. They fixed it by resetting the router, which I have already done.
http://www.snbforums.com/threads/asus-rt-ac66u-nat-loopback-is-not-working.17760/

This is from the router
 
Yes, it's Asus Merlin. I am trying to figure out the instructions given in the 2nd link you shared. Looks like Asus Merlin does not have /etc/firewall.user.

What I found out is that last time I updated to a different fork (380.58) from the one I was using, John's (374.43). I'm now updating this to the latest in the same fork. Will post how it goes.

=> iptables -t nat -A prerouting_rule -d 112.196.155.7 -p tcp --dport 5555 -j DNAT --to 192.168.1.44

gives the following error: "iptables: No chain/target/match by that name"
 
Was reading a bit about Asus Merlin, it already has NAT loopback (2 options Asus / Merlin) settings in the firewall section. Now I don't have any idea how that is enabled for a policy / rule.

Can you give it a shot first?
 
Nope, doesn't work. I put those commands in jffs/scripts/nat-start. It does get called... but nothing.

This is the firewall section

OK. Finally it worked (partially).

The iptables commands on this page helped -> http://serverfault.com/questions/205040/accessing-the-dnatted-webserver-from-inside-the-lan
-> But it did not work via the NAT script.
-> I had to run the commands manually in SSH
-> The web server response is very slow. Home page (Apache test page) loaded after 15 sec

Will explore further
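
The hairpin NAT (NAT loopback) rules discussed in this thread, as an added example that is not part of any post: it checks a saved `iptables -t nat -S` dump for the target chain (`prerouting_rule` is an OpenWrt chain name, and iptables reports "No chain/target/match by that name" when the chain after `-A` does not exist) and prints the DNAT plus MASQUERADE pair. The addresses, port, sample ruleset and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: plan hairpin NAT (NAT loopback) rules against a saved ruleset.
# Every address, port and the sample ruleset below are constructed.

# Constructed `iptables -t nat -S` dump: WAN port forward, no hairpin rules.
SAMPLE_RULES='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-N VSERVER
-A PREROUTING -d 203.0.113.10/32 -j VSERVER
-A VSERVER -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.50:8080
-A POSTROUTING -o eth0 -j MASQUERADE'

# chain_exists DUMP CHAIN: true if CHAIN is built in (-P) or user-defined (-N).
# Appending to a missing chain yields "No chain/target/match by that name".
chain_exists() {
    printf '%s\n' "$1" | grep -Eq -- "^-[PN] $2( |\$)"
}

# has_hairpin DUMP LAN_CIDR SERVER_IP PORT: true if POSTROUTING already
# rewrites the source of LAN -> server traffic on that port.
has_hairpin() {
    printf '%s\n' "$1" | grep -F -- "-A POSTROUTING" | grep -F -- "-s $2 " |
        grep -F -- "-d $3/32 " | grep -F -- "--dport $4 " |
        grep -Eq -- '-j (MASQUERADE|SNAT)'
}

# hairpin_rules CHAIN WAN_IP LAN_CIDR SERVER_IP PORT: print the rule pair.
#  1. DNAT: a LAN client that dials WAN_IP:PORT is redirected to the server.
#  2. MASQUERADE: the source becomes the router, so the server replies via
#     the router; a direct reply would not match the client's connection.
hairpin_rules() {
    echo "iptables -t nat -A $1 -s $3 -d $2 -p tcp --dport $5 -j DNAT --to-destination $4:$5"
    echo "iptables -t nat -A POSTROUTING -s $3 -d $4 -p tcp --dport $5 -j MASQUERADE"
}

# plan DUMP CHAIN WAN_IP LAN_CIDR SERVER_IP PORT: validate, then print rules.
plan() {
    dump=$1; shift
    chain_exists "$dump" "$1" || { echo "no such nat chain: $1" >&2; return 1; }
    if has_hairpin "$dump" "$3" "$4" "$5"; then
        echo "# hairpin rules already present"; return 0
    fi
    hairpin_rules "$@"
}

plan "$SAMPLE_RULES" PREROUTING 203.0.113.10 192.168.1.0/24 192.168.1.50 8080
```

On a real router, feed `plan` the output of `iptables -t nat -S` instead of the sample and review the printed rules before running them.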
 