Another WAN from LAN issue: NAT loopback

  • I use as I have a dynamic IP.


    I have 2 IPCAMS / 192.168.x.x / 192.168.x.y

    So port forwarding works fine as expected, as long as I'm not inside my own network.

    So I have tried the PureNAT option and it doesn't seem to work, not sure what I'm missing.

    So upon further reading people are suggesting using SplitDNS. So I try that

    But it doesn't work as I have more than one device using the same ….

    Can anyone let me know what I am missing?

    Using pfSense 2.2RC (had the same problem on 2.1.5)

  • LAYER 8 Global Moderator

    Well, use 2 names, blah1.noip and blah2.noip, problem solved. blah1 points to x.x and blah2 points to x.y

  • So then I need one subdomain for firewall
    one for cam1
    one for cam2?

    That seems a bit overkill when you can have one address and use port forwarding... The issue is with the NAT loopback... surely that's an internal issue

    But I know I've had it working in the past using pfSense? But I can't for the life of me work out why PureNAT is no longer working, thinking I've missed something..

  • LAYER 8 Global Moderator

    subdomain?? What.. You need multiple host names in your domain since you have MULTIPLE hosts!!

    So you have if blah is your domain you got from no-ip and I don't use no-ip any longer because they continue to have you click this email every 30 days or whatever it was for a nag to get you to buy.

    I use a domain from afraid.. I have multiple hosts in domain..

    How is proper resolution of a FQDN to an IP overkill?? You know what is overkill is messing with something that shouldn't even be a possible solution if you ask me. NAT reflection is an abomination ;)

    This is all of 2 seconds of creating a host override.. Done for the FQDN you're wanting to use. Let's say I had 3 different cameras I want to get to and I have 1 public IP. I would set the cameras to use say port 8081, 8082, 8083

    In whatever dynamic DNS I am using I would set up cam1.mydomain.tld cam2.mydomain.tld cam3.mydomain.tld all pointing to my publicIP. Let's call it

    I create my forwards that if you are going to 8081 you send it to 8081, if 8082 send to, if 8083 to

    I set up 3 host overrides for cam1.mydomain.tld, cam2 and cam3.mydomain.tld that point to those 192 addresses.

    Now I can use FQDN cam1.mydomain.tld:8081 be it I am outside or inside my network.. This takes all of 30 seconds to set up.

  • LAYER 8 Netgate

    If you want it to be the same URL inside and outside you will have to:

    Make two hostnames inside (pointing one at each camera) and two hostnames outside (both pointing at your outside IP).

    Change the camera listening ports so the same port outside goes to the same port inside.

    Then and http:/ (for example) will work from inside or outside.
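
Added example, not part of the thread or any poster's configuration: a small offline model of the layout the two replies above describe (one hostname per camera, host overrides inside, the same port outside and inside), audited next to the single-hostname setup from the first post. All addresses and the name home.example.test are constructed placeholders, and NAT reflection is assumed to be off.

```python
# Added example: split DNS plus port forwards, modelled offline.
# Every address and home.example.test below is a constructed placeholder.
PUBLIC_IP = "203.0.113.10"
CAM1, CAM2 = "192.168.1.11", "192.168.1.12"
FORWARDS = {8081: (CAM1, 8081), 8082: (CAM2, 8082)}   # WAN port -> camera socket

def reach(host, port, view, cfg):
    """Return the (ip, port) socket a client lands on, or None if unreachable."""
    if view == "inside" and host in cfg["overrides"]:
        # The host override answers with the private IP, so the packet never
        # crosses NAT and the port in the URL is used unchanged.
        return (cfg["overrides"][host], port)
    if cfg["public_dns"].get(host) != PUBLIC_IP:
        return None
    if view == "inside":
        return None                    # LAN client aimed at the WAN IP, reflection off
    return cfg["forwards"].get(port)   # the WAN port forward picks the camera

def audit(urls, cfg):
    """List every URL that does not reach the same listening camera from both sides."""
    problems = []
    for host, port in urls:
        out = reach(host, port, "outside", cfg)
        ins = reach(host, port, "inside", cfg)
        if out not in cfg["listening"]:
            problems.append(f"{host}:{port} outside -> {out}")
        if ins != out:
            problems.append(f"{host}:{port} inside -> {ins}, outside -> {out}")
    return problems

# One name for both cameras: the override can only point at one of them.
single_name = {
    "public_dns": {"home.example.test": PUBLIC_IP},
    "overrides": {"home.example.test": CAM1},
    "forwards": FORWARDS, "listening": set(FORWARDS.values()),
}
# One name per camera, same port outside and inside.
per_camera = {
    "public_dns": {"cam1.mydomain.tld": PUBLIC_IP, "cam2.mydomain.tld": PUBLIC_IP},
    "overrides": {"cam1.mydomain.tld": CAM1, "cam2.mydomain.tld": CAM2},
    "forwards": FORWARDS, "listening": set(FORWARDS.values()),
}

def demo():
    bad = audit([("home.example.test", 8081), ("home.example.test", 8082)], single_name)
    good = audit([("cam1.mydomain.tld", 8081), ("cam2.mydomain.tld", 8082)], per_camera)
    return bad, good

print(demo())
```

With a single name, the URL on port 8082 resolves inside to the first camera, which is not listening there; the same audit also flags a forward that changes the port, since the inside path skips NAT.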

  • I already had each camera on a different port using the same external address and it works fine outside the network…

    So I have logged into my website host and set a subdomain ipcam1 and another called ipcam2.

    Forwarded these to my address.

    So they will always be pointing to my external IP, and changed the camera link on my phone to cam1.mywebhost:1234 and cam2.mywebhost:2345

    So now they work internal and external using the Split DNS as suggested above.....

    This is a workaround though, as NAT loopback should work correctly but it doesn't....

  • LAYER 8 Netgate

    NAT reflection is an ugly hack.  Take comfort in knowing you did it right instead of easy.

  • LAYER 8 Global Moderator

    "This is a workaround tho"

    No, your idea that you should send traffic from the LAN side of your firewall to the public side to be forwarded back in with a source IP that came from your LAN side is as stated an UGLY hack!!!

    This can cause asymmetric routing, it's pretty much a security concern. So your firewall is allowing traffic when it says it came from internal private network? Did it really, or was the source spoofed?

    So your client sends traffic to, which is off his network so he sends to gateway.. Shouldn't it be concerned that return traffic came from 192.168.1.x ?? When server at 192.168.1.x sees the inbound traffic that says it came from 192.168.1.y

    NAT reflection is a hack that really shouldn't even be there.. Nobody in networking would ever expect that NAT reflection should be a viable option.. Only people not knowing what they are doing would expect such a thing to be a solution.

  • You know what I recommend?

    First - Never expose it directly to the internet - use a VPN.

    Second - Address it directly by IP

    That's what I do.

    Port forwarding to an IP cam from web is begging for a hack.

  • Just try NAT+proxy, it must do the job

  • @kejianshi:

    You know what I recommend?

    First - Never expose it directly to the internet - use a VPN.

    Second - Address it directly by IP

    That's what I do.

    Port forwarding to an IP cam from web is begging for a hack.

    As said earlier, my cam is locked down firstly with a decent password, secondly I only allow my work IP and my mobile phone subnet to access the IP. All other IPs trying to connect to that port are blocked by the firewall. So firstly they would need to hack the firewall before they can get to the cams.

    Secondly, can't have VPN on all the time as I access them from work and from my phone, can't have phone on VPN all the time, not practical.

    I have a dynamic IP, so using the IP will not work as it changes from time to time

  • Sounds like it's super secure then. Problem solved.

  • LAYER 8 Global Moderator

    "cant have phone on VPN"

    Who said it had to be on all the time? It takes seconds to connect to VPN from the phone. As to from work - again I VPN into my home network from work all the time. Nice thing about OpenVPN is you can bounce off a proxy like many work networks require ;)

  • Oh yeah, I know it's easy to turn off and on, but I have a widget on my home screen, so that means I would have to have it on all the time otherwise the widgets wouldn't work, but it's not a major problem.

    And with my work, no need to bounce via proxy ..
