?? Weird: Cannot Connect using Routable IP ??

Tom Baxter

Hello all,

Sorry about the cross-posting but I'm not sure of the best group. If you
have any suggestions for a better group, please let me know.

The problem I'm having is easy to describe: I have a home network that's
behind a router. I have set up one of my machines to be a web server and
I've configured the firewall to point to this machine for incoming requests
on port 80. Using a web browser, I can browse to the router's IP address and
sure enough, I'm forwarded to my web server, it works great, but only if I
am NOT on my local network!

For example, if I am at work or at the coffee shop, I *can* browse to my
router's IP address and I see the web page. If, however, I am at home,
behind the firewall, I *cannot* use my router's IP. From home I have to use
the web server's local IP: http://192.168.254.68. Can someone explain what's
going here? Why can I only use the router's IP if I am outside my network?

Here's the configuration:
Web Server Machine:
Virtual machine running Windows Server 2008, IIS 7

Web Browser Machine:
XP Pro running IE 7

Thanks very much.
 
Bill Grant

That is the way it works. Always has.

If you are on the local network, you make a direct connection to the server
using its local IP. You do not go out through the router to its public NIC
and then be redirected back to the web server.

If it worries you, set up a host file to point your web server's name to
its local IP and use http://servername . (Or do this through DNS if you are
running a local DNS).
 
Kristofer Gafvert

Hi,

It seems that your router does not support this feature. Some routers do,
some don't.
 
Tom Baxter

That is the way it works. Always has.

Ahh, now I understand... :)

If you are on the local network, you make a direct connection to the
server using its local IP. You do not go out through the router to its
public NIC and then be redirected back to the web server.

If it worries you, set up a host file to point your web server's name to
its local IP and use http://servername . (Or do this through DNS if you
are running a local DNS).
 
Dragon Without Wings

Kristofer Gafvert said:
Hi,

It seems that your router does not support this feature. Some routers do,
some don't.

Are you sure about that????? What does a router do? Answer: It routes
network traffic from ONE subnet to ANOTHER subnet. Bill Grant has explained
pretty well about the problem which is related to DNS not routing. Either
create an entry in a LMHOSTS file, or if you have a DNS server just create
another A record for the web server with the router's IP address.
 
Uncle Kenny

: "Kristofer Gafvert" wrote:
:
: > Hi,
: >
: > It seems that your router does not support this feature. Some routers do,
: > some don't.
: >
:
: Are you sure about that?????

Yes, my router supports this feature.
 
Uncle Kenny

: Can someone explain what's
: going here? Why can I only use the router's IP if I am outside my network?

Because your router's web interface is on port 80, perhaps?
 
Tom Baxter

Uncle Kenny said:
: Can someone explain what's
: going here? Why can I only use the router's IP if I am outside my
network?

Because your router's web interface is on port 80, perhaps?


Yes, my router interface is indeed on port 80, but that is on the local
subnet. My router config is at http://192.168.1.254:80. My web site is also
port 80 but the IP address is the router's external address. I think it
makes a difference, right?
 
Uncle Kenny

:
:
:
: "Uncle Kenny" <news.microsoft.com> wrote in message
: : >: Can someone explain what's
: > : going here? Why can I only use the router's IP if I am outside my
: > network?
: >
: > Because your router's web interface is on port 80, perhaps?
: >
:
:
: Yes, my router interface is indeed on port 80, but that is on the local
: subnet. My router config is at http://192.168.1.254:80. My web site is also
: port 80 but the IP address is the router's external address. I think it
: makes a difference, right?
: --


So you mean you enter the external IP from within the local network and you
get... not what you want?
 
Tom Baxter

Uncle Kenny said:
:
:
:
: "Uncle Kenny" <news.microsoft.com> wrote in message
: : >: Can someone explain what's
: > : going here? Why can I only use the router's IP if I am outside my
: > network?
: >
: > Because your router's web interface is on port 80, perhaps?
: >
:
:
: Yes, my router interface is indeed on port 80, but that is on the local
: subnet. My router config is at http://192.168.1.254:80. My web site is also
: port 80 but the IP address is the router's external address. I think it
: makes a difference, right?
: --


So you mean you enter the external IP from within the local network and you
get... not what you want?

Yes, exactly correct. If I enter http://99.141.170.98:80 (that's the
router's external IP, although it's dynamic so don't bother trying to hit
the server) from within my local network I do *NOT* get to the web server.
If I enter the same URL from Starbucks I *DO* get to the web server. In
order to hit the web server from my local network I need to use the local IP
of the web server itself: http://192.168.1.68

I know the pattern of what's happening: It's just what Bill Grant said in
the original response: "You do not go out through the router to its public
NIC and then be redirected back to the web server." This is the behavior I'm
seeing so in that sense, Bill's right. But no one has really been able to
explain why this behavior happens or if it's something I can bypass or
disable.
 
Kristofer Gafvert

Hello,

From what I can read in the original post, the IP address is used every
time. Nowhere can I read about a domain name being used. Hence I do not
think that the original problem is DNS, but it may be solved by name
resolution (either DNS or LMHOSTS file) by resolving the domain name to
different IP addresses depending on where you are. Do note however that you
use different IP addresses to access the website.

The problem is basically this:

The router device has two IP addresses, a WAN IP address and a LAN IP
address. When you try to access the WAN IP address from your LAN, the
request goes to the LAN NIC and then stops at the WAN NIC, because it does
not go thru the "forwarding rule". What needs to happen is that the request
must loopback and go "thru" the external NIC and apply the forwarding rule.

Some routers support this, others don't. There is very little to do about
it, unless the router has a setting that can enable this feature (which it
probably does not have, because it would then most likely already be enabled).
The manufacturer has simply decided they want the router to work this
way.

The only thing I can think of is to check if there is a firmware update that
enables this behavior. If not, either work around it or get a router/NAT
device that supports it.
 
James Egan

I know the pattern of what's happening: It's just what Bill Grant said in
the original response: "You do not go out through the router to its public
NIC and then be redirected back to the web server." This is the behavior I'm
seeing so in that sense, Bill's right. But no one has really been able to
explain why this behavior happens or if it's something I can bypass or
disable.

If the port forwarding (redirection) was performed on the LAN
interface as well as the WAN interface it still wouldn't work.

The server would get the initial connection okay but the server's
response would go directly from server to client (since they are both
on the same subnet) bypassing the router on the return journey. The
router doesn't have the chance to reverse the translation so the
client receives a response from the server it is not expecting and
drops it.


Jim.
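The two explanations given above (Kristofer Gafvert's: the forwarding rule is only applied on the WAN side; James Egan's: even if it were applied on the LAN side, the server's reply would bypass the router) can be walked through with a small simulation. This is an added example, not code from anyone in the thread: it uses the addresses quoted in the thread, adds an assumed LAN client and external client, and its `hairpin_snat` option models the loopback NAT that "some routers support", where the router also rewrites the source address to its own LAN address (assumed behaviour, not described in the thread).

```python
from dataclasses import dataclass, replace

# Addresses quoted in the thread; the two clients are constructed values.
WAN_IP, ROUTER_LAN_IP, SERVER_IP = "99.141.170.98", "192.168.1.254", "192.168.1.68"
LAN_CLIENT, EXTERNAL_CLIENT = "192.168.1.10", "203.0.113.7"
LAN_PREFIX = "192.168.1."


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def on_lan(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


def connect(client_ip: str, lan_dnat: bool = False, hairpin_snat: bool = False) -> str:
    """Simulate one request to WAN_IP:80 and the first reply seen by the client.

    lan_dnat:     router applies its port-forward rule to LAN-side traffic too
    hairpin_snat: router additionally rewrites the source to its LAN address
                  (assumed loopback-NAT behaviour), which implies lan_dnat
    """
    lan_dnat = lan_dnat or hairpin_snat
    syn = Packet(client_ip, WAN_IP, 40000, 80)
    # Step 1: the forwarding rule normally fires only on the WAN interface.
    if on_lan(client_ip) and not lan_dnat:
        return "no connection: forwarding rule only applies on the WAN interface"
    fwd = replace(syn, dst=SERVER_IP)
    if on_lan(client_ip) and hairpin_snat:
        fwd = replace(fwd, src=ROUTER_LAN_IP)
    # Step 2: the server answers whatever source address it saw.
    reply = Packet(fwd.dst, fwd.src, fwd.dport, fwd.sport)
    # Step 3: return path. Same subnet -> delivered directly, router skipped.
    if on_lan(reply.dst) and reply.dst != ROUTER_LAN_IP:
        seen_by_client = reply
    else:  # reply passes the router, which reverses its translation
        seen_by_client = Packet(WAN_IP, client_ip, 80, syn.sport)
    # Step 4: the client only accepts a reply from the socket it opened.
    if (seen_by_client.src, seen_by_client.sport) == (syn.dst, syn.dport):
        return "connected"
    return f"dropped: reply came from {seen_by_client.src}:80, client expected {WAN_IP}:80"
```

Running `connect(LAN_CLIENT, lan_dnat=True)` reproduces James Egan's point: the server replies straight to the client from 192.168.1.68, which is not the address the client connected to, so the reply is discarded.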
 
James Egan

The router device has two IP addresses, a WAN IP address and a LAN IP
address. When you try to access the WAN IP address from your LAN, the
request goes to the LAN NIC and then stops at the WAN NIC, because it does
not go thru the "forwarding rule". What needs to happen is that the request
must loopback and go "thru" the external NIC and apply the forwarding rule.

Some routers support this, others don't. There is very little to do about
it, unless the router has a setting that can enable this feature (which it
probably does not have, because it would then most likely already be enabled).
The manufacturer has simply decided they want the router to work this
way.

The only thing I can think of is to check if there is a firmware update that
enables this behavior. If not, either work around it or get a router/NAT
device that supports it.

Hello,

How does the return traffic get routed through the router unless the
web server is isolated onto a different lan subnet?


Jim.
 
Phillip Windell

It doesn't have anything to do with "routing". It doesn't have anything to
do with anything higher than **Layer2**.

When you try to make a U-Turn through a NAT Device it creates a situation
where the Source MAC and the Destination MAC in the Layer2 portion of the
packet are the same address,...so it has an identity crisis,...shoots itself
in the head,...or jumps off the roof. It is a limitation in the way a
Reverse-NAT functions.

Proxy Servers do not have this problem because they are not "NAT"ing.
Some NAT Firewalls may have overcome it by proprietary means in their
firmware that sort of "patches" the NAT functionality.

ISA Server, which can simultaneously operate both as a proxy and as a NAT
box, for example will let you do it both exiting ways.

1. Do a "Server Publish" to a web server (NAT based) and it will fail

2. Do a Web Publishing based on the CERN Compliant Web Proxying of ISA
and it will function fine.

Here's the official and v ery details explaination of the whole things based
on useing ISA as the example:

You have to get about half way down into it to see the MAC situation
explained.

14120 Errors; Discussion and Solution
http://www.isaserver.org/articles/14120_Errors_Discussion_and_Solution.html

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
 
Phillip Windell

Tom Baxter said:
I know the pattern of what's happening: It's just what Bill Grant said in
the original response: "You do not go out through the router to its public
NIC and then be redirected back to the web server." This is the behavior
I'm seeing so in that sense, Bill's right. But no one has really been able
to explain why this behavior happens or if it's something I can bypass or
disable.

Bill is correct.
I explained the details of why in a post further up in the thread.

The *correct* way to handle this is:

1. Stop using IP#s in the Browser's URL,...use the FQDN
2. Use Split-DNS so that the FQDN of the site resolves to the Public IP# for
the users "out of the Internet". But at the same time the FQDN resolves to
the Private IP# of the Web Server itself when the User is "on the LAN" which
allows them to go directly to the web server without involving the "NAT
firewall".

--
Phillip Windell
www.wandtv.com

 
Phillip Windell

Sorry for the "typos".
ISA Server, which can simultaneously operate both as a proxy and as a NAT
box, for example will let you do it both exiting ways.

Meant to say "exciting ways" :)
Here's the official and v ery details explaination of the whole things
based on useing ISA as the example:

Meant to say:

Here's the official and very detailed explanation of the whole thing based
on using ISA as the example:


--
Phillip Windell
www.wandtv.com

 
Dragon Without Wings

Tom Baxter said:
I know the pattern of what's happening: It's just what Bill Grant said in
the original response: "You do not go out through the router to its public
NIC and then be redirected back to the web server." This is the behavior I'm
seeing so in that sense, Bill's right. But no one has really been able to
explain why this behavior happens or if it's something I can bypass or
disable.

This is by design in order to prevent looping, which is quite similar to
spanning tree protocol in switches.
 
Tom Baxter

Okay, this is a great response. This is the detail I was looking for rather
than just, "It's always been that way".

Thanks very much.
 
Phillip Windell

Tom Baxter said:
Okay, this is a great response. This is the detail I was looking for
rather than just, "It's always been that way".

Yea, it's always been that way :-}

--
Phillip Windell
www.wandtv.com

 