Tuesday, August 7, 2007

Zyxel NAT loopback and dyndns in-lan access problems

retrieved from:

The problem:

I'm using Zyxel 650R-31 [...] ...

I try to access local web service using my DynDNS address from my PC, which is behind the router, and all I got was the router login page instead of the web page itself.

I asked many ppl that also use ADSL router and they keep telling me that this is normal T_T

Million thanks for the useful tips!

The solution:

Step #1:

My colleage used ZyXEL Prestige 650R-31 as the main ADSL router for his company. It works very well and so stable. Last week he asked me to help him setup a server placed behide the ADSL router to be accessible anywhere from Internet. The main service is e-mail so I just added port forwarding via web-based configuration. It was so easy and worked like a charm. However, the connection could not establish if he sat inside the NAT. The problem is so called "NAT loopback". I found this kind of problem in D-Link also.

Fortunately, ZyXEL allows to enable NAT loopback via commandline interface. What I do to solve this problem is just 4 steps.

  1. Telnet to the router and enter administrative password
  2. Go to menu 24 and then 8
  3. Run command "ip nat loopback on"
  4. Type "exit" and then 99 to quit from the management screen

Thanks ZyXEL and cpbotha for this very useful hidden command. It would be better if it can be altered via web interface.


I also found the following tip about the "ip nat loopback on" bit

ras> ip nat loopback on

This will turn it on but if you reboot the setting will go back to default (i.e. `off').

To make the 660 keep the setting telnet in to 24 , 8

  • Type:

    sys edit autoexec.net

  • Press "i", then type "ip nat loopback on"

  • Press "x" to save the configuration.

To verify the changes took place correctly type:

sys view autoexec.net

Scroll up to the _first_ line displayed by the above command and you should be seeing the `ip nat loopback on' bit.

Step #2:

Double-check that port-forwarding is appropriately set in your router to forward the http-port to the lan-server you want (your pc or whatever).

In addition to the above it would also be useful to change the default http, ftp, telnet ports for remote management to something else than the default ones - theoretically there is no need for this but `just-in-case'. The port-changes can be done easily through the web-configuration interface.

Also note that the above is only _one_ of the issues one has to tackle in setting up a home-http-server.

The `blocked-ports' issue with some ISPs (including OteNET):

As of the time of this writting there are some problems with OteNET's policy regarding port 80. It seems it's only possible to run an http server only if it's binded to port number equal to or higher than 1023 (at least) - it appears that all ports from 1 up to and including 1022 are blocked for all services (http, ssh, ftp) by OteNET at least for costumers having dynamic IPs. Other ISPs are known to follow a similar policy.

Changing the default ports on servers behind the router to ports >= 1023 seems to be the only way over this second obstacle.

No comments: