Subscriber Discussion

Local Loopback / NAT Loopback Issue With Recorder?

Undisclosed Integrator #1
Feb 09, 2016

The age old local loopback issue - has anyone found a solution for this?

Despite loads of Googling, we have yet to discover a solution. Here's a quick recap of this typical scenario: Customer has a <insert brand here> DVR at 192.168.1.200 and DDNS: http://mysite.ddns.com - Port forwarding is set up no problem and remote access works great via the DDNS domain. But when we configure the Mobile app, the customer has to choose between the local IP 192.168.1.200 or the DDNS domain name. The problem is, the local IP only works when they are on their network, and the DDNS domain only works when they are off their network.

Just add two "sites" to the app, you say? Nope - this causes a constant error message to pop up on whichever site doesn't apply (when at home, the DDNS site errors and when at Starbucks the local site errors).

This is not a problem unique to one DVR manufacturer of course - every brand of IP device or NVR has the same issue. Some modems from certain ISPs seem to allow "local loopback" and the DDNS domain works locally - but most do not. There doesn't seem to be a way to turn local loopback on or off. Anyone have any luck finding a solution to this issue?

Undisclosed #2
Feb 09, 2016

"Just add two "sites" to the app, you say?"

Never been a problem for me

(1)
Undisclosed Integrator #1
Feb 09, 2016

Depends on the VMS and mobile app. Maybe the one you're using fails gracefully. Mine pops up an error saying it can't connect - and if you have a local IP as one of the sites, you will always get this error when you're not on your local network.

Ethan Ace
Feb 09, 2016

In my router, I set up a DNS entry for the DVR. So I forward mydvr.dydns.org to 192.168.1.98, for example. It works fine, but there's one caveat: it's going to send all traffic to that one address on the LAN. So if you have more than one DVR, or a DVR and a PC, for example, with different external ports forwarded to each, you won't be able to reach all of them from inside the LAN.

This isn't a problem for me because it's the only device I reach via dyndns, anyway, but could be for some. You could get around it by making a new dynamic dns host, but that's a bit clunky.

(1)
Undisclosed Integrator #1
Feb 09, 2016

I don't think most home routers (ISP provided, Linksys or Dlink) will allow you to add a DNS entry, will they?

Ethan Ace
Feb 09, 2016

I'm using the stock Verizon FiOS router. I'm not sure if it's available on all routers but this thing never struck me as particularly more capable than others.

Matt Ion
Feb 09, 2016

Not really a question of "how capable" the router is; NAT loopback isn't a particularly advanced or esoteric function, it's just one that traditionally hasn't been needed much, so it's not high on the feature list, at least not for many older routers. On DD-WRT firmware, it can be implemented with a four-line firewall rule.

Undisclosed #3
Feb 09, 2016
IPVMU Certified

...when at home, the DDNS site errors and when at Starbucks the local site errors...

Why does the DDNS site error at home?

Undisclosed Integrator #1
Feb 09, 2016

Because at home you are on the same network as the DVR, so going to mydvr.dyndns.org is a request out to the internet back to your own network - or a "local loopback" and it won't work. This is the problem I'm trying to solve.

1. On home network, going to local IP 192.168.x.x = works great

2. Away from home network (at Starbucks) going to local IP 192.168.x.x = will not work (not on home LAN anymore)

3. Away from home network (at Starbucks) going to DDNS domain = works great (via DDNS and port forwarding)

4. On home network, going to DDNS domain = local loopback = will not work on most ISPs

Undisclosed #3
Feb 09, 2016
IPVMU Certified

So maybe I'm one of the lucky ones with an ISP that supports local loopback. This is what I did, tell me if we are talking about the same thing.

  1. Enabled 'respond to WAN ping' on my router.
  2. Went to whatismyip.com to find current outside ip
  3. Ping it from local network - no problem
  4. tracert it - showed going one hop to cox.blah.blah.blah

Does this fail in your scenario?

If it does, where exactly does the packet get dropped, at the modem? What does tracert show?

Undisclosed #2
Feb 09, 2016

Hmm,

I did set up 2 entries a few times on customer ph

1.local (Home or office)

2.DDNS

and explained when to use them

Undisclosed Integrator #1
Feb 09, 2016

Yes exactly - you described the problem we are trying to solve: needing to set up two entries in the mobile app and explaining to the customer when to use each one. Then fielding their tech support calls when they forget, or fail to understand the difference between wifi at home and wifi at Starbucks.

"They're both just Wi-fi, what's the difference?"

Bob Schenck
Feb 09, 2016
IPVMU Certified

Supply your own router as part of the install?

If the ISP has a combo modem/router set it to bridge mode. Ubiquiti Edgerouter for $59 can do NAT hairpinning or custom DNS entries for internal clients.

(1)
(1)
Undisclosed #3
Feb 09, 2016
IPVMU Certified

Do you have a DLINK router, or one where you can enable independent endpoints, like so:

(1)
Undisclosed Integrator #1
Feb 10, 2016

Awesome thanks for all the help! Next time I come across this, I'll try it.

Luis Carmona
Feb 09, 2016
Geutebruck USA • IPVMU Certified

Bob and Ethan's solutions are the correct ones. This is a limitation of the router, it's not a problem with the DVR. Whatever you use to resolve DNS entries internally on the network, if you're able to, you need to set a static A record that essentially says something like:

DVR.mydns.org -> 192.168.1.200

Then set your app to look to DVR.mydns.org. When you are inside the network, the internal DNS service (whether it be an internal DNS server or on the router), should override what the outside DDNS service says and should point you to the correct IP address on the inside. When you are outside the network, the DDNS service should point you to the appropriate public IP address.

We don't use DDNS as we have static IP addresses and our own domain name server, so I make the entries on our internal DNS server for inside name to IP resolution and our domain name registrar's (i.e. GoDaddy, Network Solutions, Register.com, etc.) DNS server for outside name resolution so I only have to make one DNS address entry.

If your customer doesn't have sophisticated enough systems to do that, they'll just have to upgrade. Partner with an IT company if you don't know how, because it can be a mess to setup if you don't know what you are doing.

(1)
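A quick check for the split-horizon fix Ethan and Luis describe above (added example code, not from any post in this thread): resolve the DDNS name from a LAN client and report whether it comes back as the DVR's LAN address (the internal A record is in effect) or only as a public address (the client will try to hairpin through the router, which fails unless the router supports NAT loopback). The hostname and addresses are constructed; the offline resolver table stands in for the real LAN resolver.

```python
"""Classify how a LAN client will reach a DVR via its DDNS name."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

# Constructed example values (not a real device or domain).
DVR_LAN_IP = "192.168.1.200"
DDNS_HOST = "mydvr.ddns.example"

# RFC 1918 ranges only; Python's is_private also covers TEST-NET etc.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_lan(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in RFC1918)


def resolve_all(host: str) -> List[str]:
    """Ask the client's own resolver, i.e. whatever the router hands out via DHCP."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None, socket.AF_INET)})


def classify(host: str, dvr_lan_ip: str, resolver: Callable[[str], Iterable[str]] = resolve_all) -> str:
    """'lan-override'   : name maps to the DVR's LAN IP, internal A record works.
    'hairpin-needed' : only public addresses, traffic goes WAN-and-back (NAT loopback).
    'misdirected'    : a private address that is not the DVR (stale or wrong record).
    'unresolved'     : no A records at all."""
    addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    if not addrs:
        return "unresolved"
    if ipaddress.ip_address(dvr_lan_ip) in addrs:
        return "lan-override"
    if not any(is_lan(a) for a in addrs):
        return "hairpin-needed"
    return "misdirected"


def make_resolver(table: Dict[str, List[str]]) -> Callable[[str], List[str]]:
    """Offline stand-in for the LAN resolver, built from a constructed table."""
    return lambda host: list(table.get(host, []))


# Constructed scenarios mirroring the thread: router override present vs absent.
SCENARIOS = {
    "router adds A record": {DDNS_HOST: [DVR_LAN_IP]},
    "plain ISP router": {DDNS_HOST: ["203.0.113.45"]},  # documentation-range public IP
    "stale override": {DDNS_HOST: ["192.168.1.98"]},
}

if __name__ == "__main__":
    for label, table in SCENARIOS.items():
        print(f"{label:22s} -> {classify(DDNS_HOST, DVR_LAN_IP, make_resolver(table))}")
```

Run it with the default resolver on a phone or laptop inside the customer's LAN to see which of the two paths the mobile app will actually take.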
Undisclosed #3
Feb 09, 2016
IPVMU Certified

Bob and Ethan's solutions are the correct ones.

Will setting the NAT filtering to endpoint independent (if possible) not work, as shown above?

Undisclosed #3
Feb 09, 2016
IPVMU Certified

Comprehensive list of common routers, whether they support NAT loopback by default, and how to make them when they don't.

(1)
(4)
Matt Ion
Feb 09, 2016

Well I see Luis and U3 beat me to the answer: it's a limitation of the router, and the only sure way around it, if the router doesn't have the option, is to replace the router with a suitable one.

Well, not necessarily "replace"... there may be other possibilities, depending on the setup. My home network uses a cable modem operating as a standard gateway, and a router with DD-WRT firmware as my primary "control" unit. The cable modem provides a separated guest network and unfettered connection for my son (he's a gamer, ping time is god), while the router handles all the DHCP, firewall, PXE control, etc. for all other "mission control" operations :) The cable modem itself doesn't support loopback, but when my internal router's WAN IP is set as a DMZ, that doesn't seem to matter.

If it's a supported router, you could always look at flashing a custom firmware, such as DD-WRT, OpenWRT, Tomato, etc. I can't speak for the others, but DD-WRT will do NAT loopback with a short firewall rule (copy-and-paste from their wiki).

Fortunately, if you do end up having to replace the router, this isn't a function that's limited to the expensive high-end models - as I noted to Ethan above, it's not something overly advanced or esoteric, it's just uncommon because the need for it has traditionally been uncommon. But as U3's link shows, it is available in a number of lower-cost routers.

(1)