?? Weird: Cannot Connect using Routable IP ??

Discussion in 'Server Networking' started by Tom Baxter, Apr 5, 2008.

  1. Tom Baxter

    Tom Baxter Guest

    Hello all,

    Sorry about the cross-posting but I'm not sure of the best group. If you
    have any suggestions for a better group, please let me know.

    The problem I'm having is easy to describe: I have a home network that's
    behind a router. I have set up one of my machines to be a web server and
    I've configured the firewall to point to this machine for incoming requests
    on port 80. Using a web browser, I can browse to the router's IP address and
    sure enough, I'm forwarded to my web server, it works great, but only if I
    am NOT on my local network!

    For example, if I am at work or at the coffee shop, I *can* browse to my
    router's IP address and I see the web page. If, however, I am at home,
    behind the firewall, I *cannot* use my router's IP. From home I have to use
    the web server's local IP: http://192.168.254.68. Can someone explain what's
    going on here? Why can I only use the router's IP if I am outside my network?

    Here's the configuration:
    Web Server Machine:
    Virtual machine running Windows Server 2008, IIS 7

    Web Browser Machine:
    XP Pro running IE 7

    Thanks very much.
     
    Tom Baxter, Apr 5, 2008
    #1

  2. Bill Grant

    Bill Grant Guest

    That is the way it works. Always has.

    If you are on the local network, you make a direct connection to the server
    using its local IP. You do not go out through the router to its public NIC
    and then be redirected back to the web server.

    If it worries you, set up a host file to point your web server's name to
    its local IP and use http://servername . (Or do this through DNS if you are
    running a local DNS).
     
    Bill Grant, Apr 5, 2008
    #2

  3. Hi,

    It seems that your router does not support this feature. Some routers do,
    some don't.
     
    Kristofer Gafvert, Apr 5, 2008
    #3
  4. Tom Baxter

    Tom Baxter Guest

    Ahh, now I understand... :)

     
    Tom Baxter, Apr 5, 2008
    #4
  5. Are you sure about that????? What does a router do? Answer: It routes
    network traffic from ONE subnet to ANOTHER subnet. Bill Grant has explained
    pretty well about the problem which is related to DNS not routing. Either
    create an entry in a LMHOST file, or if you have a DNS server just create
    another A record for the web server with the router's IP address.
     
    Dragon Without Wings, Apr 5, 2008
    #5
  6. Uncle Kenny

    Uncle Kenny Guest

    : "Kristofer Gafvert" wrote:
    :
    : > Hi,
    : >
    : > It seems that your router does not support this feature. Some routers do,
    : > some don't.
    : >
    :
    : Are you sure about that?????

    Yes, my router supports this feature.
     
    Uncle Kenny, Apr 6, 2008
    #6
  7. Uncle Kenny

    Uncle Kenny Guest

    : Can someone explain what's
    : going on here? Why can I only use the router's IP if I am outside my network?

    Because your router's web interface is on port 80, perhaps?
     
    Uncle Kenny, Apr 6, 2008
    #7
  8. Tom Baxter

    Tom Baxter Guest


    Yes, my router interface is indeed on port 80, but that is on the local
    subnet. My router config is at http://192.168.1.254:80. My web site is also
    port 80 but the IP address is the router's external address. I think it
    makes a difference, right?
     
    Tom Baxter, Apr 6, 2008
    #8
  9. Uncle Kenny

    Uncle Kenny Guest

    : "Uncle Kenny" <news.microsoft.com> wrote in message
    : > : Can someone explain what's
    : > : going on here? Why can I only use the router's IP if I am outside my
    : > : network?
    : >
    : > Because your router's web interface is on port 80, perhaps?
    :
    : Yes, my router interface is indeed on port 80, but that is on the local
    : subnet. My router config is at http://192.168.1.254:80. My web site is
    : also port 80 but the IP address is the router's external address. I think
    : it makes a difference, right?


    So you mean you enter the external IP from within the local network and you
    get... not what you want?
     
    Uncle Kenny, Apr 6, 2008
    #9
  10. Tom Baxter

    Tom Baxter Guest

    Yes, exactly correct. If I enter http://99.141.170.98:80 (that's the
    router's external IP, although it's dynamic so don't bother trying to hit
    the server) from within my local network I do *NOT* get to the web server.
    If I enter the same URL from Starbucks I *DO* get to the web server. In
    order to hit the web server from my local network I need to use the local IP
    of the web server itself: http://192.168.1.68

    I know the pattern of what's happening: It's just what Bill Grant said in
    the original response: "You do not go out through the router to its public
    NIC and then be redirected back to the web server." This is the behavior I'm
    seeing so in that sense, Bill's right. But no one has really been able to
    explain why this behavior happens or if it's something I can bypass or
    disable.
     
    Tom Baxter, Apr 6, 2008
    #10
  11. Hello,

    From what I can read in the original post, the IP address is used every
    time. Nowhere can I read about a domain name being used. Hence I do not
    think that the original problem is DNS, but it may be solved by name
    resolution (either DNS or LMHOSTS file) by resolving the domain name to
    different IP addresses depending on where you are. Do note however that you
    use different IP addresses to access the website.

    The problem is basically this:

    The router device has two IP addresses, a WAN IP address and a LAN IP
    address. When you try to access the WAN IP address from your LAN, the
    request goes to the LAN NIC and then stops at the WAN NIC, because it does
    not go thru the "forwarding rule". What needs to happen is that the request
    must loopback and go "thru" the external NIC and apply the forwarding rule.

    Some routers support this, others don't. There is very little to do about
    it, unless the router has a setting that can enable this feature (which it
    probably does not have, because it would then most likely already be enabled).
    The manufacturer has just simply decided they want the router to work this
    way.

    The only thing I can think of is to check if there is a firmware update that
    enables this behavior. If not, either work around it or get a router/NAT
    device that supports it.
     
    Kristofer Gafvert, Apr 6, 2008
    #11
  12. James Egan

    James Egan Guest

    If the port forwarding (redirection) was performed on the LAN
    interface as well as the WAN interface it still wouldn't work.

    The server would get the initial connection okay but the server's
    response would go directly from server to client (since they are both
    on the same subnet) bypassing the router on the return journey. The
    router doesn't have the chance to reverse the translation so the
    client receives a response from the server it is not expecting and
    drops it.


    Jim.
     
    James Egan, Apr 6, 2008
    #12
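As an added illustration (not code from the thread), here is a small Python model of the three situations Kristofer (#11) and Jim (#12) describe: a router that never applies the forward rule to LAN-side traffic, one that rewrites only the destination, and one that also rewrites the source so that the server's reply has to come back through the router. The router and server addresses are the ones given in the thread; the client address and the port numbers are constructed.

```python
# Added illustration, not code from the thread: a toy model of the "U-turn"
# (hairpin) through a NAT router. Router/server addresses are from the thread;
# the client address 192.168.1.20 and the ports are constructed.

ROUTER_LAN = "192.168.1.254"
ROUTER_WAN = "99.141.170.98"
SERVER = "192.168.1.68"
CLIENT = "192.168.1.20"
CLIENT_PORT = 40000

def pkt(src, sport, dst, dport):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport}

def server_reply(p):
    # The web server answers whatever source address the request carried.
    return pkt(p["dst"], p["dport"], p["src"], p["sport"])

def hairpin(mode):
    """Client on the LAN connects to ROUTER_WAN:80.
    mode: 'no_loopback' - router applies the forward rule only on the WAN NIC
          'dnat_only'   - router rewrites the destination only
          'dnat_snat'   - router rewrites destination and source
    Returns (client_accepts_reply, trace)."""
    req = pkt(CLIENT, CLIENT_PORT, ROUTER_WAN, 80)
    trace = [("client->router", req)]
    if mode == "no_loopback":
        # Post #11: the request stops at the WAN NIC; the rule is never applied.
        trace.append(("router", "no forwarding rule matched on LAN side"))
        return False, trace
    fwd = pkt(req["src"], req["sport"], SERVER, 80)
    if mode == "dnat_snat":
        fwd["src"], fwd["sport"] = ROUTER_LAN, 50000  # force the reply via router
    trace.append(("router->server", fwd))
    reply = server_reply(fwd)
    if reply["dst"] == ROUTER_LAN:
        trace.append(("server->router", reply))
        reply = pkt(ROUTER_WAN, 80, CLIENT, CLIENT_PORT)  # undo both translations
        trace.append(("router->client", reply))
    else:
        # Post #12: same subnet, so the reply never passes through the router.
        trace.append(("server->client (direct)", reply))
    # The client's socket expects ROUTER_WAN:80; anything else is dropped.
    accepted = (reply["src"], reply["sport"]) == (ROUTER_WAN, 80)
    return accepted, trace

if __name__ == "__main__":
    for m in ("no_loopback", "dnat_only", "dnat_snat"):
        ok, tr = hairpin(m)
        print(m, "->", "reply accepted" if ok else "reply dropped")
        for hop, p in tr:
            print("   ", hop, p)
```

Only the last mode works, which is why a router that "supports this feature" has to translate both directions, and why split DNS (resolving the name to 192.168.1.68 on the LAN) sidesteps the whole problem.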
  13. James Egan

    James Egan Guest

    Hello,

    How does the return traffic get routed through the router unless the
    web server is isolated onto a different lan subnet?


    Jim.
     
    James Egan, Apr 6, 2008
    #13
  14. It doesn't have anything to do with "routing". It doesn't have anything to
    do with anything higher than **Layer2**

    When you try to make a U-Turn through a NAT Device it creates a situation
    where the Source MAC and the Destination MAC in the Layer2 portion of the
    packet are the same address,...so it has an identity crisis,...shoots itself
    in the head,...or jumps off the roof. It is a limitation in the way a
    Reverse-NAT functions.

    Proxy Servers do not have this problem because they are not "NAT"ing.
    Some NAT Firewalls may have overcome it by proprietary means in their
    firmware that sort of "patches" the NAT functionality.

    ISA Server, which can simultaneously operate both as a proxy and as a NAT
    box, for example will let you do it both exciting ways.

    1. Do a "Server Publish" to a web server (NAT based) and it will fail

    2. Do a Web Publishing based on the CERN Compliant Web Proxying of ISA
    and it will function fine.

    Here's the official and very detailed explanation of the whole thing based
    on using ISA as the example:

    You have to get about half way down into it to see the MAC situation
    explained.

    14120 Errors; Discussion and Solution
    http://www.isaserver.org/articles/14120_Errors_Discussion_and_Solution.html

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
     
    Phillip Windell, Apr 7, 2008
    #14
  15. Bill is correct.
    I explained the details of why in a post further up in the thread.

    The *correct* way to handle this is:

    1. Stop using IP#s in the Browser's URL,...use the FQDN
    2. Use Split-DNS so that the FQDN of the site resolves to the Public IP# for
    the users "out of the Internet". But at the same time the FQDN resolves to
    the Private IP# of the Web Server itself when the User is "on the LAN" which
    allows them to go directly to the web server without involving the "NAT
    firewall".

     
    Phillip Windell, Apr 7, 2008
    #15
  16. Sorry for the "typos".
    Meant to say "exciting ways" :)
    Meant to say:

    Here's the official and very detailed explanation of the whole thing based
    on using ISA as the example:


     
    Phillip Windell, Apr 7, 2008
    #16
  17. This is by design in order to prevent looping, which is quite similar to
    spanning tree protocol in switches.
     
    Dragon Without Wings, Apr 8, 2008
    #17
  18. Tom Baxter

    Tom Baxter Guest

    Okay, this is a great response. This is the detail I was looking for rather
    than just, "It's always been that way".

    Thanks very much.
     
    Tom Baxter, Apr 8, 2008
    #18
  19. Yea, it's always been that way :-}

     
    Phillip Windell, Apr 8, 2008
    #19