Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[chertel]

Hello.

I am new to this forum, and I just picked up the router last week. It is great so far.

However, I have been having a few issues.

First, here is my details:

ISP: comcast
Router: DIR-655
Hardware Version: B1
Firmware Version: 2.04NA

QOS:
Enable Traffic Shaping: true
Enable QoS Engine: true
Automatic Classification: true    
Dynamic Fragmentation: true

Firewall:
Enable SPI: true
UDP Endpoint Filtering:Endpoint Independent
TCP Endpoint Filtering:Endpoint Independent

(Note: I heard endpoint independent makes the firewall less strict in another thread, so I thought I would try it)

Currently, I have a machine attached to the router that has a webserver and ssh (fedora linux). The ports are successfully forwarded (in this case, tcp 80, and tcp 22), and from outside of my network I can connect. Also, I use dyndns.com to provide a domain name, instead of using my IP. The dyndns account is NOT managed by the router.

The server I am trying to connect to has a reserved IP address.

My problem is that from inside of my network, using the dyndns domain name, I cannot connect to my site.

Here is a sample url (not my real one):

mysite.dyndns.org

Everything works just fine from outside of my network...

Any thoughts?

[FurryNutz]

Welcome!
What region are you located?

What ISP Service do you have? Cable or DSL?
What ISP Modem do you have? Stand Alone or built in router?
What ISP Modem make and model do you have?

Is here any configuration needed on the DYNDNS site possibly?

Some things to try:
Turn off ALL QoS or Disable Traffic Shaping (DIR only) GameFuel (DGL only and if ON.) options. Advanced/QoS or Gamefuel.
Turn off Advanced DNS Services if you have this option under Setup/Internet/Manual.
Turn on DNS Relay under Setup/Networking.
Setup DHCP reserved IP addresses for all devices ON the router. Setup/Networking
Ensure devices are set to auto obtain an IP address.
Set Firewall settings to Endpoint Independent for TCP and UDP under Advanced/Firewall.
Enable uPnP and Multi-cast Streaming under Advanced/Networking.

[chertel]

Hello.

Using my old router works just fine (WRT54G Linksys Router with dd-wrt installed), so I can hopefully assume the problem is not on the dyndns side of things.

I disabled "Advanced DNS Service", but it did not help. I noticed that the box "Enable DNS Relay" was not click-able until "Advanced DNS service" was disabled... Also, "Enable DNS Relay" is enabled on my router.

I DO NOT have a value in "Local Domain Name"...


Here are my answer to some of the other stuff from the canned response:

• "Region?" Pacific Northwest
• "What ISP Service do you have? Cable or DSL?" CABLE
• "What ISP Modem do you have? Stand Alone or built in router?" STAND ALONE
• "What ISP Modem make and model do you have?" MOTOROLA
• "Setup DHCP reserved IP addresses for all devices ON the router" this is done for the machines I care about... (e.g not iphone or wii, but server and workstations are all set)
• "Ensure devices are set to auto obtain an IP address." DONE
• "Set Firewall settings to Endpoint Independent for TCP and UDP under Advanced/Firewall" DONE
• "Enable uPnP and Multi-cast Streaming under Advanced/Networking." DONE

[chertel]

I should say too, when I ping the dyndns hostname from inside of my network it gets the correct comcast IP address...

[chertel]

So I did some more research and playing around, and it appears I fixed the problem.

Before, I was using port forwarding (for ssh and HTTP).

Now, I have it setup as virtual server (for both).

I am still confused as to what the difference is and which case should be applied where, but at least it is working. 

[FurryNutz]

Glad you go it working. You'll find information regarding VS and PF in the Archive.

Enjoy.

[chertel]

Hmm... the explanation there is just as confusing.... Any other topics to point me to?

[FurryNutz]

Virtual Server vs. Port Forwarding

Or try searching the web. Search is your friend. 

Enjoy.

[PacketTracer]

Hmm... the explanation there is just as confusing.... Any other topics to point me to?

Hi chertel,

from reading your problem description, I guess the explanation lies in a different NAT "hair pinning" behaviour of your DIR-655 router and hence, in addition to all differences explained elsewhere there is another one:

1) "Port Forwarding" obviously uses a NAT hairpinning behaviour of "Internal source IP address and port" (Edit: or doesn't do hairpinning at all)
2) In contrast "Virtual Server" obviously uses a NAT hairpinning behaviour of "External source IP address and port"

For an explanation of those terms read chapter 6 of RFC4787. In your case X1'=X2' is valid.

This would perfectly explain the observed behaviour. And if this explanation is correct, it also proves that D-Link's NAT implementation in case of "Port Forwarding" does not conform to RFC4787 (and in your case RFC5382 respectively, see Edit below), which clearly states:

(Edit: REQ-9:  A NAT MUST support "Hairpinning")
REQ-9a: A NAT Hairpinning behavior MUST be "External source IP address and port"

In order to allow a communication from your internal computers to your internal HTTP and SSH server within your original configuration using "Port forwarding", you must prevent your clients from using the external address, because in this case your router uses the wrong NAT hairpinning behaviour. To achieve this you must configure your clients in a way, that the dyndns name of your server gets resolved to its internal address, e. g. by configuring HOSTS files. This would lead to a direct communication between your clients and your server without any participation of your router.

PT

Edit: Sorry, I referenced the wrong RFC which explains NAT behaviour for UDP. But there is another one explaining NAT behaviour for TCP: Read chapter 7.2 in RFC5382 which states the same requirement for NAT Hairpinning behavior now numbered REQ-8 and REQ-8a respectively.

[FurryNutz]

Awesome info PT. 

[chertel]

PacketTracer, thanks for the info. Hope this helps some people in the future

Maybe they will even fix the behavior