WAN IP Address – How to Connect to Local Network

packet-analysis

I have a simple network in my company, where I use my ISP's ADSL Router. The LAN is 192.168.1.0/24. Router's IP is 192.168.1.1. It also has DHCP enabled, which ranges from 2 to 250.

I have a Digital Video Recorder (DVR) configured with static IP address, with the following LAN configuration:

IP  : 192.168.1.254
MASK: 255.255.255.0
GW  : 192.168.1.1
DNS1: 192.168.1.1
HTTP: 8080
SRVR: 6036

I also need to configure connection ports – in this case, DVR's HTTP port is 8080 and Server port is 6036. I made the adjustments on my router to forward the ports to the DVR.

So I downloaded the phone app and configured it to connect to 192.168.1.254 – it works. Therefore, the DVR network configuration is correct. Then I configured the DVR's DDNS and reconfigured the app on my cellphone… and here is where the problem happens:

When I'm outside my work network (i.e. on 3G or at my house), it works. It connects to my DVR using the DDNS. However, if I'm inside the network it doesn't work.

Let's say my network's public address is 200.30.20.10. So, packets are coming out of my phone with destination address 200.30.20.10 to both ports (8080 and 6036). So it's trying to connect correctly as expected (because I can connect to the DVR from my house, so I know both DDNS and port-forward are correct).

My reasoning: when I'm inside the network, the packet reaches my router, matches only the default route and goes out the gateway. However, now the packet will have both source and destination address equal to 200.30.20.10 … so the gateway network will just drop my packet?

I thought adding a static route to my routing table would fix this, but as my public IP always changes, that won't be very efficient…

My conclusion so far: you can't connect to your network using your public address.

(Why I want to solve this: the way it is now, all phones need two configurations: one to connect to the DVR when we are here, and another one for when we are not here.)

My question: what exactly is happening and why?

Best Answer

Your thinking is correct. One term you may want to search for is "hairpin". Basically, the idea is that a packet makes a U-turn and heads right back inside to where it came from. Different routers and firewalls configure this differently, so you'll have to look up yours.

I've also seen it called "NAT loopback," but I think hairpin is the more common term.

Edit: This is in essence what hairpinning does for you.
Imagine you've configured the external IP on the phone app.
Your phone (for example 192.168.1.5) sends a packet to 200.30.20.10. If you only change the destination IP (DNAT), then when the packet hits the DVR it will look like: 192.168.1.5 -> 192.168.1.254. The DVR will reply directly to the phone since they are on the same subnet. Your phone will drop the reply packet because, as far as it's concerned, it didn't send anything to 192.168.1.254; it sent a packet to 200.30.20.10! So you'll have to change the source address (SNAT) as well in that case, so the packets go back to the firewall and then back to your phone.

So in the end:
PHONE ON THE OUTSIDE
z.z.z.z -> 208.30.20.10
Router sees this packet and changes it to: z.z.z.z -> 192.168.1.254

PHONE ON THE INSIDE (phone configured the same way)
192.168.1.5 -> 200.30.20.10
Router sees this packet and needs to change it to: 192.168.1.1 -> 192.168.1.254
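The DNAT-only versus DNAT+SNAT (hairpin) behaviour described in the answer, modelled as an added Python example; this is not code from the original post, and the outside phone address 203.0.113.7 and the minimal connection table are assumptions, while the LAN, DVR and public addresses are the ones used on the page:

```python
from dataclasses import dataclass

# Addresses from the page; 203.0.113.7 is a constructed "outside" phone address.
PUBLIC_IP, ROUTER_LAN_IP = "200.30.20.10", "192.168.1.1"
DVR_IP, LAN_PREFIX = "192.168.1.254", "192.168.1."
FORWARDED_PORTS = {8080, 6036}  # DVR HTTP and server ports forwarded on the router


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


class Router:
    """Port-forwarding router; with hairpin=True it also SNATs LAN-originated hits."""

    def __init__(self, hairpin: bool):
        self.hairpin = hairpin
        self.conntrack = {}  # (translated src, DVR_IP) -> original src, for replies

    def forward(self, pkt: Packet) -> Packet:
        # Traffic to the public IP on a forwarded port is DNATed to the DVR.
        if pkt.dst == PUBLIC_IP and pkt.dport in FORWARDED_PORTS:
            new_src = pkt.src
            # Hairpin: a LAN source is also SNATed to the router's LAN address,
            # so the DVR's reply comes back through the router instead of direct.
            if self.hairpin and pkt.src.startswith(LAN_PREFIX):
                new_src = ROUTER_LAN_IP
            self.conntrack[(new_src, DVR_IP)] = pkt.src
            return Packet(new_src, DVR_IP, pkt.dport)
        return pkt

    def reply(self, pkt: Packet) -> Packet:
        # Reverse-translate a DVR reply: restore the public IP as source and the
        # original client as destination, if we have connection state for it.
        orig_src = self.conntrack.get((pkt.dst, pkt.src))
        return pkt if orig_src is None else Packet(PUBLIC_IP, orig_src, pkt.dport)


def phone_connects(phone_ip: str, hairpin: bool) -> bool:
    """Does a phone configured with the public IP get a reply it will accept?"""
    router = Router(hairpin)
    fwd = router.forward(Packet(phone_ip, PUBLIC_IP, 8080))
    reply = Packet(DVR_IP, fwd.src, fwd.dport)  # DVR answers the source it saw
    # A same-subnet destination is reached directly, bypassing the router.
    if reply.dst.startswith(LAN_PREFIX) and reply.dst != ROUTER_LAN_IP:
        delivered = reply
    else:
        delivered = router.reply(reply)
    # The phone only accepts replies from the address it actually connected to.
    return delivered.dst == phone_ip and delivered.src == PUBLIC_IP
```

Running `phone_connects("192.168.1.5", hairpin=False)` reproduces the dropped-reply failure from inside the LAN, while the outside phone and the hairpin case both succeed.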
