NAT loopback
NAT loopback, also known as NAT hairpinning or NAT reflection,[6] is a feature in many consumer routers[7] which allows a user to connect to their own public IP address from inside the LAN. This is especially useful when, for example, a website is hosted at that IP address. The following describes an example network:
- Public address: 203.0.113.1 (this is the address of the WAN interface on the router)
- Internal address of router: 192.168.1.1
- Address of the server: 192.168.1.2
- Address of a computer: 192.168.1.100
If a packet is sent to the public address (203.0.113.1) by a computer at 192.168.1.100, the packet would normally be routed to the default gateway (the router), unless an explicit route is set in the computer's routing table. A router with the NAT loopback feature detects that 203.0.113.1 is the address of its WAN interface and treats the packet as if it had arrived on that interface. It then uses its DNAT (port forwarding) rules to decide where the packet is delivered. For example, if the data were sent to port 80 and there is a DNAT rule for port 80 directed to 192.168.1.2, then the host at that address will receive the packet.
If no applicable DNAT rule exists, the router's firewall drops the packet, and an ICMP Destination Unreachable reply may be sent. If a DNAT rule does match, source address translation is still in effect: the router also rewrites the source IP address in the packet. The computer (192.168.1.100) sends the packet with source 192.168.1.100, but the server (192.168.1.2) receives it as coming from 203.0.113.1. When the server replies, the process is identical to that for an external sender. Thus, two-way communication is possible between hosts inside the LAN via their public IP address.
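The translation steps above, modelled as an added example (not code from the article): a small hairpin-NAT simulation using the article's example addresses, with an assumed DNAT table and connection-tracking table so that the server's reply can be mapped back to the original LAN sender. Note that the server only ever sees 203.0.113.1 as the client address, so its logs cannot distinguish which internal host made the request.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Addresses from the article's example network (assumed topology).
WAN_IP = "203.0.113.1"          # router WAN interface
SERVER_IP = "192.168.1.2"       # internal server reached via DNAT
CLIENT_IP = "192.168.1.100"     # LAN computer connecting to the public IP


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    sport: int


class HairpinNat:
    """Model of a router performing NAT loopback.

    dnat_rules maps a public destination port to (internal_ip, internal_port).
    The connection table remembers each hairpinned flow so that the reply can
    be translated back to the original LAN sender and public port.
    """

    def __init__(self, dnat_rules: Dict[int, Tuple[str, int]]):
        self.dnat_rules = dnat_rules
        # (server_ip, server_port, client_sport) -> (original src, public port)
        self.conntrack: Dict[Tuple[str, int, int], Tuple[str, int]] = {}

    def forward(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst != WAN_IP:
            return pkt  # ordinary LAN traffic, not hairpinned
        rule = self.dnat_rules.get(pkt.dport)
        if rule is None:
            return None  # firewall drops; ICMP unreachable may follow
        srv_ip, srv_port = rule
        self.conntrack[(srv_ip, srv_port, pkt.sport)] = (pkt.src, pkt.dport)
        # DNAT to the internal server, then SNAT the source to the WAN address,
        # so the server sees the request as if it came from the Internet.
        return Packet(src=WAN_IP, dst=srv_ip, dport=srv_port, sport=pkt.sport)

    def reply(self, pkt: Packet) -> Optional[Packet]:
        # Server reply: src=server, dst=WAN_IP. Reverse both translations.
        entry = self.conntrack.get((pkt.src, pkt.sport, pkt.dport))
        if entry is None:
            return None  # no matching flow: unsolicited, dropped
        orig_src, public_port = entry
        return Packet(src=WAN_IP, dst=orig_src, dport=pkt.dport, sport=public_port)
```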
NAT loopback is especially useful when the server hosts a domain name that resolves to the public address. When the router does not perform NAT loopback, any connection attempts from inside the LAN to that IP address fail.