What is NAT Loopback and why is it needed to host a public Opensimulator Region? Currently (as at August 2010), a hosted region on a home connection with a broadband router needs what is known as NAT Loopback functionality. Many DSL routers/modems prevent loopback connections as a security feature. This means that a machine on your local network (e.g. behind your DSL router/modem) cannot connect to a forward-facing IP address (such as 199.149.252.44) of a machine that is also on your local network. Connecting to the local IP address (such as 192.168.2.40) of that same machine works fine. This is an issue since each region has to specify an IP address for the client to connect to.
Is NAT loopback really a security issue?

NAT loopback is where a machine on the LAN is able to access another machine on the LAN via the external IP address of the LAN/router (with port forwarding set up on the router to direct requests to the appropriate machine on the LAN). Without NAT loopback you must use the internal IP address of the device when on the LAN.

Security is sometimes cited as the reason. Is NAT loopback really a security issue? And if so, how is this exploited?

EDIT: The mentions of security are admittedly from unofficial sources, which is why I would like to clarify this.

"Most routers will not send out and receive data on the same interface (Loopback), as this is a security risk."

And further down the same page, from the same user:

"As a network engineer I work with Cisco and Brocade routers daily and these will not allow loopback due to the inherent security issues. ... have adopted an approach that security is very important and as with enterprise class routers, loopback is not permitted."

"Many DSL routers/modems prevent loopback connections as a security feature."

To be honest, up until now I have always assumed that failure to support NAT loopback was simply a failure in the hardware/firmware, not a 'security feature'?! Its omission is a far greater problem IMHO.

Most consumer grade routers don't have any prohibition against it, it just doesn't work. This isn't hypothetical, just run tcpdump on your own computer and you'll see it happen right now. Captured from my Buffalo ddwrt moments ago just to verify.

Outside IP: 99.99.99.99, forwarded to Computer2

Computer1 to Router
Router uses DNAT to change the destination to 10.0.0.4 and pushes it back to the local network:

Router to Computer2
Computer2 attempts to respond to the packet by sending to the source IP.

Computer2 to Computer1
Computer1 was expecting a reply from 99.99.99.99, got one from 10.0.0.4 instead. Addresses don't match, connection failure, RST packet sent back.

Now, you ask, why doesn't the router SNAT the connection from Computer1 to the router's internal IP when it DNATs it to Computer2? Because the SNAT rule would make a mess of all the rest of the traffic which doesn't follow the pattern above. SNAT really should only be used in one direction unless you're willing to put a lot of time and care into crafting and maintaining a NAT ruleset that won't bite you.

And to preempt anyone who says how about this:

iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 10.0.0.0/24 -j MASQUERADE

I would point out that this rule would affect not only NAT-loopback traffic, but also bridge traffic (e.g. WiFi network to wired network), which would make a WiFi router frustratingly broken. The rule would have to be tailored to match ONLY the loopback traffic, which is slightly more tricky and probably involves marking packets. Not impossible, but not the sort of engineering and debugging that goes into most routers and certainly fraught with peril.

(If you hadn't guessed, my router does not support NAT loopback.)
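The DNAT-only flow the answer above walks through, as an added example (not code from the answer or from any router firmware): a small Python model of the router's NAT table that reproduces the address mismatch and contrasts it with the over-broad MASQUERADE rule quoted in the answer and with an SNAT limited to the forwarded host and port. It reuses the answer's addresses (99.99.99.99, 10.0.0.4, 10.0.0.0/24) and assumes Computer1 is 10.0.0.2, the router's LAN address is 10.0.0.1 and the forwarded service is TCP port 80; the 'hairpin' mode is one way of matching only the loopback traffic, not the answer's own proposal.

```python
# Added example: model of the NAT-loopback flow. From the answer: router WAN 99.99.99.99,
# Computer2 10.0.0.4, LAN 10.0.0.0/24. Assumed: Computer1 10.0.0.2, router LAN 10.0.0.1, TCP/80.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("10.0.0.0/24")
ROUTER_LAN, ROUTER_WAN = "10.0.0.1", "99.99.99.99"
PC1, PC2, SERVICE_PORT = "10.0.0.2", "10.0.0.4", 80

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

class Router:
    """mode 'none'    = DNAT port-forward only (what the answer captured)
       mode 'broad'   = DNAT plus the quoted MASQUERADE rule for all LAN -> LAN traffic
       mode 'hairpin' = DNAT plus SNAT limited to LAN -> forwarded service (assumed fix)"""
    def __init__(self, mode):
        self.mode = mode
        self.conntrack = {}  # reply 4-tuple as the router sees it -> original request
    def outbound(self, p):
        new = p
        if p.dst == ROUTER_WAN and p.dport == SERVICE_PORT:           # PREROUTING: DNAT
            new = Pkt(p.src, p.sport, PC2, SERVICE_PORT)
        src_in_lan = ip_address(p.src) in LAN
        if (self.mode == "broad" and src_in_lan and ip_address(new.dst) in LAN) or \
           (self.mode == "hairpin" and src_in_lan and new != p):   # POSTROUTING: SNAT
            new = Pkt(ROUTER_LAN, p.sport, new.dst, new.dport)
        self.conntrack[(new.dst, new.dport, new.src, new.sport)] = p
        return new

    def reply(self, p):
        orig = self.conntrack.get((p.src, p.sport, p.dst, p.dport))   # reverse the NAT
        return p if orig is None else Pkt(orig.dst, orig.dport, orig.src, orig.sport)

def connect(mode, dst, dport):
    """Computer1 opens a TCP connection to dst:dport; report what each side sees."""
    router = Router(mode)
    request = Pkt(PC1, 51000, dst, dport)
    delivered = router.outbound(request)              # what reaches Computer2
    answer = Pkt(delivered.dst, delivered.dport, delivered.src, delivered.sport)
    # A reply to a LAN host goes straight there (router never sees it); one to the router's LAN IP is un-NATed.
    seen = answer if answer.dst != ROUTER_LAN else router.reply(answer)
    return {"src_seen_by_computer2": delivered.src,
            "reply_src_seen_by_computer1": seen.src,
            "accepted": (seen.src, seen.sport) == (request.dst, request.dport)}
```

connect("none", ROUTER_WAN, 80) reproduces the capture (reply arrives from 10.0.0.4, not 99.99.99.99, so the client rejects it), while connect("broad", PC2, 22) shows the quoted MASQUERADE rule hiding the real client behind 10.0.0.1 on an ordinary LAN-to-LAN connection.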