Thursday, October 8, 2009

Loopback Connections

A common problem that some customers encounter when using a NAT router is that they want to be able to access their web site from within their local network, but their NAT router does not support "loopback" connections. This prevents them from being able to reach their own services, even though external visitors are able to connect.
The Problem

Let's say, for example, that we have a local network consisting of two machines behind a NAT router, with the router in turn connected to a DSL or cable modem. Each of the two machines will be assigned an IP address by the NAT router within a "local" IP space such as the 192.168 block. The NAT router in turn is assigned an IP address by the ISP within the "public" space. When you set up a host or domain within our system, it is this public IP address that the host/domain points to.

The following diagram shows the example network's two computers behind a NAT router:
Simple network diagram

In this diagram, the "public" address is 65.54.43.32 and the NAT router has a LAN/"private" address of 192.168.0.1. The other computers on the network are assigned numbers within this private space.

Now, let's say that we have registered the domain "example.com" with the host "www.example.com" mapped to this public IP address. When somebody out on the internet attempts to connect to www.example.com, they end up connecting to the WAN interface on the NAT router. The NAT router in turn "routes" the packets to an internal machine based on the port that the connection came in on.

The loopback problem arises when somebody using the "Work Station" computer wants to access the "Web Server" computer. If they try to access the computer via the hostname www.example.com, the NAT router will attempt to route this out its WAN interface and then back in. In most cases this will either fail or return the web interface for the router itself because the router doesn't understand what the user is trying to do.
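To make the three cases in the paragraph above concrete, here is an added example (not code from the original post) that classifies where a connection from a LAN machine will end up, using the addresses from the diagram. The DNS answers, the workstation address and the port-forwarding table are constructed values, and the `hairpin_nat` flag stands in for whether the router supports loopback, which a script cannot discover on its own; the "fails or shows the router's own web interface" outcome is reported as a failure here.

```python
# Added example: classify a LAN host's connection to a name that resolves
# to the router's public address. Addresses follow the post's diagram;
# the DNS answers and forwarding table are constructed.
import ipaddress

WAN_IP = ipaddress.ip_address("65.54.43.32")        # router's public address
LAN_NET = ipaddress.ip_network("192.168.0.0/24")    # private side of the router
ROUTER_LAN_IP = ipaddress.ip_address("192.168.0.1")


def classify_destination(resolved: str, source: str) -> str:
    """How the router will handle traffic from `source` to `resolved`.

    "direct"   destination is on the same LAN; the router is not involved
    "hairpin"  destination is the router's own WAN address, so the packet
               must be NAT'ed back in ("loopback"); this is the failing case
    "external" ordinary outbound NAT to a host on the internet
    """
    dst = ipaddress.ip_address(resolved)
    src = ipaddress.ip_address(source)
    if src not in LAN_NET:
        raise ValueError(f"{source} is not on the example LAN {LAN_NET}")
    if dst in LAN_NET:
        return "direct"
    if dst == WAN_IP:
        return "hairpin"
    return "external"


def simulate_connection(resolved, source, port, forwards, hairpin_nat):
    """Predict which address answers a TCP connection to `resolved`:`port`.

    forwards    -- the router's port-forwarding table, {port: LAN address}
    hairpin_nat -- True if the router re-NATs LAN traffic aimed at its own
                   WAN address (the "loopback"/"NAT redirection" feature)
    Returns the answering address, or None where the post says the
    connection fails.
    """
    kind = classify_destination(resolved, source)
    if kind in ("direct", "external"):
        return resolved               # no loopback involved at all
    if not hairpin_nat:
        return None                   # loopback unsupported: dropped or mis-handled
    target = forwards.get(port)
    if target is None:
        return str(WAN_IP)            # nothing forwarded: the router itself answers
    return target                     # forwarded back in to the LAN host


if __name__ == "__main__":
    workstation, forwards = "192.168.0.5", {80: "192.168.0.2"}
    for name, addr in [("www.example.com (DNS)", "65.54.43.32"),
                       ("www.example.com (hosts file)", "192.168.0.2"),
                       ("outside.example.net", "198.51.100.7")]:
        print(f"{name:30} {classify_destination(addr, workstation):9}",
              "answered by",
              simulate_connection(addr, workstation, 80, forwards, hairpin_nat=False))
```

Running it shows the asymmetry the post describes: the same name reaches the web server when it resolves to the LAN address, but goes nowhere when it resolves to the public address on a router without loopback support, even though port 80 is forwarded.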
The Solutions
Configure port forwarding

First, before trying any other solutions, you should configure port forwarding on your router. Some routers experience loopback errors until the correct ports are forwarded, especially when running a webserver. By adding an entry on port 80, your router will be correctly configured to allow access to your webserver. You can learn more about routers and port forwarding here, and visit PortForward.com for detailed guides on how to configure your router's forwarding features.
Check security settings

Some routers also have security options that cause the loopback error to occur. Check your router's settings for references to local connections, loopback connections, NAT redirection, and so on, then toggle them to see if this fixes the issue. The WRT54G, for example, has a variety of security checkboxes on its Security tab, one of which disables NAT redirections - and therefore causes loopback errors.
Modify your HOSTS file

If you have ensured the port forwarding in your router is correct and have enabled loopback redirections in the router's configuration, the device may simply be incapable of performing loopback connections properly. If this is the case, you can edit the HOSTS file on the local computers in your network to circumvent the problem. The HOSTS file is a legacy file from the days of ARPANET, before DNS existed, when users had to download the latest list of networked machines. (You can learn more here.)

On a standard UNIX/Linux system (including Apple's Mac OS X) the HOSTS file will generally be found at

/etc/hosts

On Windows systems the location of this file varies.

* Windows 9x - (x):\Windows\Hosts
* Windows XP - (x):\Windows\System32\Drivers\etc\Hosts
* Windows 2000 - (x):\WinNT\System32\Drivers\etc\Hosts

Regardless of the system, the format of this file should be essentially the same. Using the above network example you would want to add the following lines to this file:

192.168.0.1 router.example.com
192.168.0.2 www.example.com
192.168.0.3 foo.example.com

Now, any time you use a web browser or any other application to connect to www.example.com, the hostname will resolve locally via the HOSTS file instead of resolving via the DNS and you'll connect via the local IP address. At the same time, anyone not on your network will continue to use DNS to resolve this hostname and will connect via the public IP address.
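The procedure above is easy to get subtly wrong by hand: a stale line for www.example.com left higher in the file still wins, because resolvers take the first match. The following added example (not code from the original post) merges the three lines shown above into a hosts file so that each overridden name has exactly one answer, while keeping everything else, including the 127.0.0.1 block-list entries mentioned below, untouched. It works on the file's text so it runs offline; the sample hosts content is constructed, and the on-disk path used by `apply_to_file` (for example `/etc/hosts`, or the Windows locations listed above, which use the same format) is an assumption supplied by the caller. Since every application on the machine trusts this file ahead of DNS, the merge deliberately refuses to leave two conflicting lines behind.

```python
# Added example: merge the post's three LAN overrides into a hosts file
# without leaving a second, conflicting answer for any of the names.
# Operates on file text so it runs offline; SAMPLE_HOSTS is constructed
# and the on-disk path is supplied by the caller of apply_to_file().
from typing import Iterator, Optional

LAN_OVERRIDES = {                        # the three lines from the post
    "router.example.com": "192.168.0.1",
    "www.example.com": "192.168.0.2",
    "foo.example.com": "192.168.0.3",
}
BEGIN = "# BEGIN lan-overrides"          # marker pair so re-runs replace, not append
END = "# END lan-overrides"

SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
# anti-spyware block list, truncated
127.0.0.1       ads.example.net
# stale entry from an earlier attempt, sharing a line with another host
10.0.0.9        www.example.com nas.lan  # old address
"""


def parse_hosts(text: str) -> Iterator[tuple]:
    """Yield (address, names, raw_line); comments and blank lines give (None, [], raw)."""
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()      # drop any trailing comment
        if not body:
            yield None, [], raw
            continue
        fields = body.split()
        yield fields[0], fields[1:], raw


def resolve(text: str, name: str) -> Optional[str]:
    """First address the file gives for `name`, which is what a resolver uses."""
    for addr, names, _ in parse_hosts(text):
        if addr is not None and name in names:
            return addr
    return None


def merge_overrides(text: str, overrides: dict) -> str:
    """Return hosts text in which each overridden name maps only to its LAN address.

    An earlier marker block is discarded, overridden names are removed from
    the lines they appeared on (a line left with no names is dropped), and
    every other line, block-list entries included, is kept verbatim.
    """
    out, in_block = [], False
    for addr, names, raw in parse_hosts(text):
        stripped = raw.strip()
        if stripped == BEGIN:
            in_block = True
            continue
        if stripped == END:
            in_block = False
            continue
        if in_block:
            continue                                  # old copy of our block
        if addr is None:
            out.append(raw)                           # comment or blank line
            continue
        kept = [n for n in names if n not in overrides]
        if not kept:
            continue                                  # line named only overridden hosts
        if len(kept) < len(names):
            out.append(f"{addr}\t{' '.join(kept)}")   # rewritten; trailing comment lost
        else:
            out.append(raw)
    out.append(BEGIN)
    for name, addr in overrides.items():
        out.append(f"{addr}\t{name}")
    out.append(END)
    return "\n".join(out) + "\n"


def apply_to_file(path: str, overrides: dict = LAN_OVERRIDES) -> None:
    """Rewrite the hosts file at `path` (assumed, e.g. /etc/hosts); needs admin rights."""
    with open(path, encoding="utf-8") as fh:
        merged = merge_overrides(fh.read(), overrides)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(merged)


if __name__ == "__main__":
    merged = merge_overrides(SAMPLE_HOSTS, LAN_OVERRIDES)
    print(merged)
    for name in ("www.example.com", "nas.lan", "ads.example.net"):
        print(f"{name:18} before={resolve(SAMPLE_HOSTS, name)} after={resolve(merged, name)}")
```

Run it once to see the stale 10.0.0.9 answer for www.example.com replaced while nas.lan keeps its address; running `merge_overrides` on its own output returns the same text, so repeating the step after a router change is safe.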

(Note: If you use Spybot-Search & Destroy or other anti-spyware applications, you may notice hundreds or even thousands of entries in your HOSTS file set to 127.0.0.1. These entries protect you from accidentally visiting malicious websites by redirecting your connection to your own machine instead of the potentially dangerous external server. You may safely ignore these entries.)