7

I purchased a static IP for a server I run at my home. I can access it outside the home, but I cannot reach my server with my static IP address when connected to the home network.

It just works with a local IP, and it is not possible to access it directly with the domain.

I am using a TP-Link Archer VR1200 AC 1200 router; the server runs on Debian 11 in Workstation Pro on Windows 10.

What could be the reason for this?

Emre6
    Please edit your question to provide details on what the exact make and model of your router and modem are as well as what OS you are on. – Giacomo1968 Dec 25 '21 at 17:57
    Being unable to use your own public IP address, from within your own intranet network, is actually pretty typical. Why are you trying to use the public IP address instead of your intranet IP address for the device? – Ramhound Dec 25 '21 at 19:18
    @Ramhound Because a static IP address is tied to a domain. – Emre6 Dec 25 '21 at 21:18
  • Suggestion: Set up a local DNS server with your desired domain name and its local IP, forwarding all other requests to e.g. your ISP. Then have your router use that DNS server. Local devices should then be able to resolve the domain without messing with `hosts` files for each device. The drawbacks are (potentially) a bit of a learning curve and that the DNS server needs to be turned on for any domain resolution (i.e. internet access). – Anaksunaman Dec 26 '21 at 02:57
  • Shouldn't the router be able to configure this _(SNAT, DNAT, or DNS)_, as this is the purpose of a router after all? It would make more sense to access this across the LAN intranet versus LAN → WAN → LAN, since doing the latter will limit the connection throughput to the upload throughput of the ISP plan being used, as well as increase latency. – JW0914 Dec 26 '21 at 14:33

1 Answer

12

This is very common and it means your router does not do hairpinning SNAT, usually requiring a specific configuration on the router, depending on which router platform you have. Some router platforms do not support hairpinning (I think my own D-Link required a firmware upgrade, some time ago).

  • The "proper" solution (as @RonMaupin correctly points out) would be for the network to have its own DNS resolver so the domain, from the intranet, is resolved to its real intranet address; this setup isn't usually available in a SOHO/Home setup and is offloaded to the modem-router, where instead of doing DNS resolution, it routes the packets back after de/NATting them.
  • A somewhat kludgy "workaround" is to modify your static DNS resolver [/etc/hosts or %WinDir%\SYSTEM32\drivers\etc\hosts] and map the external resolved domain name [www.yoursite.com] to the internal IP address [e.g. 192.168.2.253]; you should then be able to access the site using www.yoursite.com, and if the site runs name-based virtual hosting, it will work and you'll be able to use the various developer tools that wouldn't work with the numeric IP address.
  • Some firmwares [OpenWRT, etc.] also have the option of doing DNS caching and resolving [overriding] some hosts internally, usually done to cut out some ad-sites by mapping them to 127.0.0.1, but if used, it can override that one domain name with the internal IP address.

The best you can reasonably hope for, unless you set up an internal DNS, is to reconfigure the router yourself, or speak to the ISP and have them set up hairpinning properly.

JW0914
LSerni
    Actually, hairpin routing is the kludge, wasting bandwidth on the LAN interface for both in- and outbound traffic, and wasting router resources for NAT. The proper way is to use split DNS so that local traffic remains local, with direct host-to-host communication, not bothering the router. – Ron Maupin Dec 25 '21 at 20:50
    I disagree that split-horizon DNS is any less of a kludge than hairpin NAT is. – Joseph Sible-Reinstate Monica Dec 26 '21 at 18:49
  • @Ron You’re assuming that L2 routing is somehow more efficient than L3/L4, which is only true for cheap consumer gear. And even the cheapest Ethernet switch chips often have a handful of slots for “If dst IP and port match, send to physical port 4”. It’s just that the default software is too crappy to configure the hardware. – Navin Jan 02 '22 at 13:57
  • @Navin, layer-2 is not routing, it is bridging, and it goes directly from the source host through the bridge to the destination host. On the other hand, hairpin routing goes from the source host, through the bridge to the router using bandwidth in the router LAN interface and router resources to strip off the layer-2 frame, route the packet to the WAN interface, NAT, reroute back to the LAN interface, un-NAT, build a new layer-2 frame for the packet, send it back to the bridge, where it gets bridged to the destination host. That is very inefficient and unnecessary. – Ron Maupin Jan 02 '22 at 15:21
  • @Ron That’s how it worked a few decades ago, yes. Today a single switch chip can check any field in a packet. Even in consumer hardware (where the switch chip doesn’t have enough slots to do NAT by itself so it is only used for L2), you can add a rule that matches destination IP and port number instead of matching destination MAC address. Some vendors call these rules “ACLs” since they allow Ethernet switches to act as firewalls. – Navin Jan 02 '22 at 15:33
  • @Navin, layer-2 bridging is done in hardware. You want to add a lot more to that. You are confused about how things actually work. Direct host-to-host bridging is far more efficient than routing. You do not route frames, you route packets. The frame has the source layer-2 address and the destination layer-2 address (either the destination host for the same network, or the router layer-2 address for a different network). The router needs to remove the layer-2 frame that is destined to it, and build a new frame for the next destination. You will also need to fix the NAT (very resource intensive) – Ron Maupin Jan 02 '22 at 15:43