You are not logged in.
I am trying to set up my SSH server so I can access it from the open internet. (Don't worry, I forced public key access, and enforced some maxstartups value, and I'm setting up fail2ban as I write this.) I have it working fine, but I have what I think this is probably a basic networking question:
Do providers/modems specifically disable connecting to yourself via external IP address when you are on the same local network?
I found a thread from the linux questions subreddit that seems to answer my question kind of, and which is why I've phrased the question as such.
Here's what I've found from experimenting with my own setup:
I port forwarded port 22 from my router to my server, which is also assigned a static ip. I noticed that if I try to connect to my server from my laptop, while on my home network, and via the external IP, the connection attempt times out.
For example, doing this while on my home network, will tell me the connection timed out. Or if I use the ipv6 address, it will refuse the connection immediately.
ssh -v cory@[external IP]
The ssh connection completes successfully if I connect using the internal ip of the ssh server and am on the home network, OR, if I go out to an external network and connect using the external IP address.
Thanks!
Offline
Not generally but you're (most likely) looking for
https://en.wikipedia.org/wiki/Network_a … T_loopback
https://community.tp-link.com/en/home/s … etail/1726 (this is interesting because of the port - you might fail DNAT if 22 is open on the router itself for LAN hosts)
Online
As seth mentions this occurs because your router doesn't provide loopback NAT.
You have AFAIK three possible mitigations:
- Enable loopback NAT. This may not be an option in your router. In fact most of the routers I know simply do it or don't.
- Switch to a router model that does provide loopback NAT.
- Use "split brain" DNS. Create an DNS record for your external IP. Only inside your home network resolve this DNS name to the internal IP address.
Offline
Yes, that's exactly what I needed, thanks! So looks like my ISP disables NAT loopback on its supplied routers, which I am using, so that's why it's not working.
My mental model of how the request works was off, looks like. I did not think there would be a special feature needed if you want to ping the external ip of your own network, but I guess something about the DNS resolution protocol doesn't work if the destination and source address are the same? The NAT hairpin/lookup links you posted are really helpful. So a router with NAT loopback enabled can recognize if the destination address corresponds to its WAN address and short circuit the request to remain inside the network. Interesting.
- Use "split brain" DNS. Create an DNS record for your external IP. Only inside your home network resolve this DNS name to the internal IP address.
Oh this is interesting. I have avahi set up so I can refer to my computers by their <hostname>.local aliases. I can look into this and see if re-use this to do that.
Last edited by Cory Parsnipson (2024-09-15 09:22:24)
Offline