?? Weird: Cannot Connect using Routable IP ??

on 05.04.2008 07:42:15 by Tom Baxter

Hello all,

Sorry about the cross-posting but I'm not sure of the best group. If you
have any suggestions for a better group, please let me know.

The problem I'm having is easy to describe: I have a home network that's
behind a router. I have set up one of my machines to be a web server and
I've configured the firewall to point to this machine for incoming requests
on port 80. Using a web browser, I can browse to the router's IP address and
sure enough, I'm forwarded to my web server, it works great, but only if I
am NOT on my local network!

For example, if I am at work or at the coffee shop, I *can* browse to my
router's IP address and I see the web page. If, however, I am at home,
behind the firewall, I *cannot* use my router's IP. From home I have to use
the web server's local IP: http://192.168.254.68. Can someone explain what's
going on here? Why can I only use the router's IP if I am outside my network?

Here's the configuration:
Web Server Machine:
Virtual machine running Windows Server 2008, IIS 7

Web Browser Machine:
XP Pro running IE 7

Thanks very much.
--
Tom Baxter

Re: ?? Weird: Cannot Connect using Routable IP ??

on 05.04.2008 08:16:46 by Bill Grant

That is the way it works. Always has.

If you are on the local network, you make a direct connection to the server
using its local IP. You do not go out through the router to its public NIC
and then be redirected back to the web server.

If it worries you, set up a host file to point your web server's name to
its local IP and use http://servername . (Or do this through DNS if you are
running a local DNS).

"Tom Baxter" wrote in message
news:%23YYrT$tlIHA.4244@TK2MSFTNGP06.phx.gbl...
> Hello all,
>
> Sorry about the cross-posting but I'm not sure of the best group. If you
> have any suggestions for a better group, please let me know.
>
> The problem I'm having is easy to describe: I have a home network that's
> behind a router. I have set up one of my machines to be a web server and
> I've configured the firewall to point to this machine for incoming
> requests on port 80. Using a web browser, I can browse to the router's IP
> address and sure enough, I'm forwarded to my web server, it works great,
> but only if I am NOT on my local network!
>
> For example, if I am at work or at the coffee shop, I *can* browse to my
> router's IP address and I see the web page. If, however, I am at home,
> behind the firewall, I *cannot* use my router's IP. From home I have to
> use the web server's local IP: http://192.168.254.68. Can someone explain
> what's going on here? Why can I only use the router's IP if I am outside my
> network?
>
> Here's the configuration:
> Web Server Machine:
> Virtual machine running Windows Server 2008, IIS 7
>
> Web Browser Machine:
> XP Pro running IE 7
>
> Thanks very much.
> --
> Tom Baxter
>

Re: ?? Weird: Cannot Connect using Routable IP ??

on 05.04.2008 09:14:01 by Kristofer Gafvert

Hi,

It seems that your router does not support this feature. Some routers do,
some don't.


--
Regards,
Kristofer Gafvert
http://www.gafvert.info/iis/ - IIS Related Info


"Tom Baxter" wrote in message
news:%23YYrT$tlIHA.4244@TK2MSFTNGP06.phx.gbl...
> Hello all,
>
> Sorry about the cross-posting but I'm not sure of the best group. If you
> have any suggestions for a better group, please let me know.
>
> The problem I'm having is easy to describe: I have a home network that's
> behind a router. I have set up one of my machines to be a web server and
> I've configured the firewall to point to this machine for incoming
> requests on port 80. Using a web browser, I can browse to the router's IP
> address and sure enough, I'm forwarded to my web server, it works great,
> but only if I am NOT on my local network!
>
> For example, if I am at work or at the coffee shop, I *can* browse to my
> router's IP address and I see the web page. If, however, I am at home,
> behind the firewall, I *cannot* use my router's IP. From home I have to
> use the web server's local IP: http://192.168.254.68. Can someone explain
> what's going on here? Why can I only use the router's IP if I am outside my
> network?
>
> Here's the configuration:
> Web Server Machine:
> Virtual machine running Windows Server 2008, IIS 7
>
> Web Browser Machine:
> XP Pro running IE 7
>
> Thanks very much.
> --
> Tom Baxter
>

Re: ?? Weird: Cannot Connect using Routable IP ??

on 05.04.2008 09:16:45 by Tom Baxter

"Bill Grant" wrote in message
news:%23EVVYSulIHA.2368@TK2MSFTNGP03.phx.gbl...

> That is the way it works. Always has.

Ahh, now I understand... :)


> If you are on the local network, you make a direct connection to the
> server using its local IP. You do not go out through the router to its
> public NIC and then be redirected back to the web server.
>
> If it worries you, set up a host file to point your web server's name to
> its local IP and use http://servername . (Or do this through DNS if you
> are running a local DNS).
>
> "Tom Baxter" wrote in message
> news:%23YYrT$tlIHA.4244@TK2MSFTNGP06.phx.gbl...
>> Hello all,
>>
>> Sorry about the cross-posting but I'm not sure of the best group. If you
>> have any suggestions for a better group, please let me know.
>>
>> The problem I'm having is easy to describe: I have a home network that's
>> behind a router. I have set up one of my machines to be a web server and
>> I've configured the firewall to point to this machine for incoming
>> requests on port 80. Using a web browser, I can browse to the router's IP
>> address and sure enough, I'm forwarded to my web server, it works great,
>> but only if I am NOT on my local network!
>>
>> For example, if I am at work or at the coffee shop, I *can* browse to my
>> router's IP address and I see the web page. If, however, I am at home,
>> behind the firewall, I *cannot* use my router's IP. From home I have to
>> use the web server's local IP: http://192.168.254.68. Can someone explain
>> what's going on here? Why can I only use the router's IP if I am outside my
>> network?
>>
>> Here's the configuration:
>> Web Server Machine:
>> Virtual machine running Windows Server 2008, IIS 7
>>
>> Web Browser Machine:
>> XP Pro running IE 7
>>
>> Thanks very much.
>> --
>> Tom Baxter
>>
>

Re: ?? Weird: Cannot Connect using Routable IP ??

on 06.04.2008 00:00:00 by DragonDance

"Kristofer Gafvert" wrote:

> Hi,
>
> It seems that your router does not support this feature. Some routers do,
> some don't.
>

Are you sure about that????? What does a router do? Answer: It routes
network traffic from ONE subnet to ANOTHER subnet. Bill Grant has explained
pretty well about the problem which is related to DNS not routing. Either
create an entry in an LMHOSTS file, or if you have a DNS server just create
another A record for the web server with the router's IP address.

Re: ?? Weird: Cannot Connect using Routable IP ??

on 06.04.2008 01:27:36 by unknown

"Dragon Without Wings" wrote in message
news:296B3A54-34F6-4DDD-BC89-886EAF9776C6@microsoft.com...
: "Kristofer Gafvert" wrote:
:
: > Hi,
: >
: > It seems that your router does not support this feature. Some routers do,
: > some don't.
: >
:
: Are you sure about that?????

Yes, my router supports this feature.

Re: ?? Weird: Cannot Connect using Routable IP ??

on 06.04.2008 01:28:22 by unknown

: Can someone explain what's
: going on here? Why can I only use the router's IP if I am outside my network?

Because your router's web interface is on port 80, perhaps?

Re: ?? Weird: Cannot Connect using Routable IP ??

on 06.04.2008 03:10:41 by Tom Baxter

"Uncle Kenny" wrote in message
news:OfRl8S3lIHA.1208@TK2MSFTNGP03.phx.gbl...
>: Can someone explain what's
> : going on here? Why can I only use the router's IP if I am outside my
> network?
>
> Because your router's web interface is on port 80, perhaps?
>


Yes, my router interface is indeed on port 80, but that is on the local
subnet. My router config is at http://192.168.1.254:80. My web site is also
port 80 but the IP address is the router's external address. I think it
makes a difference, right?
--
Tom Baxter

Re: ?? Weird: Cannot Connect using Routable IP ??

on 06.04.2008 04:02:27 by unknown

"Tom Baxter" wrote in message
news:udL%23PM4lIHA.6032@TK2MSFTNGP03.phx.gbl...
:
:
:
: "Uncle Kenny" wrote in message
: news:OfRl8S3lIHA.1208@TK2MSFTNGP03.phx.gbl...
: >: Can someone explain what's
: > : going on here? Why can I only use the router's IP if I am outside my
: > network?
: >
: > Because your router's web interface is on port 80, perhaps?
: >
:
:
: Yes, my router interface is indeed on port 80, but that is on the local
: subnet. My router config is at http://192.168.1.254:80. My web site is also
: port 80 but the IP address is the router's external address. I think it
: makes a difference, right?
: --


So you mean you enter the external IP from within the local network and you
get... not what you want?

Re: ?? Weird: Cannot Connect using Routable IP ??

on 06.04.2008 05:37:17 by Tom Baxter

"Uncle Kenny" wrote in message
news:eHZ3Cp4lIHA.5024@TK2MSFTNGP06.phx.gbl...
>
> "Tom Baxter" wrote in message
> news:udL%23PM4lIHA.6032@TK2MSFTNGP03.phx.gbl...
> :
> :
> :
> : "Uncle Kenny" wrote in message
> : news:OfRl8S3lIHA.1208@TK2MSFTNGP03.phx.gbl...
> : >: Can someone explain what's
> : > : going on here? Why can I only use the router's IP if I am outside my
> : > network?
> : >
> : > Because your router's web interface is on port 80, perhaps?
> : >
> :
> :
> : Yes, my router interface is indeed on port 80, but that is on the local
> : subnet. My router config is at http://192.168.1.254:80. My web site is also
> : port 80 but the IP address is the router's external address. I think it
> : makes a difference, right?
> : --
>
>
> So you mean you enter the external IP from within the local network and
> you get... not what you want?
>

Yes, exactly correct. If I enter http://99.141.170.98:80 (that's the
router's external IP, although it's dynamic so don't bother trying to hit
the server) from within my local network I do *NOT* get to the web server.
If I enter the same URL from Starbucks I *DO* get to the web server. In
order to hit the web server from my local network I need to use the local IP
of the web server itself: http://192.168.1.68

I know the pattern of what's happening: It's just what Bill Grant said in
the original response: "You do not go out through the router to its public
NIC and then be redirected back to the web server." This is the behavior I'm
seeing so in that sense, Bill's right. But no one has really been able to
explain why this behavior happens or if it's something I can bypass or
disable.

Re: ?? Weird: Cannot Connect using Routable IP ??

on 06.04.2008 09:24:26 by Kristofer Gafvert

Hello,

From what I can read in the original post, the IP address is used every
time. Nowhere can I read about a domain name being used. Hence I do not
think that the original problem is DNS, but it may be solved by name
resolution (either DNS or LMHOSTS file) by resolving the domain name to
different IP addresses depending on where you are. Do note however that you
use different IP addresses to access the website.

The problem is basically this:

The router device has two IP addresses, a WAN IP address and a LAN IP
address. When you try to access the WAN IP address from your LAN, the
request goes to the LAN NIC and then stops at the WAN NIC, because it does
not go thru the "forwarding rule". What needs to happen is that the request
must loopback and go "thru" the external NIC and apply the forwarding rule.

Some routers support this, others don't. There is very little to do about
it, unless the router has a setting that can enable this feature (which it
probably does not have, because it would then most likely already be enabled).
The manufacturer has just simply decided they want the router to work this
way.

The only thing I can think of is to check if there is a firmware update that
enables this behavior. If not, either work around it or get a router/NAT
device that supports it.

--
Regards,
Kristofer Gafvert
http://www.gafvert.info/iis/ - IIS Related Info


"Dragon Without Wings" wrote in message
news:296B3A54-34F6-4DDD-BC89-886EAF9776C6@microsoft.com...
> "Kristofer Gafvert" wrote:
>
>> Hi,
>>
>> It seems that your router does not support this feature. Some routers do,
>> some don't.
>>
>
> Are you sure about that????? What does a router do? Answer: It routes
> network traffic from ONE subnet to ANOTHER subnet. Bill Grant has explained
> pretty well about the problem which is related to DNS not routing. Either
> create an entry in an LMHOSTS file, or if you have a DNS server just create
> another A record for the web server with the router's IP address.

Re: ?? Weird: Cannot Connect using Routable IP ??

on 06.04.2008 10:31:30 by James Egan

On Sat, 5 Apr 2008 22:37:17 -0500, "Tom Baxter"
wrote:

>I know the pattern of what's happening: It's just what Bill Grant said in
>the original response: "You do not go out through the router to its public
>NIC and then be redirected back to the web server." This is the behavior I'm
>seeing so in that sense, Bill's right. But no one has really been able to
>explain why this behavior happens or if it's something I can bypass or
>disable.
>

If the port forwarding (redirection) was performed on the LAN
interface as well as the WAN interface it still wouldn't work.

The server would get the initial connection okay but the server's
response would go directly from server to client (since they are both
on the same subnet) bypassing the router on the return journey. The
router doesn't have the chance to reverse the translation so the
client receives a response from the server it is not expecting and
drops it.


Jim.
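
The return-path problem described in the post above, traced as an added Python example (not code from anyone in the thread). It uses the router and server addresses quoted in the thread; the /24 mask, the two client addresses and the source port are constructed for illustration, and the third case rewrites the source address as well, which is one way a router can keep the reply on the translated path.

```python
import ipaddress
from dataclasses import dataclass

# Addresses quoted in the thread; the /24 mask is an assumption.
LAN = ipaddress.ip_network("192.168.1.0/24")
WAN_IP = "99.141.170.98"         # router's external address
ROUTER_LAN_IP = "192.168.1.254"  # router's LAN address
SERVER_IP = "192.168.1.68"       # web server behind the port-80 forward
# Constructed sample clients (not from the thread).
LAN_CLIENT = "192.168.1.50"
OUTSIDE_CLIENT = "203.0.113.7"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def on_lan(ip):
    return ipaddress.ip_address(ip) in LAN


class Router:
    def __init__(self, hairpin_snat):
        self.hairpin_snat = hairpin_snat
        self.conntrack = {}  # translated flow (as the reply sees it) -> original packet

    def forward(self, pkt):
        """Port forward: rewrite the destination WAN_IP:80 to SERVER_IP:80."""
        src = pkt.src
        if self.hairpin_snat and on_lan(pkt.src):
            src = ROUTER_LAN_IP  # also rewrite the source so replies return here
        out = Packet(src, pkt.sport, SERVER_IP, pkt.dport)
        self.conntrack[(out.dst, out.dport, out.src, out.sport)] = pkt
        return out

    def reverse(self, reply):
        """Undo both rewrites on a reply that actually reaches the router."""
        orig = self.conntrack[(reply.src, reply.sport, reply.dst, reply.dport)]
        return Packet(orig.dst, orig.dport, orig.src, orig.sport)


def connect(client_ip, hairpin_snat):
    """Trace one connection attempt to http://WAN_IP:80 and report the outcome."""
    router = Router(hairpin_snat)
    syn = Packet(client_ip, 40000, WAN_IP, 80)  # 40000: constructed source port
    at_server = router.forward(syn)
    reply = Packet(at_server.dst, at_server.dport, at_server.src, at_server.sport)
    # The server answers the source address it saw. A same-subnet peer is
    # reached directly on the LAN; anything else goes to the router.
    if reply.dst != ROUTER_LAN_IP and on_lan(reply.dst):
        path = "direct"
    else:
        path = "via router"
        reply = router.reverse(reply)
    # The client only accepts a reply from the address and port it connected to.
    accepted = (reply.src, reply.sport) == (syn.dst, syn.dport)
    return {"accepted": accepted, "reply_path": path,
            "reply_src": reply.src, "server_saw": at_server.src}


if __name__ == "__main__":
    for name, ip, snat in [("outside client", OUTSIDE_CLIENT, False),
                           ("LAN client, forward only", LAN_CLIENT, False),
                           ("LAN client, forward + source rewrite", LAN_CLIENT, True)]:
        print(name, connect(ip, snat))
```

In the third case `server_saw` is the router's LAN address, so the web server's access log no longer records which LAN machine made the request.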

Re: ?? Weird: Cannot Connect using Routable IP ??

on 06.04.2008 10:40:05 by James Egan

On Sun, 6 Apr 2008 09:24:26 +0200, "Kristofer Gafvert"
wrote:

>The router device has two IP addresses, a WAN IP address and a LAN IP
>address. When you try to access the WAN IP address from your LAN, the
>request goes to the LAN NIC and then stops at the WAN NIC, because it does
>not go thru the "forwarding rule". What needs to happen is that the request
>must loopback and go "thru" the external NIC and apply the forwarding rule.
>
>Some routers support this, others don't. There is very little to do about
>it, unless the router has a setting that can enable this feature (which it
>probably does not have, because it would then most likely already be enabled).
>The manufacturer has just simply decided they want the router to work this
>way.
>
>The only thing I can think of is to check if there is a firmware update that
>enables this behavior. If not, either work around it or get a router/NAT
>device that supports it.

Hello,

How does the return traffic get routed through the router unless the
web server is isolated onto a different lan subnet?


Jim.

Re: ?? Weird: Cannot Connect using Routable IP ??

on 07.04.2008 15:40:29 by Phillip Windell

It doesn't have anything to do with "routing". It doesn't have anything to
do with anything higher than **Layer2**

When you try to make a U-Turn through a NAT Device it creates a situation
where the Source MAC and the Destination MAC in the Layer2 portion of the
packet are the same address,...so it has an identity crisis,...shoots itself
in the head,...or jumps off the roof. It is a limitation in the way a
Reverse-NAT functions.

Proxy Servers do not have this problem because they are not "NAT"ing.
Some NAT Firewalls may have overcome it by proprietary means in their
firmware that sort of "patches" the NAT functionality.

ISA Server, which can simultaneously operate both as a proxy and as a NAT
box, for example will let you do it both exiting ways.

1. Do a "Server Publish" to a web server (NAT based) and it will fail

2. Do a Web Publishing based on the CERN Compliant Web Proxying of ISA
and it will function fine.

Here's the official and v ery details explaination of the whole things based
on useing ISA as the example:

You have to get about half way down into it to see the MAC situation
explained.

14120 Errors; Discussion and Solution
http://www.isaserver.org/articles/14120_Errors_Discussion_and_Solution.html

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

"Dragon Without Wings" wrote in message
news:296B3A54-34F6-4DDD-BC89-886EAF9776C6@microsoft.com...
> "Kristofer Gafvert" wrote:
>
>> Hi,
>>
>> It seems that your router does not support this feature. Some routers do,
>> some don't.
>>
>
> Are you sure about that????? What does a router do? Answer: It routes
> network traffic from ONE subnet to ANOTHER subnet. Bill Grant has explained
> pretty well about the problem which is related to DNS not routing. Either
> create an entry in an LMHOSTS file, or if you have a DNS server just create
> another A record for the web server with the router's IP address.

Re: ?? Weird: Cannot Connect using Routable IP ??

on 07.04.2008 15:45:22 by Phillip Windell

"Tom Baxter" wrote in message
news:eo3aJe5lIHA.5024@TK2MSFTNGP06.phx.gbl...
> I know the pattern of what's happening: It's just what Bill Grant said in
> the original response: "You do not go out through the router to its public
> NIC and then be redirected back to the web server." This is the behavior
> I'm seeing so in that sense, Bill's right. But no one has really been able
> to explain why this behavior happens or if it's something I can bypass or
> disable.

Bill is correct.
I explained the details of why in a post further up in the thread.

The *correct* way to handle this is:

1. Stop using IP#s in the Browser's URL,...use the FQDN
2. Use Split-DNS so that the FQDN of the site resolves to the Public IP# for
the users "out of the Internet". But at the same time the FQDN resolves to
the Private IP# of the Web Server itself when the User is "on the LAN" which
allows them to go directly to the web server without involving the "NAT
firewall".

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

Re: ?? Weird: Cannot Connect using Routable IP ??

on 07.04.2008 16:05:50 by Phillip Windell

Sorry for the "typos".

> ISA Server, which can simultaneously operate both as a proxy and as a NAT
> box, for example will let you do it both exiting ways.

Meant to say "exciting ways" :-)

> Here's the official and v ery details explaination of the whole things
> based on useing ISA as the example:

Meant to say:

Here's the official and very detailed explanation of the whole thing based
on using ISA as the example:


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

Re: ?? Weird: Cannot Connect using Routable IP ??

on 08.04.2008 03:50:02 by DragonDance

"Tom Baxter" wrote:

>
>
>
> I know the pattern of what's happening: It's just what Bill Grant said in
> the original response: "You do not go out through the router to its public
> NIC and then be redirected back to the web server." This is the behavior I'm
> seeing so in that sense, Bill's right. But no one has really been able to
> explain why this behavior happens or if it's something I can bypass or
> disable.
>
This is by the design in order to prevent looping which is quite similar to
spanning tree protocol in switches.

Re: ?? Weird: Cannot Connect using Routable IP ??

on 08.04.2008 04:07:31 by Tom Baxter

Okay, this is a great response. This is the detail I was looking for rather
than just, "It's always been that way".

Thanks very much.

--
Tom Baxter



"Phillip Windell" wrote in message
news:exOg$VLmIHA.1188@TK2MSFTNGP04.phx.gbl...
> It doesn't have anything to do with "routing". It doesn't have anything
> to do with anything higher than **Layer2**
>
> When you try to make a U-Turn through a NAT Device it creates a situation
> where the Source MAC and the Destination MAC in the Layer2 portion of the
> packet are the same address,...so it has an identity crisis,...shoots
> itself in the head,...or jumps off the roof. It is a limitation in the
> way a Reverse-NAT functions.
>
> Proxy Servers do not have this problem because they are not "NAT"ing.
> Some NAT Firewalls may have overcome it by proprietary means in their
> firmware that sort of "patches" the NAT functionality.
>
> ISA Server, which can simultaneously operate both as a proxy and as a NAT
> box, for example will let you do it both exiting ways.
>
> 1. Do a "Server Publish" to a web server (NAT based) and it will fail
>
> 2. Do a Web Publishing based on the CERN Compliant Web Proxying of ISA
> and it will function fine.
>
> Here's the official and v ery details explaination of the whole things
> based on useing ISA as the example:
>
> You have to get about half way down into it to see the MAC situation
> explained.
>
> 14120 Errors; Discussion and Solution
> http://www.isaserver.org/articles/14120_Errors_Discussion_and_Solution.html
>
> --
> Phillip Windell
> www.wandtv.com
>
> The views expressed, are my own and not those of my employer, or
> Microsoft,
> or anyone else associated with me, including my cats.
> -----------------------------------------------------
>
> "Dragon Without Wings" wrote in message
> news:296B3A54-34F6-4DDD-BC89-886EAF9776C6@microsoft.com...
>> "Kristofer Gafvert" wrote:
>>
>>> Hi,
>>>
>>> It seems that your router does not support this feature. Some routers do,
>>> some don't.
>>>
>>
>> Are you sure about that????? What does a router do? Answer: It routes
>> network traffic from ONE subnet to ANOTHER subnet. Bill Grant has explained
>> pretty well about the problem which is related to DNS not routing. Either
>> create an entry in an LMHOSTS file, or if you have a DNS server just create
>> another A record for the web server with the router's IP address.
>
>

Re: ?? Weird: Cannot Connect using Routable IP ??

on 08.04.2008 17:50:00 by Phillip Windell

"Tom Baxter" wrote in message
news:%23nqWY1RmIHA.5368@TK2MSFTNGP04.phx.gbl...
> Okay, this is a great response. This is the detail I was looking for
> rather than just, "It's always been that way".

Yea, it's always been that way :-}

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------