Best practice for NAT loopback/reflection/hairpinning behind router/fritzbox/etc?

Hello @all and thanks for letting me join the community!

I think of replacing my debian linux firewall with IPFire. The firewall (IPFire) will be behind a router (FritzBox) as exposed host (all traffic which is not for the FritzBox itself gets routed to this ‘exposed host’) and the FritzBox will get a dynamic public IP. There is no acceptable way to change this (at least for me).

Beside normal routing / blocking tasks I have one special requirement: I need a NAT loopback to access local servers by it’s public IP. Setting up some PortForwarding and SNAT/Masquarading rules is not the real problem (the principle is the same as with my old configuration). The catch is: knowing the external IP (the IP the FritzBox is assigned by the ISP) and reacting to a change of this IP.

Is there any better way than writing a cron job that checks the external IP every some minutes, generate a new firewall.local script if needed and reload this?

(Yes - I know, split-dns is a common solution to deal with the problem but for me this is very uncomfortable since I often have to start and stop VPN tunnels and often need to flush the dns cache manually… )

Thanks in advance

Hi Holger,
I have no tech contribution/hint to provide, only a base common sense rule: if your toolbox change, sometimse change the way to use wrenches, screwdrivers and some more… need to change.

And Firewalls are… lot more flexible than wrenches and screwdrivers, but most of the time they’re built “in the developers way”, which could be the same you’re used to do things, rather than not.
After a lot times working on Zyxel appliances (the crowd can booh me how much wants, it’s fair) I’m more and more getting used to create a lot of “useless” objects before creating any settings. Wasting time before, saving times after.

Welcome to our community. Is Fritzbox capable of using a Dynamic DNS provider?

1 Like

Hi Pike,

thanks for replying…

…and yes - you are absolutely right and this post is about figuring out, if there is a better “developers way” to reach the goal :wink:

I never used IPFire but since my old solution is about to die, I have to decide to just repair it or to switch to something new. Sure - I can do everything by my own and use/create fancy scripts to do everything I want - but that’s like “reinventing the wheel” (and as an engineer you know, there is nothing worse than that :wink: ) So I’m checking, which “tools” are available and ended up with PFSense/Opensense and IPFire. I’m quite familiar with Linux, so IPFire is my first choice so far. It has several limitations but I can go with it. The great advantage is the less amount of time I have to spend for administration and keeping everything up to date. The ease to use other features like public blacklist and bandwidth limiting / QOS is a great bonus, too.

So I’m “wasting time” to figure out if it’s worth to give IPFire a serious try :wink:


Hi @cfusco ,

thanks for contributing!

yes - but I use one from a Synology NAS behind the firewall. So there is a public DNS record always pointing to the public IP. (I only use IPv4, by the way.)

1 Like

Is this the kind of thing you are looking for.

@hvacguy, OP intends to set up IPFire behind a FritzBox with a server further behind IPFire. The goal is for devices within the LAN to access the server using its PUBLIC IP (instead of the local IP), known as hairpin or loopback NAT. Instead of using split DNS (a local zone in unbound using the “host” setup in the WUI) or relying on a static IP, OP seeks an alternative to a script that continuously monitors the public IP and updates the NAT rules in IPFire to redirect traffic from the public IP to the server.

The problem is how to get the information to IPFire without running a cron job, which is the requirement. I was thinking if there is a way to take advantage of script that updates the dydns, to also communicate to IPFire script the updated IP address. The problem is that I do not know how. The vague idea that I was forming was to use inotify to monitor when a file containing the public IP address would change to trigger an action leading to this update. The problem is, which file? And where? Sorry @holger , I got nothing.

1 Like

There is a box to Guess the real ip box.
Not sure how that works for pc in green to server in green network.
Would a static route to server in green work with DNS name. Net work ?

Thank you very much for taking the time to think about my question!

Inotify is a smart idea but since the dynamic DNS client runs on a different host, there is no chance.

Another idea was to bring the NAT loopback back to the FritzBox - but new versions of the fritzos do not have the iptables command installed. There is a workaround available but this won’t survive a firmware update and I don’t like those modification… (In old version of the fritzos the nat loopback worked out of the box)

I think, I will go with my cron scripts - they worked for years and calling a script every 5 minutes won’t produce much load. I just would prefer a smarter solution :wink:

I just wonder, if my requirements are a result of some rare configuration and how do others deal with e.g. a NAS behinds a dynamic IP router. Do all use DNS switching? Or just use the internal IP for internal access… It’s a mystery to me, that there’s no well defined solution already :wink:

1 Like

…well, I’m not familiar with IPFire and have no idea what this “guess real IP” thing does :slight_smile:

A static route with a hostname does not work with netfilter/iptables, because it’s translated to an IP when added to a chain/table. But maybe it would be sufficient to just reload the rules when an IP change is detected. This detection has to be scripted by hand but maybe there is no need to modify the rules. This depends on how IPFire stores the rules entered in the WGUI (does it store the hostname or the corresponding IP - do you have any information on that?).


Not exactly sure what your trying to do. Not an Expert.
Should not mater if IPFire guess real ip or Fitzbox does.
Remote user should be able to connect using Domain name .net
Fitzbox should forward to IPFire.
If you have a mail server that must respond with Glodal IP?
I can’t help there.

In my experience, I don’t use split DNS and NAT loopback works seamlessly for me. The only special configuration I’ve done is setting up a port forwarding rule. Importantly, my IPFire acts as the primary router and firewall, connecting directly to my ISP’s router. From there, it obtains a static IP via DHCP.

1 Like

Imagine you’ve set up a web server at your home and have an associated domain name to ease access. When you’re at work, you access this server, the DNS provides your public IP, and IPFire port forwards to your web server. But what about when you’re at home? You’re on your laptop, trying to reach your server, with both devices behind IPFire. You have three options:

  1. Use the browser to access the server via the local IP, bypassing the domain name.
  2. Access the server using the domain name, which returns the local IP.
  3. Use the domain name, but obtain the public IP.

Let’s examine option 3, what transpires when you initiate a connection? Your packets, aimed at IPFire’s public interface, are sent to IPFire. IPFire should then discern that the end destination is the server and accordingly route the traffic. This mechanism is known as NAT loopback and this was OP goal.

Option 2 instead is called DNS split (or DNS switching), because when you are at home the DNS will not return the public IP of your domain but the local one.

What is the benefit of option 3 over option 2?

OP said this:

I am not sure I understand exactly what is the problem though.

In my case, I did not use 2 because 3 worked effortlessly. Less work for me.

I am using option 2 because that is how I set it up at the time and I didn’t know about option 3 at that time. So I am happy leaving everything working on my system. I only have very minimal stuff accessed from red. Anything critical uses VPN.


to be fair, option 2 is simple and direct. I like simple. Option 3 makes my head spin a little bit.

EDIT: It is conceptually similar to people calling on the phone someone standing 1 meter away from where they are.

1 Like

If not extensively used via Green… services/servers could be also put into orange segment.

1 Like

This is what I did, but the problem still stands. Orange is still NOT in the public IP, but in the LAN space.

1 Like

So option 3
Example. My vpn connects to wan with global Domain name ""
So when I’m away in the wan it works great.
But when I’m home it will not connect to green lan.
So with DNS hair pin it should work?
How is this accomplished?