Good Wife
join:2007-05-31

1 edit

Good Wife

Member

NAT loopback on 3600HGV quit working - problem resolved

Using 2-Wire RG and have security DVR system that I like to access with my iPad via hostname.dvrname.net. The problem I am recently having is that I cannot see my cameras when I am at home on my iPad. I am able to see them on computers, etc, and on monitor connected to DVR but these are really inconvenient. I can carry my iPad around with me and check what's going on outside. The problem with swapping from internal ip to wan ip on the iPad is that the software does not recognize changes - not sure if it is an iOS issue, an app issue or what, but to swap these I have to delete current device, delete app and re-download app from iTunes which requires using a hotspot when I am not home. It's a poorly crafted app but it is all there is. Same exact problem is happening now on a Samsung Galaxy tab pro running a much newer version of the app.

NAT loopback is supposed to be enabled in firmware version 6.9.1.42-plus.tm

It's very annoying that it quit. I recently had to contact u-verse support who just told me that they would reset my gateway and before I could say do not do this, she did it anyway and weird stuff happened afterward, including the assignment to static IPs without any help from me to a handful of my devices. I hate to have to clear all the devices again since forwarding ports on this pos is a pita. Any ideas how to get my NAT loopback to work again?

I cannot find any settings in my RG. I did notice that the CSR I had on the phone changed other settings I had made, including which channel I use, and the removal of all the ports I had forwarded for my MyBookLive as well as my security camera dvr system.
LittleBill
join:2013-05-24

LittleBill

Member

Re: NAT loopback on 3600HGV quit working

create 2 different profiles, one for lan, and 1 for wan, this is what i have done with iphone users with dvr's
Good Wife
join:2007-05-31

Good Wife

Member

said by LittleBill:

create 2 different profiles

Are you saying that I need to add two devices in my list of devices on my iPad? I did that already. I created one device, called it SwannLAN and put in the currently assigned ip address that I got off the DVR. Then, I created another device, called it Swann WAN and used my hostname.swanndvr.net + my open port.

This did not work since my RG issued another IP to it, and does so daily. So I have no idea what the IP is without firing up my computer. Why bother to have a local peek at it if I have three laptops plus a view via connected monitor? So I deleted the local one which never worked anyway.

All that however is moot because my RG just arbitrarily, while I was not home, removed the two forwarded ports from the DVR and reassigned them to 0.0.0.0. I called tier 1.5 (no more tier 2 apparently, all there is is connect tech) and we worked together to reset the RG, then I powered the DVR again and the damn RG gave it a static ip. So I cannot even put it in DMZplus to avoid the port deleting issue. Not only that, rather than assigning a DHCP from the private pool it gave every single thing in my house that I turned on a static ip like my laptop, my iPad, and my BluRay player.

Note I am not talking about a public static ip address. I am saying that the DHCP allocation inside my RG is doing this:
192.168.1.65
IP Address Allocation Static
IP Address Type Private (NAT)

I do not even know HOW to do that. We reset the RG back to factory.
Since I have veered way off my original topic I won't continue but at this point I have worse issues than being able to use my iPad in my house to view my front porch.
LittleBill
join:2013-05-24

LittleBill

Member

i have done swann devices in the past. they have worked fine for me.

that said when you are on the local network, the wan profile does not work, since the router doesn't do loopback which is fine.

you need to set a static ip either on the dvr or via the router, but you're so all over the board not sure where to start
Good Wife
join:2007-05-31

Good Wife

Member

Hi Bill,
The stuff I have tried would fill a Manhattan phone book.
Here is one example of the shenanigans of this device.

My swann dvr, which as you are probably aware, is connected to a wireless bridge. As is my directv dvr. I use the same device basically on both. One is a linksysWET600n single lan port on the swann and the other linksysWES600n with four ports on the directv.

My RG sees both of these. The one on the directv always works. It has a DHCP assigned private IP from the pool. I can see the MAC of both the DVR and the router. It works out of the box in bridge client mode. All one needs to do is plug it into the dvr, turn on the TV connected to the dvr, click on the network page, search for the ssid and enter the network key. Bingo. Set it up 5 years ago, still going strong. Never had to reset or reboot or try to figure out what the hell is wrong.

But I cannot say the same for the Swann. The swann dvr is just like the directv dvr in that it is always on. So, plug in the router to power, then connect the ethernet to the swann and voila the damn 2wire instantly decides to assign a static ip. I thought this may be a router difference so I swapped them. I just flipped off the powerstrip behind the tv and moved it to the swann and moved the one from the swann to the tv, plugged it in and flipped the switch back. The directv dvr never noticed a difference. It connected right up and I checked it by doing a short on-demand test of my favorite tv show. No problems.

Then I moved the single port one to the Swann. As soon as I did that I got yet another static ip assigned. And, not only that this thing assigned a static private IP from the pool to every device we have, including two tablets, two phones, two ipods, a wii, a blu-ray player and probably something else.

Well, I went into the homeportal page, found the Swann device behind the NATed router, forwarded the two requisite ports. Checked it with my local software, and then from neighbors Comcast wifi using my ipad. Worked like a charm...for about 24 hrs. So then I tried forwarding the ports on the router. Cannot do both. Worked for a short time.

Husband came home from work and turned on his laptop. Gateway took the port from the Swann's router and assigned it to the laptop. As static.

Hope that all makes sense. I may just go buy a really decent router and put the RG into as best as I can bridge mode.

The RG does not support upnp. This is by design. I even tried putting the linksys router in dmz mode and the RG will not allow a static private IP to be in DMZ mode.

I do have upnp enabled on the swann and I do have the proper host name in the mobile devices. Ever since tier 1.5 rebooted the RG the Swann is not visible at all on my LAN. Cannot log in to it via the Windows application.
LittleBill
join:2013-05-24

LittleBill

Member

a lot of terms being thrown around here, not sure they are all correct

what is an RG?

what is a 2 wire? and what is assigning a static ip, way too much confusion going on for me
Good Wife
join:2007-05-31

Good Wife

Member

RG is an industry standard abbreviation for Residential Gateway. Since this is a uverse internet forum, and uverse gives its customers a device that is a combo modem and router, and it calls the device a Residential Gateway, and I assumed by your presence here in this uverse forum that you would know that. Sorry for that confusion.

2 Wire is the brand name of the Residential Gateway leased to uverse internet customers who do not have IPTV (internet protocol tv) or voice services over internet. They also issue some Motorola RGs. I have a 2 Wire 3600HGV. No voice and no tv.

The modem portion of the device does what any modem does.
The router portion of the device is responsible for assigning a pool of private ip addresses to each wired and wireless device on a network and translating them to the public ip issued to the user. Each uverse customer gets a single public dynamic ip address, a pool of private IP addresses and a router that allocates from the pool an ip to each device as it connects to the access point. These change dynamically.
A user can log into his RG and find that his dvr's private ip is 192.168.1.68, and with that information, open ports on that device allowing internet traffic to flow to those ports on that device. If the DHCP server (the boss of private IP assignments) takes that IP address and gives it to another device, the ports are no longer forwarded on the original device. For that reason, it is suggested that users who wish to have ports opened use a router that implements UpNp. This is a protocol that dynamically opens and closes the correct port, negating the need to manually do it. However in their wisdom, ATT has prohibited the implementation of this protocol.

What I need is for my swann dvr to have two ports open at all times. One is the web port (default is 85) which allows http access via ActiveX and Internet Explorer to the recordings and live viewing on the swann dvr. The other port is a server port. Default is 9000. It does what a server port does - serves data to a proprietary application interface. The iPhone app is Swann Link. The Samsung app is also called Swann Link. The app for the iPad is called Swann View Pro. There is a desktop application for windows computers called MyDVR. All these access port 9000 to view cameras live and to playback recordings.

When a Swann DVR owner is not at home and wishes to see what is going on at home, he can use an iPhone using 4G or he can use a wifi access point. He enters his hostname (NOT ip address, since it may have changed since he left home) into the device, the user name, the port and the password. He is then taken to his dvr via the swann host dynamic dns look up (the dvr tells swanndvr.net what the public ip address is. Not sure how often). That is a free service swann offers. So, by using the hostname, the dns server routes the device to the correct public IP.

The nightmare begins when the device, iPhone, computer or whatever gets as far as the public ip address, and it tries to access the port associated with the private ip of the dvr. Problem is, there is a DHCP allocation process that shuffles around the private IPs. The proper port is not open if the DHCP service changes the private address of the Swann dvr. As a result, the device attempting to connect to the dvr basically reaches a dead end.

The reason for issuing a private IP on the RG in the first place is so the process of looking up the ip via swanndvr.net takes the user to the correct IP address externally and then internally through NAT. But if the RG is randomly removing port assignments and reassigning them to 0.0.0.0. and then takes the private IP that the user set to be the dvr and gives it to a laptop there is no access. Plain and simple.

I knew none of this 3 days ago. My swann dvr ceased to be accessible via the two ports. I could see the feeds on the local LAN which may be great if I were a security guard sitting at a desk in the lobby of an office building watching the halls and back doors. But I am not a security guard, and I don't sit at home all day watching anything. I do want to see what is happening here when I am in another country and be able to record what is happening when a camera is triggered in the event of another break in. We have had several intruders and several car break ins and so have our neighbors. Vandalism is becoming common as well. The cameras may be a deterrent to a degree, but a nice video tape will and has resulted in a conviction.

As far as the NAT loopback, this occurred when I used my laptop to view my camera feeds to see if there were any trigger events to play back. Since my iPad's app is by design set to go first to the hostname.swanndvr.net site, and then back to my local ip, a loop is created - from here to Australia, and back. From the originating IP back to the originating IP stopping along the way in Australia. For several years this worked perfectly. Then it stopped. Then the RG started removing port assignments, and assigning static IP addresses to mobile devices, and assigning dynamic ip addresses to things like bluray players with no logical pattern I can discern.

So there we have it. I am stumped.
LittleBill
join:2013-05-24

1 recommendation

LittleBill

Member

said by Good Wife:

RG is an industry standard abbreviation for Residential Gateway. Since this is a uverse internet forum, and uverse gives its customers a device that is a combo modem and router, and it calls the device a Residential Gateway, and I assumed by your presence here in this uverse forum that you would know that. Sorry for that confusion.

This is NOT the uverse forum, this is a generic wireless forum.

RG is not a standard for anything. the abbreviation in my job means something completely different.
said by Good Wife:

The modem portion of the device does what any modem does.
The router portion of the device is responsible for assigning a pool of private ip addresses to each wired and wireless device on a network and translating them to the public ip issued to the user. Each uverse customer gets a single public dynamic ip address, a pool of private IP addresses and a router that allocates from the pool an ip to each device as it connects to the access point. These change dynamically.

these only change when a device is no longer using said IP, are you leaving the DVR powered up the whole time? the router should not be giving its ip to another machine.
said by Good Wife:

If the DHCP server (the boss of private IP assignments) takes that IP address and gives it to another device, the ports are no longer forwarded on the original device.

this only happens if the DVR does not ask to renew its ip, which it does if its turned on and set to DHCP mode.
said by Good Wife:


The nightmare begins when the device, iPhone, computer or whatever gets as far as the public ip address, and it tries to access the port associated with the private ip of the dvr. Problem is, there is a DHCP allocation process that shuffles around the private IPs. The proper port is not open if the DHCP service changes the private address of the Swann dvr. As a result, the device attempting to connect to the dvr basically reaches a dead end.

as i have said, this only happens if the device gives up the ip, or the router reboots and loses track of what device had what Ip
said by Good Wife:

The reason for issuing a private IP on the RG in the first place is so the process of looking up the ip via swanndvr.net takes the user to the correct IP address externally and then internally through NAT. But if the RG is randomly removing port assignments and reassigning them to 0.0.0.0. and then takes the private IP that the user set to be the dvr and gives it to a laptop there is no access. Plain and simple.

router should definitely not be moving stuff to 0.0.0.0. i am assuming it's forgetting the Ip that was set
said by Good Wife:

As far as the NAT loopback, this occurred when I used my laptop to view my camera feeds to see if there were any trigger events to play back. Since my iPad's app is by design set to go first to the hostname.swanndvr.net site, and then back to my local ip, a loop is created - from here to Australia, and back. From the originating IP back to the originating IP stopping along the way in Australia. For several years this worked perfectly. Then it stopped. Then the RG started removing port assignments, and assigning static IP addresses to mobile devices, and assigning dynamic ip addresses to things like bluray players with no logical pattern I can discern.

This is NOT Nat loopback. it's a bit difficult to explain, but you are not doing natloopback since you are using the swanndvr.net site. You're doing just a normal DNS lookup, just like everything else on the network. yes it's a loop, but it's not NAT Loopback, just be careful you will confuse people

wow, that was long

that said, and as i said before.

set a STATIC IP on the DVR, outside of the DHCP range, or use one in the middle, then manually set the port forwarding in the router to that IP. at that point the router can't give the IP (dynamically) to someone else, if the router changes the port forwarding ip without you, then it sounds like the RG has a hardware issue and should be replaced
Good Wife
join:2007-05-31

Good Wife

Member

Hi and thanks for the tons of information. I cannot believe I posted this in the wrong forum and then berated you for not knowing what I was talking about.

I'm writing back on my iPad and that makes block quotes impossible so I am just going to keep this simple.

About the RG etc. accept my apology.
About the NAT deal. Two people told me it WAS indeed loopback. A SwannDVR tech support person and a DynDDS forum member whose name I forgot.

The system was completely reset last night and I cleared all the devices. I turned them on one by one except for the ones I would have to physically unplug like our WII and our Sony Blu-Ray.

Every device that was added back INITIALLY was given a static IP by the DHCP server. After a while, each one was changed to be DHCP.

EXCEPT the gaming bridge adapter that the Swann is using.

I see the Linksys WES600N on my LAN. I forwarded the two ports on it.

The dvr behind that device does not show up on the list at all. I cannot change the bridging client to an IP outside the range. It looks like this:

Current Address 192.168.1.66
Device Status Connected Static IP
Firewall
Address Assignment Static IP No DHCP assignment
WAN IP Mapping
Cascaded Router: No

There is a drop down next to address assignment. There are no entries on that drop down.

I also tried to put the Linksys into DMZ mode, and got an error that a static ip cannot be in that mode. There is no apparent way to get past that.

But I can see the cameras from outside my house on my neighbor's wifi, and from my phone. I just have to wait out the 24 hrs.

One problem I have is that the entire 1Wire support forum here is dead since uverse has rolled out the new Motorola modems. There is a rumor circulating that uverse is basically trying to get rid of people who do not have combined service and are using these old legacy devices for those who refuse to get one of their other services. We have POTS and no intention of giving that up. And we have directv and we use other carriers for wireless.

Thanks again for giving me some ideas that I can google for more information.

David
Premium Member
join:2002-05-30
Granite City, IL

1 recommendation

David to Good Wife

Premium Member

to Good Wife
I have never heard of NAT Loopback (though now I understand why they call it that it's just a route back to your personal network), and from the topic it looks like you are using a dynamic DNS to your RG. Which is fine.

I am guessing what you may have had was maybe your router listed in DMZ+ mode possibly and the ports as needed open on it?
LittleBill
join:2013-05-24

LittleBill

Member

david, don't confuse the matter, you're kind of off on everything you said.

good wife, some of your comments are still confusing,

if an IP is STATIC, it means the device has been set manually with an ip, subnet, and gateway. it does not receive a DYNAMIC ip from the DHCP server.

the models of these bridge adapters you're giving me must be wrong, please find me a link to one online.

if its working good. im not sure what this 24 hours thing is going to do
Good Wife
join:2007-05-31

1 edit

Good Wife to David

Member

to David
said by David:

I have never heard of NAT Loopback

This is the definition of NAT Loopback I got from my research. It means a machine on a local network tries to connect to a forward facing IP of a machine on the same local network and cannot if it is blocked by the ISP's configuration of the router in question.

Now, to make it specific to my situation.
A machine on my local network is my iPad. It connects to a ddns server at the address of www.myhostname.swanndvrnnet.

The ddns server resolves that hostname to my public IP address and then connects to my local public IP and then to the connected computer on my network. Open simulator.org reports that this works on some older 2-Wire products (2701hgB and hgD) which if I recall were used in dsl but not vdsl/adsl. Since it actually works I think I can confirm that from a laptop in my house, using internet explorer I can connect to swanndvr.net and "see" another computer on my network. I believe this proves its implemented and I believe this fits the true definition of NAT loopback, aka hairpin aka paperclip. Apparently it is deemed a security issue.
Good Wife

Good Wife to LittleBill

Member

to LittleBill
said by LittleBill:

if an IP is STATIC, it means the device has been set manually with an ip, subnet, and gateway. it does not receive a DYNAMIC ip from the DHCP server.

Theoretically an emphatic yes, this is true. What you are not getting is that the device was put into static mode BY THE ROUTER and not by me and it cannot be changed as there is no user interface to do so.

Here is a link to a tidbit of info on the 2-Wire RG:
»Manual or user guide for 3600HGV?

Here is a link to the manual for the bridge:
»support.linksys.com/en-u ··· /wes610n
LittleBill
join:2013-05-24

LittleBill

Member

said by Good Wife:

said by LittleBill:

if an IP is STATIC, it means the device has been set manually with an ip, subnet, and gateway. it does not receive a DYNAMIC ip from the DHCP server.

Theoretically an emphatic yes, this is true. What you are not getting is that the device was put into static mode BY THE ROUTER and not by me and it cannot be changed as there is no user interface to do so.

don't take this the wrong way but that's impossible, a router can't force a static ip on a device, it just does not have the ability

i will take a look at the links in a bit

which device are you saying this is happening with? the wes610n?
HELLFIRE
MVM
join:2009-11-25

HELLFIRE to Good Wife

MVM

to Good Wife
Just to offer my (useless) 00000010bits on this...
said by Good Wife:

Now, to make it specific to my situation.
A machine on my local network is my iPad. It connects to a ddns server at the address of www.myhostname.swanndvrnnet.

The ddns server resolves that hostname to my public IP address and then connects to my local public IP and then to the connected computer on my network.

This is probably more commonly described -- at least to us guys in the technical trenches -- as NAT
hairpinning rather than NAT loopback. Try this link for an example and the RFC describing it.

My next question is where you got this information from
said by Good Wife:

NAT loopback is supposed to be enabled in firmware version 6.9.1.42-plus.tm

as while there's an RFC for this, not everyone implements this, and not necessarily in the same way.

Also, here's a mental map I'm using to follow your setup Good Wife, do I have the layout, devices,
and makes / models right?

  uverse
    |
    V
  3600HGV <-> WES600n wireless bridge -> ethernet cable -> directv dvr | works no problem
    ^
    |
    V
  WET610n wireless bridge -> ethernet cable -> Swann DVR
 

As a dumb question, if you move the Swann DVR to where your directv DVR is connected, do you have any problems?

Last question (for now), so you're saying where this breaks down is AFTER you forward ports 85 and 9000 ON THE 3600HGV
TO the swann DVR's internal 192.168.x.x IP address, it works for about 24hours, then suddenly breaks by reverting to
a 0.0.0.0 config?

Can you post a screenshot of where you configure the port forwarding for ports 85 and 9000? And this "0.0.0.0" config you mention?

Regards
Good Wife
join:2007-05-31

Good Wife

Member

Yes your diagram is pretty close to accurate. I don't recall where I posted it, but since I cannot swap the two DVRs I swapped the two media connectors.

So essentially, for sake of argument you got it correctly.

Since I wrote this, another user in another thread chimed in on this topic, and explained that the way the 2-Wire gateways work, they first assign a static ip from the pool, then probe the device and then start to assign dhcp ip addresses. I saw this with everything after i reset the gateway. Every device first appears as Unknownxxxxxxx where xxxxxx is the MAC address. Depending on the device it takes an hour to 4 hours for that to be replaced with things like iPad, Android, Dell etc.
In the case of either the linksys devices however, the 2Wire can never seem to get past that probe step and figure out what the thing actually is. At least now. When we set it up a year ago, it showed up as SwannDVR in the list with a private ip from the pool.

One person told me to open ports on the static IP and that is what created the boondoggle of the reassigned ports. That problem is gone.

We had an hour long power interruption yesterday and everything came up like normal. I never got an ip assigned for the linksys but its working and the hairpin function, as you put it, which I learned was synonymous with NAT loopback, is fully operational.

So this seems to be solved. I put the WES610N back up on the Swann DVR and returned the WET610N to its home by the Directv receiver in the bedroom. I just ordered a CCK W deca for the Directv DVR and I am going to move the single port device to the Swann, since I do not need ports and I am going to move the multiple port model to put behind my Cradlepoint 4GLTE router in my motor home, since I need more ports mobile living.

Thanks for your interest! I am not sure if I can find that 0.0.0.0. line item in the logs. I am getting hammered by attempted connections on several ports not in use (in the 30,000+ range) and the log got very lengthy so I cleared it.

Adding a port involves four or five pages so I am going to send you a link to the How To Do it, and trust me on this, there is no way to not do it correctly and I have been forwarding ports on this POS since we got it in 2005.

Linky here: »www.att.com/esupport/art ··· 5ly5etB8
LittleBill
join:2013-05-24

1 edit

LittleBill to HELLFIRE

Member

to HELLFIRE
.
Good Wife
join:2007-05-31

Good Wife

Member

I am going to try really hard to restate this one more time.

The request is coming from inside the lan from a mobile device connected to the 2wire gateway by me, sitting inside my house connected to my gateway holding my ipad in my hand. I initiate the request pointing to a ddns hostname that points right back to my router's public ip which is in front of the ipad in my hand.

I am doing this in my home. Not out in the wild. I can see my camera feeds on my ipad this way only unless I change my wifi from my own wifi to my cell phone's hotspot. But the hostname.swann.dvr does not change. The only time the system breaks is if the stupid dhcp server changes the ports on my dvr.

But you know what? It's all moot, and I really don't care what anyone wants to call it at this point. It is implemented, I have determined that by getting the scoop on my model of gateway.

@hellfire:
here is the segment of the log:
INF 2014-05-30T08:03:01-07:00

lmd: rnat0: Deleted pinhole[2]: nat_addr=76.220.79.15, dest_addr=192.168.1.68, proto=6, alg=0, port=9000

INF 2014-05-30T08:03:01-07:00

lmd: rnat0: Added a pinhole[3]: nat_addr=76.220.79.15, dest_addr=0.0.0.0, proto=6, alg=0, port=9000

WRN 2014-05-30T08:03:58-07:00

named: forward start (errno=1)

WRN 2014-05-30T08:09:29-07:00

named: Previous log entry repeated 5 times

INF 2014-05-30T08:09:41-07:00

lmd: rnat0: Deleted pinhole[3]: nat_addr=76.220.79.15, dest_addr=0.0.0.0, proto=6, alg=0, port=9000

INF 2014-05-30T08:09:41-07:00

lmd: rnat0: Added a pinhole[4]: nat_addr=76.220.79.15, dest_addr=192.168.1.68, proto=6, alg=0, port=9000
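
An added example, not part of the original post or the gateway's own tooling: a small Python parser for log entries in the format quoted above that reports when a forwarded port's pinhole was re-pointed away from the expected LAN host (0.0.0.0 in this thread) and for how long. The sample log is constructed in the post's format with a documentation address for nat_addr; the function names and the expected-forward map are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the format of the gateway log quoted in the post above
# (nat_addr is a documentation address, not a real one).
SAMPLE_LOG = """\
INF 2014-05-30T08:03:01-07:00

lmd: rnat0: Deleted pinhole[2]: nat_addr=203.0.113.10, dest_addr=192.168.1.68, proto=6, alg=0, port=9000

INF 2014-05-30T08:03:01-07:00

lmd: rnat0: Added a pinhole[3]: nat_addr=203.0.113.10, dest_addr=0.0.0.0, proto=6, alg=0, port=9000

WRN 2014-05-30T08:03:58-07:00

named: forward start (errno=1)

INF 2014-05-30T08:09:41-07:00

lmd: rnat0: Deleted pinhole[3]: nat_addr=203.0.113.10, dest_addr=0.0.0.0, proto=6, alg=0, port=9000

INF 2014-05-30T08:09:41-07:00

lmd: rnat0: Added a pinhole[4]: nat_addr=203.0.113.10, dest_addr=192.168.1.68, proto=6, alg=0, port=9000
"""

# "LEVEL timestamp" header line, then the message on a following line.
HEADER = re.compile(r"^([A-Z]{3})\s+(\d{4}-\d\d-\d\dT\S+)$")
PINHOLE = re.compile(
    r"(Deleted|Added a) pinhole\[(\d+)\]: nat_addr=(\S+), dest_addr=(\S+), "
    r"proto=(\d+), alg=\d+, port=(\d+)"
)


def parse_pinhole_events(text):
    """Pair each header timestamp with the pinhole message that follows it."""
    events, stamp = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        head = HEADER.match(line)
        if head:
            stamp = datetime.fromisoformat(head.group(2))
            continue
        hit = PINHOLE.search(line)
        if hit and stamp is not None:
            action, index, nat, dest, proto, port = hit.groups()
            events.append({
                "time": stamp,
                "action": "add" if action.startswith("Added") else "delete",
                "index": int(index), "nat_addr": nat, "dest_addr": dest,
                "proto": int(proto), "port": int(port),
            })
    return events


def find_forward_outages(events, expected):
    """Report periods when a forward pointed somewhere other than expected.

    expected maps (proto, port) -> the LAN address the forward should target.
    """
    open_since, bad_dest, outages = {}, {}, []
    for ev in events:
        key = (ev["proto"], ev["port"])
        if ev["action"] != "add" or key not in expected:
            continue
        if ev["dest_addr"] != expected[key]:
            # Forward now targets the wrong host; remember when that began.
            open_since.setdefault(key, ev["time"])
            bad_dest[key] = ev["dest_addr"]
        elif key in open_since:
            start = open_since.pop(key)
            outages.append({
                "proto": key[0], "port": key[1], "dest_addr": bad_dest.pop(key),
                "start": start, "end": ev["time"],
                "seconds": int((ev["time"] - start).total_seconds()),
            })
    # Anything still open at the end of the log is an ongoing outage.
    for key, start in open_since.items():
        outages.append({"proto": key[0], "port": key[1], "dest_addr": bad_dest[key],
                        "start": start, "end": None, "seconds": None})
    return outages


if __name__ == "__main__":
    wanted = {(6, 9000): "192.168.1.68"}  # assumed: TCP 9000 should reach the DVR
    for gap in find_forward_outages(parse_pinhole_events(SAMPLE_LOG), wanted):
        print(gap)
```

Run against a saved copy of the gateway log, this makes it easy to line up each re-pointing of the forward with whatever else happened on the LAN at that timestamp.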
HELLFIRE
MVM
join:2009-11-25

HELLFIRE to Good Wife

MVM

to Good Wife

Re: NAT loopback on 3600HGV quit working - problem resolved

said by Good Wife:

Every device first appears as Unknownxxxxxxx where xxxxxx is the MAC address. Depending on the device it takes an hour to 4 hours for that to be replaced with things like iPad, Android, Dell etc.

I could be reading the problem you're having entirely wrong, but...

...as LittleBill indicated earlier, so long as a) the Swann DVR has a known (by you) or
a statically assigned 192.168.x.x LAN address, b) the 3600HGV has the proper port forwarding of
ports 85 and 9000 to the aforementioned Swann DVR's internal IP address, c) the 3600HGV can do
NAT hairpinning, as you say you found it supports, then you shouldn't be having problems.

The fact that you mentioned the ISP "reset the modem," and that you had a power failure a couple
days ago tells me the 3600HGV's losing its configuration -- in which case, a) does the 3600HGV
support backing up its config, and are you doing so?, and b) you may want to invest in a UPS
battery backup for the 3600HGV so as to avoid power losses causing it to lose its config in the
first place.

My final thought, you mention that you see UNKNOWN[mac address] on what I'm guessing is the
3600HGV's DHCP table and/or arp table. Start by finding what the Swann DVR's MAC address is,
so that rather than waiting for the 1hr for the 3600HGV to figure out what the device is, you
can just find the MAC address and determine what internal 192.168.x.x IP address is being assigned
and if it changed or not.

If DHCP is handing out the wrong address to the Swann, either set a static DHCP lease, as suggested
earlier, or should be a fairly trivial matter to change the port forwarding assignment.

BTW, I've read over the port forward guide supplied, maybe it's just me, but it's not that different
from the other hundreds of port forwarding steps on other home networking gear out there. But I do
hear and agree with you, when it loses the right "setup" without telling you, it's a PITA to deal
with.

My 00000010bits

Regards