NAT loopback aka. Hairpin NAT?

Posted by: mlord

NAT loopback aka. Hairpin NAT? - 22/10/2016 00:28

I've been playing with Wifi routers of late, running stock, Tomato, DD-WRT, Merlin.

Something I cannot for the life of me do, is get any of them to do NAT loopback correctly. Specifically, I want accesses to port 80 on the public (internet facing) IP address to be looped back through an established port-forward to an internal web server. And I want that web server to see them as COMING FROM THE INTERNET, not the LAN.

Most of them pretend to do it for LAN clients, but the web server just sees the requests as coming from the LAN IP of the router, not from an external IP (e.g. the public IP).

Okay, fine, I can live with that.

But what we really need is for the "guest WiFi" clients to be able to access that same web server. None of the firmwares do this, and my best attempts thus far at just adding the standard PREROUTING/POSTROUTING rules have no effect whatsoever.

Anyone out there grok this stuff? I certainly don't.
Posted by: presslab

Re: NAT loopback aka. Hairpin NAT? - 23/10/2016 16:50

I usually use a static DNS entry that gives the machines behind the router the local IP address. YMMV
Posted by: tfabris

Re: NAT loopback aka. Hairpin NAT? - 23/10/2016 17:43

I've worked at enterprise-level software companies that couldn't do hairpin turns like that on their routers. I think you're looking for something pretty high level.
Posted by: BartDG

Re: NAT loopback aka. Hairpin NAT? - 23/10/2016 20:20

I don't know much about this, but I've seen that Ubiquiti's EdgeRouter series supports that. Even the LITE series, which are less than $100. Of course, those don't have a WiFi access point built in...
Posted by: mlord

Re: NAT loopback aka. Hairpin NAT? - 23/10/2016 21:03

Yeah, perfect support for this thing is definitely a rare beast.

My own motivation for pursuing it is our guest Wifi -- it can access anything on the internet, but not the webserver in the same room as the user. Doh!

I think I can fix this with a combination of router re-configuration and some firewall rules on the webserver itself.

Cheers
Posted by: Roger

Re: NAT loopback aka. Hairpin NAT? - 24/10/2016 11:07

Originally Posted By: mlord
guest Wifi -- it can access anything on the internet, but not the webserver in the same room

I used some firewall rules to make the server accessible on its internal IP from the guest network, and (optionally) split horizon DNS to make the name resolve differently for internal vs. guest clients.
Posted by: mlord

Re: NAT loopback aka. Hairpin NAT? - 24/10/2016 14:39

But does the server then know that the connections are less-trusted "external" ones, or does it think they are coming from semi-trusted internal machines?

Can it tell the difference?
That's where all of the solutions I've found thus far fall down.
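As an added illustration (not code from anyone in this thread) of the PREROUTING/POSTROUTING rules mentioned in the opening post and of the question just asked about which source address the server ends up seeing, here is a small Python model of the two NAT steps a hairpin port-forward involves. All addresses and the subnet layout are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed placeholder addresses (not anyone's real network).
WAN_IP = "203.0.113.10"          # router's public address
ROUTER_LAN_IP = "192.168.1.1"    # router's address on the main LAN
SERVER_IP = "192.168.1.20"       # the port-forwarded web server
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "192.168.2.0/24")]

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

def is_internal(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in n for n in INTERNAL_NETS)

def same_subnet(a: str, b: str) -> bool:
    return any(ipaddress.ip_address(a) in n and ipaddress.ip_address(b) in n
               for n in INTERNAL_NETS)

def prerouting_dnat(pkt: Packet) -> Packet:
    # Models the port-forward: PREROUTING -d WAN_IP --dport 80 -j DNAT --to SERVER_IP
    if pkt.dst == WAN_IP and pkt.dport == 80:
        return replace(pkt, dst=SERVER_IP)
    return pkt

def postrouting_snat(pkt: Packet) -> Packet:
    # Models the loopback helper: POSTROUTING -s <internal> -d SERVER_IP --dport 80
    # -j SNAT --to ROUTER_LAN_IP, which forces the server's replies back via the router.
    if is_internal(pkt.src) and pkt.dst == SERVER_IP and pkt.dport == 80:
        return replace(pkt, src=ROUTER_LAN_IP)
    return pkt

def hairpin(client_ip: str, with_snat: bool) -> dict:
    """Push one SYN from client_ip to WAN_IP:80 through both NAT hooks and report
    the source the server sees and whether the connection can complete."""
    pkt = prerouting_dnat(Packet(client_ip, WAN_IP, 80))
    if with_snat:
        pkt = postrouting_snat(pkt)
    # The server replies to pkt.src. If that host is on the server's own subnet
    # the reply goes to it directly, skipping the router, so the DNAT is never
    # undone and the client sees a SYN-ACK from SERVER_IP instead of WAN_IP.
    reply_via_router = pkt.src == ROUTER_LAN_IP or not same_subnet(SERVER_IP, pkt.src)
    return {"server_sees": pkt.src, "connects": reply_via_router}
```

In this model the SNAT is only needed when the client shares the server's subnet; a client on a separate guest subnet is routed back through the router anyway, so if the SNAT rule is scoped to the server's own subnet the server still sees the guest client's real address and can treat it as less trusted.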