How to enable NAT Loopback when modem connects to router


I want to see my hosted pages using my public address from inside and outside my network, but so far I can only from outside.

The thing is that I recently changed ISP, and they brought me a ZTE-F660. It has routing capabilities, but I use a Cisco E3200 (running tomato) as my router where I manage my network. The ZTE-F660 is kind of limited in functionality, so I port-forward everything to the E3200, and manage it from there.

Now, it seems my previous ISP modem had NAT loopback enabled, but so far the ZTE-F660 doesn't seem to support it. Yet the E3200 does.

The thing is that I've been unable to get it to work. I think it's because the ZTE-F660 modem is doing something to prevent the E3200 router from translating the public IP to a local IP.

If I run iptables -n -L -v -t nat I get:

 Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source               destination
     0     0 SNAT       all  --  *      vlan2                                     to:
     0     0 SNAT       all  --  *      br0                                       to:

is the E3200 Router IP assigned by the ZTE-F660 modem, and is the E3200 Router IP assigned for the home network.

If I type I get the response I get from typing my Public IP from outside the network.

I'm sure there is something I'm missing, or not understanding.

Any help or insight will be greatly appreciated.

Jose Rafael Perez Balen

Posted 2016-02-14T22:08:58.160

Reputation: 13

NAT loopback happens on the ZTE, so the configuration on the E3200 won't help (assuming the iptables output above is from tomato). Do you have the option to put the zte in bridge mode? That way, you are in complete control as it will just act as a layer 2 device, and the public IP will be on the Cisco. – Paul – 2016-02-14T23:46:04.163

Thanks. I thought something like that might be happening. No, I can't put the zte in bridge mode (If there is a way to do it, I can't find it). – Jose Rafael Perez Balen – 2016-02-15T03:40:34.453

Ok, so you'll need to do a NAT for the public IP on the ZTE and loop it back there. But of course, that would require that the public ip is static - is it? – Paul – 2016-02-15T03:51:23.963

Yes, it is static. How do I do a NAT for the public IP on the ZTE? – Jose Rafael Perez Balen – 2016-02-15T06:02:33.743



You can add a loopback NAT to your Cisco router, so that when going to the public address, it never gets to the ZTE:

iptables -t nat -A PREROUTING -i br0 -s <lan subnet> -d <static ip> -p tcp --dport 80 -j DNAT --to-destination 192.168.2.x

This is prerouting, so the first step. It says, if the source is from the internal network going to the static IP of your server on port 80, then make the destination IP the internal IP of the server.

As this is prerouting, routing happens next - it will see the destination IP is the internal network, and route the packet back out of br0.

An alternative approach would be to install a DNS server internally. You could then have DNS name for your server that resolves to the public address when external, but resolves to the internal address when internal. Then you wouldn't need any NAT.



Reputation: 52 173
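The hairpin NAT from the answer above, written out as a small POSIX sh script for Tomato on the E3200. This is an added example, not code from the answer, from Tomato or from the ZTE firmware; every address in it (203.0.113.10 as the static public IP, 192.168.2.0/24 as the LAN, 192.168.2.10 as the web server) is an assumed placeholder to be overridden through the environment. It adds one thing the single DNAT rule does not cover: when client and server sit on the same br0 subnet, the server answers the client directly from its private address, the client expected a reply from the public IP, and the TCP connection is reset. The POSTROUTING MASQUERADE rule makes the reply travel back through the router so conntrack can undo both translations. The script runs in dry-run mode by default and only prints the iptables commands; it also checks for an existing rule with `iptables -C` before appending, so re-running it (for example from a Tomato firewall script) does not stack duplicates.

```shell
#!/bin/sh
# Hairpin NAT (NAT loopback) on the E3200 for one forwarded TCP port.
# Added example for this thread, not code from the answer or from Tomato.
# All addresses below are assumed placeholders; override them via environment.
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"   # assumed static public IP (documentation range)
LAN_NET="${LAN_NET:-192.168.2.0/24}"     # assumed LAN subnet behind br0
SERVER_IP="${SERVER_IP:-192.168.2.10}"   # assumed internal web server
LAN_IF="${LAN_IF:-br0}"                  # Tomato's LAN bridge interface
PORT="${PORT:-80}"
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print the commands instead of running them

# Sanity check on a dotted quad with an optional /prefix, so a typo in the
# environment does not turn into an overly broad NAT rule.
is_ipv4() {
    addr="${1%%/*}"
    case "$addr" in
        *[!0-9.]*|""|.*|*.|*..*) return 1 ;;
    esac
    oldifs="$IFS"; IFS=.
    set -- $addr
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the two rules, one per line, as "<table> <chain> <match and target>".
# DNAT alone is not enough: the server would reply to the client directly from
# its private address and the client (expecting a reply from PUBLIC_IP) would
# reset the connection. MASQUERADE on the way out of br0 sends the reply back
# through the router, where conntrack reverses both translations.
hairpin_rules() {
    printf '%s\n' "nat PREROUTING -i $LAN_IF -s $LAN_NET -d $PUBLIC_IP -p tcp --dport $PORT -j DNAT --to-destination $SERVER_IP"
    printf '%s\n' "nat POSTROUTING -o $LAN_IF -s $LAN_NET -d $SERVER_IP -p tcp --dport $PORT -j MASQUERADE"
}

# Append a rule only if it is not already present (iptables -C exits 0 when
# the rule exists), so re-running the script does not stack duplicates.
apply_rule() {
    table="${1%% *}"
    rest="${1#* }"
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables -t $table -A $rest"
        return 0
    fi
    # word splitting of $rest is intended: it holds the match and target arguments
    iptables -t "$table" -C $rest 2>/dev/null || iptables -t "$table" -A $rest
}

# Validate the addresses, then apply (or print) both rules in order.
apply_hairpin() {
    for a in "$PUBLIC_IP" "$LAN_NET" "$SERVER_IP"; do
        is_ipv4 "$a" || { echo "bad address: $a" >&2; return 1; }
    done
    hairpin_rules | while IFS= read -r rule; do
        apply_rule "$rule" || return 1
    done
}

apply_hairpin
```

Run it once with the defaults to see the two commands it would issue, then with `DRY_RUN=0` and your own `PUBLIC_IP`, `LAN_NET` and `SERVER_IP` on the router. Only the LAN-to-public-IP traffic for the one port is touched; everything else still flows to the ZTE as before.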