Behind the Irony curtain

So, work has a filter to prevent us looking at unsuitable content. This is fair, it’s a school full of children and they really shouldn’t be looking at dodgy websites or chatting on Facebook.

However, the filter applies to everyone in school and it is a bit “over protective”, using a rather rubbish keyword system. Sometimes it bans news websites if they mention too many key words. After reading about China’s internet firewall I tried to do a bit of research, you know it might be interesting to tell my students about – they think it unfair they can’t go on Bebo in lessons, well at least their entire country isn’t sealed off.

However… the Great Firewall of China is so secretive and dangerous I wasn’t allowed to view its Wikipedia page at work!

[Screenshot: trying to view the Wikipedia page about the Great Firewall of China]

Port Forwarding and NAT Loopback on a Zyxel ADSL Router

If you’re trying to answer the question “How do I connect to hosts inside my network using my Internet connection’s IP address, and not the local IP address?” or maybe “How do I test that my port forwarding works from within my network?” then you need to enable NAT Loopback (also called hairpin NAT or NAT reflection) on your router or firewall. To see why, keep reading. Otherwise go and Google.

Users of Zyxel routers (P-660HW-T1 v2 etc.) need to connect to the CLI and type in a command. Irritatingly the command is not saved across a power cut, so you will need to re-enter it every time the router is power cycled. Also, with Zyxel routers it is necessary to add a LAN / LAN Router firewall rule that explicitly allows ‘any’ connection to the local IP address of the Zyxel router. Without this rule all admin (web and Telnet CLI) control of the router is lost once loopback is turned on.

Telnet into your router and issue the command ip nat loopback on. Here’s an example.

james@smeg:~$ telnet
Connected to
Escape character is '^]'.

Copyright (c) 1994 – 2007 ZyXEL Communications Corp.
P-660HW-T> ip nat loopback on
P-660HW-T> exit
Connection closed by foreign host.

Why? Keep reading…

With an ADSL or other NAT-based router/firewall it is possible to use port forwarding and other firewall rules to get from the Internet (WAN) to the local network (LAN). Once configured, hosts on the Internet are able to reach your internal machines by connecting to your Internet IP address on the forwarded port.

Imagine you have an Internet connection that goes through a firewall. Behind the firewall is a laptop, desktop and a server. On the server is webserver software and the popular Subversion repository software.

Using port forwarding it is possible to allow people on the Internet to access both the web and SVN server, but prevent them from accessing the laptop or the desktop computers. Internally the desktop, laptop and server can all communicate with each other, the firewall having no control over this.

So a user on the desktop PC (or the laptop) can browse the web server by simply connecting to its internal IP address. Internet users connect to the same server through the port forward, using the router’s Internet address. Note how everything now has two addresses: the actual internal IP address and the external Internet address provided by port forwarding.

Having two addresses is no problem for most things. It can just become a little confusing or impractical. Imagine the laptop user wants to check out source code from a Subversion repository. They install the excellent TortoiseSVN and, while connected to the internal network, check out source from ‘’. Suppose now they want to go outside the network and continue with access to the repository. Port forwarding allows them access, but because a Subversion working copy is tied to the repository URL it was checked out from, they will now need to check out a second copy of the source (or relocate the working copy every time they move).

And now things are confusing. It seems impractical and overly complex to need two copies of something just because the address of the computer has changed. This is where NAT Loopback comes in. With it enabled, the router treats a connection from the LAN to its own Internet address as though it had arrived from outside: it applies the port forward and makes sure the reply comes back through the router too. That allows the laptop user to enter the Internet address of the SVN server into their client and use that both from within the local network and out on the Internet.
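The reason the router has to do more than just apply the port forward is easiest to see by walking a single connection through it. The toy model below is an added example, not code from the original post or from Zyxel: it uses made-up addresses (203.0.113.10 as the router’s Internet address, 192.168.1.x for the LAN, svnserve on port 3690) and models the usual implementation of NAT loopback, which rewrites the source address of a LAN client to the router’s own address in addition to rewriting the destination. With only the destination rewrite, the server answers the laptop directly across the LAN, the reply arrives from the server’s private address rather than the address the laptop connected to, and the laptop’s TCP stack rejects it.

```python
"""Toy model of hairpin (loopback) NAT: why a LAN host that connects to the
router's public address needs both destination and source rewriting."""
from dataclasses import dataclass

# Assumed addresses for the scenario in the post (documentation ranges).
WAN_IP = "203.0.113.10"          # the router's Internet-facing address
ROUTER_LAN_IP = "192.168.1.1"
SERVER_IP = "192.168.1.20"       # runs the web server and the SVN server
LAPTOP_IP = "192.168.1.50"
LAN_PREFIX = "192.168.1."
SVN_PORT = 3690                  # svnserve's default port
PORT_FORWARDS = {80: (SERVER_IP, 80), SVN_PORT: (SERVER_IP, SVN_PORT)}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def __str__(self):
        return f"{self.src}:{self.sport} -> {self.dst}:{self.dport}"


def on_lan(ip):
    return ip.startswith(LAN_PREFIX)


class Router:
    def __init__(self, loopback):
        self.loopback = loopback      # models the 'ip nat loopback on' switch
        self.conntrack = {}           # reply key -> packet as the client sent it

    def inbound(self, pkt):
        """Packet addressed to WAN_IP: apply the port forward (DNAT)."""
        if pkt.dport not in PORT_FORWARDS:
            return None               # no forward rule: dropped by the firewall
        real_ip, real_port = PORT_FORWARDS[pkt.dport]
        src = pkt.src
        if self.loopback and on_lan(pkt.src):
            # Hairpin: masquerade the LAN client as the router, so the
            # server's reply is routed back through us and can be un-NATed.
            src = ROUTER_LAN_IP
        translated = Packet(src, pkt.sport, real_ip, real_port)
        self.conntrack[(real_ip, real_port, src, pkt.sport)] = pkt
        return translated

    def reply(self, pkt):
        """Server's reply arriving at the router: reverse both translations."""
        orig = self.conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return None
        return Packet(orig.dst, orig.dport, orig.src, orig.sport)


def connect_via_wan(loopback, trace=None, port=SVN_PORT):
    """Laptop on the LAN opens a TCP connection to WAN_IP:port.
    Returns True if the reply reaches the laptop looking as if it came
    from the address and port the laptop connected to."""
    log = trace if trace is not None else []
    router = Router(loopback)
    syn = Packet(LAPTOP_IP, 40000, WAN_IP, port)
    log.append(f"laptop sends   {syn}")
    fwd = router.inbound(syn)
    if fwd is None:
        log.append("router: no port forward for that port, dropped")
        return False
    log.append(f"router DNATs   {fwd}")
    # The server answers whoever the packet claims to be from.
    synack = Packet(fwd.dst, fwd.dport, fwd.src, fwd.sport)
    log.append(f"server replies {synack}")
    if synack.dst != ROUTER_LAN_IP and on_lan(synack.dst):
        # Same subnet: the server delivers directly, bypassing the router.
        log.append("reply goes straight to the laptop, bypassing the router")
        delivered = synack
    else:
        delivered = router.reply(synack)
        log.append(f"router un-NATs {delivered}")
    # The laptop's socket is waiting for WAN_IP:port; anything else is a stray.
    ok = (delivered.src, delivered.sport, delivered.dst, delivered.dport) == \
         (WAN_IP, port, LAPTOP_IP, 40000)
    log.append("laptop: connection established" if ok
               else "laptop: unexpected source, packet rejected (RST)")
    return ok


if __name__ == "__main__":
    for flag in (False, True):
        trace = []
        connect_via_wan(flag, trace)
        print(f"\nip nat loopback {'on' if flag else 'off'}:")
        print("\n".join("  " + line for line in trace))
```

Running it prints both traces: with loopback off the SYN/ACK comes back from 192.168.1.20 and is rejected; with loopback on the router sees the reply, reverses both rewrites and hands the laptop a packet from 203.0.113.10:3690, which is what its socket was waiting for. This is also why the source rewrite is only applied when the client is on the LAN: a genuine Internet client’s reply already has to leave via the router, so masquerading it would only hide the real client address from the server’s logs.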