Apr 23

DD-WRT NAT Loopback Issue

NAT loopback is what your router performs when you try to access your external IP address from within your LAN. For instance, say your router forwards port 80 to a web server on your LAN. From an outside network, you could simply visit your external IP address from a browser to access the web server. Internally, if NAT loopback is disabled or blocked, you would not be able to access this the same way.

There are any number of valid reasons why you’d want to allow NAT loopback on your network. If you’re like me, you simply want internal and external access to operate in the same way. NAT loopback is needed to accomplish this, and it is simple and safe. Don’t be fooled by the plethora of forum posts crying that NAT loopback is disabled on routers purposefully, that it opens up dangerous security holes, or that it will destroy your network and ultimately your livelihood as you know it. Like the vast majority of scare tactic-based content on the internet, it’s false. Your router will not stab you in your sleep if you allow NAT loopback … although it may emit higher levels of radiation, lace your lipstick and food with carcinogens (compliments of the government, of course), and kill Brad Pitt. Again. Coincidentally, the posts never specify why the claims might be true, lack credible sources, and are rarely found outside of back alley forums. We’re still talking about NAT loopback, right? The internet has made us so gullible …

The primary reason for the security concern is that some consumer routers appear to intentionally disable NAT loopback by default, and there is no way around this with stock firmware. However, this is not an intentional barrier, it’s just a constraint of limited stock firmware. Nothing new there. The simplest solution to this is, as usual, to flash DD-WRT to your router. Then, follow this tutorial to allow NAT loopback.


Before proceeding, ensure NAT loopback actually doesn’t work with your version of DD-WRT. Different versions of DD-WRT implement NAT with slight variances, so it’s possible your version of DD-WRT may not actually need the special rules below.

To check if NAT loopback is working on your router, you’ll need your external IP address. If you don’t know your external IP address, just Google “what is my ip”. Now, open a Command Prompt and ping your external IP address. If the command times out, NAT loopback is not working.

In the DD-WRT Control Panel, navigate to the “Administration” tab and click on “Commands”. Add the following rules, then click “Save Firewall” to ensure the rules execute even after the router is rebooted.

insmod ipt_mark
insmod xt_mark
iptables -t mangle -A PREROUTING -i ! `get_wanface` -d `nvram get wan_ipaddr` \\
-j MARK --set-mark 0xd001
iptables -t nat -A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE


That’s it! Now, try pinging your external IP again from the Command Line. This time you should receive packets.

DD-WRT is a always evolving. The developers have stated that they aren’t planning on fixing this issue, but if this procedure doesn’t work for you, leave a comment below and I’ll check to see if something has changed in the latest version of DD-WRT. I’ll try to always keep the tutorial updated with instructions for the latest DD-WRT build.

Also, if you previously followed my DD-WRT Guest Wireless tutorial, this fix should work for both interfaces.

  • Peter

    Top of the list and right on the ball. Thank you for this 🙂

  • Rayed78

    Thanks Alex, I plug the script in and it worked!

  • Pingback: DD-WRT Guest Wireless - The Internet Home of Alex Laird()

  • da_n

    Thanks, this worked great. Don’t understand why this is not being considered by the dd-wrt devs, seems like a basic networking requirement for users who need more advanced home networking. I have a Raspberry Pi running things like Baikal (for CardDav, CalDav) and want to have access both at home and outside my LAN, NAT loopback is therefore essential. Anyway thanks again for the post.

    • Nick

      I’m pretty sure this actually was fixed in the new builds. Under security, uncheck the Filter WAN NAT Redirection box and apply/save. That should enable loop back without the iptables rules now.

      • This is only a solution to part of the problem, and not a solution to the primary issue this post addresses. The “Filter WAN NAT Redirection” option has been in the dd-wrt build for years, but in revision r15760 the implementation was modified to remove some firewall rules that unchecking the box addressed, so the checkbox does not function as you would expect.

        Most people consider this a bug, but the ticket on dd-wrt’s Trac database has been marked as “wonfix” for a few years now. So, until the development team chooses to reintegrate these rules, unchecking “Filter WAN NAT Redirection” will not actually fix the problem described in this post for most people.

        • Nick

          I had the problem in this post myself earlier this year. After an update…
          Build numbers:
          14929 = Loopback worked
          16785 = Loopback broke
          21061 = Loopback working
          21676 = Loopback working.
          I am pretty sure it is fixed. I took the iptables rules out after updating to build 21061 and loopback was working. I updated again last night as apparently SSH was broken in 21061.

      • da_n

        The iptables rule worked for me, but I started to get really weird issues like not being about to connect to an external FTP server, ssh inside the lan was timing out, crashes and more. I have reverted to stock for now, weirdly the stock firmware is now doing NAT loopback without any issues. This router is messing with my mind. Thanks again though anyway and appreciate the update.

  • Lluis

    My NAT is working, if my DD-WRT is conected to a free wifi i have internet in my laptop. But if i try to connect to a WEP protected wifi ap i d’ont have internet. I put the correct passphrase in Security section…. but i no have internet.
    Only works with open AP.
    Whats brong ?
    My DD-WRT have xxx.xxx.2.21 IP then i connect by wire from LAN port to an AP with a IP as xxx.xxx.2.50
    I can see first ip address on my laptop and i see the external AP connected on wireles status section….. but internet is not working.
    Gateway is my DD-WRT
    Can you help me ?

  • I need NAT loopback to access my home webserver with WAN IP inside my local network. I followed these instructions, but after the router rebooted, I still can’t ping my WAN IP. Filter WAN NAT Redirection box unchecked.
    Asus WL-520gC, Firmware: DD-WRT v24-sp2 (04/07/12) micro-plus-ssh.

  • I think the reason for the disabled NAT loopback is to prevent DNS rebinding attacks. This DefCon talk by Craig Heffner explains it nicely: https://www.youtube.com/watch?v=Zazk0plSoQg.

    There’s an option to enable “No DNS rebind” in DD-WRT though. Maybe that prevents this exploit?

  • Zdenek22

    The issue has since been long fixed, but thanks for this article anyway. I was being curious what that weird MARK with MASQUERADE did. Now I know.
    The MASQUERADE target is capable of performing the whole NAT for all, but it has a bad habit of obscuring the source IP for the internal servers, so SNAT is preferred nowadays.