EXTREME Overclocking Forums

06-22-2012, 10:45 AM   #1
ReikokuKo
Accessing a server using its global IP from the same subnet?

Just like the title says, why does this not work? I was helping out a customer and I can't figure out why this does not work. The customer was on the same network as the server so he basically has the same global IP as the server he is trying to access. The server is using specific ports and he was not able to use the global IP and port combination to get to it.

I just can't wrap my head around why it won't work. When it goes out the default gateway, does it not route when the source and destination IP are the same?

06-22-2012, 11:48 AM   #2
Scubar
You need to provide more explanation. Can you provide the IP addresses involved and how the customer is trying to connect to the server and by what means?

Are there any firewalls involved?

When you say same network I take it you mean they are on the same Local Area Network.

06-22-2012, 01:16 PM   #3
AruisDante
I mean the global IP corresponds to the gateway network (AKA it's the IP of your cable modem). So you need the router to be port-forwarding the specific ports you're trying to access to the specific subnet IP.

For example, I have a Linux box that I use as a remote host for user sessions. I tunnel to it using SSH, which uses port 22. The server's subnet IP is 192.168.1.169. Let's say my cable modem's global IP is 1.2.3.4.

First I have to set up the SSH server on my host machine. Since I'm on Linux, I'm using OpenSSH. I'm using RSA public key encryption to protect the SSH tunnel, so there's some more setup I have to do for each client that wants to access the machine, but we'll ignore that for now. The SSH server is now set up and listening to port 22 on the host machine.

I then go into my router's settings and set it up to forward requests to port 22 to local IP 192.168.1.169, my host's subnet IP.

On my client machine, I install an SSH client. For Windows, PuTTY is probably the most widely used terminal client and supports a lot of very nice features that make setting up SSH tunnels easy. As the address to connect to I put in the global IP of my network, 1.2.3.4. I press connect, and voilà, I have an SSH'd terminal into my Linux box.

But what if I need more than a terminal? This is where SSH tunnels come in. SSH supports a really nifty feature where it can 'tunnel' ports over its SSH connection. This makes it so your client machine thinks it has direct access to the port on the host machine, but you only need to expose the SSH port 22 to the open internet, which greatly improves security. In addition, since any traffic over the SSH tunnel is encrypted, any application's data that is sent over the SSH tunnel, such as a remote desktop client like RDP (Windows Remote Desktop) or VNC, is automatically encrypted even if those programs do not themselves support encryption. Setting up SSH tunnels differs from client to client, but the end result is that on the client machine, when making the remote desktop call, instead of doing Host_IP:Port you simply call localhost:Port.

There is another step that is often necessary when you have a dynamic global IP, as most residential and standard business-grade connections do. You have to set up a Dynamic DNS domain with a registrar. There are many, many free services for this. I personally use No-IP, but DynDNS and others are very popular. This obviously assigns a DNS name (your-host.DNSService.com) to your global IP, but more importantly they provide a software service which installs on your host machine (or may have built-in support in your router) that periodically calls their service and updates the IP associated with the DNS domain, so that you do not have to worry about making sure you know the new global IP to your network. Once you have this set up you simply need to use the registered domain as the target for your SSH client, and it will take care of the rest.

And finally, no, if you use the global IP as a target instead of the subnet IP it does not know they are the same, because it can't see through the NAT layer. It's basically routing all calls out to the internet and then back to your router when you address it that way. You should always use your local subnet IP as the target when you're on your host's network if possible for optimal performance.

Additional Comment:

Also, if the customer is simply trying to use some software that exposes ports and isn't practical to SSH into, at the very least you need to set up the router to port-forward the ports the software needs to the host machine's subnet IP. If you're using Windows on the server, make sure it's set up to request a static IP from the router, otherwise the port forwarding will not be reliable (Linux by default uses a static IP).

Last edited by AruisDante : 06-22-2012 at 01:16 PM. Reason: Automerged Doublepost

06-23-2012, 11:29 AM   #4
ReikokuKo
So say the server's internal address is 1.2.3.4 and the host is 1.2.3.5, the server has remote access set up on port 8866 and it is forwarded through the firewall and the global address is 4.3.2.1. Remote access works but when the 1.2.3.5 host uses 4.3.2.1:8866 it does not work. That host has to use 1.2.3.4:8866 to get access. But when that host (a laptop) migrates away from that network, it can use 4.3.2.1:8866.

I was just wondering as to why exactly the 1.2.3.5 host cannot use the 4.3.2.1 address. I understand that the source and destination address will be 4.3.2.1 in that request, but as that request is coming in on a specific port that is forwarded, why can it not get to the server?

08-27-2012, 12:55 PM   #5
ReikokuKo
In a more simple explanation: I'm hosting a webserver on my network, and I am trying to access it through its FQDN which resolves to the public IP of the network that the server is on; however, the web request has the same public IP as well and I am not able to access it. Is this some kind of IPS feature on SOHOs to prevent some sort of IP spoofing? Basically the request has the same public IP as the destination and source addresses.
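
The scenario from posts #4 and #5, traced through a simplified NAT model as an added example (not code from any poster or router vendor). The router LAN address 1.2.3.1, the off-site address 203.0.113.7, the three router modes and the behaviour assigned to each are assumptions made for illustration; the mechanism being modelled is usually called NAT loopback or hairpin NAT.

```python
# Simplified model of a SOHO NAT router (constructed; not any vendor's firmware).
# Server, client, public address and port are the ones given in post #4.
from collections import namedtuple

Packet = namedtuple("Packet", "src dst dport")

WAN_IP, ROUTER_LAN_IP = "4.3.2.1", "1.2.3.1"  # 1.2.3.1 is an assumed router LAN address
SERVER, CLIENT, PORT = "1.2.3.4", "1.2.3.5", 8866
FORWARDS = {PORT: SERVER}                      # port-forward table: WAN port -> LAN host


def router(pkt, in_iface, mode):
    """Return the packet the router hands to the LAN server, or None.

    mode: "wan-only"  - forward rule matches only packets arriving on the WAN side
          "dnat-only" - rule also matches LAN arrivals; only the destination is rewritten
          "hairpin"   - destination and source are both rewritten (NAT loopback)
    """
    if pkt.dst != WAN_IP or pkt.dport not in FORWARDS:
        return None
    if in_iface == "lan" and mode == "wan-only":
        return None                            # rule never sees LAN-side arrivals
    src = ROUTER_LAN_IP if (in_iface == "lan" and mode == "hairpin") else pkt.src
    return pkt._replace(src=src, dst=FORWARDS[pkt.dport])


def connect(client_ip, in_iface, mode):
    """Trace one connection attempt to WAN_IP:PORT and return the outcome."""
    request = Packet(client_ip, WAN_IP, PORT)
    at_server = router(request, in_iface, mode)
    if at_server is None:
        return "not forwarded: no port-forward rule matched at the router"
    reply_src, reply_dst = at_server.dst, at_server.src  # server answers whoever it saw
    if reply_dst == ROUTER_LAN_IP or in_iface == "wan":
        reply_src = WAN_IP   # reply passes back through the router, which undoes the NAT
    # Otherwise the server answers straight across the LAN and the router never
    # gets the chance to restore the public address on the reply.
    if reply_src != request.dst:
        return f"reply from {reply_src} rejected: client was talking to {request.dst}"
    return "connected"


if __name__ == "__main__":
    print("laptop off-site         :", connect("203.0.113.7", "wan", "wan-only"))
    for mode in ("wan-only", "dnat-only", "hairpin"):
        print(f"laptop on LAN, {mode:9}:", connect(CLIENT, "lan", mode))
```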