Private Network to private network reach over public IP address


we have a situation, explained below, not able to get an idea how this can be achieved.

private network =>

Web server private IP => Port 80

Public IP => x.x.x.x mapped to domain

now when private machines trying to reach they receive public IP x.x.x.x and get connection refused as public IP is not able to service the request coming from inside network to translated network.

how can this be achieved without doing manual changes on local computers.


Have a look at hairpin NAT.

As the other respondent said you need to employ “hairpin NAT”, which basically involves two things:

  • a destination NAT – that applies to traffic sourced from inside your private network, but destined to the server public IP, which you’ll DNAT to the server private IP; (this will generate a nat / PREROUTING -j DNAT iptables rule;)
  • a source NAT – that applies to the same traffic as above, by replacing the source address with the router’s own IP; (although I think any non-local IP would do;) (this will generate a nat / POSTROUTING -j MASQUARADE iptables rule;)

For the destination NAT you match traffic based on the destination IP being the public one, meanwhile for the source NAT you match traffic based on the destination IP being the private one of the server. (I don’t think you are required to add any source addresses and outbound interfaces to the source NAT rule as the documentation states.)

Note however that if the web server needs to take into account the IP address of the client, it will only see the IP address of the router.