New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
FS#1334 - port forwarding not working #6275
Comments
jow-: Please provide your /etc/config/firewall or a screenshot of your LuCI portforward page. |
robertmuth: cat /etc/config/firewall config defaults config zone config zone config forwarding config rule config rule config rule config rule config rule config rule config rule config rule config rule config include config include 'miniupnpd' config include 'bcp38' config redirect |
robertmuth: Note sure if these experiments done from inside the router are meaningful, wget http://192.168.1.111:8877 index.html 100%[==================================>] 2.65K --.-KB/s in 0s 2018-02-08 01:06:24 (45.3 MB/s) - 'index.html' saved [2711/2711] BUT: wget http://---wan-ip---:8877 |
arjendekorte: Remove the line
from your redirect rule. It is unrealistic to expect that web clients connect from port 8877 when they make a connection to port 8877 unless you specifically tell them to do that (which you probably don't). |
jow-: Is the target server (192.168.1.111) using your router as default gateway? |
robertmuth: Re: Arjen de Korte good catch! config redirect config redirect |
robertmuth: RE: Jo-Philipp Wich You could be on to something here On that machine I have: auto lo auto eth0 auto enp4s0f0 However, for debugging I have also set up port forwarding Same problem: internally wget http://192.168.0.111:8877 index.html.1 100%[==================================================>] 2.65K --.-KB/s in 0s 2018-02-08 07:22:28 (336 MB/s) - ‘index.html.1’ saved [2711/2711] externally (192.168.1.116 is router B's wan IP): wget http://192.168.1.116:8877 |
jow-: That setup will not work. You must ensure that the host your forward traffic to responds directly and not via another (natting) machine - this will lead to unexpected response packets which will get discared at the router. You have two possibilities to fix the issue.
To implement solution #2 you need two additional SNAT rules to complement the DNAT. The first SNAT rule rewrites the source ip of incoming wan traffic to the routers internal LAN ip, so forwarded traffic hitting the internal server will appear to come from the router itself which will cause the server to respond to the router directly instead of using the default route. The second SNAT rule rewrites response traffic from the lan server destined to the router back to the routers wan IP where the stateful connection tracking will take care of routing the packets to the original remote client. In my example below, the both SNAT rules use the IP address of the LAN server as well as the protocol and port number to identify traffic needing rewrites. To avoid rewriting internal LAN traffic using this particular port, a negated subnet match is used to exclude the LAN range. The rules use symbolic interface notation for the
Downside of this approach is that you loose the information about the actual foreign client IP on the LAN server, so anti-bruteforce measures like fail2ban are useless since all requests will appear to come from the router itself. |
robertmuth: changing the default route did the trick. I really appreciate your prompt help! |
robertmuth:
TP-Link Archer C7 v2
LEDE Reboot SNAPSHOT r5464-5a8e9846af / LuCI Master (git-17.342.53118-6d086bf)
Steps to reproduce:
wget http://:
this fails
I un-systematically tried other lede versions - none of which worked.
The text was updated successfully, but these errors were encountered: