FS#1645 - NAT reflection/loopback fails with multiple zones #7950
Comments
TexasDex: Note: This was reported as a bug in LuCI, but closed because the issue was not just with the UI: openwrt/luci#1560
jow-: This is by design. The setup of NAT loopback rules is currently tied to the zone of the target host. I might look into introducing a new option "reflection zones" or similar to change the set, but I can't promise that it'll happen anytime soon.
TexasDex: It took a lot of figuring out, but adding the following rule to the 'Firewall - Custom Rules' pane in LuCI seems to have fixed it for now:
Making this an official feature would be appreciated, though.
dfberger: I found this report while investigating the same problem. I fixed it in a similar way and would also appreciate it being more directly supported. In my case I have a Plex media server in the lan zone, accessible from the internet, and a set of devices in an untrusted zone that I want to be able to stream from it. I ended up doing this on OpenWrt 18.06.1, r7258-5eb055306f:
```sh
. /lib/functions.sh
. /lib/functions/network.sh
```
(As an aside for anyone trying to replicate my results, I found that these rules don't appear after reboot until I do a firewall restart, but I haven't yet figured out why.)
neontty: Upvote. I experienced the same problem. Thank you, Dan and Dex, for posting your solutions here. It seems like a pretty common situation for people to have a DMZ'd zone hosting a webserver that they would want to access via a zone-to-zone NAT loopback. Edit: @dan, I think your problem where you need to do the firewall restart is related to this: https://dev.archive.openwrt.org/ticket/20249.html. When the firewall reloads (instead of restarts) your custom firewall.user rules are not also reloaded, but they depend on a chain that is created in /etc/config/firewall, so I think your rules get flushed too. That article explains that you can set a variable in your firewall config to also execute your firewall.user script on reloads as well. I realize that this thread is super old, but I thought I would post this for anyone else who came across it.
phqzgunsfjror: I also vote for the feature. I opened a new ticket since it was closed:
TexasDex:
I have multiple internal VLANs, and multiple firewall zones (e.g. a guest network, a DMZ LAN) with separate IP ranges and locked-down routing in between. I've found that if I forward a port to a web server in my DMZ zone the 'NAT Loopback' option has no effect on hosts outside of that zone (e.g. in my LAN or GuestLAN zones).
LEDE:
```
$ curl https://mywebsite.com
curl: (7) Failed to connect to mywebsite.com port 443: Connection refused
```
On DMZ:
```
$ curl https://mywebsite.com
<title> ...
```
The port forward works fine on hosts outside my network.
I've looked into adding custom rules to fix this, since I'm a Linux sysadmin with a little bit of iptables experience, but I'm not having much luck figuring out the LEDE firewall.
Using LEDE Reboot (17.01.4, r3560-79f57e422d) on x86 (QOTOM J1900 embedded PC).
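The cross-zone reflection that TexasDex and dfberger describe adding by hand in firewall.user, written out as an added example script (it is not code from this thread or from OpenWrt): for each extra source zone it generates the DNAT, SNAT and forwarding-accept rules that fw3 only creates for the target host's own zone. The chain names are fw3's per-zone user chains, every address and zone name is a constructed sample value, and REFLECT_APPLY is a switch of this script only; by default the rules are printed rather than executed so they can be reviewed first.

```sh
#!/bin/sh
# Added example, not code from the issue thread: generate the iptables rules
# that make a WAN port forward reachable ("reflected") from internal zones
# other than the target host's own zone.  Chain names are the per-zone user
# chains that OpenWrt's fw3 creates (prerouting_<zone>_rule,
# postrouting_<zone>_rule, forwarding_<zone>_rule); every address and zone
# name below is a constructed sample value.
#
# With REFLECT_APPLY=1 the commands are executed; otherwise they are only
# printed so they can be reviewed before anything is inserted.

# emit CMD ARG... : print or execute one iptables command
emit() {
    if [ "${REFLECT_APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# reflect_one SRC_ZONE SRC_NET DST_ZONE DST_ROUTER_IP WAN_IP PROTO PORT TARGET_IP TARGET_PORT
# Emits the three rules one source zone needs:
#  1. DNAT in the source zone's prerouting chain: clients in SRC_NET talking to
#     WAN_IP:PORT are redirected to the internal target, as WAN traffic is.
#  2. SNAT in the target zone's postrouting chain: the rewritten packets carry
#     the router's address in that zone, so replies always come back through
#     the router and conntrack can reverse the DNAT (mandatory when client and
#     target share a subnet, harmless otherwise).
#  3. ACCEPT in the source zone's forwarding chain, matched as narrowly as the
#     DNAT, so a zone whose forwarding is otherwise locked down gains only
#     this one path to the target.
reflect_one() {
    src_zone=$1 src_net=$2 dst_zone=$3 dst_router_ip=$4 wan_ip=$5
    proto=$6 port=$7 target_ip=$8 target_port=$9
    tag="reflect:${src_zone}:${target_ip}:${target_port}"

    emit iptables -t nat -A "prerouting_${src_zone}_rule" \
        -s "$src_net" -d "$wan_ip" -p "$proto" --dport "$port" \
        -m comment --comment "$tag" \
        -j DNAT --to-destination "${target_ip}:${target_port}"

    emit iptables -t nat -A "postrouting_${dst_zone}_rule" \
        -s "$src_net" -d "$target_ip" -p "$proto" --dport "$target_port" \
        -m comment --comment "$tag" \
        -j SNAT --to-source "$dst_router_ip"

    emit iptables -A "forwarding_${src_zone}_rule" \
        -s "$src_net" -d "$target_ip" -p "$proto" --dport "$target_port" \
        -m comment --comment "$tag" \
        -j ACCEPT
}

# reflect_all WAN_IP DST_ZONE DST_ROUTER_IP PROTO PORT TARGET_IP TARGET_PORT "ZONE:NET ZONE:NET ..."
# Repeats reflect_one for every "zone:subnet" pair in the last argument.
reflect_all() {
    for pair in $8; do
        reflect_one "${pair%%:*}" "${pair#*:}" "$2" "$3" "$1" "$4" "$5" "$6" "$7"
    done
}

# rule_count ARGS... : how many iptables commands reflect_all would emit
rule_count() {
    reflect_all "$@" | wc -l | tr -d ' '
}

# Constructed sample topology: web server 10.0.0.10 in zone "dmz", router's
# dmz-side address 10.0.0.1, public address 203.0.113.5, and clients in the
# "lan" and "guest" zones that should reach https://<public address>/.
reflect_all 203.0.113.5 dmz 10.0.0.1 tcp 443 10.0.0.10 443 \
    "lan:192.168.1.0/24 guest:192.168.2.0/24"
```

On a real device the router's addresses would be looked up at run time rather than hard-coded, which is what dfberger's sourcing of /lib/functions/network.sh is for. Two points from the thread are worth settling in the configuration itself: fw3's `config include` section accepts `option reload '1'`, which re-runs the include on a firewall reload and not only on a restart (the flushing that neontty's linked ticket describes), and later firewall3 releases accept a `reflection_zone` list on a redirect section, which enables reflection for the named zones without any custom rules and is the option to prefer where it exists.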