OpenWrt/LEDE Project

  • Status Unconfirmed
  • Percent Complete
    0%
  • Task Type Bug Report
  • Category Base system
  • Assigned To No-one
  • Operating System All
  • Severity Low
  • Priority Very Low
  • Reported Version Trunk
  • Due in Version Undecided
  • Due Date Undecided
  • Votes
  • Private
Attached to Project: OpenWrt/LEDE Project
Opened by Steve Ramage - 18.11.2018

FS#1959 - Port forwards do not work with Static Routes

Supply the following if possible:
- Device problem occurs on

[DEVICE]

NetGear WNDR 3700v2

[Software Version]

- Software versions of OpenWrt/LEDE release, packages, etc.

DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='18.06.1'
DISTRIB_REVISION='r7258-5eb055306f'
DISTRIB_TARGET='ar71xx/generic'
DISTRIB_ARCH='mips_24kc'
DISTRIB_DESCRIPTION='OpenWrt 18.06.1 r7258-5eb055306f'
DISTRIB_TAINTS=''

[Network Setup]

Internet ⇐===⇒ OpenWRT (WAN 17.17.17.17/LAN 192.168.1.1) With NAT ⇐=⇒ (192.168.1.0/24) ⇐=⇒ Router (no NAT, 192.168.1.2/10.0.0.1) ⇐=⇒ (10.0.0.0/16) ⇐=⇒ Server (10.0.0.2)

OpenWRT Settings (/etc/config/network):

config route
 option interface 'lan'
 option target '10.0.0.0'
 option netmask '255.255.0.0'
 option gateway '192.168.1.2'
 option metric '1'

Port Forward (/etc/config/firewall):

config redirect
 option target 'DNAT'
 option src 'wan'
 option dest 'lan'
 option proto 'tcp'
 option name '443'
 option dest_port '443'
 option src_dport '443'
 option dest_ip '10.0.0.2'

[Problem]

Connections from the internet, or from nodes on 192.168.1.0/24, can connect to 17.17.17.17 on port 443; they are forwarded to 10.0.0.2 port 443. However, nodes on 10.0.0.0/16 cannot.

If I look at iptables-save I see the following:

iptables-save | grep "443"
-A zone_lan_postrouting -s 192.168.1.0/24 -d 10.0.0.2/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: 443 (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_prerouting -s 192.168.1.0/24 -d 17.17.17.17/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: 443 (reflection)" -j DNAT --to-destination 10.0.0.2:443
-A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: 443" -j DNAT --to-destination 10.0.0.2:443

The reflection NAT rules only match the local LAN subnet (192.168.1.0/24) as the source, not the statically routed 10.0.0.0/16.

[Work Around]

If, as a custom start-up script, I run:

iptables-save | sed -r 's:^(.+) 192.168.1.0/24 (.+)$:\1 192.168.1.0/24 \2\n\1 10.0.0.0/16 \2:' | iptables-restore

Then 10.0.0.0/16 can access it without issue; however, this script doesn't always get executed when making changes within the OpenWRT UI (at least in 12.09, I just upgraded today).

[Potential Solutions]

I think that every route should have its iptables rules set up automagically; however, I'm not 100% sure.
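Added example, not code from the reporter or from the OpenWrt project: a Python check that reads the static routes from an /etc/config/network snippet and the fw3 reflection rules from iptables-save output, reports which routed subnets no reflection rule matches as source, and emits copies of the reflection rules for the missing subnet. It does what the sed one-liner above does, but restricted to the "(reflection)" rules instead of every rule that mentions the LAN subnet. The function names are hypothetical, and the embedded samples are constructed from the route and iptables-save lines in this report.

```python
import ipaddress
import re

# Constructed sample: the static route section from this report's /etc/config/network.
UCI_NETWORK = """
config route
 option interface 'lan'
 option target '10.0.0.0'
 option netmask '255.255.0.0'
 option gateway '192.168.1.2'
 option metric '1'
"""

# Constructed sample: the three rules from this report's iptables-save output.
IPTABLES_SAVE = """
-A zone_lan_postrouting -s 192.168.1.0/24 -d 10.0.0.2/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: 443 (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_prerouting -s 192.168.1.0/24 -d 17.17.17.17/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: 443 (reflection)" -j DNAT --to-destination 10.0.0.2:443
-A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: 443" -j DNAT --to-destination 10.0.0.2:443
"""

OPTION_RE = re.compile(r"option\s+(\S+)\s+'([^']*)'")
SRC_RE = re.compile(r"-s (\S+)")


def _route_network(section):
    """Build the target network of one 'config route' section (host route if no netmask)."""
    netmask = section.get("netmask", "255.255.255.255")
    return ipaddress.ip_network(f"{section['target']}/{netmask}", strict=False)


def parse_static_routes(uci_text):
    """Return the target networks of every 'config route' section in UCI text."""
    routes = []
    section = None
    for raw in uci_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            if section and section.get("type") == "route" and "target" in section:
                routes.append(_route_network(section))
            section = {"type": line.split()[1]}
        elif line.startswith("option ") and section is not None:
            m = OPTION_RE.match(line)
            if m:
                section[m.group(1)] = m.group(2)
    if section and section.get("type") == "route" and "target" in section:
        routes.append(_route_network(section))
    return routes


def reflection_rules(iptables_save_text):
    """Select the rules fw3 generated for NAT reflection, identified by its comment."""
    return [l.strip() for l in iptables_save_text.splitlines()
            if "(reflection)" in l and l.strip().startswith("-A ")]


def uncovered_routes(routes, rules):
    """Static-route subnets that no reflection rule matches with its '-s' source."""
    covered = set()
    for rule in rules:
        m = SRC_RE.search(rule)
        if m:
            covered.add(ipaddress.ip_network(m.group(1)))
    return [str(r) for r in routes
            if not any(c.version == r.version and r.subnet_of(c) for c in covered)]


def reflection_rules_for(rules, subnet):
    """Copy each reflection rule with its source match replaced by `subnet`."""
    return [SRC_RE.sub(f"-s {subnet}", r, count=1) for r in rules]


if __name__ == "__main__":
    routes = parse_static_routes(UCI_NETWORK)
    rules = reflection_rules(IPTABLES_SAVE)
    for subnet in uncovered_routes(routes, rules):
        print(f"# static route {subnet} is not covered by NAT reflection; rules to add:")
        for r in reflection_rules_for(rules, subnet):
            print(r)
```

On a live router the samples would be replaced by the output of `cat /etc/config/network` and `iptables-save -t nat`. The generated rules carry the same caveat as the reporter's sed pipeline: fw3 regenerates its chains on every reload, so anything appended by hand is lost until the script runs again.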
