SJrX:
Supply the following if possible:
====[DEVICE]====
NetGear WNDR 3700v2
====[Software Version]====
DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='18.06.1'
DISTRIB_REVISION='r7258-5eb055306f'
DISTRIB_TARGET='ar71xx/generic'
DISTRIB_ARCH='mips_24kc'
DISTRIB_DESCRIPTION='OpenWrt 18.06.1 r7258-5eb055306f'
DISTRIB_TAINTS=''
====[Network Setup]====
Internet <=====> OpenWRT (WAN 17.17.17.17/LAN 192.168.1.1) With NAT <===> (192.168.1.0/24) <===> Router (no NAT, 192.168.1.2/10.0.0.1) <===> (10.0.0.0/16) <===> Server (10.0.0.2)
OpenWRT Settings (/etc/config/network):
config route
	option interface 'lan'
	option target '10.0.0.0'
	option netmask '255.255.0.0'
	option gateway '192.168.1.2'
	option metric '1'
Port Forward (/etc/config/firewall):
config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option name '443'
	option dest_port '443'
	option src_dport '443'
	option dest_ip '10.0.0.2'
====[Problem]====
Connections from the internet, or from nodes on 192.168.1.0/24, can connect to 17.17.17.17 on port 443; they make the connection to 10.0.0.2 port 443. However, nodes on 10.0.0.0/16 cannot.
If I look at iptables-save I see the following:
iptables-save | grep "443"
-A zone_lan_postrouting -s 192.168.1.0/24 -d 10.0.0.2/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: 443 (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_prerouting -s 192.168.1.0/24 -d 17.17.17.17/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: 443 (reflection)" -j DNAT --to-destination 10.0.0.2:443
-A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: 443" -j DNAT --to-destination 10.0.0.2:443
The NAT rule is specifying only the local LAN address.
====[Work Around]====
If, as a custom start-up script, I run:
iptables-save | sed -r 's:^(.+) 192.168.1.0/24 (.+)$:\1 192.168.1.0/24 \2\n\1 10.0.0.0/16 \2:' | iptables-restore
then 10.0.0.0/16 can access it without issue. However, this script doesn't always get executed when making changes within the OpenWRT UI (at least in 12.09; I just upgraded today).
====[Potential Solutions]====
I think that every route should have its iptables rules set up automagically; however, I'm not 100% sure.
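As an added example (not code from the issue or from OpenWrt/fw3), the following POSIX sh function derives reflection rules for a routed subnet from the rules fw3 already generated, but only for rules carrying fw3's "(reflection)" comment, whereas the sed above duplicates every nat rule that mentions 192.168.1.0/24. It emits idempotent `iptables -t nat -C ... || iptables -t nat -A ...` commands rather than replaying the whole ruleset through iptables-restore; the function name is mine, and the sample input is the three rules quoted in the issue. Because fw3 re-runs /etc/firewall.user on every firewall reload, calling it from there avoids the "start-up script not executed" problem described above.

```shell
#!/bin/sh
# Added example (not from the issue or from fw3): derive NAT-reflection rules for
# extra routed subnets from the rules fw3 generated for the directly connected LAN.
# Reads `iptables-save -t nat` output on stdin and prints idempotent iptables
# commands. Only rules with fw3's "(reflection)" comment are touched.
#   usage: iptables-save -t nat | expand_reflection_rules 192.168.1.0/24 10.0.0.0/16
expand_reflection_rules() {
    lan_net="$1"; shift
    awk -v lan="$lan_net" -v extra="$*" '
        /\(reflection\)/ && index($0, "-s " lan " ") {
            n = split(extra, nets, " ")
            for (i = 1; i <= n; i++) {
                rule = $0
                # swap the LAN source subnet for the routed one
                sub("-s " lan " ", "-s " nets[i] " ", rule)
                # drop the leading "-A"; the rest is valid as -C (check) and -A args
                sub(/^-A /, "", rule)
                print "iptables -t nat -C " rule " 2>/dev/null || iptables -t nat -A " rule
            }
        }'
}

# Constructed sample: the three nat rules quoted in the issue.
SAMPLE_NAT=$(cat <<'EOF'
-A zone_lan_postrouting -s 192.168.1.0/24 -d 10.0.0.2/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: 443 (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_prerouting -s 192.168.1.0/24 -d 17.17.17.17/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: 443 (reflection)" -j DNAT --to-destination 10.0.0.2:443
-A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: 443" -j DNAT --to-destination 10.0.0.2:443
EOF
)

# Print the commands for 10.0.0.0/16 (on the router you would pipe them into sh).
demo() {
    printf '%s\n' "$SAMPLE_NAT" | expand_reflection_rules 192.168.1.0/24 10.0.0.0/16
}
demo
```

Note that the copied SNAT rule makes every hairpinned connection from 10.0.0.0/16 appear to the server as coming from 192.168.1.1, so the server's own logs lose the real client address for those connections.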