FS#1959 - Port forwards do not work with Static Routes #6861

Open
openwrt-bot opened this issue Nov 18, 2018 · 0 comments
SJrX:

Supply the following if possible:

====[DEVICE]====

  • Device problem occurs on
    NetGear WNDR 3700v2

====[Software Version]====

  • Software versions of OpenWrt/LEDE release, packages, etc.
    DISTRIB_ID='OpenWrt'
    DISTRIB_RELEASE='18.06.1'
    DISTRIB_REVISION='r7258-5eb055306f'
    DISTRIB_TARGET='ar71xx/generic'
    DISTRIB_ARCH='mips_24kc'
    DISTRIB_DESCRIPTION='OpenWrt 18.06.1 r7258-5eb055306f'
    DISTRIB_TAINTS=''

====[Network Setup]====

Internet <=====> OpenWRT (WAN 17.17.17.17/LAN 192.168.1.1) With NAT <===> (192.168.1.0/24) <===> Router (no NAT, 192.168.1.2/10.0.0.1) <===> (10.0.0.0/16) <===> Server (10.0.0.2)

OpenWRT Settings (/etc/config/network):

    config route
        option interface 'lan'
        option target '10.0.0.0'
        option netmask '255.255.0.0'
        option gateway '192.168.1.2'
        option metric '1'

Port Forward (/etc/config/firewall):

    config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option name '443'
        option dest_port '443'
        option src_dport '443'
        option dest_ip '10.0.0.2'

====[Problem]====

Connections from the internet, or from nodes on 192.168.1.0/24, can connect to 17.17.17.17 on port 443; they make the connection to 10.0.0.2 port 443. However, nodes on 10.0.0.0/16 cannot.

If I look at iptables-save I see the following:

    iptables-save | grep "443"
    -A zone_lan_postrouting -s 192.168.1.0/24 -d 10.0.0.2/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: 443 (reflection)" -j SNAT --to-source 192.168.1.1
    -A zone_lan_prerouting -s 192.168.1.0/24 -d 17.17.17.17/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: 443 (reflection)" -j DNAT --to-destination 10.0.0.2:443
    -A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: 443" -j DNAT --to-destination 10.0.0.2:443

The NAT rule is specifying only the local LAN address.

====[Work Around]====

If, as a custom start-up script, I run:

    iptables-save | sed -r 's:^(.+) 192.168.1.0/24 (.+)$:\1 192.168.1.0/24 \2\n\1 10.0.0.0/16 \2:' | iptables-restore

then 10.0.0.0/16 can access it without issue; however, this script doesn't always get executed when making changes within the OpenWRT UI (at least in 12.09; I just upgraded today).

====[Potential Solutions]====

I think that every route should have its iptables rules set up automagically; however, I'm not 100% sure.
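An added example, not part of the original report or of fw3: the sed workaround above duplicates every rule that mentions 192.168.1.0/24, including filter-table rules unrelated to port forwarding. This shell snippet instead copies only the fw3 "(reflection)" NAT rules to a routed subnet and counts how many such rules still lack a counterpart, so the gap can be detected before and after applying them. The iptables-save lines are a constructed sample taken from the report; the function names and the 10.0.0.0/16 / 192.168.1.0/24 arguments are this example's own.

```sh
#!/bin/sh
# Constructed sample of `iptables-save` output, as quoted in the report, plus one
# unrelated filter rule that a blanket substitution would also have duplicated.
SAMPLE_RULES='-A zone_lan_postrouting -s 192.168.1.0/24 -d 10.0.0.2/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: 443 (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_prerouting -s 192.168.1.0/24 -d 17.17.17.17/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: 443 (reflection)" -j DNAT --to-destination 10.0.0.2:443
-A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: 443" -j DNAT --to-destination 10.0.0.2:443
-A zone_lan_forward -s 192.168.1.0/24 -m comment --comment "!fw3: allow lan" -j ACCEPT'

# reflection_rules_for SUBNET LANNET
# Reads iptables-save lines on stdin and prints copies of the fw3 reflection
# rules whose source match is LANNET, with that match rewritten to SUBNET.
# Only nat-table rules tagged "(reflection)" are copied; everything else is dropped.
reflection_rules_for() {
    subnet=$1
    lannet=$2
    grep -F '(reflection)' |
        grep -F -- "-s $lannet " |
        sed "s#-s $lannet #-s $subnet #"   # '#' delimiter because subnets contain '/'
}

# count_missing SUBNET LANNET
# Reads iptables-save lines on stdin and prints the number of reflection rules
# restricted to LANNET that have no equivalent rule for SUBNET (0 = fully covered).
count_missing() {
    subnet=$1
    lannet=$2
    rules=$(cat)
    have=$(printf '%s\n' "$rules" | grep -F '(reflection)' | grep -c -- "-s $lannet ")
    covered=$(printf '%s\n' "$rules" | grep -F '(reflection)' | grep -c -- "-s $subnet ")
    echo $((have - covered))
}

# Stand-alone usage: show the gap, generate the missing rules, show the gap is closed.
# The generated lines are in iptables-save syntax; each would be loaded with
# `iptables -t nat` followed by the line, or by feeding a *nat section to iptables-restore -n.
printf '%s\n' "$SAMPLE_RULES" | count_missing 10.0.0.0/16 192.168.1.0/24
EXTRA=$(printf '%s\n' "$SAMPLE_RULES" | reflection_rules_for 10.0.0.0/16 192.168.1.0/24)
printf '%s\n' "$EXTRA"
printf '%s\n%s\n' "$SAMPLE_RULES" "$EXTRA" | count_missing 10.0.0.0/16 192.168.1.0/24
```

Because the match is on the fw3 "(reflection)" comment rather than on any occurrence of the LAN subnet, the `zone_lan_forward` ACCEPT rule in the sample is left alone.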
