FS#3875 - NAT reflection/loopback fails with multiple zones #8868

Closed
openwrt-bot opened this issue Jun 13, 2021 · 7 comments
@openwrt-bot
phqzgunsfjror:

I just want to reopen the ticket because it was closed (reason EOL of the version where it was created).

It is not a bug, but it would be a nice feature for everyone who hosts private servers.

Everything can be found here:
https://bugs.openwrt.org/index.php?do=details&task_id=1645&dev=4

@openwrt-bot

KiralyCraft:

I can confirm this is indeed something we need. I stumbled across this issue too and I'm now trying to work around it with iptables; it will be messy, though.


ShapeShifter499 commented Mar 28, 2022

For anyone coming across this now, the formatting got messed up on this issue thread #7950 when the bug tracker was migrated. The below works for me added via LuCI 'Firewall - Custom Rules' page. It works for other services too, just modify the port numbers. These rules are in addition to the "port forward" rule for the one VLAN you set.

# fw3 (iptables) rules, loaded from the LuCI "Firewall - Custom Rules" page
. /lib/functions.sh
. /lib/functions/network.sh
network_get_ipaddr wan wan    # current WAN address -> $wan
network_get_ipaddr lan lan    # router's LAN address -> $lan
webserver=""                  # add your web server IP address here
# LAN clients that connect to the WAN address on 80/443 are DNATed to the server.
# Note: "-d $wan/22" matches the whole /22 block around the WAN address, as posted;
# use "-d $wan/32" to match only the WAN address itself.
iptables -t nat -A prerouting_lan_rule -s $lan/24 -d $wan/22 -p tcp -m tcp --dport 80 -j DNAT --to-destination $webserver:80
iptables -t nat -A prerouting_lan_rule -s $lan/24 -d $wan/22 -p tcp -m tcp --dport 443 -j DNAT --to-destination $webserver:443


jorti commented Aug 26, 2022

Any benevolent soul that can show me how to do this with nftables in 22.03?
Thanks.


jorti commented Aug 28, 2022

My current workaround for fw4 is to create a hotplug script that updates a custom nft rules file when the WAN address changes. It's not ideal because it writes to storage, but I haven't found any way of making use of the WAN address from within the nft file (it'd be great if fw4 defined a variable for it).

/etc/hotplug.d/iface/01-nat-reflection file:

#!/bin/sh
# Hotplug scripts under /etc/hotplug.d/iface are sourced by netifd on interface
# events; netifd sets $INTERFACE and $ACTION.

[ "$INTERFACE" = "wan" ] || exit 0
[ "$ACTION" = ifup ] || [ "$ACTION" = ifupdate ] || exit 0

. /lib/functions/network.sh
network_find_wan WAN_IF
network_get_ipaddr WAN_ADDR "${WAN_IF}"

[ -z "$WAN_ADDR" ] && exit 0

logger -t nat-reflection "Configuring LAN reflection"

# Rewrite the fw4 include with the current WAN address. fw4 pulls in
# /etc/nftables.d/*.nft inside "table inet fw4" on its next reload; the
# firewall's own iface hotplug (20-firewall, which sorts after this 01- script)
# reloads the ruleset on ifup of a zone interface.
webserver="192.168.7.5"
cat > /etc/nftables.d/11-custom-nat-reflection.nft << EOF
chain user_dstnat {
	type nat hook prerouting priority dstnat; policy accept;
	iifname "br-lan" ip saddr 192.168.1.0/24 ip daddr $WAN_ADDR tcp dport 80 dnat ip to ${webserver}:80 comment "!fw4: forward-http (reflection lan)"
	iifname "br-lan" ip saddr 192.168.1.0/24 ip daddr $WAN_ADDR tcp dport 443 dnat ip to ${webserver}:443 comment "!fw4: forward-https (reflection lan)"
}
EOF
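
The hand-rolled workaround above only DNATs one zone. As an added example (not jorti's script, not fw4 code, and not needed when the built-in `reflection_zone` list is used), the shell function below renders one fw4 include file that reflects a forward for several zones at once, which is the multi-zone case in the issue title. It also adds the hairpin SNAT that a plain DNAT rule lacks: when the client and the server sit on the same segment, the server would otherwise answer the client directly and the connection stalls. The zone names, bridge device names, subnets, WAN address (203.0.113.5) and server address are constructed for illustration; it assumes, as jorti's file does, that fw4 includes `/etc/nftables.d/*.nft` inside `table inet fw4`.

```shell
#!/bin/sh
# Added example, not jorti's script: render one fw4 include file that
# reflects a forward for several zones at once, adding the hairpin SNAT
# that a plain DNAT rule lacks.
#
# Zone specs are "name:device:subnet". Device names, subnets, WAN and
# server addresses used below are constructed for illustration.
#
# Usage: render_reflection WAN_ADDR SERVER SERVER_DEV "PORTS" ZONE_SPEC...
render_reflection() {
    wan_addr=$1 server=$2 server_dev=$3 ports=$4
    shift 4

    # fw4 includes /etc/nftables.d/*.nft inside "table inet fw4", so these
    # chains live in an inet table and dnat/snat need the "ip" family.
    printf 'chain user_dstnat {\n'
    printf '\ttype nat hook prerouting priority dstnat; policy accept;\n'
    for spec in "$@"; do
        zone=${spec%%:*}; rest=${spec#*:}
        dev=${rest%%:*}; net=${rest#*:}
        # Clients in this zone that hit the WAN address are sent to the server.
        printf '\tiifname "%s" ip saddr %s ip daddr %s tcp dport { %s } dnat ip to %s comment "!fw4: reflection dnat %s"\n' \
            "$dev" "$net" "$wan_addr" "$ports" "$server" "$zone"
    done
    printf '}\n'

    printf 'chain user_srcnat {\n'
    printf '\ttype nat hook postrouting priority srcnat; policy accept;\n'
    for spec in "$@"; do
        zone=${spec%%:*}; rest=${spec#*:}
        dev=${rest%%:*}; net=${rest#*:}
        # Hairpin case: client and server share a segment. Without SNAT the
        # server replies to the client directly, bypassing the router's
        # conntrack entry, and the connection stalls. Only the server's own
        # zone gets this rule, so other zones keep real client addresses in
        # the server's logs. Postrouting sees the already-DNATed destination.
        [ "$dev" = "$server_dev" ] || continue
        printf '\toifname "%s" ip saddr %s ip daddr %s tcp dport { %s } masquerade comment "!fw4: reflection snat %s"\n' \
            "$dev" "$net" "$server" "$ports" "$zone"
    done
    printf '}\n'
}

# Constructed demo values. In a hotplug script like jorti's you would pass
# "$WAN_ADDR" and redirect the output to /etc/nftables.d/11-custom-nat-reflection.nft.
render_reflection 203.0.113.5 192.168.7.5 br-dmz "80, 443" \
    lan:br-lan:192.168.1.0/24 \
    guest:br-guest:192.168.2.0/24 \
    dmz:br-dmz:192.168.7.0/24
```

The function only renders text, so it can be checked with `nft -c -f` against a ruleset before being written anywhere; the masquerade rule is deliberately emitted for the server's zone alone, because SNATing traffic from other zones would hide the real client address from the server.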


jow- commented Aug 28, 2022

Hmm, both current versions of fw3 and fw4 support list reflection_zone ... - are you sure that workaround is even needed?

Example:

config redirect
	option name 'SSH'
	option proto 'tcp'
	option src 'wan'
	option src_dport '22177'
	option dest 'lan'
	option dest_ip '10.11.12.177'
	option dest_port '22'
	option target 'DNAT'
	list reflection_zone lan
	list reflection_zone guest
	list reflection_zone dmz


jorti commented Aug 28, 2022

Hmm, both current versions of fw3 and fw4 support list reflection_zone ... - are you sure that workaround is even needed?

Thanks! somehow I missed it.

I've tested it and works as expected, so I guess that this issue can be closed.


jow- commented Aug 28, 2022

Closing this because support has been implemented a while ago.
