I am migrating from an older router (DD-WRT) to a new one running OpenWrt, and I’m having trouble configuring it in a way that is convenient for me, as I explain in the following lines.
I have several home servers (media, management, file, VPN, etc.) that I used to access via the public IP address (FQDN) regardless of whether I was at home (LAN) or roaming (WAN).
Everything is working fine for WAN access, but LAN access no longer works.
Since moving my network to OpenWrt, I have not been able to get this scenario working. I have already researched and tried several procedures from this forum (NAT Loopback, Hairpin), but none of those methods work. I have also tested some other suggestions, which basically consist of assigning my DDNS name (something.ddns.net, for example) as a hostname for a single IP address. That does work, but since I have more than one server, this solution does not fit my needs.
My router has a PPPoE connection; a public IP address is assigned to this interface, which is then mapped to an FQDN using DDNS.
I have performed some tests with a Raspberry Pi connected to my LAN, using the tcptraceroute tool to try to reach the ports used by my services.
If I disable NAT Loopback on the port forwarding rule, I can reach the router, but tcptraceroute reports the port as closed:
root@raspberrypi:~# tcptraceroute DDNS 4443
Selected device eth0, address 192.168.0.138, port 56365 for outgoing packets
Tracing the path to DDNS (PUBLIC_IP) on TCP port 4443, 30 hops max
1 PUBLIC_IP [closed] 1.414 ms 1.155 ms 1.505 ms
If I enable NAT Loopback (which seems to be the appropriate tool for my case), tcptraceroute cannot reach the WAN IP address at all, whether I use Internal or External as the Loopback Source IP:
root@raspberrypi:~# tcptraceroute DDNS 4443
Selected device eth0, address 192.168.0.138, port 56365 for outgoing packets
Tracing the path to DDNS (PUBLIC_IP) on TCP port 4443, 30 hops max
1 * * *
2 * * *
3 *^C
# uci show network; uci show firewall
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd00:ab:cd::/48'
network.@device[0]=device
network.@device[0].name='eth0'
network.@device[0].macaddr='XX'
network.wan=interface
network.wan.device='eth0'
network.wan.proto='pppoe'
network.wan.username='XXX'
network.wan.password='YYY'
network.wan.ipv6='auto'
network.wan.mtu='1492'
network.wan6=interface
network.wan6.device='eth0'
network.wan6.proto='dhcpv6'
network.@device[1]=device
network.@device[1].name='br-lan'
network.@device[1].type='bridge'
network.@device[1].ports='eth1'
network.@device[2]=device
network.@device[2].name='eth1'
network.@device[2].macaddr='XX'
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.0.1'
network.docker=interface
network.docker.device='docker0'
network.docker.proto='none'
network.docker.auto='0'
network.@device[3]=device
network.@device[3].type='bridge'
network.@device[3].name='docker0'
network.WG=interface
network.WG.proto='wireguard'
network.WG.listen_port='51820'
network.WG.addresses='192.168.2.1'
network.WG.private_key='X'
network.WG.mtu='1420'
network.WG.defaultroute='0'
network.@wireguard_WG[0]=wireguard_WG
network.@wireguard_WG[0].public_key='X'
network.@wireguard_WG[0].allowed_ips='192.168.2.2/32'
network.@wireguard_WG[0].route_allowed_ips='1'
network.@wireguard_WG[0].persistent_keepalive='25'
network.@wireguard_WG[0].description='Cleiton-Samsung'
network.@wireguard_WG[1]=wireguard_WG
network.@wireguard_WG[1].public_key='X'
network.@wireguard_WG[1].allowed_ips='192.168.2.5/32'
network.@wireguard_WG[1].route_allowed_ips='1'
network.@wireguard_WG[1].persistent_keepalive='25'
network.@wireguard_WG[1].description='Cleiton-iPhone'
network.@wireguard_WG[2]=wireguard_WG
network.@wireguard_WG[2].description='Fazenda'
network.@wireguard_WG[2].public_key='X'
network.@wireguard_WG[2].route_allowed_ips='1'
network.@wireguard_WG[2].persistent_keepalive='25'
network.@wireguard_WG[2].allowed_ips='192.168.0.0/16' '172.16.16.0/24'
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].synflood_protect='1'
firewall.@defaults[0].forward='ACCEPT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].masq='1'
firewall.@zone[1].input='ACCEPT'
firewall.@zone[1].forward='ACCEPT'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@zone[3]=zone
firewall.@zone[3].name='WG'
firewall.@zone[3].input='ACCEPT'
firewall.@zone[3].output='ACCEPT'
firewall.@zone[3].forward='REJECT'
firewall.@zone[3].network='WG'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='WG'
firewall.@forwarding[1].dest='lan'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].src='WG'
firewall.@forwarding[2].dest='wan'
firewall.@forwarding[3]=forwarding
firewall.@forwarding[3].src='lan'
firewall.@forwarding[3].dest='WG'
firewall.@forwarding[4]=forwarding
firewall.@forwarding[4].src='wan'
firewall.@forwarding[4].dest='WG'
firewall.@zone[4]=zone
firewall.@zone[4].name='WG_Intranet'
firewall.@zone[4].input='ACCEPT'
firewall.@zone[4].output='ACCEPT'
firewall.@zone[4].forward='REJECT'
firewall.@zone[4].network='WG'
firewall.@forwarding[5]=forwarding
firewall.@forwarding[5].src='WG_Intranet'
firewall.@forwarding[5].dest='WG'
firewall.@forwarding[6]=forwarding
firewall.@forwarding[6].src='WG'
firewall.@forwarding[6].dest='WG_Intranet'
firewall.@redirect[0]=redirect
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].name='TVH'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].src_dport='29981'
firewall.@redirect[0].dest_ip='192.168.0.69'
firewall.@redirect[0].dest_port='9981'
firewall.@redirect[1]=redirect
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].name='TVH'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].src_dport='29982'
firewall.@redirect[1].dest_ip='192.168.0.69'
firewall.@redirect[1].dest_port='9982'
firewall.@redirect[2]=redirect
firewall.@redirect[2].dest='lan'
firewall.@redirect[2].target='DNAT'
firewall.@redirect[2].name='SSH_Pi'
firewall.@redirect[2].src='wan'
firewall.@redirect[2].src_dport='8022'
firewall.@redirect[2].dest_ip='192.168.0.138'
firewall.@redirect[2].dest_port='22'
firewall.@redirect[3]=redirect
firewall.@redirect[3].dest='lan'
firewall.@redirect[3].target='DNAT'
firewall.@redirect[3].name='ZPiSSH'
firewall.@redirect[3].src='wan'
firewall.@redirect[3].src_dport='2222'
firewall.@redirect[3].dest_ip='192.168.0.122'
firewall.@redirect[3].dest_port='2222'
firewall.@forwarding[7]=forwarding
firewall.@forwarding[7].dest='lan'
firewall.@forwarding[8]=forwarding
firewall.@forwarding[8].dest='wan'
firewall.@forwarding[9]=forwarding
firewall.@forwarding[9].src='lan'
firewall.@forwarding[10]=forwarding
firewall.@forwarding[10].src='wan'
firewall.@forwarding[11]=forwarding
firewall.@forwarding[11].dest='lan'
firewall.@forwarding[12]=forwarding
firewall.@forwarding[12].dest='wan'
firewall.@forwarding[13]=forwarding
firewall.@forwarding[13].src='lan'
firewall.@forwarding[14]=forwarding
firewall.@forwarding[14].src='wan'
firewall.@redirect[4]=redirect
firewall.@redirect[4].dest='lan'
firewall.@redirect[4].target='DNAT'
firewall.@redirect[4].name='HTTPS'
firewall.@redirect[4].src_dport='4443'
firewall.@redirect[4].dest_ip='192.168.0.122'
firewall.@redirect[4].dest_port='4443'
firewall.@redirect[4].src='wan'
firewall.@forwarding[15]=forwarding
firewall.@forwarding[15].dest='lan'
firewall.@forwarding[16]=forwarding
firewall.@forwarding[16].dest='wan'
firewall.@forwarding[17]=forwarding
firewall.@forwarding[17].src='lan'
firewall.@forwarding[18]=forwarding
firewall.@forwarding[18].src='wan'
Can someone point me in the right direction to troubleshoot this? I have tcpdump available, but I have no idea how to use it to capture the relevant traffic for this case.