Access to LAN hosts through different interfaces partially target router

Hi everyone,
after researching and numerous unsuccessful attempts I am seeking assistance here. Thank you in advance.

Summary of problem: Depending on the interface I am connected to, access to specific hosts by the WAN domain name (Dynamic DNS) either works or redirects to the router.

Network/Interface setup:

  • Router is a Turris Omnia with Turris OS version 5.0.1 based on OpenWrt 19.07
  • router is assigned a dynamic external IP address (a.b.c.d) by my ISP on the WAN interface
  • Dynamic DNS is fully functional: domain.xy -> a.b.c.d
  • Wireguard is used for VPN and also fully functional
  • Interfaces
    • WAN (firewall zone wan)
      • IP address is assigned by ISP, e.g. a.b.c.d
    • LAN (firewall zone lan)
      • IP address of Turris Omnia/interface 'LAN' is 192.168.0.1
      • This network contains
        • Server 1 with IP address 192.168.0.111
        • Server 2 with IP address 192.168.0.222
    • wg0 (for Wireguard VPN) (firewall zone vpn)
      • IP address of Turris Omnia/interface 'wg0' is 192.168.99.1
      • connected clients use IP addresses 192.168.99.n
  • Firewall
    • Port forwards:
      • from any host in WAN via any router IP at port 80 to Server 1 port 80
      • from any host in WAN via any router IP at port 8443 to Server 2 port 8443
    • Zone forwardings
      • lan-> wan, vpn: accept, accept, accept
      • vpn-> wan, lan: accept, accept, accept

Expected and actual behavior:

  • Client "somewhere on the internet" accessing domain.xy:8443
    • Expected: Service from 192.168.0.222:8443 is offered to client
    • Actual: as expected
    • Result: OK
  • Client in LAN (192.168.0.n) accessing domain.xy:8443
    • Expected: Service from 192.168.0.222:8443 is offered to client
    • Actual: as expected
    • Result: OK
  • Client within wg0 (192.168.99.n) accessing domain.xy:8443
    • Expected: Service from 192.168.0.222:8443 is offered to client
    • Actual: Access to Turris Omnia on port 8443 is attempted
    • Result: Problem

The same applies to server 1 and port 80.

The same also applies to an additional guest network when I activate firewall zone forwardings guest-> lan. However, this is deactivated at the moment until I sort this issue out.

In other words: clients connected by Wireguard VPN cannot access hosts using hostname:port because they are always directed to Turris Omnia.
It appears as if the external IP a.b.c.d is "translated" to the internal IP and consequently the port forwarding configuration is without effect.

Further notes:

  • nslookup domain.xy always returns a.b.c.d, independent from the interface
  • access to 192.168.0.111:80 or 192.168.0.222:8443 using the IP address works, independent from the interface
  • I do not want to route all accesses to ports 80 or 8443 initially targeting the router to one of the servers, because I still require access to the Turris Omnia UI while connected to VPN.

Additional research results:

I made a few attempts using different firewall settings.
My zone setup looks as follows (please ignore DMZ, not used at the moment):


All LAN interfaces (lan0-4) are associated with the lan zone.
wg0 for Wireguard is associated with zone vpn.

If I move interface wg0 to the lan zone I receive the expected results as mentioned in my previous/initial post. Therefore I assume that I am missing a certain traffic rule or port forward.

Comparing zones lan vs. vpn, the firewall setup is identical with the following exceptions:

  • Forwarding lan -> vpn in lan and vpn -> lan for vpn
  • Associated interfaces/Covered networks (see above)
  • Zone lan is the destination for various port forwards (previous/initial post)
  • One traffic rule allowing DNS requests to the router, but deactivating this rule makes no difference (Incoming IPv4 from vpn to this device port 53: accept input)

Any ideas on how to achieve the same behavior on wg0 as for LAN?

Thanks so much in advance!

Your post isn't related to an officially released OpenWrt version.

It looks like you are missing the port forwarding from vpn zone to the lan hosts.

If this doesn't help, better seek advice from Turris.


https://www.turris.cz/en/support/

Hi,
unfortunately I haven't received replies to the same question there yet ...

The idea of port forwarding from vpn to lan will make the router's web interface inaccessible.
If I forward port 80 requests originating in vpn targeting the device to a specific host in lan, I would not be able to access the router's interface on port 80 any more.

Since:

and you can always use different ports to forward from vpn to lan, e.g. 8080 to 222:80
I don't see much of a problem here, but since it is not the OpenWrt firmware I won't go too deep.

Actually this is not my intention. I'd like to be able to access the exact same URL domain.xy:8443 or domain.xy:80 independent from the network (anywhere on the internet, lan, vpn, guest) I use and get the same result.

From my point of view Turris OS and OpenWrt have huge similarities, as for example https://gitlab.labs.nic.cz/turris/turris-os-packages forks OpenWrt and then extends it, or, for example, sharing the (L)UCI configuration. Due to these similarities the purpose of posting here is not only to seek assistance for myself, but also to share possible solutions with others.

You're not going to be able to do that without port forwarding. The IP address for 'domain.xy' is that of the router so it'll respond to HTTP/HTTPS requests, unless it knows to forward requests on those ports to a different machine. At the moment it's working exactly as it should.


That is exactly what I thought of already. :)
However, to me it is questionable, why it works within LAN (firewall zone lan) without the port forwarding, as domain.xy is resolved to the router's external IP address there as well.

I would guess it's using NAT loopback for the LAN zone. AFAIK that's the only supported zone for it.

That looks very much like it. Thank you.
Regarding that I found: https://bugs.openwrt.org/index.php?do=details&task_id=1645&dev=4 .
I will try the solutions posted there later on ...

NAT loopback will work if you have a port forwarding to that zone. You have one for lan and it works for lan. You don't have one for vpn, so it won't work for vpn. Or you can try to run the commands manually to make it work without the DNAT.

The following commands added to Network...Firewall...Custom Rules solved the issue:

# DNAT: connections from VPN clients (192.168.99.0/24) to <WAN-IP>:80 are redirected to Server 1
iptables -t nat -A prerouting_vpn_rule -s 192.168.99.0/24 -d <WAN-IP>/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.111
# SNAT: Server 1 sees the router (192.168.0.1) as the source, so replies return through the router and the DNAT is reversed
iptables -t nat -A postrouting_vpn_rule -s 192.168.99.0/24 -d 192.168.0.111/32 -p tcp -m tcp --dport 80 -j SNAT --to-source 192.168.0.1

(IP addresses correlate to post above, <WAN-IP> needs to be replaced)
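The same DNAT/SNAT pair is needed for every port forward (here port 80 to Server 1 and port 8443 to Server 2), so the script below generates the full set of custom rules for the vpn zone. This is an added example, not code from the thread; the chain names and addresses follow the posts above, and WAN_IP is a placeholder to be replaced with the router's current external address.

```shell
#!/bin/sh
# Added example (not from the thread): print the hairpin-NAT rule pairs for every
# WAN port forward so that wg0 clients reach the LAN servers via domain.xy:port.
# Assumptions: zone/chain names and addresses as in the thread; WAN_IP is a
# placeholder (TEST-NET-3 address) that must be replaced with the real a.b.c.d.
VPN_NET="192.168.99.0/24"          # wg0 clients
ROUTER_LAN_IP="192.168.0.1"        # SNAT source: replies come back through the router
WAN_IP="${WAN_IP:-203.0.113.10}"   # placeholder, override with WAN_IP=a.b.c.d

# Port forwards as "port target" lines, as listed in the original post.
FORWARDS="80 192.168.0.111
8443 192.168.0.222"

# hairpin_rules PORT TARGET: print the two iptables commands for one forward.
hairpin_rules() {
    port="$1"; target="$2"
    # DNAT in the vpn zone's prerouting chain: VPN client -> WAN_IP:port becomes target:port.
    echo "iptables -t nat -A prerouting_vpn_rule -s $VPN_NET -d $WAN_IP/32 -p tcp -m tcp --dport $port -j DNAT --to-destination $target"
    # SNAT in the vpn zone's postrouting chain: the server answers the router, which
    # reverses the DNAT instead of the server replying to the VPN client directly.
    echo "iptables -t nat -A postrouting_vpn_rule -s $VPN_NET -d $target/32 -p tcp -m tcp --dport $port -j SNAT --to-source $ROUTER_LAN_IP"
}

# all_rules: rules for every forward; paste the output into Firewall > Custom Rules.
all_rules() {
    printf '%s\n' "$FORWARDS" | while read -r port target; do
        [ -n "$port" ] && hairpin_rules "$port" "$target"
    done
}

all_rules
```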

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

