Accessing WAN IP from LAN hits LuCI?

I have a server set up for external access using a redirect in my firewall config. It's working as expected for external users. I also want internal users to be able to access the same server via the same public IP (as given to them by their DNS). However, when I try this I am directed to the router's internal webserver (i.e. uhttpd serving LuCI). The uhttpd server then sends a 403 with "Rejected request from RFC1918 IP to public server address" (which is fine, I understand what that is).

I've tried with/without the reflection setting in the redirect (I also believe it's enabled by default) and also with the redirect disabled completely - the result is the same. The behaviour I see appears not to be connected to the redirect.

I don't know what I might be missing. I don't know why it's going to the internal uhttpd server at all?

Any pointers appreciated. I am running LEDE Reboot 17.01.4 r3560-79f57e422d (yes, I know... :wink: )

Might be easiest to move LuCI to another port.

uci show network; uci show firewall

You can create a hostname entry to resolve the public fqdn to the private address. This way you won't need to go to the internal server via the router.


I'd like to get it to work without having to add hosts entries if I can.

Network config


config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxx:xxxx:xxxx::/48'


config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '10.0.0.188'
	option netmask '255.0.0.0'
	option ip6assign '60'
	option ip6hint '10'

config interface 'wan'
	option proto 'pppoe'
	option ifname 'ptm0.101'
	option username 'xxx'
	option password 'xxx'
	option ipv6 '0'

config device 'wan_dev'
	option name 'ptm0'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'wan6'
	option proto '6in4'
	option mtu '1480'
	option peeraddr 'xxx.xx.xx.xx'
	option ip6addr 'xxxx:xxx:xxxx:xxx::x/64'
	option ip6prefix 'xxxx:xxx:xxxx::/48'
	option tunnelid 'xxxxxx'
	option username 'xxxx'
	option updatekey 'xxxxxxxxxxxxxxxxxxxx'

config interface 'trusted'
	option type 'bridge'
	option ifname 'eth0.4'
	option proto 'dhcp'
	option 'defaultroute' '0'
	option sendopts 'hostname:router'

config interface 'guest'
	option type 'bridge'
	option ifname 'eth0.5'
	option proto 'dhcp'
	option 'defaultroute' '0'
	option sendopts 'hostname:router'

config interface 'vpn'
	option ifname 'tun0'
	option proto 'none'
	option auto '1'

firewall config


config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'trusted'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'trusted'

config zone
	option name 'dmz'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'dmz'

config zone
	option name 'wan'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'dmz'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option name 'HTTP webserver'
	option src 'wan'
	option src_dport '80'
	option dest 'trusted'
	option dest_ip '192.168.27.52'
	option dest_port '80'
	option proto 'tcp'
	option enabled '1'

config redirect
	option name 'HTTPS webserver'
	option src 'wan'
	option src_dport '443'
	option dest 'trusted'
	option dest_ip '192.168.27.52'
	option dest_port '443'
	option proto 'tcp'
	option enabled '1'

config rule
	option name 'VPN'
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port '1194'

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option masq '1'
	option network 'vpn'

config forwarding
	option src 'vpn'
	option dest 'wan'

config forwarding
	option src 'vpn'
	option dest 'lan'

config rule
	option name 'Allow-protocol 41'
	option src 'wan'
	option proto '41'
	option target 'ACCEPT'

config rule
	option name 'Allow-protocol 59'
	option src 'wan'
	option proto '59'
	option target 'ACCEPT'
	option extra '-m length --length 40'

uci set firewall.@redirect[0].reflection_src="external"
uci set firewall.@redirect[1].reflection_src="external"
uci commit firewall
/etc/init.d/firewall restart

You also need additional rules if you want to use the redirects from zones other than the destination.


I tried that, but it made no difference. I am trying curl http://<wan-ip> from a node in the zone shown below as trusted in the modified config for one of the entries (the other is similar). It goes to uhttpd confirmed by its RFC1918 IP forbidden response. Accessing from outside still works as expected.

I always edit files manually in order to retain comments and formatting. I use service firewall restart after edits.

config redirect
	option name 'HTTP webserver'
	option src 'wan'
	option src_dport '80'
	option dest 'trusted'
	option dest_ip '192.168.27.52'
	option dest_port '80'
	option proto 'tcp'
	option reflection '1'
	option reflection_src 'external'
	option enabled '1'

What is the output of iptables-save -t nat -c

# Generated by iptables-save v1.4.21 on Tue Sep  1 07:54:54 2020
*nat
:PREROUTING ACCEPT [29:6851]
:INPUT ACCEPT [3:206]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [6:1242]
:postrouting_dmz_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_trusted_rule - [0:0]
:postrouting_vpn_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_dmz_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_trusted_rule - [0:0]
:prerouting_vpn_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_dmz_postrouting - [0:0]
:zone_dmz_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_trusted_postrouting - [0:0]
:zone_trusted_prerouting - [0:0]
:zone_vpn_postrouting - [0:0]
:zone_vpn_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[32:6805] -A PREROUTING -m comment --comment "!fw3: user chain for prerouting" -j prerouting_rule
[13:2982] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[1:78] -A PREROUTING -i br-trusted -m comment --comment "!fw3" -j zone_trusted_prerouting
[17:3709] -A PREROUTING -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i 6in4-wan6 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_vpn_prerouting
[18:3629] -A POSTROUTING -m comment --comment "!fw3: user chain for postrouting" -j postrouting_rule
[5:647] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o br-trusted -m comment --comment "!fw3" -j zone_trusted_postrouting
[13:2982] -A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o 6in4-wan6 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_vpn_postrouting
[0:0] -A zone_dmz_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_dmz_rule
[0:0] -A zone_dmz_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_dmz_rule
[5:647] -A zone_lan_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 10.0.0.0/8 -d 10.0.200.11/32 -p tcp -m tcp --dport 5222 -m comment --comment "!fw3: XMPP client (reflection)" -j SNAT --to-source 10.0.0.138
[0:0] -A zone_lan_postrouting -s 10.0.0.0/8 -d 10.0.200.11/32 -p tcp -m tcp --dport 5269 -m comment --comment "!fw3: XMPP server (reflection)" -j SNAT --to-source 10.0.0.138
[0:0] -A zone_lan_postrouting -s 10.0.0.0/8 -d 10.0.200.11/32 -p tcp -m tcp --dport 57558 -m comment --comment "!fw3: BitTorrent (reflection)" -j SNAT --to-source 10.0.0.138
[0:0] -A zone_lan_postrouting -s 10.0.0.0/8 -d 10.0.200.11/32 -p udp -m udp --dport 57558 -m comment --comment "!fw3: BitTorrent (reflection)" -j SNAT --to-source 10.0.0.138
[13:2982] -A zone_lan_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -s 10.0.0.0/8 -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 5222 -m comment --comment "!fw3: XMPP client (reflection)" -j DNAT --to-destination 10.0.200.11:5222
[0:0] -A zone_lan_prerouting -s 10.0.0.0/8 -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 5269 -m comment --comment "!fw3: XMPP server (reflection)" -j DNAT --to-destination 10.0.200.11:5269
[0:0] -A zone_lan_prerouting -s 10.0.0.0/8 -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 57558 -m comment --comment "!fw3: BitTorrent (reflection)" -j DNAT --to-destination 10.0.200.11:57558
[0:0] -A zone_lan_prerouting -s 10.0.0.0/8 -d xxx.xxx.xxx.xxx/32 -p udp -m udp --dport 57558 -m comment --comment "!fw3: BitTorrent (reflection)" -j DNAT --to-destination 10.0.200.11:57558
[0:0] -A zone_trusted_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_trusted_rule
[0:0] -A zone_trusted_postrouting -s 192.168.21.0/24 -d 192.168.27.52/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: HTTP webserver (reflection)" -j SNAT --to-source xxx.xxx.xxx.xxx
[0:0] -A zone_trusted_postrouting -s 192.168.21.0/24 -d 192.168.27.52/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: HTTPS webserver (reflection)" -j SNAT --to-source xxx.xxx.xxx.xxx
[1:78] -A zone_trusted_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_trusted_rule
[0:0] -A zone_trusted_prerouting -s 192.168.21.0/24 -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: HTTP webserver (reflection)" -j DNAT --to-destination 192.168.27.52:80
[0:0] -A zone_trusted_prerouting -s 192.168.21.0/24 -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: HTTPS webserver (reflection)" -j DNAT --to-destination 192.168.27.52:443
[0:0] -A zone_vpn_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_vpn_rule
[0:0] -A zone_vpn_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_vpn_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_vpn_rule
[13:2982] -A zone_wan_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_wan_rule
[13:2982] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[17:3709] -A zone_wan_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_wan_rule
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 5222 -m comment --comment "!fw3: XMPP client" -j DNAT --to-destination 10.0.200.11:5222
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 5269 -m comment --comment "!fw3: XMPP server" -j DNAT --to-destination 10.0.200.11:5269
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: HTTP webserver" -j DNAT --to-destination 192.168.27.52:80
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: HTTPS webserver" -j DNAT --to-destination 192.168.27.52:443
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 57558 -m comment --comment "!fw3: BitTorrent" -j DNAT --to-destination 10.0.200.11:57558
[5:647] -A zone_wan_prerouting -p udp -m udp --dport 57558 -m comment --comment "!fw3: BitTorrent" -j DNAT --to-destination 10.0.200.11:57558
COMMIT
# Completed on Tue Sep  1 07:54:54 2020

The rules are there but there are no hits.
Is the external IP of the iptables the same as the wan IP? Is the trusted network 192.168.21.0/24?
I don't think the reflection_src external is necessary.

The external IP of the iptables rules is the wan ip, the trusted network is 192.168.21.0/24. There is another network 10.0.0.0/8 called 'lan' but that is going to be deleted when a migration is completed, so that should simplify things.

I'll do a bit more digging with wireshark and see if I can see anything...

Reflection only works when the source and the destination are in the same firewall zone.
If you want to access trusted from lan or dmz, you need to create custom DNAT and SNAT rules for each source zone.

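The "additional rules" mentioned two replies up and the per-source-zone DNAT/SNAT pairs described in the reply just above, written out as an added example (not code from this thread or from OpenWrt). The script prints `uci` commands for one DNAT and one SNAT `redirect` section per port so they can be reviewed before being piped to `sh` on the router; it does not call `uci` itself. Every address is an assumption chosen for the example: public IP 203.0.113.10, server 192.168.21.52 in zone `trusted`, clients in zone `lan` (10.0.0.0/8), and 192.168.21.1 as the router's address on the server's subnet. Option semantics follow the fw3 `redirect` section: for `target 'DNAT'` the `src_dip` is the address being matched, for `target 'SNAT'` it is the address the source is rewritten to.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenWrt: generate fw3 'redirect'
# sections that reproduce NAT reflection for a client zone OTHER than the
# redirect's dest zone, which fw3's automatic reflection does not cover.
# Output is a list of 'uci' commands to review and then pipe to sh on the router.

WAN_IP="203.0.113.10"       # address clients get from public DNS (assumption)
SERVER_IP="192.168.21.52"   # the web server (assumption)
SERVER_ZONE="trusted"       # zone the server lives in
ROUTER_IP="192.168.21.1"    # router's address on the server's subnet (assumption)

# dnat_section NAME SRC_ZONE SRC_NET PROTO PORT
# Traffic from SRC_NET (zone SRC_ZONE) to WAN_IP:PORT is rewritten to
# SERVER_IP:PORT in PREROUTING, so it is forwarded instead of being delivered
# to uhttpd on the router itself.
dnat_section() {
    cat <<EOF
uci add firewall redirect
uci set 'firewall.@redirect[-1].name=$1 (DNAT from $2)'
uci set 'firewall.@redirect[-1].target=DNAT'
uci set 'firewall.@redirect[-1].src=$2'
uci set 'firewall.@redirect[-1].src_ip=$3'
uci set 'firewall.@redirect[-1].src_dip=$WAN_IP'
uci set 'firewall.@redirect[-1].src_dport=$5'
uci set 'firewall.@redirect[-1].dest=$SERVER_ZONE'
uci set 'firewall.@redirect[-1].dest_ip=$SERVER_IP'
uci set 'firewall.@redirect[-1].dest_port=$5'
uci set 'firewall.@redirect[-1].proto=$4'
uci set 'firewall.@redirect[-1].reflection=0'
EOF
}

# snat_section NAME SRC_ZONE SRC_NET PROTO PORT
# Rewrites the client's source to ROUTER_IP in POSTROUTING so the server's
# reply comes back through the router and is un-NATed. Strictly required only
# when client and server share a subnet (the classic hairpin); for a client on
# another subnet the reply already routes via the router, but emitting it keeps
# the rule set identical to what fw3 produces for same-zone reflection.
snat_section() {
    cat <<EOF
uci add firewall redirect
uci set 'firewall.@redirect[-1].name=$1 (SNAT from $2)'
uci set 'firewall.@redirect[-1].target=SNAT'
uci set 'firewall.@redirect[-1].src=$2'
uci set 'firewall.@redirect[-1].src_ip=$3'
uci set 'firewall.@redirect[-1].dest=$SERVER_ZONE'
uci set 'firewall.@redirect[-1].dest_ip=$SERVER_IP'
uci set 'firewall.@redirect[-1].dest_port=$5'
uci set 'firewall.@redirect[-1].src_dip=$ROUTER_IP'
uci set 'firewall.@redirect[-1].proto=$4'
EOF
}

# reflection_for_zone SRC_ZONE SRC_NET -> DNAT+SNAT pairs for HTTP and HTTPS,
# followed by the commit and restart that load them.
reflection_for_zone() {
    dnat_section 'HTTP webserver'  "$1" "$2" tcp 80
    snat_section 'HTTP webserver'  "$1" "$2" tcp 80
    dnat_section 'HTTPS webserver' "$1" "$2" tcp 443
    snat_section 'HTTPS webserver' "$1" "$2" tcp 443
    printf '%s\n' 'uci commit firewall' '/etc/init.d/firewall restart'
}

# Review the output first; apply on the router with:
#   reflection_for_zone lan 10.0.0.0/8 | sh
reflection_for_zone lan 10.0.0.0/8
```

Repeat `reflection_for_zone` once per client zone (lan, dmz, vpn). Forwarding from that zone to `trusted` must also be permitted; in the config posted above the global `forward 'ACCEPT'` default already allows it. After restarting, `iptables-save -t nat -c` should show the new `DNAT`/`SNAT` rules under `zone_<srczone>_prerouting` and `zone_trusted_postrouting`, and their counters should increase when a client in that zone runs `curl http://<wan-ip>`.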

The server is 192.168.27.52 which doesn't belong to the trusted interface.
What is the output of ip -4 addr ?


Sorry no the address is in 192.168.21 (I had changed it in the config I originally posted).

Maybe I need to complete my migration and get rid of lan (10.x) so that it is tidier before I troubleshoot this. I inherited a single 10/8 network (called lan) and am in the middle of migrating things from it into this new trusted 192.168.21.x network. Perhaps I should finish that and come back to this...

Still the iptables point to .27.52 so maybe the mistake is there.
The lan interface is irrelevant to your problem, provided that source and destination traffic is in trusted interface.

That's probably reflection_src=external, it should be either wan or vpn.
The former means your wan has no public IP, the latter means that you may need disable the reflection and create the DNAT and SNAT rules manually.

Are you saying that reflection_src can be the name of a zone? The documentation suggests that external and internal are the only values...?

No, reflection_src=external calculates the WAN IP based on the default route:
https://openwrt.org/docs/guide-developer/network-scripting#get_wan_address
If the VPN redirects the default route, firewall may incorrectly identify the WAN IP.
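A check for the failure mode the reply above describes, as an added example rather than anything from the thread or from OpenWrt: if the external address were derived from the default route, the interface holding the lowest-metric default route is what such a lookup would follow, and a VPN tunnel that installs its own default route would win. The `default_dev` function parses the text of `ip -4 route show default`, so it can be exercised with constructed input; the sample route lines and the addresses 10.8.0.1 and 198.51.100.1 in them are made up for the example. On an OpenWrt router the final block additionally prints what `network_find_wan` from `/lib/functions/network.sh` selects and which `--to-source` addresses fw3 actually wrote into the reflection rules, which is the comparison that matters regardless of how the address was computed.

```shell
#!/bin/sh
# Added diagnostic, not from the thread: which interface does the lowest-metric
# default route point at, and does it match the interface expected to carry the
# public address? Constructed sample routes are used so it runs on any host.

# default_dev ROUTE_TEXT -> device of the lowest-metric default route.
# A route without a 'metric' word counts as metric 0, as the kernel treats it.
default_dev() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            dev = ""; metric = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "dev")    dev = $(i + 1)
                if ($i == "metric") metric = $(i + 1) + 0
            }
            if (dev != "" && (best == "" || metric < best_metric)) {
                best = dev; best_metric = metric
            }
        }
        END { print best }'
}

# wan_check ROUTE_TEXT EXPECTED_DEV -> "ok" when the default route sits on the
# expected uplink, otherwise "hijacked:<dev>" naming the interface that won.
wan_check() {
    dev=$(default_dev "$1")
    if [ "$dev" = "$2" ]; then
        echo ok
    else
        echo "hijacked:$dev"
    fi
}

# Constructed samples. In SAMPLE_VPN a VPN client on tun0 has installed a
# default route with a lower metric than the PPPoE uplink, so a default-route
# based lookup would pick tun0 and its tunnel address instead of the public IP.
SAMPLE_OK='default via 198.51.100.1 dev pppoe-wan'
SAMPLE_VPN='default via 10.8.0.1 dev tun0 metric 5
default via 198.51.100.1 dev pppoe-wan metric 10'

wan_check "$SAMPLE_OK"  pppoe-wan    # ok
wan_check "$SAMPLE_VPN" pppoe-wan    # hijacked:tun0

# On an OpenWrt router: compare the live routing table, the helper library's
# choice of WAN interface, and the addresses fw3 put into the reflection SNAT
# rules. If the last two differ, reflection was built on the wrong address.
if [ -r /lib/functions/network.sh ]; then
    . /lib/functions/network.sh
    network_find_wan wan_if
    network_get_ipaddr wan_addr "$wan_if"
    echo "default-route pick: $(default_dev "$(ip -4 route show default)")"
    echo "network_find_wan:   $wan_if $wan_addr"
    echo "reflection SNAT addresses:"
    iptables-save -t nat | grep -i 'reflection' | grep -o 'to-source [0-9.]*' | sort -u
fi
```

If the tunnel has taken the default route, the fix is on the VPN side (a `route-nopull` or a `defaultroute` setting for that interface, so that `wan` keeps the default route) rather than in the firewall; alternatively disable `reflection` on the redirect and write the DNAT/SNAT sections by hand with the real public address in `src_dip`.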
