I have a server set up for external access using a redirect in my firewall config. It's working as expected for external users. I also want internal users to be able to access the same server via the same public IP (as given to them by their DNS). However, when I try this I am directed to the router's internal webserver (i.e. uhttpd serving LuCI). The uhttpd server then sends a 403 with "Rejected request from RFC1918 IP to public server address" (which is fine, I understand what that is).
I've tried with/without the reflection setting in the redirect (I also believe it's enabled by default) and also with the redirect disabled completely - the result is the same. The behaviour I see appears not to be connected to the redirect.
I don't know what I might be missing. I don't know why it's going to the internal uhttpd server at all?
Any pointers appreciated. I am running LEDE Reboot 17.01.4 r3560-79f57e422d (yes, I know... )
mikma
August 31, 2020, 5:31pm
Might be easiest to move LuCI to another port.
uci show network; uci show firewall
trendy
August 31, 2020, 6:51pm
You can create a hostname entry to resolve the public fqdn to the private address. This way you won't need to go to the internal server via the router.
I'd like to get it to work without having to add hosts entries if I can.
Network config
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'xxxx:xxxx:xxxx::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '10.0.0.188'
option netmask '255.0.0.0'
option ip6assign '60'
option ip6hint '10'
config interface 'wan'
option proto 'pppoe'
option ifname 'ptm0.101'
option username 'xxx'
option password 'xxx'
option ipv6 '0'
config device 'wan_dev'
option name 'ptm0'
option macaddr 'xx:xx:xx:xx:xx:xx'
config interface 'wan6'
option proto '6in4'
option mtu '1480'
option peeraddr 'xxx.xx.xx.xx'
option ip6addr 'xxxx:xxx:xxxx:xxx::x/64'
option ip6prefix 'xxxx:xxx:xxxx::/48'
option tunnelid 'xxxxxx'
option username 'xxxx'
option updatekey 'xxxxxxxxxxxxxxxxxxxx'
config interface 'trusted'
option type 'bridge'
option ifname 'eth0.4'
option proto 'dhcp'
option 'defaultroute' '0'
option sendopts 'hostname:router'
config interface 'guest'
option type 'bridge'
option ifname 'eth0.5'
option proto 'dhcp'
option 'defaultroute' '0'
option sendopts 'hostname:router'
config interface 'vpn'
option ifname 'tun0'
option proto 'none'
option auto '1'
firewall config
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'trusted'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'trusted'
config zone
option name 'dmz'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'dmz'
config zone
option name 'wan'
option input 'DROP'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
config forwarding
option src 'lan'
option dest 'wan'
config forwarding
option src 'dmz'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config redirect
option name 'HTTP webserver'
option src 'wan'
option src_dport '80'
option dest 'trusted'
option dest_ip '192.168.27.52'
option dest_port '80'
option proto 'tcp'
option enabled '1'
config redirect
option name 'HTTPS webserver'
option src 'wan'
option src_dport '443'
option dest 'trusted'
option dest_ip '192.168.27.52'
option dest_port '443'
option proto 'tcp'
option enabled '1'
config rule
option name 'VPN'
option target 'ACCEPT'
option src 'wan'
option proto 'udp'
option dest_port '1194'
config zone
option name 'vpn'
option input 'ACCEPT'
option forward 'ACCEPT'
option output 'ACCEPT'
option masq '1'
option network 'vpn'
config forwarding
option src 'vpn'
option dest 'wan'
config forwarding
option src 'vpn'
option dest 'lan'
config rule
option name 'Allow-protocol 41'
option src 'wan'
option proto '41'
option target 'ACCEPT'
config rule
option name 'Allow-protocol 59'
option src 'wan'
option proto '59'
option target 'ACCEPT'
option extra '-m length --length 40'
uci set firewall.@redirect[0].reflection_src="external"
uci set firewall.@redirect[1].reflection_src="external"
uci commit firewall
/etc/init.d/firewall restart
You also need additional rules if you want to use the redirects from zones other than the destination.
starfry
September 1, 2020, 7:10am
I tried that, but it made no difference. I am trying curl http://<wan-ip> from a node in the zone shown below as trusted in the modified config for one of the entries (the other is similar). It goes to uhttpd, confirmed by its RFC1918 IP forbidden response. Accessing from outside still works as expected.
I always edit files manually in order to retain comments and formatting. I use service firewall restart after edits.
config redirect
option name 'HTTP webserver'
option src 'wan'
option src_dport '80'
option dest 'trusted'
option dest_ip '192.168.27.52'
option dest_port '80'
option proto 'tcp'
option reflection '1'
option reflection_src 'external'
option enabled '1'
trendy
September 1, 2020, 7:21am
What is the output of iptables-save -t nat -c?
starfry
September 1, 2020, 8:06am
# Generated by iptables-save v1.4.21 on Tue Sep 1 07:54:54 2020
*nat
:PREROUTING ACCEPT [29:6851]
:INPUT ACCEPT [3:206]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [6:1242]
:postrouting_dmz_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_trusted_rule - [0:0]
:postrouting_vpn_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_dmz_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_trusted_rule - [0:0]
:prerouting_vpn_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_dmz_postrouting - [0:0]
:zone_dmz_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_trusted_postrouting - [0:0]
:zone_trusted_prerouting - [0:0]
:zone_vpn_postrouting - [0:0]
:zone_vpn_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[32:6805] -A PREROUTING -m comment --comment "!fw3: user chain for prerouting" -j prerouting_rule
[13:2982] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[1:78] -A PREROUTING -i br-trusted -m comment --comment "!fw3" -j zone_trusted_prerouting
[17:3709] -A PREROUTING -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i 6in4-wan6 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_vpn_prerouting
[18:3629] -A POSTROUTING -m comment --comment "!fw3: user chain for postrouting" -j postrouting_rule
[5:647] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o br-trusted -m comment --comment "!fw3" -j zone_trusted_postrouting
[13:2982] -A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o 6in4-wan6 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_vpn_postrouting
[0:0] -A zone_dmz_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_dmz_rule
[0:0] -A zone_dmz_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_dmz_rule
[5:647] -A zone_lan_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 10.0.0.0/8 -d 10.0.200.11/32 -p tcp -m tcp --dport 5222 -m comment --comment "!fw3: XMPP client (reflection)" -j SNAT --to-source 10.0.0.138
[0:0] -A zone_lan_postrouting -s 10.0.0.0/8 -d 10.0.200.11/32 -p tcp -m tcp --dport 5269 -m comment --comment "!fw3: XMPP server (reflection)" -j SNAT --to-source 10.0.0.138
[0:0] -A zone_lan_postrouting -s 10.0.0.0/8 -d 10.0.200.11/32 -p tcp -m tcp --dport 57558 -m comment --comment "!fw3: BitTorrent (reflection)" -j SNAT --to-source 10.0.0.138
[0:0] -A zone_lan_postrouting -s 10.0.0.0/8 -d 10.0.200.11/32 -p udp -m udp --dport 57558 -m comment --comment "!fw3: BitTorrent (reflection)" -j SNAT --to-source 10.0.0.138
[13:2982] -A zone_lan_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -s 10.0.0.0/8 -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 5222 -m comment --comment "!fw3: XMPP client (reflection)" -j DNAT --to-destination 10.0.200.11:5222
[0:0] -A zone_lan_prerouting -s 10.0.0.0/8 -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 5269 -m comment --comment "!fw3: XMPP server (reflection)" -j DNAT --to-destination 10.0.200.11:5269
[0:0] -A zone_lan_prerouting -s 10.0.0.0/8 -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 57558 -m comment --comment "!fw3: BitTorrent (reflection)" -j DNAT --to-destination 10.0.200.11:57558
[0:0] -A zone_lan_prerouting -s 10.0.0.0/8 -d xxx.xxx.xxx.xxx/32 -p udp -m udp --dport 57558 -m comment --comment "!fw3: BitTorrent (reflection)" -j DNAT --to-destination 10.0.200.11:57558
[0:0] -A zone_trusted_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_trusted_rule
[0:0] -A zone_trusted_postrouting -s 192.168.21.0/24 -d 192.168.27.52/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: HTTP webserver (reflection)" -j SNAT --to-source xxx.xxx.xxx.xxx
[0:0] -A zone_trusted_postrouting -s 192.168.21.0/24 -d 192.168.27.52/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: HTTPS webserver (reflection)" -j SNAT --to-source xxx.xxx.xxx.xxx
[1:78] -A zone_trusted_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_trusted_rule
[0:0] -A zone_trusted_prerouting -s 192.168.21.0/24 -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: HTTP webserver (reflection)" -j DNAT --to-destination 192.168.27.52:80
[0:0] -A zone_trusted_prerouting -s 192.168.21.0/24 -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: HTTPS webserver (reflection)" -j DNAT --to-destination 192.168.27.52:443
[0:0] -A zone_vpn_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_vpn_rule
[0:0] -A zone_vpn_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_vpn_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_vpn_rule
[13:2982] -A zone_wan_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_wan_rule
[13:2982] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[17:3709] -A zone_wan_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_wan_rule
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 5222 -m comment --comment "!fw3: XMPP client" -j DNAT --to-destination 10.0.200.11:5222
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 5269 -m comment --comment "!fw3: XMPP server" -j DNAT --to-destination 10.0.200.11:5269
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: HTTP webserver" -j DNAT --to-destination 192.168.27.52:80
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: HTTPS webserver" -j DNAT --to-destination 192.168.27.52:443
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 57558 -m comment --comment "!fw3: BitTorrent" -j DNAT --to-destination 10.0.200.11:57558
[5:647] -A zone_wan_prerouting -p udp -m udp --dport 57558 -m comment --comment "!fw3: BitTorrent" -j DNAT --to-destination 10.0.200.11:57558
COMMIT
# Completed on Tue Sep 1 07:54:54 2020
trendy
September 1, 2020, 9:03am
The rules are there but there are no hits.
Is the external IP in the iptables rules the same as the WAN IP? Is the trusted network 192.168.21.0/24?
I don't think the reflection_src external is necessary.
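The zero packet counters are the whole story: the reflection DNAT rules in zone_trusted_prerouting only fire for packets that arrive on br-trusted, come from 192.168.21.0/24 and are addressed to the WAN IP on port 80/443. A request that matches no DNAT rule keeps the router's own WAN address as destination, so the router delivers it to itself (INPUT) and uhttpd, which listens on 0.0.0.0:80 by default, answers; the 403 is uhttpd's rfc1918_filter, a DNS-rebinding guard that refuses requests from private addresses to the router's public address. The following script is an added example and not something from the thread: it replays a client request against the prerouting lines of the dump above (copied in as a constructed sample, with the redacted WAN IP replaced by the placeholder 203.0.113.5) and reports which DNAT rule, if any, would rewrite it.

```shell
#!/bin/sh
# Added example, not code from the thread: replay one client request against
# the nat PREROUTING rules of an `iptables-save -t nat -c` dump and report
# the DNAT rule (if any) that would rewrite it. NO-MATCH means the packet
# keeps the router's WAN address as destination and is delivered locally,
# which is how it ends up at uhttpd instead of the web server.

# Constructed sample: the relevant lines of the dump posted above, with the
# redacted WAN address replaced by the placeholder 203.0.113.5.
SAMPLE_DUMP='
[13:2982] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[1:78] -A PREROUTING -i br-trusted -m comment --comment "!fw3" -j zone_trusted_prerouting
[0:0] -A zone_lan_prerouting -s 10.0.0.0/8 -d 203.0.113.5/32 -p tcp -m tcp --dport 5222 -m comment --comment "!fw3: XMPP client (reflection)" -j DNAT --to-destination 10.0.200.11:5222
[0:0] -A zone_trusted_prerouting -s 192.168.21.0/24 -d 203.0.113.5/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: HTTP webserver (reflection)" -j DNAT --to-destination 192.168.27.52:80
[0:0] -A zone_trusted_prerouting -s 192.168.21.0/24 -d 203.0.113.5/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: HTTPS webserver (reflection)" -j DNAT --to-destination 192.168.27.52:443
'

# ip_to_int 192.168.21.10 -> 3232240906
ip_to_int() {
  echo "$1" | {
    IFS=. read -r a b c d
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
  }
}

# in_cidr ADDR NET/PREFIX: succeeds when ADDR lies inside the network
in_cidr() {
  addr=$(ip_to_int "$1")
  net=$(ip_to_int "${2%/*}")
  bits=${2#*/}
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# chain_for_iface br-trusted -> zone_trusted_prerouting, taken from the
# PREROUTING jumps (the interface-to-zone mapping fw3 generated)
chain_for_iface() {
  printf '%s\n' "$SAMPLE_DUMP" | awk -v ifc="$1" '
    $2 == "-A" && $3 == "PREROUTING" && $4 == "-i" && $5 == ifc { print $NF; exit }'
}

# dnat_target IFACE SRC_IP DST_IP DPORT
# Prints the rewritten destination of the first matching DNAT rule in the
# zone chain, or NO-MATCH when the packet falls through to INPUT unchanged.
dnat_target() {
  chain=$(chain_for_iface "$1")
  hit=""
  if [ -n "$chain" ]; then
    hit=$(printf '%s\n' "$SAMPLE_DUMP" |
      awk -v ch="$chain" '$2 == "-A" && $3 == ch && / -j DNAT / {
        s = "0.0.0.0/0"; d = "0.0.0.0/0"; p = "-"; t = "-"
        for (i = 1; i <= NF; i++) {
          if ($i == "-s") s = $(i + 1)
          if ($i == "-d") d = $(i + 1)
          if ($i == "--dport") p = $(i + 1)
          if ($i == "--to-destination") t = $(i + 1)
        }
        print s, d, p, t
      }' |
      while read -r s d p t; do
        in_cidr "$2" "$s" || continue
        in_cidr "$3" "$d" || continue
        [ "$p" = "-" ] || [ "$p" = "$4" ] || continue
        echo "$t"
        break
      done
      true)
  fi
  if [ -n "$hit" ]; then
    echo "$hit"
  else
    echo "NO-MATCH"
  fi
}

# Demo: a client in trusted is reflected; a client in lan hitting port 80
# matches nothing in zone_lan_prerouting and lands on the router itself.
dnat_target br-trusted 192.168.21.10 203.0.113.5 80   # 192.168.27.52:80
dnat_target br-lan     10.0.0.50     203.0.113.5 80   # NO-MATCH
```

Run the same check with the real dump by replacing SAMPLE_DUMP with `iptables-save -t nat -c` output; the interesting cases are a client address outside the rule's -s network and a client whose traffic enters on an interface that maps to a different zone chain, since both fall through silently.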
starfry
September 1, 2020, 9:10am
The external IP of the iptables rules is the wan ip, the trusted network is 192.168.21.0/24. There is another network 10.0.0.0/8 called 'lan' but that is going to be deleted when a migration is completed, so that should simplify things.
I'll do a bit more digging with wireshark and see if I can see anything...
Reflection only works when the source and the destination are in the same firewall zone.
If you want to access trusted from lan or dmz, you need to create custom DNAT and SNAT rules for each source zone.
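The reflection rules fw3 generates are confined to the destination zone, so a client in lan (10.0.0.0/8) never reaches the rules in zone_trusted_prerouting. The manual equivalent for one extra source zone, written in the same /etc/config/firewall format as the configs above, is a DNAT redirect anchored in the client's zone plus an SNAT redirect on the server's zone. This is an added example and not the poster's config: 203.0.113.5 stands in for the redacted WAN address, 192.168.21.52 for the web server in the trusted network and 192.168.21.1 for the router's own address there; all three are placeholders.

```text
# Added example, not the poster's configuration. Placeholders:
#   203.0.113.5   = WAN address the client connects to
#   192.168.21.52 = web server in the 'trusted' network
#   192.168.21.1  = the router's own address in 'trusted'

# 1) DNAT for clients in 'lan': traffic to the WAN address on port 80 is
#    rewritten to the server. src_dip is the destination the client used.
#    fw3 places this in zone_lan_prerouting.
config redirect
	option name 'HTTP webserver from lan'
	option target 'DNAT'
	option src 'lan'
	option src_dip '203.0.113.5'
	option src_dport '80'
	option dest 'trusted'
	option dest_ip '192.168.21.52'
	option dest_port '80'
	option proto 'tcp'

# 2) SNAT on the server's zone: rewrite the client's source to the router's
#    'trusted' address so the reply returns through the router and conntrack
#    can undo the DNAT. fw3 places this in zone_trusted_postrouting.
config redirect
	option name 'HTTP webserver from lan (SNAT)'
	option target 'SNAT'
	option src 'lan'
	option dest 'trusted'
	option src_ip '10.0.0.0/8'
	option dest_ip '192.168.21.52'
	option dest_port '80'
	option src_dip '192.168.21.1'
	option proto 'tcp'
```

Repeat the pair for port 443 and for each additional source zone (dmz, vpn). The SNAT half is what makes the server's reply traverse the router again; it is strictly needed when the reply could otherwise reach the client directly (client and server on the same segment, or a server with a leg in both networks, which is easy to end up with mid-migration), and it costs the server the real client address in its logs. The forwarded traffic also has to be allowed from lan to trusted; in the config above the global forward policy is ACCEPT, so it already is.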
trendy
September 1, 2020, 9:17am
The server is 192.168.27.52 which doesn't belong to the trusted interface.
What is the output of ip -4 addr?
starfry
September 1, 2020, 9:44am
Sorry, no, the address is in 192.168.21 (I had changed it in the config I originally posted).
Maybe I need to complete my migration and get rid of lan (10.x) so that it is tidier before I troubleshoot this. I inherited a single 10/8 network (called lan) and am in the middle of migrating things from it into this new trusted 192.168.21.x network. Perhaps I should finish that and come back to this...
trendy
September 1, 2020, 10:05am
Still the iptables point to .27.52 so maybe the mistake is there.
The lan interface is irrelevant to your problem, provided that source and destination traffic is in trusted interface.
starfry:
192.168.27.52
That's probably reflection_src=external, it should be either wan or vpn.
The former means your wan has no public IP, the latter means that you may need to disable the reflection and create the DNAT and SNAT rules manually.
starfry
September 1, 2020, 11:49am
Are you saying that reflection_src can be the name of a zone? The documentation suggests that external and internal are the only values...?
No, reflection_src=external calculates the WAN IP based on the default route:
https://openwrt.org/docs/guide-developer/network-scripting#get_wan_address
If the VPN redirects the default route, the firewall may incorrectly identify the WAN IP.
system
Closed
August 25, 2021, 10:31pm
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.