Auto-created NAT Loopback rules use wrong SNAT address

Hi all, new OpenWrt user here.

I have multiple internal routed subnets and was having issues with NAT reflection rules not being applied to these subnets until I found this thread which gave a solution:

NAT loopback/reflection problem: local static routed subnets are not covered by fw3 reflection rules

Based on this, I then explicitly defined all of my internal subnets within the "LAN" zone as described
in the thread above and confirmed that associated DNAT prerouting and SNAT postrouting rule pairs had been created automatically for each of my explicitly defined LAN subnets to accommodate the required reflections.

However, the problem is that the auto created SNAT rules are not using OpenWrt's internal lan interface IP for the SNAT "--to-source" IP, and instead are using the original source network address?! In the original port forward rule for my webserver ("HTTPS_to_NginX"), in the advanced options, NAT loopback is checked (as per default) and I have selected the Internal IP address as the SNAT address for the reflected traffic.

Let me provide specifics:

My OpenWrt internal LAN interface address is 192.168.10.19/24. I have since created the common RFC1918 private subnets in the LAN firewall zone (Zone > Advanced Settings > Covered Subnets) to cover reflection for all possible current and future internal LAN addresses:

10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

With this, the following auto NAT loopback rules are in place (I've manually obfuscated my public WAN IP):

iptables -t nat -A zone_lan_prerouting -p tcp -s 192.168.10.0/255.255.255.0 -d 82.x.x.x/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: HTTPS_to_NginX (reflection)" -j DNAT --to-destination 192.168.0.5:443
iptables -t nat -A zone_lan_prerouting -p tcp -s 10.0.0.0/255.0.0.0 -d 82.x.x.x/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: HTTPS_to_NginX (reflection)" -j DNAT --to-destination 192.168.0.5:443
iptables -t nat -A zone_lan_prerouting -p tcp -s 172.16.0.0/255.240.0.0 -d 82.x.x.x/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: HTTPS_to_NginX (reflection)" -j DNAT --to-destination 192.168.0.5:443
iptables -t nat -A zone_lan_prerouting -p tcp -s 192.168.0.0/255.255.0.0 -d 82.x.x.x/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: HTTPS_to_NginX (reflection)" -j DNAT --to-destination 192.168.0.5:443
iptables -t nat -A zone_lan_postrouting -p tcp -s 192.168.10.0/255.255.255.0 -d 192.168.0.5/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: HTTPS_to_NginX (reflection)" -j SNAT --to-source 192.168.10.19
iptables -t nat -A zone_lan_postrouting -p tcp -s 10.0.0.0/255.0.0.0 -d 192.168.0.5/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: HTTPS_to_NginX (reflection)" -j SNAT --to-source 10.0.0.0
iptables -t nat -A zone_lan_postrouting -p tcp -s 172.16.0.0/255.240.0.0 -d 192.168.0.5/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: HTTPS_to_NginX (reflection)" -j SNAT --to-source 172.16.0.0
iptables -t nat -A zone_lan_postrouting -p tcp -s 192.168.0.0/255.255.0.0 -d 192.168.0.5/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: HTTPS_to_NginX (reflection)" -j SNAT --to-source 192.168.0.0

You will notice that the auto created NAT loopback rules for my OpenWrt LAN interface use the correct internal IP for the SNAT, but that the other auto created rules for my additionally defined LAN zone subnets DON'T, and instead use the network address corresponding to the original source LAN network. This is my problem.

I have another firewall that sits in front of my webserver and can confirm that it receives inbound HTTPS requests from the incorrectly translated IPs.

Could anyone shed any light on this behaviour as to why the SNAT is not being correctly applied?

Many thanks for any help,

BAM

You can create separate redirects for each source zone.


Hi vgaetera thanks for your help.

I am not sure how to interpret your suggestion, I have tried to create a separate new zone to represent one of my other internal lan subnets and use it in a new port forward rule in the hopes that would create the correct auto loopback rules but unfortunately it doesn't.

Perhaps I am misinterpreting your meaning of creating redirects for each source zone? Any clarity would be greatly appreciated.

Thanks,

BAM

So, after playing around with this a bit more, I notice that if I go into the advanced settings of the port forward rule and change the "loopback source IP" from "Use internal IP address" to "Use external IP address", the auto SNAT rules assign the correct OpenWrt WAN IP correctly.

So it seems to me that the internal code/script function for assigning the SNAT IP when "Use internal IP address" is selected may be the culprit as it assigns the original src instead of the OpenWrt LAN IP.

Can anyone else test this to confirm my theory? I'm using the latest release via generic x86 build in a VM.

Regarding the correct function when "Use external IP address" is chosen, this would be just fine as a solution except that now OpenWrt is not forwarding the traffic so I assume there must be some other firewall rule requirement to fulfill this but I can't seem to figure out what rule would permit it. I have tried creating a new traffic rule but the issue there is that it would only statically assign the current WAN IP, so that would need to be recreated every time I get a new WAN IP from my ISP so this is not workable without continued user intervention.

For now I have just created manual iptables rules to do the SNAT portion but it would be great if the auto NAT Loopback rules would assign the correct Internal OpenWrt LAN IP in a future build.

If anyone can corroborate my findings could it be possible to raise a bug report?

BAM.

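A check for the defect described in this thread, written as an added example (it is not from the thread, from OpenWrt or from fw3): it parses the quoted zone_lan_postrouting SNAT rules, flags every "--to-source" that is the network address of its "-s" subnet instead of the router's LAN address, and emits the rule as it should read. The sample rules and the LAN IP 192.168.10.19 are taken from the post; the function and field names are the example's own.

```python
import ipaddress
import re

# Constructed sample modelled on the fw3 reflection rules quoted in the thread
# (one DNAT rule included to show it is skipped; WAN IP obfuscated as in the post).
SAMPLE_RULES = """
iptables -t nat -A zone_lan_prerouting -p tcp -s 10.0.0.0/255.0.0.0 -d 82.x.x.x/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: HTTPS_to_NginX (reflection)" -j DNAT --to-destination 192.168.0.5:443
iptables -t nat -A zone_lan_postrouting -p tcp -s 192.168.10.0/255.255.255.0 -d 192.168.0.5/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: HTTPS_to_NginX (reflection)" -j SNAT --to-source 192.168.10.19
iptables -t nat -A zone_lan_postrouting -p tcp -s 10.0.0.0/255.0.0.0 -d 192.168.0.5/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: HTTPS_to_NginX (reflection)" -j SNAT --to-source 10.0.0.0
iptables -t nat -A zone_lan_postrouting -p tcp -s 172.16.0.0/255.240.0.0 -d 192.168.0.5/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: HTTPS_to_NginX (reflection)" -j SNAT --to-source 172.16.0.0
iptables -t nat -A zone_lan_postrouting -p tcp -s 192.168.0.0/255.255.0.0 -d 192.168.0.5/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: HTTPS_to_NginX (reflection)" -j SNAT --to-source 192.168.0.0
"""

# Only SNAT rules carry --to-source; DNAT rules never match this pattern.
SNAT_RE = re.compile(r"(?:^|\s)-s (?P<src>\S+).*-j SNAT --to-source (?P<snat>\S+)")
COMMENT_RE = re.compile(r'--comment "([^"]*)"')


def audit_reflection_snat(rules_text, lan_ip):
    """Return one finding per SNAT rule, saying whether its --to-source is usable.

    A rule is flagged when --to-source equals the network address of the -s
    subnet (the fw3 behaviour reported in the thread) rather than lan_ip.
    """
    lan_ip = ipaddress.ip_address(lan_ip)
    findings = []
    for line in rules_text.strip().splitlines():
        m = SNAT_RE.search(line)
        if not m:
            continue
        # strict=False accepts iptables' dotted-netmask form, e.g. 10.0.0.0/255.0.0.0
        src_net = ipaddress.ip_network(m.group("src"), strict=False)
        snat = ipaddress.ip_address(m.group("snat"))
        comment = COMMENT_RE.search(line)
        is_net_addr = src_net.prefixlen < src_net.max_prefixlen and snat == src_net.network_address
        findings.append({
            "comment": comment.group(1) if comment else "",
            "source": str(src_net),
            "to_source": str(snat),
            "ok": snat == lan_ip,
            "is_network_address": is_net_addr,
            # The rule rewritten to SNAT to the router's LAN address instead.
            "fixed_rule": line.replace("--to-source " + m.group("snat"), "--to-source " + str(lan_ip)),
        })
    return findings


if __name__ == "__main__":
    for f in audit_reflection_snat(SAMPLE_RULES, "192.168.10.19"):
        status = "ok" if f["ok"] else "BAD (network address)" if f["is_network_address"] else "unexpected"
        print(f"{f['source']:>18} -> --to-source {f['to_source']:<15} {status}")
```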