Configuring firewall for the hairpin loopback

I have a basic port forwarding setup that forwards all queries to my public IP address (assigned by ISP via PPPoE) and port 7777 to my local machine. It works just fine when any external source sends a request.

21:50:25.478929 IP 211.33.244.88.38721 > MY.PUBLIC.IP.HERE.7777: UDP, length 11
21:50:25.479079 IP 211.33.244.88.38721 > 192.168.1.2.7777: UDP, length 11
21:50:25.479097 IP 211.33.244.88.38721 > 192.168.1.2.7777: UDP, length 11
21:50:25.479109 ethertype IPv4, IP 211.33.244.88.38721 > 192.168.1.2.7777: UDP, length 11

But the issue is that for some reason the forwarding does not work when sent from my own local machine to my public IP:

21:49:38.325645 IP 192.168.1.2.56782 > MY.PUBLIC.IP.HERE.7777: UDP, length 10
21:49:38.325645 IP 192.168.1.2.56782 > MY.PUBLIC.IP.HERE.7777: UDP, length 10
21:49:38.326009 IP 192.168.1.1.56782 > 192.168.1.2.7777: UDP, length 10
21:49:38.326032 IP 192.168.1.1.56782 > 192.168.1.2.7777: UDP, length 10
21:49:38.326046 ethertype IPv4, IP 192.168.1.1.56782 > 192.168.1.2.7777: UDP, length 10

In this case 192.168.1.1 is the OpenWRT router and 192.168.1.2 is my machine. The tcpdump above literally shows forwarding but nothing arrives. I don't think this is an ISP issue as you can see the data arrives, so it is being forwarded by the ISP properly. This also only applies to UDP data, TCP is being forwarded just fine.

Let me know if you need more information.

Remove that last port forward to 7777-7778 from lan to lan, the firewall automatically creates loopback rules for wan to lan port forwards.

I did, but nothing has changed

Please show the complete definition of the port forward.

I don't recall which commands print this so here is from LuCI:

uci export firewall
uci show firewall
cat /etc/config/firewall

Look at your screenshot in your OP, go down to entry 4, delete it, save/apply.

Done, but it did not affect anything related to the issue.

uci export firewall
uci show firewall
cat /etc/config/firewall

https://paste.gg/p/anonymous/24165f2259304751a63a2b15e78231c7
https://paste.gg/p/anonymous/20831bcb143d4bcca802d0670c0708f7

No ideas? It really baffles me that tcpdump shows the packet received but it won't go through to my machine.

Just FYI, if you're testing locally, the public IP is assigned to your device, no traffic is coming from the ISP.

With that information, given TCP works, I would suggest verifying that the settings on 192.168.1.2 allow UDP traffic.

Yes but verify what exactly?

If the traffic is indeed forwarded correctly as suggested by tcpdump, but you don't see it on the target machine, then possibly that machine's firewall is dropping the traffic.
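What the two captures above show on the wire, as an added example that is not part of the thread: a small Python parser for the quoted tcpdump lines that pairs each pre-NAT packet with its post-NAT copy and labels the flow. It makes the difference visible that matters for the host's own firewall: the external packet keeps its source, while the locally originated packet arrives at 192.168.1.2 with its source rewritten to the router's LAN address 192.168.1.1 by the reflection rule, so a host rule for UDP/7777 has to accept that source. The capture lines and the public IP placeholder are taken from the thread; the matching heuristic (same ports, protocol and length) and the labels are assumptions of this example.

```python
import re
from collections import namedtuple

# Matches the tcpdump lines quoted in this thread (optional "ethertype IPv4," prefix on the egress line).
LINE_RE = re.compile(r"^(?P<ts>[\d:.]+) (?:ethertype IPv4, )?IP (?P<src>\S+?)\.(?P<sport>\d+) > "
                     r"(?P<dst>\S+?)\.(?P<dport>\d+): (?P<proto>\w+), length (?P<length>\d+)$")
Packet = namedtuple("Packet", "ts src sport dst dport proto length")

def parse_tcpdump(text):
    """Parse tcpdump text into Packet tuples; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            pkts.append(Packet(d["ts"], d["src"], int(d["sport"]), d["dst"],
                               int(d["dport"]), d["proto"], int(d["length"])))
    return pkts

def classify_forwards(pkts, public_ip, router_lan_ip):
    """Pair each pre-NAT packet (dst = public IP) with its post-NAT copy (same ports, proto and
    length; a heuristic assumed here) and label the forward. Returns
    {(orig_src, sport): (kind, nat_src, nat_dst)} where kind is "wan-dnat" (source preserved),
    "hairpin" (source rewritten to the router's LAN IP, as the reflection rule does) or
    "no-dnat" (no post-NAT copy seen, i.e. the packet was dropped on the router)."""
    post_nat = [p for p in pkts if p.dst != public_ip]
    verdicts = {}
    for p in (p for p in pkts if p.dst == public_ip):
        key = (p.src, p.sport)
        if key in verdicts:
            continue  # the same flow is captured once per interface; one verdict per flow
        twin = next((q for q in post_nat if (q.sport, q.dport, q.proto, q.length)
                     == (p.sport, p.dport, p.proto, p.length)), None)
        if twin is None:
            verdicts[key] = ("no-dnat", None, None)
        elif twin.src == router_lan_ip and twin.src != p.src:
            verdicts[key] = ("hairpin", twin.src, twin.dst)
        else:
            verdicts[key] = ("wan-dnat", twin.src, twin.dst)
    return verdicts

# Constructed sample: one pre/post-NAT line from each capture in the thread, placeholder IP kept as-is.
CAPTURE = """
21:50:25.478929 IP 211.33.244.88.38721 > MY.PUBLIC.IP.HERE.7777: UDP, length 11
21:50:25.479079 IP 211.33.244.88.38721 > 192.168.1.2.7777: UDP, length 11
21:49:38.325645 IP 192.168.1.2.56782 > MY.PUBLIC.IP.HERE.7777: UDP, length 10
21:49:38.326046 ethertype IPv4, IP 192.168.1.1.56782 > 192.168.1.2.7777: UDP, length 10
"""
```

Running `classify_forwards(parse_tcpdump(CAPTURE), "MY.PUBLIC.IP.HERE", "192.168.1.1")` labels the external flow "wan-dnat" and the local one "hairpin" with nat_src 192.168.1.1, which is the source a host-side UDP/7777 allow rule must cover.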