Configuring firewall for the hairpin loopback

Digika · November 15, 2023, 6:59pm

I have a basic power forwarding setup that forwards all queries to my public IP address (assigned by ISP via PPPoE) and port 7777 to my local machine. It works just fine when any external source sends a request.

21:50:25.478929 IP 211.33.244.88.38721 > MY.PUBLIC.IP.HERE.7777: UDP, length 11
21:50:25.479079 IP 211.33.244.88.38721 > 192.168.1.2.7777: UDP, length 11
21:50:25.479097 IP 211.33.244.88.38721 > 192.168.1.2.7777: UDP, length 11
21:50:25.479109 ethertype IPv4, IP 211.33.244.88.38721 > 192.168.1.2.7777: UDP, length 11

But the issue is that for some reason the forwarding does not work when send from my own local machine to my public IP:

21:49:38.325645 IP 192.168.1.2.56782 > MY.PUBLIC.IP.HERE.7777: UDP, length 10
21:49:38.325645 IP 192.168.1.2.56782 > MY.PUBLIC.IP.HERE.7777: UDP, length 10
21:49:38.326009 IP 192.168.1.1.56782 > 192.168.1.2.7777: UDP, length 10
21:49:38.326032 IP 192.168.1.1.56782 > 192.168.1.2.7777: UDP, length 10
21:49:38.326046 ethertype IPv4, IP 192.168.1.1.56782 > 192.168.1.2.7777: UDP, length 10

In this case 192.168.1.1 is the OpenWRT router and 192.168.1.2 is my machine. The tcpdump above literally shows forwarding but nothing arrives. I dont think this is an ISP issue as you can see the data arrives so it is being forwarded by ISP properly. This also only applies to UDP data, TCP is being forwarded just fine

Let me know if you need more information.

jow · November 15, 2023, 7:48pm

Remove that last port forward to 7777-7778 from lan to lan, the firewall automatically creates loopback rules for wan to lan port forwards.

Digika · November 15, 2023, 8:11pm

I did, but nothing has changed

jow · November 15, 2023, 8:12pm

Please show the complete definition of the port forward.

Digika · November 15, 2023, 8:52pm

I dont recall which commands print this so here is from Luci:

RuralRoots · November 15, 2023, 10:03pm

uci export firewall
uci show firewall
cat /etc/config/firewall

Look at your screenshot in your OP, go down to entry 4, delete it, save/apply.

Digika · November 16, 2023, 8:42am

Look at your screenshot in your OP, go down to entry 4, delete it, save/apply.

Done, but it did not effect anything related to the issue.

uci export firewall
uci show firewall
cat /etc/config/firewall

https://paste.gg/p/anonymous/24165f2259304751a63a2b15e78231c7
https://paste.gg/p/anonymous/20831bcb143d4bcca802d0670c0708f7

Digika · November 18, 2023, 8:46pm

No ideas? It really baffles me that tcpdump shows packet received but it wont go through to my machine

lleachii · November 18, 2023, 9:01pm

Just FYI, if you're testing locally, the public IP is assigned to your device, no traffic is coming from the ISP.

With that information, given TCP works, I would suggest to verify the settings on 192.168.1.2 allow UDP traffic.

Digika · November 18, 2023, 9:17pm

Yes but verify what exactly?

antonk · November 18, 2023, 10:18pm

If the traffic is indeed forwarded correctly as suggested by tcpdump, but you don't see it on the target machine, then possibly that machine's firewall is dropping the traffic.