DDNS domain routing problems with OpenWRT

Hi, I am new to the OpenWRT world. My old router is broken in weird ways so now I am trying to set up a Linux server on my domain.

I am using no-ip.com to get an xxx.ddns.net AAAA domain. I plugged a Linux server into one of the LAN ports, and then added port forwarding from WAN to LAN.

I have an Apache server on port 80, an OpenVPN server on router port 1195 (to internal server port 1194), and SSH to the server on router port 12345 (to internal server port 22).

Issue 1:
I am currently facing an issue where I am using JuiceSSH (from the Android store) and trying to access the SSH server at username@xxx.ddns.net:12345, but the app says connection refused. Error log as below:

sh_connect: Socket connecting, now waiting for the callbacks to work
socket_callback_connected: Socket connection callback: 2 (111)
socket_callback_connected: Connection refused

Connecting directly inside the router to 192.168.3.193:12345 does work though.

Issue 2:
The Apache server hosted on the Linux server is accessible from the outside internet (tested with Android + mobile data), but when visiting the domain from inside the LAN, the domain redirects to the router's LuCI web interface. I.e. I connected my PC to the router and visiting xxx.ddns.net redirected me to the router's LuCI interface, not the hosted webpage.

Make sure the dyndns FQDN resolves to the 192.168 IP of the server you're forwarding to, when querying the name from your LAN.

Can you provide more information on how to do so? I think xxx.ddns.net resolves to the public IP address and not the internal 192.168 IP. I am using the ddns-scripts, ddns-scripts-noip, ddns-scripts-services and luci-app-ddns packages.

It is very early, but should the port forwards not be redirected to the LAN instead of 'this device' as the Destination zone?

The setting for Destination zone is LAN.


The same text also appears here: https://www.wundertech.net/how-to-port-forward-in-openwrt/


It's somewhere in the DNS settings, but I'm traveling, so no device access atm.

Or use https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#hostnames

This doesn't help if I have 2 servers behind the router. For DD-WRT there is a bug which is mentioned here: https://hax.at/text/41 , is there an equivalent in OpenWRT?

Bug? Why would there be?

I'm saying an equivalent fix for the same problem (accessing via the external hostname doesn't route correctly). My current situation seems suspiciously like that.

Apples and bananas, you can't compare DD-WRT with OpenWrt.

Do you have any further suggestions to check on this problem? It is frustrating to debug this, and the suggestion in https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#hostnames doesn't work if there are two servers that use different ports; it can only redirect internal traffic to one of the servers.

Use two separate FQDNs?

If you're redirecting browser traffic, you can probably solve it even if there's only one FQDN, based on the URL being requested, by using mod_rewrite or perhaps mod_proxy, but then you'll have to replace uhttpd with lighttpd or Apache.

From How to do NAT loopback with a dynamic WAN address - #5 by BigG it seems I need a new port forward record to do NAT loopback from LAN to the server?

On my Windows machine, where accessing xxxx.ddns.net redirects to the gateway router page (192.168.3.1), doing tracert xxxx.ddns.net returns the external WAN address and not the internal 192.168.3.x address, which would be the correct one.

You need your local dnsmasq to resolve those FQDNs with 192 IPs, when queried from the lan side.

Which was the 1st reply you got in this thread.

https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#a_and_aaaa_rr
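As an added illustration of that reply (this is not config posted in the thread), the split-horizon override lives in /etc/config/dhcp on the router. The hostname is the thread's placeholder; the IPv6 address is an assumed documentation-prefix address standing in for the server's real one. Because the DDNS name also has an AAAA record, the IPv6 entry matters: if LAN clients keep getting the public IPv6 back, they will still reach the router rather than the server.

```uci
# /etc/config/dhcp  (added example, not from the thread)
# Make dnsmasq answer xxx.ddns.net from the LAN side with the server's own
# addresses instead of the public ones returned by the DDNS provider.

config domain
	option name 'xxx.ddns.net'
	option ip '192.168.3.193'

# Assumed placeholder: the server's global IPv6 address, not the router's.
config domain
	option name 'xxx.ddns.net'
	option ip '2001:db8::193'
```

Apply it with /etc/init.d/dnsmasq restart and check from a LAN client with nslookup xxx.ddns.net 192.168.3.1; both the A and the AAAA answer should now be the server's addresses. The caveat the original poster raised still holds: this maps one name to exactly one host, so two servers behind the same router need two FQDNs (or NAT loopback on the port forwards instead of a DNS override).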

I do that in 2 port forwards.

config redirect
	option target 'DNAT'
	option name 'trackmania'
	option src_dport '50000-50010'
	option dest 'trackmania'
	option dest_ip '10.0.6.2'
	option dest_port '50000-50010'
	option reflection '0'
	option src 'wan'
	option src_dip 'wan'
	list proto 'tcp'
	list proto 'udp'

config redirect
	option target 'DNAT'
	option name 'trackmania nat loopback'
	option src 'lan'
	option src_dport '50000-50010'
	option dest_ip '10.0.6.2'
	option dest_port '50000-50010'
	option dest 'trackmania'
	option reflection_src 'internal'
	option src_dip 'wan'
	list proto 'tcp'
	list proto 'udp'

You can't add the firewall rules via LuCI because for the UI 'wan' is not a valid IP address, while it is for the backend.
Since this config is pretty old and reflection zones were added in the meantime, you can do it with a single rule like this if your OpenWrt installation is recent enough.

config redirect
	option target 'DNAT'
	option name 'trackmania'
	option src_dport '50000-50010'
	option dest 'trackmania'
	option dest_ip '10.0.6.2'
	option dest_port '50000-50010'
	option src 'wan'
	option src_dip 'wan'
	list proto 'tcp'
	list proto 'udp'
	list reflection_zone 'lan'
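To check a firewall config for exactly the two things this thread turns on (does a port forward hairpin back from the LAN, and is there any IPv6 rule for the same service), here is an added example: a small parser for the UCI /etc/config/firewall format that reports per WAN redirect. It is not code from the thread or from OpenWrt. The sample config is constructed to resemble the rules posted above; the IPv6 address and the reflection '0' on the SSH forward are assumptions made so that the report shows both a passing and a failing case. The defaults it applies (reflection on unless reflection='0', reflection_zone defaulting to the dest zone) follow the OpenWrt firewall documentation.

```python
"""Added example (not code from the thread): parse /etc/config/firewall and,
for each WAN port forward, report whether LAN clients can reach it via the
public address (NAT loopback) and whether a matching IPv6 accept rule exists."""
import shlex

# Constructed sample modelled on the configs posted in the thread; the IPv6
# address and the reflection='0' on the SSH forward are assumptions.
SAMPLE_FIREWALL = """
config redirect
	option name 'raspi-web'
	option src 'wan'
	option src_dport '80'
	option dest 'lan'
	option dest_ip '192.168.3.193'
	option dest_port '80'
	list reflection_zone 'lan'
config redirect
	option name 'raspi-ssh'
	option src 'wan'
	option src_dport '12345'
	option dest 'lan'
	option dest_ip '192.168.3.193'
	option dest_port '22'
	option reflection '0'
config redirect
	option name 'trackmania'
	option src 'wan'
	option src_dport '50000-50010'
	option dest 'trackmania'
	option dest_ip '10.0.6.2'
	option dest_port '50000-50010'
	option reflection '0'
config redirect
	option name 'trackmania nat loopback'
	option src 'lan'
	option src_dip 'wan'
	option src_dport '50000-50010'
	option dest 'trackmania'
	option dest_ip '10.0.6.2'
	option dest_port '50000-50010'
config rule
	option name 'Allow-HTTP-v6-raspi'
	option family 'ipv6'
	option src 'wan'
	option dest 'lan'
	option dest_ip '2001:db8::193'
	option dest_port '80'
	option target 'ACCEPT'
"""


def parse_uci(text):
    """Return UCI sections as dicts: 'type' plus option (str) and list (list) keys."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = shlex.split(line)  # handles 'quoted values' containing spaces
        if parts[0] == 'config':
            sections.append({'type': parts[1]})
        elif parts[0] == 'option' and sections:
            sections[-1][parts[1]] = parts[2] if len(parts) > 2 else ''
        elif parts[0] == 'list' and sections:
            sections[-1].setdefault(parts[1], []).append(parts[2])
    return sections


def forwards_report(text):
    """Map each WAN DNAT redirect name to its target and the two checks."""
    sections = parse_uci(text)
    redirects = [s for s in sections if s['type'] == 'redirect'
                 and s.get('target', 'DNAT') == 'DNAT']   # target defaults to DNAT
    v6_accepts = [s for s in sections if s['type'] == 'rule' and s.get('src') == 'wan'
                  and s.get('family') == 'ipv6' and s.get('target') == 'ACCEPT']
    lan_companions = [r for r in redirects if r.get('src') == 'lan']
    report = {}
    for r in redirects:
        if r.get('src') != 'wan':
            continue
        dest_zone = r.get('dest', 'lan')
        dest_port = r.get('dest_port', r.get('src_dport'))
        # OpenWrt defaults: reflection is on; zones default to the dest zone.
        zones = r.get('reflection_zone') or [dest_zone]
        if r.get('reflection', '1') == '0':
            zones = []  # reflection explicitly disabled on this redirect
        # Older two-rule style from the thread: a src='lan' redirect to the same target.
        companion = any(c.get('dest_ip') == r.get('dest_ip')
                        and c.get('src_dport') == r.get('src_dport')
                        and c.get('dest_port', c.get('src_dport')) == dest_port
                        for c in lan_companions)
        report[r.get('name', '?')] = {
            'target': f"{r.get('dest_ip')}:{dest_port}",
            'lan_loopback': 'lan' in zones or companion,
            'ipv6_rule': any(v.get('dest') == dest_zone and v.get('dest_port') == dest_port
                             for v in v6_accepts),
        }
    return report


if __name__ == '__main__':
    for name, info in forwards_report(SAMPLE_FIREWALL).items():
        print(f"{name:<24} {info['target']:<22} loopback={info['lan_loopback']} ipv6={info['ipv6_rule']}")
```

Run on a real router with `forwards_report(open('/etc/config/firewall').read())`. On the sample, raspi-web passes both checks, trackmania hairpins only through its companion rule, and raspi-ssh neither hairpins nor has an IPv6 rule, which is the shape of config the rest of the thread ends up diagnosing. The parser treats `reflection_zone` as a `list` entry; an `option reflection_zone` string would need splitting first.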

Thank you for your help, however visiting the domain from the LAN side still redirects to the LuCI router page. I have the following firewall setup:

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'raspi-web'
        option src 'wan'
        option src_dport '80'
        option src_dip 'wan'
        option dest_ip '192.168.3.193'
        option dest_port '80'
        list reflection_zone 'lan'

I think I might be missing something else...

Then maybe you forgot IPv6, because I don't see any IPv6 firewall rules mentioned, while you write that you have an AAAA record.
My guess would then be that it works from the outside because the firewall is closed and it falls back to IPv4, while from the LAN side the firewall is open and it uses IPv6, where LuCI is listening.
Also, your DynDNS needs to point to the IPv6 of your server and not of your router; keep that in mind.

Ah, that's the problem, thank you! What should the src_dip be for IPv6? I tried wan and it crashed the router; I had to revert that with failsafe mode. This is the UI for Network - Interfaces. wan_6 seems to be a virtual interface created with the PPPoE connection and does not show in /etc/config/network.

First of all, your DynDNS needs to point to the IPv6 of your server (that is really important!) and not of your router. There is normally no NAT with IPv6, which is why you also don't do a port forward and instead open the firewall for that device and port xyz.
See https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_ipv6_examples for examples, if you face problems you can post them here again.
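As an added example of what that reply describes (not config from the thread or from the wiki page), this is the IPv6 side of the raspi-web forward in /etc/config/firewall: a plain accept rule towards the server's own address, with no redirect and therefore no src_dip at all. The 2001:db8::193 address and the ::0123:4567:89ab:cdef host suffix are placeholders to be replaced with the server's real address or interface identifier.

```uci
# /etc/config/firewall  (added example, not from the thread)
# IPv6 is routed, not NATed: accept traffic from WAN to the server's own
# global address. The DDNS AAAA record must carry this same address.

config rule
	option name 'Allow-HTTP-v6-raspi'
	option family 'ipv6'
	option src 'wan'
	option dest 'lan'
	option dest_ip '2001:db8::193'
	option dest_port '80'
	option proto 'tcp'
	option target 'ACCEPT'

# If the ISP prefix can change, match only the host part of the address,
# as the "dynamic prefix forwarding" section of the linked wiki page does.
# The suffix below is a placeholder for the server's interface identifier.
config rule
	option name 'Allow-SSH-v6-raspi'
	option family 'ipv6'
	option src 'wan'
	option dest 'lan'
	option dest_ip '::0123:4567:89ab:cdef/::ffff:ffff:ffff:ffff'
	option dest_port '22'
	option proto 'tcp'
	option target 'ACCEPT'
```

Reload with /etc/init.d/firewall restart. Two things follow from "no NAT": the 12345-to-22 port translation on the IPv4 forward does not exist over IPv6, so an SSH client that resolves the AAAA record must connect to port 22 on the server directly; and anything not explicitly accepted stays blocked, so only the ports listed here are reachable from outside on IPv6.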


Thanks! I had a hard time finding the option to use the IPv6 of the server for DDNS (following https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_ipv6_examples#dynamic_prefix_forwarding) until I noticed my ISP seems to be giving a fixed IPv6 delegation, so I just manually set the IPv6 on the DDNS site. This finally seems to work and I can access the server correctly. Just wondering, is the tutorial above correct?