I have a weird issue and I don't understand where it comes from. I reworked my network to have 2 VLANs: LAN (192.168.0.0/24, VLAN 99) and DMZ (172.16.0.0/24, VLAN 1).
On eth port 1 of my router I have a Proxmox virtualization server. The host itself is configured on the LAN, but I have virtual machines that are on the DMZ. These VMs' network interfaces are configured with a VLAN tag.
One of the VMs is 172.16.0.101 and it exposes an HTTP server. So I went into OpenWrt's firewall > port forwarding and added the following:
Incoming IPv4, protocol TCP from WAN, to "this device" port 80, forward to DMZ, IP 172.16.0.101
However, when I try to access my public IP, I'm greeted with:
Forbidden
Rejected request from RFC1918 IP to public server address
It looks like I'm hitting OpenWrt's web UI instead of my host (if I try with HTTPS, the certificate is the one issued by OpenWrt). So... why?
Now, the even weirder thing: I change my port forwarding to forward to LAN, IP 172.16.0.101... it works! Again... why? Is it because the VM's host is on LAN?
So yeah, is it normal or did I mess up somewhere? Is it OK if I stay with the working configuration where the target zone mismatches the target IP?
Ah indeed, I did not think of testing that. And indeed, it works fine when trying from the internet, and it's when I'm trying from my LAN that there's an issue.
Should I then add a new port forwarding rule that's from LAN to DMZ?
Haha, I did not think it through and I locked myself out of OpenWrt's interface by adding a rule to redirect port 80 from LAN to my host in the DMZ. Fixed it through SSH.
Is there a way to make it work? I mean, access OpenWrt's web UI via 192.168.1.1 but access my VM's HTTP server via my public IP from my LAN, as it did before I added VLANs?
What you are trying to do is called hairpin NAT. It is better if you create a hostname for the server and bind it to the internal server IP. Otherwise the router will be a proxy for all the traffic going from LAN hosts to the DMZ server and might become a bottleneck.
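To put trendy's suggestion in OpenWrt terms (this is an added example, not part of the thread): no separate DNS server is needed. The router's own dnsmasq, which LAN and DMZ clients already use as their resolver, can be told to answer the public hostnames with the internal addresses, so internal clients connect straight to the VM and only outside clients go through the WAN redirect. The hostnames www.example.net and git.example.net are placeholders for the real domains, which the thread does not name; the two addresses are the servers from the posted redirects.

```text
# /etc/config/dhcp (added example; the hostnames are placeholders)
config dnsmasq
	option domain 'lan'
	option local '/lan/'
	option localise_queries '1'
	option rebind_protection '1'
	# split-horizon answers: these names resolve to the DMZ VMs for every client
	# that asks this dnsmasq; public resolvers keep returning the WAN address
	list address '/www.example.net/172.16.0.101'
	list address '/git.example.net/172.16.0.104'
```

Apply with uci commit dhcp followed by service dnsmasq restart, then verify with nslookup www.example.net 192.168.1.1 from a LAN host. Two caveats: clients that pin a public resolver or use DNS over HTTPS bypass this and keep hitting the public IP, so for them the hairpin problem remains; and the default rebind_protection does not interfere, because dnsmasq only applies it to answers from upstream servers, not to its own address entries.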
@lleachii: yes, I'm trying to forward port 80 to another server and no, I'm not trying to expose LuCI.
@trendy: my servers already have dedicated hostnames/domain names and I'm accessing them through these. However, the domains point toward my public IP. Your solution would require setting up a dedicated DNS server on my LAN that would resolve these domains to their local IPs. Am I right? Did I understand your intention correctly?
If I understood correctly, I'd rather not have a dedicated DNS or dedicated hosts for my server other than the one I usually use.
And I guess my main question is: why did it work before I set up any VLAN?
My network and firewall files were provided as links in my first post, but here they are:
network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd0d:56a4:b54e::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option device 'br-lan.99'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option vendorid 'neufbox_NB6V-XXXXXXXXXX'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'wwan'
	option proto 'dhcp'

config interface 'dmz'
	option proto 'static'
	option ipaddr '172.16.0.1'
	option netmask '255.255.0.0'
	option device 'br-lan.1'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '99'
	list ports 'lan1:t'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'
firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	list network 'dmz'
	option name 'dmz'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option src 'lan'
	list src_ip '192.168.1.23'
	option dest 'wan'
	option target 'DROP'
	option name 'Block Fan2'

config rule
	option name 'Block Vacuum2'
	option src 'lan'
	list src_ip '192.168.1.22'
	option dest 'wan'
	option target 'DROP'

config rule
	option name 'Block cam2'
	option src 'lan'
	list src_ip '192.168.1.87'
	option dest 'wan'
	option target 'DROP'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config redirect
	option target 'DNAT'
	list proto 'tcp'
	option src 'wan'
	option src_dport '80'
	option name 'http'
	option dest_ip '172.16.0.101'
	option dest 'lan'

config redirect
	option target 'DNAT'
	list proto 'tcp'
	option src 'wan'
	option src_dport '443'
	option name 'https'
	option dest_ip '172.16.0.101'
	option dest 'lan'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'ssh-git'
	list proto 'tcp'
	option src 'wan'
	option src_dport '22'
	option dest_ip '172.16.0.104'

config forwarding
	option dest 'wan'

config forwarding
	option src 'wan'

config forwarding
	option src 'dmz'
	option dest 'wan'

config rule
	option name 'Allow-IPSec-ESP-DMZ'
	list proto 'esp'
	option src 'wan'
	option dest 'dmz'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP-DMZ'
	list proto 'udp'
	option src 'wan'
	option dest 'dmz'
	option dest_port '500'
	option target 'ACCEPT'

config rule
	option name 'external-samba-445'
	list proto 'tcp'
	option src 'dmz'
	list src_ip '172.16.0.101'
	option dest 'lan'
	list dest_ip '192.168.1.101'
	option dest_port '445'
	option target 'ACCEPT'

config rule
	option name 'external-samba-139'
	list proto 'tcp'
	option src 'dmz'
	list src_ip '172.16.0.101'
	option dest 'lan'
	list dest_ip '192.168.1.101'
	option dest_port '139'
	option target 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'dmz'
And just to remind you what I currently have:
port forwarding from WAN to LAN on ports 80/443 to IP 172.16.0.101 (even though the IP is not in the LAN)
And my issue was with:
port forwarding from WAN to DMZ on ports 80/443 to IP 172.16.0.101
=> because then, when accessing public IP A.B.C.D from my desktop, it did not forward traffic to 172.16.0.101 but to LuCI instead, even though NAT loopback was enabled.
(but yes, it worked when I accessed it from the internet)
What I want (and what works with my current weird config with LAN instead of DMZ):
access 172.16.0.101 when browsing http://A.B.C.D (public address) from the internet, from my LAN VLAN or from my DMZ VLAN
I'm sorry to have to say this, but could you please read my post more carefully? From the beginning you've been asking questions or giving solutions about things that were already addressed.
As I said, when setting the rule destination to DMZ, I can then no longer access my server via my public IP while inside my LAN VLAN.
config redirect
	option target 'DNAT'
	option src 'wan'
	option proto 'tcp'
	option src_dport '80'
	option dest_port '80'
	option src_ip '192.168.1.0/24'
	option name 'REDIRECT_HTTP_LAN'
	option dest_ip '172.16.0.101'
	option dest 'lan'   # <--- yes, this is correct, it will route to DMZ and be allowed
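Added example, not a post from the thread: the behaviour described above matches how OpenWrt's firewall (fw3 and fw4) builds its NAT loopback rules. A redirect gets hairpin ("reflection") rules only for the zones in its reflection_zone list, and that list defaults to the redirect's dest zone. With dest 'dmz', a LAN client connecting to the public IP on port 80 is never rewritten, so the connection ends on the router's own web server and produces the "Rejected request from RFC1918 IP to public server address" page. With dest 'lan', the reflection rule covers LAN clients, and the rewritten packet is then routed into the DMZ, which the posted lan -> dmz forwarding allows; that is why the mismatched zone "works". The redirect below keeps dest 'dmz', matching where 172.16.0.101 actually lives, and lists both internal zones explicitly, so the public IP works from the internet, from the LAN VLAN and from the DMZ VLAN. The reflection rules only match packets addressed to the WAN IP, so LuCI stays reachable at 192.168.1.1. The https and ssh-git redirects from the posted config need the same two reflection_zone lines.

```text
# /etc/config/firewall (added example; replaces the posted 'http' redirect)
config redirect
	option name 'http'
	option target 'DNAT'
	option src 'wan'
	list proto 'tcp'
	option src_dport '80'
	option dest 'dmz'
	option dest_ip '172.16.0.101'
	option dest_port '80'
	option reflection '1'
	# hairpin rules for both internal VLANs; the default would cover the dest zone only
	list reflection_zone 'lan'
	list reflection_zone 'dmz'
	# rewrite the client source to the router's address in the server's zone, so the
	# server replies through the router and the NAT state matches
	option reflection_src 'internal'
```

Apply with uci commit firewall and service firewall restart, then test from a LAN host with curl -v http://A.B.C.D/ and check that the Server header and certificate are the VM's, not the router's. One separate point a practitioner should take from the posted config: the dmz zone has input 'ACCEPT', so a compromised DMZ VM can reach every service on the router itself (LuCI, SSH, DNS). The usual DMZ posture is input 'REJECT' with explicit rules allowing only DNS (53) and DHCP (67) from the dmz zone.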