General questions on options for a redirect rule

I have some general questions on redirect rules as follows.

In regard to this example:

config redirect
	option name 'WAN12345_LAN2345'
	option target 'DNAT'
	option src 'wan'
	option src_ip '7.7.7.7'
	option src_ip '8.8.8.8'
	option src_mac 'aa:bb:cc:dd:ee:ff:gg'
	option src_mac 'hh:ii:jj:kk:ll:mm:nn'
	option src_dport '12345'
	list proto 'tcp'
	list proto 'udp'
	option dest 'lan'
	option dest_ip '192.168.0.1'
	option dest_port '2345'

Q1. Is it right that, when the same option is repeated two or more times, traffic need only satisfy one of them? In other words,

	option src_ip '7.7.7.7'
	option src_ip '8.8.8.8'

amounts to saying that the source IP must be either the one or the other?

Q2. Is it right that different options must all be satisfied? In other words,

	option src_ip '7.7.7.7'
	option src_mac 'aa:bb:cc:dd:ee:ff:gg'

amounts to saying it must both be the case that the source IP is 7.7.7.7 and that the source MAC is aa:bb:cc:dd:ee:ff:gg?

Q3. Combining Q1 and Q2, the example at the top of this post would mean something like this:

  • Source IP must be 7.7.7.7 or 8.8.8.8, and source MAC must be aa:bb:cc:dd:ee:ff:gg or hh:ii:jj:kk:ll:mm:nn, and protocol must be TCP or UDP.

Q4. It seems 'src' as in src_ip and src_dport has two different meanings. In src_ip, 'src' refers to the person (machine) out there trying to satisfy the redirect rule in your OpenWrt (thus src_ip is his public IP address). But in src_dport, 'src' means your router's port that the traffic must hit (thus src_dport is your port, i.e. a port in your router). Do I understand this right?

Q5. When the person out there has the usual setup of a computer sitting behind a router, does src_mac refer to the MAC of the computer or the router? (I believe this question amounts to asking which MAC the router sends out to the Internet.)

I'd very much appreciate answers like 'Q1 through Q4 yes, Q5 the router's.' But if I am wrong in any of my ideas, I would appreciate being told what would have been right.

Thanks very much.

Yes, you cannot have multiple source IPs to be both of them. But you need a list not option for that to work.
Redirects cannot take more than one source IP. You either must create more redirect rules or use ipsets.

Yes, but you should not use mac address when you expect packets from the internet.

Right.

Correct.

None, mac has local application. Therefore you will only see the mac of the ISP router which connects to your modem/router.


Thank you very much.

I believe I understood all parts of your answer except for the above quoted.

Could you elaborate?

I just looked at:

Are you saying my code should look like:

config redirect
	option name 'WAN12345_LAN2345'
	option target 'DNAT'
	option src 'wan'
	list src_ip '7.7.7.7'
	list src_ip '8.8.8.8'
	list src_mac 'aa:bb:cc:dd:ee:ff:gg'
	list src_mac 'hh:ii:jj:kk:ll:mm:nn'
	option src_dport '12345'
	list proto 'tcp'
	list proto 'udp'
	option dest 'lan'
	option dest_ip '192.168.0.1'
	option dest_port '2345'

Oh yes, that must be it. That other post is quite clear. Thanks very much.


Just to clarify: you cannot use the "list" syntax to specify multiple src_ip in a redirect rule. Restarting the firewall will return a warning, and the rule will be ignored.

Warning: Option @redirect[X].src_ip must not be a list
Warning: Section @redirect[X] (rule_name) skipped due to invalid options

You will need to create a separate rule for each individual source IP address or use an IP set.


Thank you for not letting me go on with a wrong idea. That was very kind of you.

I presume having to create separate rules applies to multiple MACs?

But not to multiple protocols? (I know this because LuCI used list for multiple protocols).

How is one supposed to know when one could or must

  • use option with multiple items strung together
  • use list with one item per list line
  • create a separate rule per item?

Is there a giant reference manual somewhere? Only by trial and error?

I want to adopt your answer as "solution," but you were too generous in it to say "yes" to Q1. I believe I was just plain wrong. Could you amend your answer to say the code as I have it would not work because either I must use list or (if you agree with pavelgl) because a single redirect rule cannot accommodate two IP addresses. I believe you agree with pavelgl and "you cannot have multiple source IPs to be both of them" is your way of saying so.

Also to Q3, "Right" is too generous an answer. It would have to say that my code is wrong and would not work.

I am afraid adopting your answer as solution in the current form would mislead future (novice) readers of this post. Thanks.

Just for reference, MAC addresses only apply to your own internal network since they are only visible on L2 (switching). L3 (routing) doesn't use MACs, so you cannot match a MAC address from another network (i.e. on the internet).


I agree and I appended the answer.

It's not about the code, but about the logic which does work if applied in, let's say, an ipset.


list src_mac will work, but as mentioned, this is almost useless when you want to redirect requests arriving on the wan port.

I would recommend using LuCI (when you are not sure) and then check the UCI files. As you can see, you can specify multiple source MAC addresses, but only one source IP address in a redirect rule.


So there was a giant reference manual, but one I couldn't find without your help. Thank you so much!

I have a working redirect (port forwarding 80, 443) and indeed I cannot specify multiple src_ip addresses: I get the following errors on firewall reload:
Warning: Option 'cf_proxy1'.src_ip must not be a list
Warning: Section 'cf_proxy1' skipped due to invalid options
Warning: Option 'cf_proxy2'.src_ip must not be a list
Warning: Section 'cf_proxy2' skipped due to invalid options

How can I go around it? I don't want to create 15 redirects from each and every Cloudflare subnet to my web server...

Any idea?
Many thanks!

Add them to an IP set and use that in the rule.

@lleachii thanks. Can you be more specific and provide me with a few examples? I know next to nothing about IP sets in iptables/uci, etc.


This adds it to a set (click link):

This is a rule employing a set:

config rule
        option family 'ipv4'
        option ipset 'test'
        option target 'DROP'
        option name 'test'
        option src '*'
        list proto 'all'

I am still puzzled as to how I specify the src_ip in redirect:

ipset create myset hash:net
ipset add myset 14.144.0.0/12
ipset add myset 27.8.0.0/13
ipset add myset 58.16.0.0/15
ipset add myset 1.1.1.0/24

uci -q delete firewall.cf_proxy1
uci set firewall.cf_proxy1="redirect"
uci set firewall.cf_proxy1.name="Allow-Cloudflare-Nginx-80"
uci set firewall.cf_proxy1.target="DNAT"
uci set firewall.cf_proxy1.src="wan"
uci set firewall.cf_proxy1.dest="lan"
uci set firewall.cf_proxy1.proto="tcp"
uci set firewall.cf_proxy1.src_dport="80"
uci set firewall.cf_proxy1.dest_port="21080"
uci set firewall.cf_proxy1.src_ip="myset"
uci set firewall.cf_proxy1.dest_ip="192.168.8.110"
uci set firewall.cf_proxy1.target="ACCEPT"

Or will option ipset "myset" be treated as source IP?
Apologies for my ignorance...

edit:
Now I got it:

uci -q delete firewall.cf_set
uci set firewall.cf_set="ipset"
uci set firewall.cf_set.name="cf_set"
uci set firewall.cf_set.storage="hash"
uci set firewall.cf_set.family="ipv4"
uci set firewall.cf_set.match="src_net"
uci set firewall.cf_set.loadfile="/root/cf_set.txt"

uci -q delete firewall.cf_proxy1
uci set firewall.cf_proxy1="redirect"
uci set firewall.cf_proxy1.name="Allow-Cloudflare-Nginx-80"
uci set firewall.cf_proxy1.target="DNAT"
uci set firewall.cf_proxy1.src="wan"
uci set firewall.cf_proxy1.dest="lan"
uci set firewall.cf_proxy1.proto="tcp"
uci set firewall.cf_proxy1.family="ipv4"
uci set firewall.cf_proxy1.src_dport="80"
uci set firewall.cf_proxy1.dest_port="21080"
uci set firewall.cf_proxy1.ipset="cf_set"
uci set firewall.cf_proxy1.dest_ip="192.168.8.112"

uci -q delete firewall.cf_proxy2
uci set firewall.cf_proxy2="redirect"
uci set firewall.cf_proxy2.name="Allow-Cloudflare-Nginx-443"
uci set firewall.cf_proxy2.target="DNAT"
uci set firewall.cf_proxy2.src="wan"
uci set firewall.cf_proxy2.dest="lan"
uci set firewall.cf_proxy2.proto="tcp"
uci set firewall.cf_proxy2.family="ipv4"
uci set firewall.cf_proxy2.src_dport="443"
uci set firewall.cf_proxy2.dest_port="21443"
uci set firewall.cf_proxy2.ipset="cf_set"
uci set firewall.cf_proxy2.dest_ip="192.168.8.112"
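As an added example (not code from this thread or from OpenWrt itself), here is a small Python linter that parses the UCI `config`/`option`/`list` syntax and reproduces the two checks the thread turns on: a redirect declaring `src_ip` with `list` gets the same warning the firewall prints above, and an `option ipset` must name a `config ipset` section, as in the final working config. The sample config is constructed, and the wording of the undefined-ipset message is my own, not the firewall's.

```python
import re

# Constructed sample UCI firewall config (not the thread's real files): the
# first redirect declares src_ip with `list`, the second uses an ipset instead.
SAMPLE = """
config ipset
    option name 'cf_set'
    option match 'src_net'
config redirect
    option name 'WAN12345_LAN2345'
    list src_ip '7.7.7.7'
    list src_ip '8.8.8.8'
    list proto 'tcp'
config redirect
    option name 'Allow-Cloudflare-Nginx-80'
    option ipset 'cf_set'
    option src_dport '80'
"""

LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?\s*$")

def parse_uci(text):
    """Return [(section_type, {key: (declared_as_list, [values])})]."""
    sections = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # blank or unrecognised line
        kind, key, val = m.groups()
        if kind == "config":
            sections.append((key, {}))
        else:
            is_list, vals = sections[-1][1].setdefault(key, (kind == "list", []))
            vals.append(val)
    return sections

def lint_redirects(sections):
    """src_ip in a redirect must be a single option; `ipset` must be a defined set."""
    defined = {o["name"][1][0] for t, o in sections if t == "ipset" and "name" in o}
    warnings, usable = [], []
    for idx, (_, opts) in enumerate(s for s in sections if s[0] == "redirect"):
        name = opts.get("name", (False, ["?"]))[1][0]
        if "src_ip" in opts and (opts["src_ip"][0] or len(opts["src_ip"][1]) > 1):
            warnings.append(f"Option @redirect[{idx}].src_ip must not be a list")
            warnings.append(f"Section @redirect[{idx}] ({name}) skipped due to invalid options")
        elif "ipset" in opts and opts["ipset"][1][0] not in defined:
            warnings.append(f"Section @redirect[{idx}] ({name}) references undefined ipset")
        else:
            usable.append(name)
    return warnings, usable
```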