How to make available NAT loopback from VLAN zone

kishirok · December 31, 2022, 7:46am

Hello Everyone.

Last week, I got the device BUFFALO WSR-2533DHP2 having ability to manage VLAN at openwrt and now enjoy hacking.

I made several VLANs and devided to networks as for private and for guests.
It almost works fine but I found that access to web server at local lan zone by grobal IP address assinged to WAN interface from VLANs zone was refused by error below.

"Forbidden
Rejected request from RFC1918 IP to public server address."

As you know, local web server in lan zone is available from internet via wan by setting at "Firewall - Ports forwards".
and also available from clients in lan zone by set "Enable NAT Loopback" options.
But not available from clients in VLANs zone.

Now I'm considering this issue is caused that access from VLAN was never applied DNAT.

I hope you may give me a hint to solve this issue.

I already have workarround to respond DNS response to clients in VLANs zone as private IP address of local web server instead of grobal IP address by configuring DNSMasq.

So I expect hint you'll give me are excepted this.

Here are reference of my config.

firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option masq '1'
	option mtu_fix '1'

config zone
	option name 'vlan1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	list network 'VLAN1'
	option forward 'ACCEPT'

config zone
	option name 'vlan2'
	option input 'ACCEPT'
	option output 'ACCEPT'
	list network 'VLAN2'
	option forward 'ACCEPT'

config zone
	option name 'vlan3'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'VLAN3'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'vlan1'

config forwarding
	option src 'lan'
	option dest 'vlan2'

config forwarding
	option src 'vlan1'
	option dest 'wan'

config forwarding
	option src 'vlan1'
	option dest 'lan'

config forwarding
	option src 'vlan1'
	option dest 'vlan2'

config forwarding
	option src 'vlan2'
	option dest 'wan'

config forwarding
	option src 'vlan2'
	option dest 'lan'

config forwarding
	option src 'vlan2'
	option dest 'vlan1'

config forwarding
	option src 'vlan3'
	option dest 'wan'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'HTTP'
	list proto 'tcp'
	option src 'wan'
	option src_dport '80'
	option dest_ip '192.168.0.11'
	option dest_port '80'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'HTTPS'
	list proto 'tcp'
	option src 'wan'
	option src_dport '443'
	option dest_port '443'
	option dest_ip '192.168.0.11'

network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option device 'eth0.1'
	option ipaddr '192.168.0.1'
	list dns '8.8.8.8'
	list dns '8.8.4.4'
	option type 'bridge'

config interface 'VLAN1'
	option proto 'static'
	option device 'eth0.2'
	option ipaddr '192.168.1.1'
	option gateway '192.168.0.1'
	option netmask '255.255.255.0'
	list dns '8.8.8.8'
	list dns '8.8.4.4'

config interface 'VLAN2'
	option proto 'static'
	option device 'eth0.3'
	option ipaddr '192.168.2.1'
	option gateway '192.168.0.1'
	option netmask '255.255.255.0'
	list dns '8.8.8.8'
	list dns '8.8.4.4'
	option type 'bridge'

config interface 'VLAN3'
	option proto 'static'
	option device 'eth0.4'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option gateway '192.168.0.1'
	list dns '8.8.8.8'
	list dns '8.8.4.4'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 6t'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '2 6t'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '3 6t'

config switch_vlan
	option device 'switch0'
	option vlan '5'
	option ports '4 6t'

Best regards.

pavelgl · December 31, 2022, 9:10am

IMO this is the better solution (not a workaround), but you can try adding the following to your DNAT rules:

    list reflection_zone 'lan'
    list reflection_zone 'vlan1'
    list reflection_zone 'vlan2'
    list reflection_zone 'vlan3'

kishirok · December 31, 2022, 11:04am

Thank you for your reply.

Your message became a great help to me.

As you wrote, I made possible to enable NAT loopback access from VLANs zone by adding like below.

firewall

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'HTTPS'
	list proto 'tcp'
+	list reflection_zone 'lan'
+	list reflection_zone 'vlan1'
+	list reflection_zone 'vlan2'
+	list reflection_zone 'vlan3'
	option src 'wan'
	option src_dport '443'
	option dest_port '443'
	option dest_ip '192.168.0.11'

If I was allowed to ask for more, it might be more better to be able to do this sort of configuration only using LuCI.

You kindly saved me from adding dozens of domain names to hostname session.

Thank you very much and have a good year!

system · January 10, 2023, 11:04am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.