My server is behind OpenWrt, but for some reason I cannot get the client's real IP address on my servers

I have several Node.js and PHP applications (on an NGINX web server) on a server that is on an OpenWrt 20rc3 Linksys WRT3200ACM router.
Before, it was always working: I got the proper REMOTE_ADDR and X-Forwarded-For headers, but at some point it stopped working. Is it some configuration in the port forwarding in the firewall, or what?

Please help!

Thanks!

1 Like

Everything seems OK.

Basically, in the nginx log it shows the router's/gateway's IP address, which is weird. Why does it not show the real IP address?

Another weird thing is that in the error you can see the valid client IP address:
2021/05/27 21:16:45 [error] 69414#69414: *313005 access forbidden by rule, client: 35.233.23.228, server: webhook.patrikx3.com, request: "GET /wp-login.php HTTP/1.1", host: "webhook.patrikx3.com", referrer: "http://webhook.patrikx3.com/wp-login.php

Did you upgrade or install anything? Did you have any config backups (via the System part of config UI) that you can check against?

Nope, I do not know exactly when it started going bad.

Reference, similar problem:

Source address masquerading can be the result of a firewall SNAT rule:

  • LuCI > Network > Firewall > NAT Rules

What does it mean?

Empty, no NAT rule at all.

iptables-save -c -t nat

Also run the following to capture some packets, and stop with Ctrl-C after you have captured some:

opkg update; opkg install tcpdump; tcpdump -i any -evn tcp port 443 or tcp port 80

1 Like

Detach the LAN network from the zone sygnusvpn and/or disable masquerading on that zone.

Same result; it still thinks my router is the client IP, and because of this it always thinks I am in my local network, and my domains that are secured by network/IP are now all open because of this, given that the client IP is 192.168.78.1 instead of the real one. So all domains are open, so crazy.

OK, if I disable the sygnusvpn zone it works, but the problem is I need to access that sygnusvpn on my LAN.
How can I access the sygnusvpn on my LAN and make it work with the remote_addr variable?

It was working both at once; why is it bad now?

Try this:

uci set firewall.@zone[3].masq_dest="!192.168.78.20/32"
uci commit firewall
/etc/init.d/firewall restart
5 Likes
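The masq_dest exclusion above keeps the VPN zone masquerading for everything except the server, so nginx sees the real source again. As an added check that is not part of the thread, the following Python script parses nginx combined-format access-log lines and flags requests on LAN-only paths that were served to the gateway address 192.168.78.1, which is the symptom described above; the LAN range, the restricted paths and the sample log lines are assumptions.

```python
import ipaddress
import re

# The gateway address that replaced real clients in the thread.
GATEWAY_IP = "192.168.78.1"
# Assumptions for this example: the LAN range an IP-based allowlist trusts
# and the paths nginx restricts to that range.
LAN_NET = ipaddress.ip_network("192.168.78.0/24")
RESTRICTED_PREFIXES = ("/admin/", "/wp-login.php")
# nginx "combined" format: ip ident user [time] "method path proto" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

# Constructed sample lines, not taken from the original post.
SAMPLE_LOG = """\
192.168.78.1 - - [27/May/2021:21:16:45 +0200] "GET /wp-login.php HTTP/1.1" 200 612
192.168.78.1 - - [27/May/2021:21:16:46 +0200] "GET /admin/ HTTP/1.1" 200 1024
35.233.23.228 - - [27/May/2021:21:17:01 +0200] "GET /wp-login.php HTTP/1.1" 403 153
192.168.78.20 - - [27/May/2021:21:17:05 +0200] "GET /admin/ HTTP/1.1" 200 1024
192.168.78.1 - - [27/May/2021:21:17:09 +0200] "GET /index.html HTTP/1.1" 200 4096
"""


def parse_line(line):
    """Parse one combined-format line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "path": m["path"], "status": int(m["status"])}


def audit_masquerade(log_text, gateway_ip=GATEWAY_IP, lan_net=LAN_NET):
    """Report requests whose source was rewritten to the gateway address.

    With masquerading on the zone every forwarded client shows up as the
    gateway, which sits inside the trusted LAN range, so restricted paths
    that should be denied to outside clients are served with 2xx instead.
    """
    total = from_gateway = 0
    bypassed = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        total += 1
        if rec["ip"] != gateway_ip:
            continue
        from_gateway += 1
        if rec["path"].startswith(RESTRICTED_PREFIXES) and 200 <= rec["status"] < 300:
            bypassed.append((rec["path"], rec["status"]))
    return {"total": total, "from_gateway": from_gateway, "bypassed": bypassed,
            "gateway_in_lan": ipaddress.ip_address(gateway_ip) in lan_net}
```

A non-empty "bypassed" list after the fix means some traffic is still being source-rewritten and the masq_dest exclusion does not cover the server's address.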

Thanks so much!
It works now!
Perfect!
Take care!
You are a GOD, @vgaetera!

1 Like