NAT loopback or firewall issue

Hello,

I'm trying to connect to my server 10.0.0.17:16666 with my computer 10.0.5.1.

It's a game; when I refresh the server list, I see this:

17:16:34.340559 IP GUILLAUME-PC.home.3074 > pha75-3_migr-82-66-85-105.fbx.proxad.net.16666: UDP, length 12
17:16:34.340652 IP pha75-3_migr-82-66-85-105.fbx.proxad.net > GUILLAUME-PC.home: ICMP pha75-3_migr-82-66-85-105.fbx.proxad.net udp port 16666 unreachable, length 48

My friends can connect to the server, but I can't from my computer on the local network.

My config :

root@OPENWRT:~# cat /etc/config/firewall

config defaults
        option forward 'REJECT'
        option synflood_protect '1'
        option input 'ACCEPT'
        option output 'ACCEPT'

config zone
        option input 'REJECT'
        option output 'ACCEPT'
        option name 'WAN'
        option masq '1'
        option forward 'REJECT'
        list network 'wan'

config zone
        option name 'DMZ'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option input 'REJECT'
        list network 'DMZ'

config zone
        option name 'IoT'
        option forward 'REJECT'
        option input 'REJECT'
        option output 'ACCEPT'
        list network 'IoT'

config include
        option path '/etc/firewall.user'
        option fw4_compatible '1'

config rule
        option name 'WEB RP/OPENWRT'
        list proto 'tcp'
        option src 'DMZ'
        option dest_port '80'
        option target 'ACCEPT'
        list src_ip '10.0.0.5'

config rule
        option name 'ICMP'
        list proto 'icmp'
        option src '*'
        option dest '*'
        option target 'ACCEPT'

config rule
        option name 'HTTPS REVERSE-PROXY'
        list proto 'tcp'
        option dest 'DMZ'
        list dest_ip '10.0.0.5'
        option dest_port '443'
        option target 'ACCEPT'
        option src '*'

config zone
        option name 'GUEST'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'Guest'

config zone
        option name 'HOME'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option input 'REJECT'
        list network 'HOME'

config redirect
        option dest 'DMZ'
        option target 'DNAT'
        option name 'HTTPS REVERSE-PROXY'
        list proto 'tcp'
        option src 'WAN'
        option src_dport '443'
        option dest_ip '10.0.0.5'
        option dest_port '443'

config redirect
        option dest 'DMZ'
        option target 'DNAT'
        option name 'SSH EXT'
        list proto 'tcp'
        option src 'WAN'
        option src_dport '80'
        option dest_ip '10.0.0.9'
        option dest_port '66'
        option src_ip '193.49.190.200'

config rule
        option name 'ZABBIX DMZ/IoT'
        list proto 'tcp'
        option src 'DMZ'
        list src_ip '10.0.0.8'
        option dest 'IoT'
        option dest_port '10050'
        option target 'ACCEPT'

config rule
        option name 'ZABBIX IoT/DMZ'
        list proto 'tcp'
        option src 'IoT'
        option dest 'DMZ'
        list dest_ip '10.0.0.8'
        option dest_port '10050'
        option target 'ACCEPT'

config rule
        option name 'SMB'
        option src 'HOME'
        option dest 'DMZ'
        list dest_ip '10.0.0.2'
        option target 'ACCEPT'
        option dest_port '139 445 999'

config forwarding
        option src 'DMZ'
        option dest 'WAN'

config forwarding
        option src 'IoT'
        option dest 'WAN'

config forwarding
        option src 'GUEST'
        option dest 'WAN'

config forwarding
        option src 'HOME'
        option dest 'WAN'

config rule
        list proto 'tcp'
        option src 'HOME'
        option dest 'DMZ'
        option target 'ACCEPT'
        option name 'PC/OFA'
        list src_ip '10.0.1.1'
        list src_ip '10.0.1.200'
        list src_ip '10.0.1.2'
        list src_ip '10.0.1.203'

config rule
        list proto 'tcp'
        option src 'DMZ'
        option target 'ACCEPT'
        option name 'SSH OFA/OPENWRT'
        option dest_port '66'
        list src_ip '10.0.0.9'
        list src_ip '10.0.0.2'
        list src_ip '10.0.2.1'

config rule
        option src 'DMZ'
        option target 'ACCEPT'
        option dest_port '53'
        option name 'DNS DMZ'

config rule
        option src 'HOME'
        option target 'ACCEPT'
        option dest_port '53 67 68'
        option name 'DNS/DHCP HOME'

config rule
        option src 'IoT'
        option target 'ACCEPT'
        option dest_port '53 67 68'
        option name 'DNS/DHCP IoT'

config rule
        option src 'GUEST'
        option target 'ACCEPT'
        option dest_port '53 67 68'
        option name 'DNS/DHCP GUEST'

config rule
        option name 'ALLOW HA/OPENWRT'
        option target 'ACCEPT'
        option src 'IoT'
        list src_ip '10.0.2.1'

config rule
        option src 'DMZ'
        option dest 'IoT'
        option target 'ACCEPT'
        option name 'RTSP CAMERAS IOT'
        list src_ip '10.0.0.2'
        list dest_ip '10.0.2.5'
        list dest_ip '10.0.2.29'
        list dest_ip '10.0.2.1'

config rule
        option target 'ACCEPT'
        option name 'RTSP CAMERAS HOME'
        option src 'IoT'
        list src_ip '10.0.2.1'
        option dest 'RASPBERRY'

config rule
        option name 'SSH OFA/HOME'
        list proto 'tcp'
        option src 'DMZ'
        list src_ip '10.0.0.9'
        option dest_port '66'
        option target 'ACCEPT'
        option dest 'IoT'
        list dest_ip '10.0.2.1'

config rule
        option name 'ZABBIX DMZ/OPENWRT'
        list proto 'tcp'
        option src 'DMZ'
        list src_ip '10.0.0.8'
        option dest_port '10050'
        option target 'ACCEPT'

config rule
        option name 'ZABBIX OPENWRT/DMZ'
        list proto 'tcp'
        option dest 'DMZ'
        list dest_ip '10.0.0.8'
        option dest_port '10050'
        option target 'ACCEPT'

config rule
        option name 'REVERSE-PROXY / ALL'
        option src 'DMZ'
        list src_ip '10.0.0.5'
        option dest '*'
        option target 'ACCEPT'

config rule
        option name 'HOME/HA'
        option src 'HOME'
        option target 'ACCEPT'
        option dest 'IoT'
        list dest_ip '10.0.2.1'

config rule
        option name 'OPENWRT/HA'
        option target 'ACCEPT'
        option dest 'IoT'
        list dest_ip '10.0.2.1'

config redirect
        option dest 'DMZ'
        option target 'DNAT'
        option name 'SFTP'
        list proto 'tcp'
        option src 'WAN'
        option dest_ip '10.0.0.2'
        option dest_port '66'
        option src_dport '66'

config redirect
        option dest 'DMZ'
        option target 'DNAT'
        option name 'MINEOS'
        option src 'WAN'
        option src_dport '25565'
        option dest_ip '10.0.0.13'
        option dest_port '25565'

config redirect
        option dest 'DMZ'
        option target 'DNAT'
        option name 'CERBOT'
        list proto 'tcp'
        option src 'WAN'
        option dest_ip '10.0.0.5'
        option dest_port '80'
        option src_dport '80'
        option enabled '0'

config rule
        option name 'MINECRAFT'
        option src 'HOME'
        option dest 'DMZ'
        list dest_ip '10.0.0.13'
        option target 'ACCEPT'

config redirect
        option target 'DNAT'
        option name 'URGENCY'
        list proto 'tcp'
        option src 'WAN'
        option src_dport '80'
        option dest_ip '10.0.0.254'
        option dest_port '80'
        option enabled '0'

config redirect
        option target 'DNAT'
        option name 'URGENCY-SSH'
        list proto 'tcp'
        option src 'WAN'
        option src_dport '443'
        option dest_ip '10.0.0.254'
        option dest_port '66'
        option enabled '0'

config rule
        option name 'DHCP DMZ'
        option src 'DMZ'
        option dest_port '67 68'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'

config rule
        option name 'SSH HOME/OPWRT'
        list proto 'tcp'
        option src 'HOME'
        list src_ip '10.0.1.2'
        list src_ip '10.0.1.200'
        list dest_ip '10.0.1.254'
        option dest_port '66'
        option target 'ACCEPT'

config redirect
        option dest 'DMZ'
        option target 'DNAT'
        option name 'VPN'
        list proto 'tcp'
        option src 'WAN'
        option src_dport '80'
        option dest_ip '10.0.0.7'
        option dest_port '80'
        option enabled '0'

config rule
        option name 'PLEX'
        list proto 'tcp'
        option src 'HOME'
        option dest 'DMZ'
        list dest_ip '10.0.0.15'
        option dest_port '32400'
        option target 'ACCEPT'

config rule
        option name 'PLEX / GUEST'
        list proto 'tcp'
        option src 'GUEST'
        option dest 'DMZ'
        list dest_ip '10.0.0.15'
        option dest_port '32400'
        option target 'ACCEPT'

config redirect
        option dest 'DMZ'
        option target 'DNAT'
        option name '7Ddays'
        option src 'WAN'
        option dest_ip '10.0.0.17'
        option src_dport '26900-26903'

config rule
        option name '7DAYS'
        option src 'HOME'
        option dest 'DMZ'
        list dest_ip '10.0.0.17'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'
        option dest_port '26900-26903'

config rule
        option name 'RDS DMZ/PC'
        list proto 'tcp'
        option src 'DMZ'
        option dest_port '3389'
        option target 'ACCEPT'
        option dest 'ACCESS'
        list dest_ip '10.0.5.1'

config zone
        option name 'MANAGMENT'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'MANAGMENT'

config zone
        option name 'ACCESS'
        option output 'ACCEPT'
        option input 'REJECT'
        option forward 'ACCEPT'
        list network 'ACCESS'

config forwarding
        option src 'ACCESS'
        option dest 'WAN'

config zone
        option name 'RASPBERRY'
        option output 'ACCEPT'
        list network 'RASPBERRY'
        option input 'REJECT'
        option forward 'ACCEPT'

config forwarding
        option src 'RASPBERRY'
        option dest 'WAN'

config rule
        option src 'ACCESS'
        option target 'ACCEPT'
        option name 'ACCESS / OPENWRT'
        option dest_port '53 66 67 68 80'

config rule
        option name 'DNS/DHCP RASPBERRY'
        option src 'RASPBERRY'
        option dest_port '53 67 68'
        option target 'ACCEPT'

config rule
        option name 'ACCESS / DMZ'
        option src 'ACCESS'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'
        list proto 'icmp'
        option dest '*'

config rule
        option src 'DMZ'
        list src_ip '10.0.0.5'
        option dest 'IoT'
        option target 'ACCEPT'
        list dest_ip '10.0.2.1'
        option name 'RP / HA'

config rule
        option name 'HA / SSH'
        list proto 'tcp'
        option src 'IoT'
        list src_ip '10.0.2.1'
        option dest 'DMZ'
        list dest_ip '10.0.0.1'
        list dest_ip '10.0.0.254'
        list dest_ip '10.0.0.14'
        list dest_ip '10.0.0.15'
        option dest_port '66'
        option target 'ACCEPT'

config rule
        option name 'HA / NAS'
        option src 'IoT'
        option dest 'DMZ'
        list dest_ip '10.0.0.2'
        option target 'ACCEPT'

config rule
        option name 'ALLOW OPENWRT / IOT'
        list proto 'tcp'
        option dest 'IoT'
        list dest_ip '10.0.2.1'
        option target 'ACCEPT'

config rule
        option name 'HA / RTSPRASP CAM'
        list proto 'tcp'
        option src 'IoT'
        list src_ip '10.0.2.1'
        option dest 'RASPBERRY'
        option target 'ACCEPT'

config rule
        option name 'RTSP RASP CAM / HA'
        list proto 'tcp'
        option src 'RASPBERRY'
        option dest 'IoT'
        list dest_ip '10.0.2.1'
        option target 'ACCEPT'

config rule
        option name 'ZABBIX RASPB / DMZ'
        option src 'RASPBERRY'
        list dest_ip '10.0.0.8'
        option dest_port '10050'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'
        option dest 'DMZ'

config rule
        option name 'ZABBIX DMZ / RASPB'
        list src_ip '10.0.0.8'
        option dest 'RASPBERRY'
        option dest_port '10050'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'
        option src 'DMZ'

config rule
        option name 'ZABBIX HA / DMZ'
        list proto 'tcp'
        list src_ip '10.0.0.8'
        list dest_ip '10.0.2.1'
        option dest_port '10050'
        option target 'ACCEPT'
        option src 'DMZ'
        option dest 'IoT'

config rule
        option name 'ZABBIX DMZ / HA'
        list proto 'tcp'
        option src 'IoT'
        list src_ip '10.0.2.1'
        option dest 'DMZ'
        list dest_ip '10.0.0.8'
        option dest_port '10050'
        option target 'ACCEPT'

config rule
        option name 'SSH CALCIFER / RASPB'
        list proto 'tcp'
        option src 'DMZ'
        list src_ip '10.0.0.9'
        option dest 'RASPBERRY'
        option dest_port '66'
        option target 'ACCEPT'

config rule
        option name 'SYSLOG'
        list proto 'tcp'
        option src '*'
        option dest 'DMZ'
        list dest_ip '10.0.0.10'
        option dest_port '514'
        option target 'ACCEPT'

config rule
        option name 'MESHCENTRAL HOME'
        list proto 'tcp'
        option src 'HOME'
        option dest 'DMZ'
        list dest_ip '10.0.0.6'
        option dest_port '4430'
        option target 'ACCEPT'

config redirect
        option dest 'DMZ'
        option target 'DNAT'
        option name 'COD'
        option src 'WAN'
        option dest_ip '10.0.0.17'
        option reflection_src 'external'
        option src_dport '16666'
        option dest_port '16666'

config rule
        option name 'COD / ACCESS'
        option src 'DMZ'
        list src_ip '10.0.0.17'
        option dest 'ACCESS'
        list dest_ip '10.0.5.1'
        option target 'ACCEPT'

root@OPENWRT:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd7d:9daf:db85::/48'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option peerdns '0'
        list dns '208.67.222.222'
        list dns '208.67.220.220'

config interface 'HOME'
        option proto 'static'
        option ipaddr '10.0.1.254'
        option netmask '255.255.255.0'
        option device 'SWITCH.1'

config interface 'DMZ'
        option proto 'static'
        option ipaddr '10.0.0.254'
        option netmask '255.255.255.0'
        option device 'SWITCH.100'

config device
        option name 'lan1'
        option ipv6 '0'

config device
        option name 'wan'
        option ipv6 '0'

config device
        option name 'lan3'
        option ipv6 '0'

config interface 'Guest'
        option proto 'static'
        option netmask '255.255.255.240'
        option device 'SWITCH.5'
        option ipaddr '10.0.4.254'

config device
        option name 'wlan1'
        option ipv6 '0'

config device
        option name 'wlan0'
        option ipv6 '0'

config device
        option name 'wlan0-1'
        option ipv6 '0'

config interface 'IoT'
        option proto 'static'
        option ipaddr '10.0.2.254'
        option netmask '255.255.255.0'
        option device 'SWITCH.66'

config device
        option name 'wlan0-2'
        option ipv6 '0'

config device
        option type 'bridge'
        option name 'SWITCH'
        list ports 'lan1'
        list ports 'lan3'

config bridge-vlan
        option device 'SWITCH'
        option vlan '1'
        list ports 'lan3:t*'

config bridge-vlan
        option device 'SWITCH'
        option vlan '100'
        list ports 'lan1:t'

config bridge-vlan
        option device 'SWITCH'
        option vlan '66'
        list ports 'lan1:t'

config bridge-vlan
        option device 'SWITCH'
        option vlan '99'
        list ports 'lan3:t'

config bridge-vlan
        option device 'SWITCH'
        list ports 'lan3:t'
        option vlan '101'

config bridge-vlan
        option device 'SWITCH'
        option vlan '25'
        list ports 'lan3:t'

config bridge-vlan
        option device 'SWITCH'
        option vlan '5'

config interface 'MANAGMENT'
        option proto 'static'
        option device 'SWITCH.25'
        option ipaddr '10.0.6.254'
        option netmask '255.255.255.0'

config interface 'ACCESS'
        option device 'SWITCH.101'
        option proto 'static'
        option ipaddr '10.0.5.254'
        option netmask '255.255.255.0'

config interface 'RASPBERRY'
        option proto 'static'
        option device 'SWITCH.99'
        option ipaddr '10.0.3.254'
        option netmask '255.255.255.0'

Is it a NAT loopback problem, or something else?

If I understand correctly, you want to connect from 10.0.5.1 to 10.0.0.17, not the other way around, so that rule

should look like this:

config rule
        option name 'COD / ACCESS'
        option dest 'DMZ'
        option dest_ip '10.0.0.17'
        option src 'ACCESS'
        option src_ip '10.0.5.1'
        option target 'ACCEPT'

To make NAT loopback work (which is the worse of the two options), you need to use the reflection_zone option:

config redirect
        option dest 'DMZ'
        option target 'DNAT'
        option name 'COD'
        option src 'WAN'
        option dest_ip '10.0.0.17'
        option reflection_zone 'ACCESS'
        option src_dport '16666'
        option dest_port '16666'
config rule
        option name 'COD / ACCESS'
        option dest 'DMZ'
        option dest_ip '10.0.0.17'
        option src 'ACCESS'
        option src_ip '10.0.5.1'
        option target 'ACCEPT'

I already have:

config rule
        option name 'ACCESS / DMZ'
        option src 'ACCESS'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'
        list proto 'icmp'
        option dest '*'

The only solution I have found is:

config redirect
        option dest 'DMZ'
        option target 'DNAT'
        option src 'ACCESS'
        option dest_port '16666'
        option src_dport '16666'
        option dest_ip '10.0.0.17'
        option name 'COD INTERNAL'
        list proto 'tcp'
        list proto 'udp'
        list proto 'icmp'

Do you know why?

Where can I set the reflection zone in LuCI?

        option reflection_zone 'ACCESS'

I can't find it.

Thank you

Sorry, but your configuration is quite complex and it would take a long time to inspect carefully.

AFAIK there is no such option in LuCI.
If you don't feel comfortable editing the configuration file manually, try this:

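# Find the index of the redirect section named 'COD' and attach ACCESS as a
# reflection zone.  `uci show firewall` prints lines such as
#   firewall.@redirect[12].name='COD'
# and the number between the brackets is what the add_list path needs.
# Matching on ".name='COD'" (fixed string) keeps the single-quoted value
# exact, so a section named 'COD INTERNAL' or 'COD / ACCESS' does not match.
rn=$(uci show firewall | grep -F '@redirect[' | grep -F ".name='COD'" | cut -d '[' -f2 | cut -d ']' -f1)
# Only proceed when exactly one digit-only index came back: an empty result
# would build the invalid path firewall.@redirect[].reflection_zone, and
# several matches would be joined by newlines into one bogus path.
# No `exit` here on purpose: this is meant to be pasted into a root shell.
case "$rn" in
  '' | *[!0-9]*)
    echo "expected exactly one redirect named 'COD', got: '$rn'" >&2
    ;;
  *)
    uci add_list "firewall.@redirect[$rn].reflection_zone=ACCESS"
    ;;
esac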

Verify that the option has been added correctly, then commit the change and restart the firewall service.

# Write the staged uci change to the firewall config, then restart the
# firewall so the new reflection_zone takes effect.
uci commit firewall
/etc/init.d/firewall restart

OK, it works with reflection_zone.

If I want all zones, is it:

option reflection_zone '*'

?

Unfortunately, you'll have to list all the zones one by one.
