NAT loopback/reflection problem: local static routed subnets are not covered by fw3 reflection rules

I am trying to work out the correct way to support NAT reflection on my home router when I have several additional local subnets accessible via a static route (through a second openwrt router).

Currently, the fw3-generated firewall NAT rules set the source address scope to match the "lan" zone. This excludes the IP address ranges of the subnets served by my second router, which causes NAT reflection to fail for any of my hosts on the routed subnets.

Any advice or assistance would be gratefully received. Scouring the web and forum has failed me so far. I guess a clean solution would be to add my routed subnets to the "lan" firewall zone - but I can't figure out how to do that (I can only add interfaces to zones).

In the meantime, I have put some hand-crafted rules into /etc/firewall.user to fix this, but that means hard-coding my public IP which is subject to change by my ISP.

edgerouter is a Ubiquiti Edgerouter X running OpenWrt 19.07.3.

Relevant parts of edgerouter /etc/config/network:

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr ''
	option netmask ''
	option ip6assign '60'

config route
	option target ''
	option gateway ''
	option netmask ''
	option interface 'lan'

A Port redirect rule from /etc/config/firewall:

config redirect
	option dest_port '5789'
	option src 'wan'
	option name 'Allow-wan-5789'
	option src_dport '5789'
	option target 'DNAT'
	option dest_ip ''
	list proto 'tcp'
	option dest 'lan'

which generates the following iptables rules (iptables-save | grep 5789):

-A zone_lan_postrouting -s -d -p tcp -m tcp --dport 5789 -m comment --comment "!fw3: Allow-wan-5789 (reflection)" -j SNAT --to-source
-A zone_lan_prerouting -s -d XXX.XXX.XXX.XXX/32 -p tcp -m tcp --dport 5789 -m comment --comment "!fw3: Allow-wan-5789 (reflection)" -j DNAT --to-destination
-A zone_wan_prerouting -p tcp -m tcp --dport 5789 -m comment --comment "!fw3: Allow-wan-5789" -j DNAT --to-destination

(where XXX.XXX.XXX.XXX is my router's public IP address.)

The issue is with the -s, which specifically excludes the subnets served by router2.

Thanks in advance, Glenn.


Thanks @vgaetera. That was very useful. I updated my hand-crafted rules in /etc/firewall.user (see below). Still a hack - but a more useful hack now :-). If my ISP IP address changes, I just have to /etc/init.d/firewall restart.

I found I also had to adapt the solution a little as I find I still require a matching SNAT rule for the reflection to work correctly.

# /etc/firewall.user is sourced by fw3 as a shell script, so the OpenWrt
# network helper library can be loaded to look up the WAN address at
# firewall (re)start time instead of hard-coding it.
source /lib/functions/
# Sets the shell variable $wan to the IPv4 address currently held by the 'wan' interface.
network_get_ipaddr wan wan

# SNAT leg of the reflection: rewrite the source so the reply comes back through the router.
iptables -t nat -A zone_lan_postrouting -p tcp -s -d -m tcp --dport 5789 -m comment --comment "Extend NAT reflection to all my routed subnets." -j SNAT --to-source
# DNAT leg of the reflection: traffic from the routed subnets aimed at the public IP is redirected to the internal host.
iptables -t nat -A zone_lan_prerouting -p tcp -s -d $wan/32 -m tcp --dport 5789 -m comment --comment "/etc/firewall.user: Extend NAT reflection to all my routed subnets." -j DNAT --to-destination

I also felt uncomfortable dropping the "-s" arguments entirely (as in the suggested solution). Since fw3 generates rules with "-s", I feel more comfortable retaining them (with an expanded scope) rather than ditching them entirely.

OK - I have a better solution now. Documented here for anyone else struggling with this.

I was able to manually add my routed subnets to the "lan" firewall zone definition:

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list subnet ''

This can also be done through the luci web UI:
Firewall -> General Settings Tab -> "Edit" on lan Zone -> Advanced Settings tab
Add "" to "Covered subnets".

Now fw3 will automatically write additional NAT reflection iptables rules for the additional subnet(s). Any new port forwarding rules will be handled correctly.

Thanks @vgaetera - your suggestion got me looking in the right direction, but I pick this as a preferred solution to writing hand-crafted NAT reflection rules in /etc/firewall.user.

Cheers, Glenn.
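As an added example (not code from the thread or from OpenWrt itself), the following script checks the condition described above offline: it parses the UCI text format of /etc/config/network and /etc/config/firewall, works out which statically routed subnets leave through a zone's interfaces, and reports which of them are not covered by that zone's directly attached subnets or its `list subnet` entries, i.e. the ones fw3 will leave out of its reflection rules. The two embedded configs and all addresses (192.168.x.x) are constructed sample values, not the poster's; the `zone_coverage` function and its helpers are this example's own names.

```python
"""Report statically routed subnets that an fw3 zone's NAT-reflection rules will not cover.

Minimal parser for the UCI text format (config/option/list lines) plus the
coverage logic from the thread: fw3 derives the reflection source scope from
the zone's interface subnets and any explicit 'list subnet' entries.
"""
import ipaddress
from collections import defaultdict

# Constructed sample of /etc/config/network (private-range placeholder addresses).
NETWORK_CFG = """
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config route
	option target '192.168.10.0'
	option gateway '192.168.1.2'
	option netmask '255.255.255.0'
	option interface 'lan'

config route
	option target '192.168.20.0'
	option gateway '192.168.1.2'
	option netmask '255.255.255.0'
	option interface 'lan'
"""

# Constructed sample of the 'lan' zone in /etc/config/firewall; only one routed subnet is listed.
FIREWALL_CFG = """
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list subnet '192.168.10.0/24'
"""


def _unquote(value):
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def parse_uci(text):
    """Return a list of sections: {'type', 'name', 'opts'} where opts maps key -> [values]."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if parts[0] == "config" and len(parts) >= 2:
            name = _unquote(parts[2]) if len(parts) == 3 else None
            current = {"type": parts[1], "name": name, "opts": defaultdict(list)}
            sections.append(current)
        elif parts[0] in ("option", "list") and current is not None and len(parts) == 3:
            current["opts"][parts[1]].append(_unquote(parts[2]))  # 'list' keys may repeat
    return sections


def interface_subnets(sections):
    """Directly attached IPv4 subnets per static interface (what fw3 derives on its own)."""
    out = defaultdict(list)
    for s in sections:
        opts = s["opts"]
        if s["type"] != "interface" or opts.get("proto", [""])[0] != "static" or "ipaddr" not in opts:
            continue
        mask = opts.get("netmask", ["255.255.255.255"])[0]
        out[s["name"]].append(ipaddress.ip_network(f"{opts['ipaddr'][0]}/{mask}", strict=False))
    return out


def routed_subnets(sections):
    """Static 'config route' targets keyed by the interface they are reached through."""
    out = defaultdict(list)
    for s in sections:
        opts = s["opts"]
        if s["type"] != "route" or "target" not in opts:
            continue
        target = opts["target"][0]
        if "/" not in target:  # UCI routes may give the prefix length as a separate netmask
            target = f"{target}/{opts.get('netmask', ['255.255.255.255'])[0]}"
        out[opts.get("interface", [""])[0]].append(ipaddress.ip_network(target, strict=False))
    return out


def zone_coverage(network_cfg, firewall_cfg, zone_name="lan"):
    """Return (covered, uncovered) CIDR strings for routed subnets behind the zone's interfaces."""
    net, fw = parse_uci(network_cfg), parse_uci(firewall_cfg)
    zone = next((s for s in fw if s["type"] == "zone" and s["opts"].get("name", [None])[0] == zone_name), None)
    if zone is None:
        raise ValueError(f"zone {zone_name!r} not found in firewall config")
    ifaces = zone["opts"].get("network", [])
    scope = [ipaddress.ip_network(c, strict=False) for c in zone["opts"].get("subnet", [])]
    attached = interface_subnets(net)
    for iface in ifaces:
        scope.extend(attached.get(iface, []))
    covered, uncovered = [], []
    routes = routed_subnets(net)
    for iface in ifaces:
        for route in routes.get(iface, []):
            inside = any(route.subnet_of(c) for c in scope if c.version == route.version)
            (covered if inside else uncovered).append(str(route))
    return covered, uncovered


if __name__ == "__main__":
    cov, uncov = zone_coverage(NETWORK_CFG, FIREWALL_CFG)
    print("covered by lan reflection scope:", cov)
    print("NOT covered (add as 'list subnet' on the zone):", uncov)
```

On a router the two files can be copied off and passed to `zone_coverage` in place of the samples; the fix for anything reported as uncovered is the `list subnet` entry shown in the post, which can also be applied from the shell with `uci add_list firewall.<lan zone section>.subnet='<cidr>'`, `uci commit firewall` and `/etc/init.d/firewall reload` (the section name depends on the router's config).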

