TopDog
October 2, 2020, 6:43pm
I did a bunch of searches but came up empty, so here goes.
I am trying to forward a port to an internal server, which in turn needs to respond to the IP of the original requester (on a different port). So the incoming traffic to the local server needs to 'see' the IP of the original requester.
But by default, the config will propagate the router's own IP to the server, so we are now unable to reach the remote requester.
In LuCI there is a drop-down in the Advanced settings to pick which IP is used in these forwards, local or source. I picked source, but the server still sees the router's own local IP, not the public IP of the remote requester.
Basically, this is the "option reflection_src external" on this forward.
here is the rule in question:
config redirect
    option dest_port '50432'
    option src 'wan'
    option name 'TestServer'
    option src_dport '50432'
    option target 'DNAT'
    option dest_ip '192.168.0.184'
    option reflection_src 'external'
    option dest 'lan'
I'm on 19.07.3
Any input welcome.
krazeh
October 2, 2020, 7:12pm
Where are the original requests coming from? Internal or external? Can you post the entire contents of /etc/config/firewall?
TopDog
October 2, 2020, 8:10pm
Requests are coming from the public internet through the WAN interface.
Here is the firewall config:
config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option synflood_rate '200/s'
    option synflood_burst '500'

config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fc00::/6'
    option dest_ip 'fc00::/6'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config include
    option path '/etc/firewall.user'

config zone
    option name 'guest'
    option forward 'REJECT'
    option output 'ACCEPT'
    option network 'guest'
    option input 'REJECT'
    option mtu_fix '1'

config forwarding
    option dest 'wan'
    option src 'guest'

config rule
    option target 'ACCEPT'
    option src 'guest'
    option name 'GuestDNS'
    option proto 'all'
    option dest_port '53'

config rule
    option enabled '1'
    option target 'ACCEPT'
    option src 'guest'
    option name 'GuestDHCP'
    option proto 'udp'
    option dest_port '67-68'

config rule
    option name 'BlockLinkLocal'
    option proto 'tcp udp'
    option src_ip '169.254.0.0/16'
    option target 'DROP'
    option src 'lan'

config include 'miniupnpd'
    option type 'script'
    option path '/usr/share/miniupnpd/firewall.include'
    option family 'any'
    option reload '1'

config redirect
    option dest_port '50432'
    option src 'wan'
    option name 'TestServer'
    option src_dport '50432'
    option target 'DNAT'
    option dest_ip '192.168.0.184'
    option reflection_src 'external'
    option dest 'lan'
It looks like you have misunderstood something.
A WAN to LAN port forwarding does not mask the source IP by default.
It's best to use tcpdump to investigate the issue properly.
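An added illustration of the point made in the reply above; this is not code from the thread or from OpenWrt. In fw3 (the firewall in 19.07) `reflection_src` only chooses the source address used for NAT reflection, i.e. for LAN hosts that connect to the router's public IP and get looped back to the forwarded server. A connection that arrives on WAN is DNATed to 192.168.0.184 and keeps the remote client's source address unless a separate SNAT rule rewrites it. Short of a tcpdump on br-lan, the quickest way to see which case you are in is the conntrack table: every entry in /proc/net/nf_conntrack carries the original tuple followed by the reply tuple, and the reply tuple's `dst=` is the address the server is actually answering to. The script below parses constructed entries in that format; the router LAN address 192.168.0.1, its WAN address 198.51.100.10 and the clients 203.0.113.5 and 192.168.0.20 are assumed values, not anything from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: classify conntrack entries for a
# WAN->LAN DNAT forward and report whether the server sees the real client
# address or the router's own address. Runs under busybox ash/awk on OpenWrt
# as well as on a desktop shell.

SERVER_IP=192.168.0.184
SERVER_PORT=50432

# Constructed sample in /proc/net/nf_conntrack format (addresses are assumptions).
# Entry 1: plain WAN->LAN DNAT; the reply tuple's dst= is the public client,
#          so the server answers the client directly.
# Entry 2: hairpin/NAT-reflection style forward; the reply tuple's dst= is the
#          router LAN IP 192.168.0.1, so the server only ever sees the router.
# Entry 3: unrelated outbound DNS, must be ignored.
SAMPLE_CONNTRACK='ipv4     2 tcp      6 431999 ESTABLISHED src=203.0.113.5 dst=198.51.100.10 sport=51234 dport=50432 src=192.168.0.184 dst=203.0.113.5 sport=50432 dport=51234 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.0.20 dst=198.51.100.10 sport=40001 dport=50432 src=192.168.0.184 dst=192.168.0.1 sport=50432 dport=40001 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.168.0.50 dst=8.8.8.8 sport=5353 dport=53 src=8.8.8.8 dst=198.51.100.10 sport=53 dport=5353 mark=0 zone=0 use=2'

# classify_forwards SERVER_IP SERVER_PORT < conntrack-text
# Prints one line per connection DNATed to SERVER_IP:SERVER_PORT:
#   <original client> <address the server replies to> <preserved|rewritten>
classify_forwards() {
    awk -v srv="$1" -v port="$2" '
    {
        # Tuples appear in order: original direction first, reply second.
        n = 0; odport = ""
        split("", src); split("", dst)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/)                 { n++; src[n] = substr($i, 5) }
            else if ($i ~ /^dst=/)            { dst[n] = substr($i, 5) }
            else if ($i ~ /^dport=/ && n == 1) { odport = substr($i, 7) }
        }
        # Reply tuple: src is the host answering, dst is whom it answers to.
        if (n == 2 && src[2] == srv && odport == port) {
            state = (dst[2] == src[1]) ? "preserved" : "rewritten"
            print src[1], dst[2], state
        }
    }'
}

# check_source_preserved < conntrack-text
# Exit 0 when every forward to the server keeps the client address,
# 1 when at least one connection was rewritten to the router address.
check_source_preserved() {
    classify_forwards "$SERVER_IP" "$SERVER_PORT" |
        awk '$3 == "rewritten" { bad++ } END { exit (bad > 0) }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_CONNTRACK" | classify_forwards "$SERVER_IP" "$SERVER_PORT"
if printf '%s\n' "$SAMPLE_CONNTRACK" | check_source_preserved; then
    echo "all forwards preserve the client address"
else
    echo "some forwards hand the server the router address instead"
fi
# On the router itself, once a test connection from outside is established:
#   classify_forwards "$SERVER_IP" "$SERVER_PORT" < /proc/net/nf_conntrack
```

If every line for the forward says `preserved`, the firewall is doing what the reply describes and the address the server application displays is coming from somewhere else; a `rewritten` line with the router's LAN IP in the second column is the signature of an SNAT/masquerade applying to that forward.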
tmomas
March 7, 2022, 4:45pm
@TopDog
If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
TopDog
March 7, 2022, 5:20pm
TopDog: "router's own IP"
The problem was due to the server application reporting the wrong IP in the UI, so this was a 'confused user' issue due to being given bad data.
Thanks to all who responded.
system
Closed
March 17, 2022, 5:21pm
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.