OpenWrt masq --to-ports

Hi, I'd want to be able to specify what port range masquerade uses while Natting the internal network, how can I do that through Luci or config files?

Here's how you do it in ubiquiti:

Thanks and regards

1 Like

GOOD QUESTION...and I just went over this for another issue...!

In Linux, this is done in sysctl...I don't think you can in LuCI (except running the custom command in startup or firewall); but the UCI file in OpenWrt is located at /etc/sysctl.d/10-default.conf

The value is: net.ipv4.ip_local_port_range

Hope this helps.

By the way, the default is:

root@OpenWrt:~# sysctl net.ipv4.ip_local_port_range
net.ipv4.ip_local_port_range = 32768	60999

I'll check what the default range is on my router, because its starting NATTing using ports 1026 and above

1 Like

That's not it, net.ipv4.ip_local_port_range = 32768 61000 this is the output we get

Then, you should mark the problem as solved, as they [practically] match...but I surmise that you probably need to clearly explain why you believe the OpenWrt router is not using ports 32768-60999[61000] for masquerade?

Can you provide a tcpdump of your WAN interface, and the corresponding LAN connection?

Yeah I'm doing that right now

1 Like
====      ICSI Netalyzr CLI, build 57861       ====
====          18-08-2018 17:35:44 UTC          ====
==== ID xxxxxx-xxxxxxxx-xxxxxx-xxxx-xxxxx-xxxx ====


A- I'm NATTing UDP Connections
B- Even with TCP the ports that are being used are below 32000

Network Topology

intenal network <-> WAN on openWRT <-> Edge Router <-> Internet

Trace on LAN > some.public.ip.addr.5080: UDP, length 781 > some.public.ip.addr.5080: UDP, length 779 > some.public.ip.addr.5080: UDP, length 779 > some.public.ip.addr.5080: UDP, length 779

Trace on WAN > some.public.ip.addr.5080: UDP, length 287 > some.public.ip.addr.5080: UDP, length 781 > some.public.ip.addr.5080: UDP, length 781 > some.public.ip.addr.5080: UDP, length 780

You can see port 1031 and 1034 being used. What's funny is that right now its using 5060 and 5061 as well for NATTing but I have another WAN interface which is an LTE modem, if I route through that, then these ports are 1025-1029

Output of sysctl net.ipv4.ip_local_port_range
net.ipv4.ip_local_port_range = 32768 61000

I'm not sure if you're joking. That appears to be SIP. Of course it's using 5060 and 5061.

That's odd, but you didnt't provide any results from tcpdump, or anything of the like...also, when doing so, please don't test using a service registered with IANA - that uses a port under 32768.

I can send you the results via email, over TCPDUMP, its a SIP handshake a lot of information going over, didn't want to share all that info here.

The to port is 5080, that's where I'm listening for the SIP REGISTER, the from port on the WAN side of OpenWRT is what's messing up, it uses ports 1025-1029 when NATTing the internal network (If I'm on my LTE Modem, if I'm on ethernet, then the ports used are 5060, 5061 and then 1032 etc as showed in dumps

Please don't test using SIP, I noted:

  • Can you try just going to a HTTPS site???
  • HTTP?
  • SSH?
  • IRC?

Just use some protocol/service that doesn't specify IANA-registered source ports.

So I tried downloading a large file and you're right I'm getting this the connection is NATTed using port 41285

1 Like

the next connection was on the port 41286
and the next on 41287

So coming back to my original question, is there anything I can do so that my router uses higher ports for SIP handshakes? and sequentials ?

Apologies, I thought the original question was:

Your reasoning was:

We determined that isn't the case.

You then had success:

...I was going to ask if you'll consider marking the thread as SOLVED, actually.

  • You might look into turning off connection tracking for SIP (but, if you have inbound endpoints, this may degrade or break service):

Well, the only issue I'm having right now is that when I restart the box, and its on 4G, for some reason, verizon is blocking UDP port 1026 and 1027 so I can't establish SIP connectivity, a workaround I've found is to simply restart the network interface so it moves on to the next set of ports for NATTing and that works OK

So the TLDR of the thread is that yes OpenWRT honors the values of ports it uses for NATTING as long as they aren't a registered service like SIP, with IANA, and then it does whatever the hell it wants, and that usually involves starting from the lowest port avaiable for NAtting.