Port Forwarding and NAT Loopback for OpenWrt itself

Hi,
I have a NAS connected to the LAN of OpenWrt, and in order to access my NAS by domain name (or public IP) from anywhere, I set a Port Forwarding rule for it.
Now, my NAS is accessible by domain from both outside and inside (thanks to NAT Loopback).
A few days ago, I installed an app on OpenWrt, and this app needs a subscribe link to keep updated. Hey, I have a NAS, so I just use my NAS to serve this subscribe link.
However, this app on OpenWrt just can't connect to my NAS by domain name (or public IP).
According to the doc of this app, it uses 'curl' to get the subscribe content. So, I tried it via ssh, and the error message is "curl: (56) Recv failure: Connection reset by peer".

It doesn't seem that port forwarding or NAT Loopback is applied to openwrt itself at all.
What a black hole.

So, how can I let OpenWrt itself access the local servers by using the public IP and port?
Plz help.

Can Access Remote Ports Externally but not Locally - #4 by vgaetera


Thanks for your reply, but rebinding the domain to a single private IP is not what I want.
There could be several servers on the local net. If I rebind the domain to the NAS, I will not be able to access OpenWrt by the domain locally.
Currently, I can access remote ports both externally and locally, but not from OpenWrt itself.

@Yang-z, welcome to the community!

Of course you can't - unless I missed the reasoning for your response to @vgaetera, you merely re-stated your issue/technical limitation.

  1. "NAT Loopback" as implemented in OpenWrt refers to the host IP itself only
  2. :bulb: This is not suggested by most Regulars here; but you can make a NAT redirect for traffic to WAN @ port - DNAT to the IP in the SRC network - this will change the DST IP to the internal address and route it according to the SRC zone's rules
  3. This rule can be duplicated as needed for other VLANs/zones, of course
  4. This takes more CPUs in your router to implement

EDIT: Did you actually create/apply a rule for the OpenWrt itself? :thinking:


The proper way of solving this is using a different subdomain for each host:

router.example.org
laptop.example.org
nas.example.org

Then set up static DHCP leases and utilize IPv6 to make it work globally.
You can also assign CNAME to specific hosts to flexibly manage their roles.

Another approach is based on dynamic LAN configuration that relies on mDNS/LLMNR.

CNAMEs translate to an A or AAAA (and RFCs forbid nested CNAMEs - though I don't think that applies here)...how does this approach work?

Wouldn't the A/AAAA be the same WAN IP (in case of IPv6 it should be the host, I agree)?

It sounds like the OP doesn't wish to perform Local DNS Poisoning (or in local cases a.k.a. "Split Horizon DNS") to solve the problem.


I adjusted the wording, hope it's less confusing.
That's why I mentioned IPv6 and mDNS/LLMNR to avoid split-DNS.


Hi,
Your reply is appreciated.
As a beginner, I find it hard to achieve a full understanding of the information you provided. Really sorry for that.
However, I am certain now that traffic from OpenWrt itself will not go through the wan (port forwarding) or lan (NAT loopback) rules on the firewall, right? If OpenWrt tries to access myDomain.org:1111, it will access 127.0.0.1:1111. Am I right? (myDomain.org resolves to the public IP of OpenWrt)

Did you actually create/apply a rule for the OpenWrt itself?

No, I guess LuCI's UI just doesn't let beginners do this easily. So could you please give me an example of how to write a custom rule for OpenWrt itself? (i.e. when OpenWrt tries to access "myDomain.org:1111", redirect it to "192.168.1.5:1111")

I want to figure this out first before I try other methods. It's really a good point to start learning about routing.

By the way, would it be a reasonable recommendation to add an option for this to LuCI's UI? i.e. when setting the port forwarding rules, there could be an option called, e.g., "lo loopback", to let OpenWrt itself follow the rule. Just like the "NAT Loopback" option, thanks to which I don't have to set it up manually. If it's reasonable, please pass it on to the developers.

Correct, rules into the router are INPUT; but that's not what you're doing - so I didn't understand the question.

How would the developers know what IP you wanted looped to?

To be clear...you're running a VPN or SSH tunnel from your router and accessing the server doesn't work?

Otherwise, I don't get this "OpenWrt itself" thing.

I donno how in LuCI unless I just take a pic - this is a port forward to redirect to a server on its internal IP:

config redirect
	option target 'DNAT'
	option src 'wan'
	option proto 'tcp'
	option src_dport '80'
	option dest_port '80'
	option src_ip '192.168.1.0/24'
	option name 'REDIRECT_HTTP_LAN'
	option dest_ip '<LAN_IP>'
	option dest 'lan'

Hi,
Thanks a lot.
Utilizing IPv6 is really an elegant solution.
I prefer to use IPv6 after my local telecom operator completes its optimization for it.

Hi,
To be clear, there is an application installed on the OpenWrt, and it uses curl to get the subscribe content. The subscribe link is "http://myDomain.org:1111/.....". Well, "myDomain.org:1111" should be redirected to "192.168.1.5:1111".

How would the developers know what IP you wanted looped to?

When setting the port forwarding rules by using LuCI's UI, every piece of information is provided.

config redirect
	option target 'DNAT'
	option src 'wan'
	option proto 'tcp'
	option src_dport '80'
	option dest_port '80'
	option src_ip '192.168.1.0/24'
	option name 'REDIRECT_HTTP_LAN'
	option dest_ip '<LAN_IP>'
	option dest 'lan'

I don't think this will work, since the source is still 'wan'.

The following rule already exists, but it doesn't work for OpenWrt itself:

config redirect
	option target 'DNAT'
	option name 'Ex'
	option src 'wan'
	option src_dport '1111'
	option dest 'lan'
	option dest_ip '192.168.1.5'
	option dest_port '1111'
	list proto 'tcp'

Wait...why don't you change the address in the script?

:confused:

I don't think what you're asking is possible with a firewall rule. The router cannot firewall from itself. The traffic would only pass the firewall during OUTPUT.

You're basically saying "when I see traffic from me to my WAN IP (which is correct, as you improperly noted) - DNAT to another IP"????

Just use the correct IP.


Wait...why don't you change the address in the script?

Yes, if I change the address to the internal IP, it works. But there are also sub links in the content, and I have to change all of them. So, I have to prepare two versions of subscribe files, one for the OpenWrt and another for the rest of the devices.
NAT Loopback unifies the subscribe file for public and local access, but now a subscribe file with the internal IP is still required for OpenWrt itself, and I have to maintain two versions of subscribe files.

I don't think what you're asking is possible with a firewall rule. The router cannot firewall from itself. The traffic would only pass the firewall during OUTPUT.

There should be a way to work it out. As far as I know, it is possible to let traffic to 127.0.0.1:(a port) be redirected to another IP.

You're basically saying "when I see traffic from me to my WAN IP (which is correct, as you improperly noted) - DNAT to another IP"????

Yes. When I see traffic from other devices to my WAN IP (on a specified port), redirect it to another IP. Why not let the traffic from myself also obey the rule?

Thanks a lot.
I will keep digging.

run luci on nginx and write a reverse proxy rule for it? openwrt has nginx in its repo (but uhttpd collides, so you will want to rebuild the image with luci-nginx-tls and without luci (so no uhttpd installed)
(but this terminates tls on the router, so probably not fast enough for gigabit if it isn't an arm SBC or x86. but it's just web pages that matter so it's unlikely to affect your other mass transfers (SFTP/samba etc)

Hi,
I just figured it out.
The following script will do the job.
Since traffic from OpenWrt itself will not go through PREROUTING, OUTPUT is targeted.

# Locally generated packets to myDomain.org:1111 get their destination rewritten
# to the NAS before routing (the name is resolved once, when the rule is added).
iptables -t nat -A OUTPUT -d myDomain.org -p tcp --dport 1111 -j DNAT --to-dest 192.168.1.5:1111

or, a more elegant way to get rid of domain name, by referring to wan IP:

# Load OpenWrt's network helpers and look up the current WAN interface and its IPv4 address.
. /lib/functions/network.sh
network_flush_cache
network_find_wan NET_IF
network_get_ipaddr NET_ADDR "${NET_IF}"
# Same OUTPUT-chain DNAT as above, but matching the WAN address directly instead of the domain name.
iptables -t nat -A OUTPUT -d "${NET_ADDR}" -p tcp --dport 1111 -j DNAT --to-dest 192.168.1.5:1111

Hope no side effects will be introduced.
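The OUTPUT-chain DNAT from the post above, wrapped as an added example (not code from the thread or from OpenWrt) that validates its inputs and only adds the rule if it is not already present, since an `iptables -A` in a reload hook would otherwise stack duplicates. It assumes the legacy fw3/iptables firewall the thread uses; on fw4 (nftables, OpenWrt 22.03 and later) the same idea needs an nftables `output` nat hook instead, and the `wan_ipv4` helper only works on the router itself.

```shell
#!/bin/sh
# Added example, not part of the original thread. Sample values used in the
# comments (203.0.113.7 as WAN address, 192.168.1.5:1111 as the NAS) are constructed.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr . ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# Return 0 if $1 is a TCP port number in 1..65535.
is_port() {
    echo "$1" | grep -Eq '^[0-9]{1,5}$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the rule specification (chain plus match/target, without -A/-C) that
# rewrites the router's own connections to WAN_ADDR:PORT to DEST_IP:PORT.
# Fails, printing nothing, when any argument is malformed.
output_dnat_spec() {
    wan_addr=$1; port=$2; dest_ip=$3
    is_ipv4 "$wan_addr" && is_ipv4 "$dest_ip" && is_port "$port" || return 1
    echo "OUTPUT -d $wan_addr -p tcp --dport $port -j DNAT --to-destination $dest_ip:$port"
}

# Add the rule to the nat table only if an identical one is not already there,
# so the function is safe to call repeatedly (e.g. from a firewall reload hook).
apply_output_dnat() {
    spec=$(output_dnat_spec "$@") || return 1
    # shellcheck disable=SC2086   # word splitting of $spec is intended
    iptables -t nat -C $spec 2>/dev/null || iptables -t nat -A $spec
}

# Resolve the current WAN IPv4 address with the helpers shown in the thread
# (hypothetical wrapper; runs only on an OpenWrt router).
wan_ipv4() {
    . /lib/functions/network.sh
    network_flush_cache
    network_find_wan NET_IF
    network_get_ipaddr NET_ADDR "$NET_IF"
    echo "$NET_ADDR"
}

# Typical use on the router: apply_output_dnat "$(wan_ipv4)" 1111 192.168.1.5
```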
