I have a NAS connected to the LAN of OpenWrt, and in order to access my NAS by domain name (or public IP) from anywhere, I set a port forwarding rule for it.
Now my NAS is accessible by domain from both outside and inside (thanks to NAT loopback).
A few days ago, I installed an app on OpenWrt, and this app needs a subscribe link to keep updated. Hey, I have a NAS, so I just use my NAS to host this subscribe link.
However, this app on OpenWrt just can't connect to my NAS by domain name (or public IP).
According to the doc of this app, it uses 'curl' to get the subscribe content. So I tried it via SSH, and the error message is "curl: (56) Recv failure: Connection reset by peer".
It doesn't seem that port forwarding or NAT loopback is applied to OpenWrt itself at all.
What a black hole.
So, how can I let OpenWrt itself access the local servers by public IP and port?
Thanks for your reply, but rebinding the domain to a single private IP is not what I want.
There could be several servers on the local net. If I rebind the domain to the NAS, I will not be able to access OpenWrt by the domain locally.
Currently, I can access remote ports both externally and locally, but not from OpenWrt itself.
Of course you can't - unless I missed the reasoning for your response to @vgaetera, you merely re-stated your issue/technical limitation.
"NAT Loopback" as implemented in OpenWrt refers to the host IP itself only
This is not suggested by most Regulars here; but you can make a NAT redirect for traffic to WAN @ port - DNAT to the IP in the SRC network - this will change the DST IP to the internal address and route it according to the SRC zone's rules
This rule can be duplicated as needed for other VLANs/zones, of course
This takes more CPU in your router to implement
EDIT: Did you actually create/apply a rule for OpenWrt itself?
Your reply is appreciated.
As a beginner, I find it hard to achieve a full understanding of the information you provided. Really sorry for that.
However, I am certain now that traffic from OpenWrt itself will not go through the wan (port forwarding) or lan (NAT loopback) rules on the firewall, right? If OpenWrt tries to access myDomain.org:1111, it will access 127.0.0.1:1111. Am I right? (myDomain.org resolves to the public IP of OpenWrt)
Did you actually create/apply a rule for OpenWrt itself?
No, I guess LuCI's UI just doesn't let beginners do this easily. So could you please give me an example of how to write a custom rule for OpenWrt itself? (i.e. when OpenWrt tries to access "myDomain.org:1111", redirect it to "192.168.1.5:1111")
I want to figure this out first before I try other methods. It's really a good point to start learning about routing.
By the way, is it a reasonable recommendation to add an option for this to LuCI's UI? i.e. when setting the port forwarding rules, there could be an option called, e.g. "lo loopback", to let OpenWrt itself follow the rule. Just like the "NAT Loopback" option, thanks to which I don't have to set it up manually. If it's reasonable, please hand it to the developers.
To be clear, there is an application installed on OpenWrt, and it uses curl to get the subscribe content. The subscribe link is "http://myDomain.org:1111/.....". Well, "myDomain.org:1111" should be redirected to "192.168.1.5:1111".
How would the developers know what IP you wanted looped to?
When setting the port forwarding rules using LuCI's UI, every piece of information is provided.
config redirect
	option target 'DNAT'
	option src 'wan'
	option proto 'tcp'
	option src_dport '80'
	option dest_port '80'
	option src_ip '192.168.1.0/24'
	option name 'REDIRECT_HTTP_LAN'
	option dest_ip '<LAN_IP>'
	option dest 'lan'
I don't think this will work, since the source is still 'wan'.
The following rule already exists, but it doesn't work for OpenWrt itself:
config redirect
	option target 'DNAT'
	option name 'Ex'
	option src 'wan'
	option src_dport '1111'
	option dest 'lan'
	option dest_ip '192.168.1.5'
	option dest_port '1111'
	list proto 'tcp'
Wait...why don't you change the address in the script?
Yes, if I change the address to the internal IP, it works. But there are also sub-links in the content, and I would have to change all of them. So I would have to prepare two versions of the subscribe file, one for OpenWrt and another for the rest of the devices.
NAT loopback unifies the subscribe file for public and local access, but now a subscribe file with the internal IP is still required for OpenWrt itself, and I have to maintain two versions of subscribe files.
I don't think what you're asking is possible with a firewall rule. The router cannot firewall from itself. The traffic would only pass the firewall during OUTPUT.
There should be a way to work it out. As far as I know, it is possible to redirect traffic to 127.0.0.1:(a port) to another IP.
You're basically saying "when I see traffic from me to my WAN IP (which is correct, as you improperly noted) - DNAT to another IP"????
Yes. When I see traffic from other devices to my WAN IP (on a specified port), redirect it to another IP. Why not let the traffic from myself also obey the rule?
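The point made above is the key one: a packet the router generates itself never passes the prerouting hook where fw4's dstnat (port forward) and NAT loopback rules live, only the output hook. So the rule has to be placed in an output-hook nat chain. The script below is an added example written for this thread, not code from the original posts or from the OpenWrt project. It reads `uci export firewall`, mirrors every `config redirect` with `target DNAT` from the `wan` zone into an nftables chain of type `nat hook output`, and drops that chain into an fw4 include file. Assumptions: OpenWrt 22.03 or later with fw4 (files in /etc/nftables.d/*.nft are included inside `table inet fw4`); the file name `90-lo-dnat.nft` and chain name `dstnat_lo` are my own choice; the WAN address 203.0.113.10 and the `sample_export` config below are constructed test data. Only the `install` subcommand touches the system.

```shell
#!/bin/sh
# Added example: make the router itself follow its own DNAT port forwards.
# Assumes fw4 (OpenWrt 22.03+), where /etc/nftables.d/*.nft is included inside
# "table inet fw4". File and chain names below are assumptions, not fw4 defaults.
NFT_FILE="/etc/nftables.d/90-lo-dnat.nft"

# lo_dnat_rules WAN_IP  <  "uci export firewall"
# Prints one nft rule per (protocol, port) for every "config redirect" whose
# target is DNAT and src zone is wan. dest_port defaults to src_dport and
# proto defaults to "tcp udp", matching fw4's own defaults.
lo_dnat_rules() {
    awk -v wan="$1" -v q="'" '
    function emit(pr) {
        printf "\tip daddr %s %s dport %s dnat ip to %s:%s\n", wan, pr, sdport, dest_ip, dport
    }
    function flush(   n, i, p) {
        if (sec == "redirect" && target == "DNAT" && src == "wan" && dest_ip != "" && sdport != "") {
            if (dport == "") dport = sdport
            if (proto == "") proto = "tcp udp"
            n = split(proto, p, /[ ,]+/)
            for (i = 1; i <= n; i++) {
                if (p[i] == "tcpudp") { emit("tcp"); emit("udp") }
                else if (p[i] == "tcp" || p[i] == "udp") emit(p[i])
            }
        }
        sec = ""; target = ""; src = ""; dest_ip = ""; sdport = ""; dport = ""; proto = ""
    }
    $1 == "config" { flush(); sec = $2; next }
    $1 == "option" || $1 == "list" {
        val = $0
        sub(/^[ \t]*(option|list)[ \t]+[^ \t]+[ \t]+/, "", val)   # keep the value only
        gsub(q, "", val)                                          # strip UCI quotes
        if ($2 == "target") target = val
        else if ($2 == "src") src = val
        else if ($2 == "src_dport") sdport = val
        else if ($2 == "dest_ip") dest_ip = val
        else if ($2 == "dest_port") dport = val
        else if ($2 == "proto") proto = (proto == "" ? val : proto " " val)
    }
    END { flush() }
    '
}

# lo_dnat_chain WAN_IP  <  "uci export firewall"
# Wraps the rules in an output-hook nat chain; priority -100 matches the
# priority fw4 uses for its prerouting dstnat chain.
lo_dnat_chain() {
    printf 'chain dstnat_lo {\n'
    printf '\ttype nat hook output priority -100; policy accept;\n'
    lo_dnat_rules "$1"
    printf '}\n'
}

# Constructed sample of "uci export firewall": one tcp forward, one tcp+udp
# forward, and a non-DNAT section that must be ignored.
sample_export() {
cat <<'EOF'
package firewall

config redirect
    option target 'DNAT'
    option name 'Ex'
    option src 'wan'
    option src_dport '1111'
    option dest 'lan'
    option dest_ip '192.168.1.5'
    option dest_port '1111'
    list proto 'tcp'

config redirect
    option target 'DNAT'
    option name 'Both'
    option src 'wan'
    option src_dport '2222'
    option dest 'lan'
    option dest_ip '192.168.1.6'
    option proto 'tcp udp'

config redirect
    option target 'SNAT'
    option src 'lan'
    option src_dport '3333'
    option dest_ip '192.168.1.7'
EOF
}

# "install": generate the include from the live config and reload fw4.
# Re-run (e.g. from /etc/hotplug.d/iface) whenever the WAN address changes.
if [ "${1:-}" = "install" ]; then
    . /lib/functions/network.sh
    network_get_ipaddr wan_ip wan
    [ -n "$wan_ip" ] || { echo "wan has no IPv4 address" >&2; exit 1; }
    uci export firewall | lo_dnat_chain "$wan_ip" > "$NFT_FILE"
    /etc/init.d/firewall reload
elif [ "${1:-}" = "demo" ]; then
    sample_export | lo_dnat_chain 203.0.113.10
fi
```

Running `sh lo-dnat.sh demo` prints the chain for the constructed sample; `sh lo-dnat.sh install` writes it for the real config. Only the destination is rewritten: the NAS sees a connection from the router's WAN address, which it reaches through its default gateway (the router), so conntrack reverses the DNAT on the replies and no SNAT is needed. Because the WAN address is matched literally, the file must be regenerated when that address changes.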
Run LuCI on nginx and write a reverse proxy rule for it? OpenWrt has nginx in its repo (but uhttpd collides, so you will want to rebuild the image with luci-nginx-tls and without luci (so no uhttpd installed)).
(But this terminates TLS on the router, so it's probably not fast enough for gigabit if it isn't an ARM SBC or x86. But it's just web pages that matter, so it's unlikely to affect your other mass transfers (SFTP/Samba etc.).)