Port forwarding lan to lan

I'm trying to set up a port forward on my local network because I have one locked-down laptop with very restrictive firewall.

When I use microsoft rdp from the locked down device to 141.92.156.2:80 I want it to connect to 192.168.0.117:3389 (default rdp port of another machine on my network)

So far no joy, can anyone shed some insight, here is the etc/config/firewall entry

config redirect
        option target 'DNAT'
        option proto 'tcp udp'
        option src_dip '141.92.156.2'
        option src_dport '80'
        option dest_ip '192.168.0.117'
        option dest_port '3389'
        option name 'annapurna156'
        option dest 'lan'
        option src 'lan'

I am not sure what are you trying to achieve there.
LAN to LAN traffic will most likely not hit the firewall at all, unless the two hosts are connected to different interfaces on the router, both belonging to the LAN firewall zone.
Explain a bit better the problem and you'll get more feedback.


Thanks for your reply.

The question is really about how to set up a port forward to make an rdp request to one ip:port equivalent to another ip:port.

The firewall I mention is on the client device, not the router, and is definitely blocking my attempts to rdp to my other device.

I know this is possible, as I've had it working before, just need to get the configuration right.

Could you be more specific with IP/Ports and what are the limitations of the firewall on client device?


@waxingsatirical, welcome to the community!

If all of this traffic occurs within LAN, then the firewall is on the local machine - you'd set it up there.

Then why are you asking in the OpenWrt forum?

Next:


Please don't involve us in trying to open a RDP backdoor at one of the most well-known financial institutions in the world.

OK, this was confusing, my mistake. There is a firewall on the locked down device which I cannot touch. The port-forwarding needs to be set up under the firewall rules of my openwrt router. Both the locked down device and the target are connected to the 'lan' side of the openwrt router.

Does that make sense?

I'm not sure why you quoted your words as mine, but OK...

Please clearly explain what port you wish to open on this device (I'm guessing RDP 3398/udp).

Please explain this - how port 80 on a public IP to a bank gets involved, if your devices are all on LAN.

Yes, and you were told:

So please explain why you want to place rules in the OpenWrt - as if it will control any firewall between the 2 devices on the same broadcast domain?

Also, the 2 IPs you show are not in the same subnet, so it brings more confusion regarding your "devices are on LAN side" description. Lastly, you still haven't explained why you're trying to backdoor the IP of a bank to get to a desktop.

OK, let's try a different approach.

I open the locked down device, I open Microsoft rdp, I type in 141.92.156.2:80, it opens a rdp session to another machine, also on my network, with ip 192.168.0.117

What port forwarding rule can I setup on my router to enable this.

  • None, not possible if these IPs are not on the same LAN.
  • The router is not involved if they are on the same LAN.
  • If they are on a different network, src and dst network cannot both be LAN
  • These IPs have different subnet numbering, so they cannot both be on LAN

Now if you're really being honest about thinking you control the firewall at a bank for real...you'd make a port forward from WAN to LAN (not LAN to LAN). Otherwise your port forward rule was OK (except you can remove the public IP, and RDP is only TCP).

But none of this works until you can open the client's firewall, which you admit that you do not control.

Wow, are you trolling me? I'm finding it hard to describe this in simpler terms. But here goes again.

Imagine you are in your house, you have 2 machines A & B, which have ip addresses 1 & 2 respectively. You connect them together with a router, that is also in your house. Are you telling me it is impossible to set up the router so that when machine A opens a connection to ip address 3, it in fact gets routed to machine B?

Is this not the essence of port-forwarding? I know it is not impossible because, like I said, I have had it working before.

Wait...are you now saying that you have TWO routers?

  • Can you draw a diagram?
  • Are you using public IP space on one of these router networks?
  • Are these IPs in the same subnet?
  • Are they in the same physical network?

:man_facepalming:

Then the rule would be WAN to LAN as I noted above:

Also, you might wish to consider not using IP space that belongs to Lloyd's of London, it would really fix a lot of confusion.

Ok, you are trolling me. Fine. Well done.

  • You said devices are on same network
  • then you mention another router (i.e. not on the same network)
  • you provided a public IP address for one of the networks, twice - and you won't explain it
  • you won't explain how traffic will access the RDP machine if you can't open its firewall
  • and I told you EXACTLY how the firewall rule needs to be edited if you had a router, twice

config redirect
        option target 'DNAT'
        option proto 'tcp'
        option src_dport '80'
        option dest_ip '192.168.0.117'
        option dest_port '3389'
        option name 'annapurna156'
        option dest 'lan'
        option src 'wan'

So now, how in the world am I trolling you!?!?

The solution is @lleachii's code with loopback option enabled to redirect traffic from lan zone as well.

I only thought this worked from the IP in question (192.168.0.117); but otherwise, I also agree with your conclusion - given the scarce information the OP provided.

I honestly think the OP is using public address space (perhaps on one interface) and doesn't realize it...or wants to use a "hidden subnet" on the same LAN by forcing the firewall to redirect the packet....but then perhaps the OP's terminology in computer networking is not clear enough to convey that...

No, nobody is trolling you here. All answers you have received seem to me insightful and appropriate. You either do not know what you are doing, or are not capable of explaining yourself.

tcpdump -n -i any tcp port 80 or tcp port 3389

It's OK I've got it, was a couple of things, firstly the src had to be 'wan', I guess I was confused because both machines were on my network, I thought it would be 'lan' to 'lan'.

Secondly, I needed to set up a static route from 141.92.156.2 to 192.168.0.117. Can't share the config as I did this via the Luci interface.

Maybe the second step is only needed because there's something wrong with the port forward config, but anyway, it's working!

config redirect
        option target 'DNAT'
        option proto 'tcp udp'
        option src_dip '141.92.156.2'
        option src_dport '80'
        option dest_ip '192.168.0.117'
        option dest_port '3389'
        option name 'annapurna156'
        option dest 'lan'
        option src 'wan'
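A small lint for redirect stanzas like the ones in this thread, added here as an example (it is not part of the thread, nor an OpenWrt tool): it parses `config redirect` sections from /etc/config/firewall text and flags the points raised above (src and dest in the same zone, udp on the RDP port, a public src_dip, reflection switched off). The two sample stanzas are constructed from the values posted in this thread.

```python
import ipaddress
import re

# Constructed sample: the original lan-to-lan stanza from this thread, and
# the corrected one (src 'wan', tcp only, reflection left at its default).
ORIGINAL = """config redirect
        option target 'DNAT'
        option proto 'tcp udp'
        option src_dip '141.92.156.2'
        option src_dport '80'
        option dest_ip '192.168.0.117'
        option dest_port '3389'
        option dest 'lan'
        option src 'lan'
"""
FIXED = ORIGINAL.replace("'tcp udp'", "'tcp'").replace("option src 'lan'", "option src 'wan'")

def parse_redirects(text):
    """Collect the option/value pairs of every 'config redirect' stanza."""
    stanzas, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("config "):
            # Only redirect sections are kept; other section types are skipped.
            current = {} if line.split()[1] == "redirect" else None
            if current is not None:
                stanzas.append(current)
        elif current is not None:
            m = re.match(r"option\s+(\w+)\s+'([^']*)'", line)
            if m:
                current[m.group(1)] = m.group(2)
    return stanzas

def lint_redirect(opts):
    """Flag the mistakes discussed in the thread; returns a list of findings."""
    findings = []
    if opts.get("src") == opts.get("dest"):
        findings.append("same-zone redirect: lan-to-lan traffic never hits the DNAT rule")
    if opts.get("dest_port") == "3389" and "udp" in opts.get("proto", "").split():
        findings.append("RDP listens on tcp only: drop udp from proto")
    dip = opts.get("src_dip")
    if dip and not ipaddress.ip_address(dip).is_private:
        findings.append(f"src_dip {dip} is public address space, not a private range")
    if opts.get("reflection") == "0":
        findings.append("reflection disabled: lan clients cannot reach this redirect")
    return findings

def lint_config(text):
    """Lint every redirect stanza in a firewall config; one finding list per stanza."""
    return [lint_redirect(s) for s in parse_redirects(text)]
```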

I explain above the issue; but you think I'm trolling you or something. Smh.

I thought you may have had the decency and honor to apologize, instead you act like I didn't provide this information.

Nonetheless, as others can now see, you are using a public IP belonging to a bank somewhere in your network. This is likely why rigging some weird route and port forward, instead of configuring it correctly, is even necessary to accomplish your goal.

If you configured this network range as normal, it likely wouldn't be necessary for you to route IPs from a bank to your RDP computer.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.