Port-forwarding with mwan3 not working for one wan

hexen · April 6, 2025, 3:19pm

Hello.

I have a turris router with two internet links connected to it (say wanA and wanB), and I am using mwan3 for load balancing those two links.

I have a few servers behind this router which I am using port-forwarding. So far all my servers are being accessed via wanA.
I was trying to setup port-forwarding to a new server so that incoming connections from wanB would be routed to this server.

I used luci to setup the port-forwarding, but I can't make it work.

I was using tcpdump/wireshark to find out if the incoming connections were reaching my server, behind the router, and indeed it is.
So I believe the replies to these incoming connections are going to lalaland instead of back to the client. For context, it is a webserver, but any other service is facing the same issue

I can see the incoming SYN connections, and my server replying the SYN/ACK, but seems like the router isn't properly sending the packets back to the client.
I'm guessing it's something related to the routing, but I'm not sure how to fix it.
Could somebody help me debug it?
Thanks

brada4 · April 6, 2025, 3:28pm

Please post output of

ubus call system board

Check conntrack -E whether translation applies
Or trace nftables (change port obviously)

github.com/openwrt/openwrt

DNS hijack rule does not apply DNAT reliably

opened 07:01PM - 31 Mar 25 UTC

mark8223

target/ramips bug Official Image Supported Device release/24.10

### Describe the bug Have a DNS hijack rule for IPv6 that DNAT's packets to Goo…gle's DNS server as follows: ``` config redirect option dest 'wan' option target 'DNAT' option name 'Hijack-DNS-IPv6' option src 'lan' option src_dport '53' option dest_ip '2001:4860:4860::8888' option family 'ipv6' list src_mac '$clientMAC' ``` Then from an iOS client with iSH shell app, fire off a DNS query to a fictional server that should get hijacked by the rule and DNAT'ed: ``` nslookup google.com fd::1 ``` This will fire off an A query and an AAAA query very close to each other. Listening with tcpdump on the wan interface of the router you'll see the A query being DNAT'ed, but the AAAA query goes out to the internet still with the original destination (obviously wrong and undesired behavior): ``` 11:53:01.900537 Out ethertype IPv6 (0x86dd), length 92: $clientIPv6.61581 > 2001:4860:4860::8888.53: 27025+ A? google.com. (28) 11:53:01.900584 Out ethertype IPv6 (0x86dd), length 92: $clientIPv6.61581 > fd::1.53: 53025+ AAAA? google.com. (28) ``` This should not ever happen, as any IPv6 packet on port 53 should be caught by the rule and DNAT'ed. ### OpenWrt version r28427-6df0e3d02a ### OpenWrt release 24.10.0 ### OpenWrt target/subtarget ramips/mt7621 ### Device TP-Link Archer C6U v1 ### Image kind Official downloaded image ### Steps to reproduce Install rule as in the example. Get an iOS phone and install iSH app then fire off an `nslookup` as above. I don't know what's special about this client, but it's able to generate the second packet that is not DNAT'ed correctly by the rule. Other Linux-based nslookup clients I have seem to not be able to reproduce this. ### Actual behaviour AAAA query shortly after A query is not DNAT'ed. ### Expected behaviour Both A and AAAA queries should be DNAT'ed. ### Additional info This bug reproduces 100% of the time on 24.10 and 0% of the time on 23.05. ### Diffconfig ```text ``` ### Terms - [x] I am reporting an issue for OpenWrt, not an unsupported fork.

hexen · April 6, 2025, 3:31pm

# ubus call system board
{
	"kernel": "5.15.148",
	"hostname": "turris",
	"system": "ARMv7 Processor rev 1 (v7l)",
	"model": "Turris Omnia",
	"board_name": "cznic,turris-omnia",
	"rootfs_type": "btrfs",
	"release": {
		"distribution": "TurrisOS",
		"version": "7.1.4",
		"revision": "r20343+130-4e1d1b7df0",
		"target": "mvebu/cortexa9",
		"description": "TurrisOS 7.1.4 4e1d1b7df0ce6fa96d7462dc883917682f428046"
	}
}

hexen · April 6, 2025, 3:40pm

What I can see on the conntrack -E output is essentially, for obvious reasons I trimmed the IP public addresses :
...186 is the client I'm using to test
...158.184 is my router's WAN
10.0.0.99 is my server behind the router.

    [NEW] tcp      6 120 SYN_SENT src=...186 dst=.158.184 sport=15500 dport=80 [UNREPLIED] src=10.10.0.99 dst=....112.186 sport=80 dport=15500 mark=256
 [UPDATE] tcp      6 60 SYN_RECV src=....186 dst=....158.184 sport=15489 dport=80 src=10.10.0.99 dst=.....186 sport=80 dport=15489 mark=256
 [UPDATE] tcp      6 60 SYN_RECV src=....186 dst=....158.184 sport=15500 dport=80 src=10.10.0.99 dst=....186 sport=80 dport=15500 mark=256

I can see the connection requests, but I'm not sure how to interrpet it

hexen · April 20, 2025, 9:28am

I've fixed it, so, just leaving the solution here in case somebody steps on it in the future.

My configuration was missing a policy/rule pair in my mwan3 configuration to allow traffic from my internal server to be routed back to a specific wan, instead of the default gateway, detailed steps on how to configure it are here:

https://openwrt.org/docs/guide-user/network/wan/multiwan/mwan3#controlling_the_mapping_between_internal_ip_sources_and_external_ips_and_interfaces