Port forwarding works only from wwan, not from lan

giovannic · September 9, 2020, 8:13pm

I have just set up an extremely simple port forwarding rule so that when I want to connect to my server the router redirects https traffic to the server (in lan area). However, the rule applies only to traffic incoming from wwan area, not to local traffic.
Example: i can connect to the server normally from outside my network (eg. from my smartphone), but not from my laptop that is connected to the same network.
I'm quite new to this, but shouldn't this be handled by the option "Enable NAT Loopback" (that I have ticked in the rule configuration)?

What am I doing wrong?

I am running OpenWrt 18.06.2 r7676-cddd7b4c77 / LuCI openwrt-18.06 branch (git-19.020.41695-6f6641d)
Below is a screenshot of the rule I added in the "Port forwards" section of the UI.

This is the configuration of /etc/config/firewall:

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '443'
	option dest_ip '192.168.1.131'
	option dest_port '443'
	option name 'https'

vgaetera · September 9, 2020, 8:43pm

Actually, this should be enabled by default.
Perhaps you should change the "Loopback source IP" to "Use external IP address".
In addition, the reflection works only when the source and the destination are in the same zone.

trendy · September 10, 2020, 7:47am

What is the output of iptables-save -c -t nat ?

giovannic · September 10, 2020, 11:44am

@vgaetera It is enabled by default indeed. Could you elaborate on that, please?

@trendy, here is the output for that specific rule. Do you need the whole output?
[1970:103120] -A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: https" -j DNAT --to-destination 192.168.1.131:443

trendy · September 10, 2020, 11:49am

I need to whole output.

giovannic · September 10, 2020, 12:02pm

root@OpenWrt:~# iptables-save -c -t nat
# Generated by iptables-save v1.6.2 on Thu Sep 10 11:43:13 2020
*nat
:PREROUTING ACCEPT [224757:27310746]
:INPUT ACCEPT [13676:933917]
:OUTPUT ACCEPT [41802:2919403]
:POSTROUTING ACCEPT [13420:929698]
:postrouting_guest_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_guest_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_guest_postrouting - [0:0]
:zone_guest_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[226736:27414322] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[52258:4960131] -A PREROUTING -i br-wan -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i eth1.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[138748:8507036] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[125328:7577338] -A POSTROUTING -o br-wan -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o eth1.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A zone_guest_postrouting -m comment --comment "!fw3: Custom guest postrouting rule chain" -j postrouting_guest_rule
[0:0] -A zone_guest_prerouting -m comment --comment "!fw3: Custom guest prerouting rule chain" -j prerouting_guest_rule
[0:0] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[125328:7577338] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[125328:7577338] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[52258:4960131] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[1970:103120] -A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: https" -j DNAT --to-destination 192.168.1.131:443
COMMIT
# Completed on Thu Sep 10 11:43:13 2020

trendy · September 10, 2020, 12:08pm

Reflection is not enabled.
Anyway I don't advice the use of reflection, since it utilizes router resources for intra-lan traffic. You can utilize an internal name for the server, like www.lan, or if you must use the public name create a hostname entry with the fqdn pointing to the internal address.

giovannic · September 10, 2020, 12:16pm

Thank you for the recommendation.
I suppose that I can do that by adding the following line to /etc/hosts:
192.168.1.131 my.domain.name
Correct?

trendy · September 10, 2020, 12:22pm

Better add it in dnsmasq
https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#domains

system · September 20, 2020, 12:22pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.