Router IP for forwarded connections + IPv6 problem

Hello! I like OpenWRT, but I just ran into a couple of issues wrt. port forwarding:

  1. LAN machines see the router IP as the client address instead of the client IP (see below, fixed)
  2. If I connect to the external IP hostname from LAN, I reach the router instead of the LAN machine (due to IPv6)

For 1. I tried configuring the forward with external loopback source IP and I checked that masquerading is disabled for LAN (cf. Port Forwarding - router IP is shown instead of real one).

Here is my /etc/config/firewall:

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	list network 'wg0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	list network 'RDS'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'vpn'
	list network 'lan'
	list network 'wg0'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option masq '1'

config forwarding
	option dest 'lan'
	option src 'vpn'

config forwarding
	option dest 'vpn'
	option src 'lan'

config rule
	option name 'Allow-WireGuard'
	option proto 'udp'
	option src 'wan'
	option dest_port '51820'
	option target 'ACCEPT'

config redirect
	option target 'DNAT'
	option name 'HTTPS'
	list proto 'tcp'
	option src 'wan'
	option src_dport '443'
	option dest 'lan'
	option dest_ip '192.168.2.239'
	option dest_port '443'
	option reflection_src 'external'

config redirect
	option target 'DNAT'
	option name 'Quassel'
	list proto 'tcp'
	option src 'wan'
	option src_dport '4242'
	option dest 'lan'
	option dest_ip '192.168.2.239'
	option dest_port '4242'
	option reflection_src 'external'

config redirect
	option target 'DNAT'
	option name 'SSH'
	list proto 'tcp'
	option src 'wan'
	option src_dport '22'
	option dest 'lan'
	option dest_ip '192.168.2.239'
	option dest_port '22'
	option reflection_src 'external'

config redirect
	option target 'DNAT'
	option name 'HTTP'
	list proto 'tcp'
	option src 'wan'
	option src_dport '80'
	option dest 'lan'
	option dest_ip '192.168.2.239'
	option dest_port '80'
	option reflection_src 'external'

lan and wg0 interfaces belong to lan and vpn zones. They must belong to one zone only.
Is there a specific need for external loopback?
In general nat loopback utilizes cpu resources for something that normally is intralan traffic. You can use the internal IP directly, an internal name, or set up an external hostname. (https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#domains)

1 Like

lan and wg0 interfaces belong to lan and vpn zones. They must belong to one zone only.

I tried to uncheck wg0 from the "covered zones" list, but it shows up again when I reopen it. Editing the config file seems to have fixed problem 1, but 2 still happens.

In general nat loopback utilizes cpu resources for something that normally is intralan traffic.

Setting up DNS entries might be a good idea, but generally I'm fine with the loopback -- the overhead doesn't matter for my services.

After reading the docs for the reflection_src option:

The source address to use for NAT-reflected packets if reflection is 1. This can be internal or external, specifying which interface’s address to use. Applicable to DNAT targets.

I think I don't need it. As for my second problem, I'm still unsure.

Hmm, the second problem is related to IPv6 -- I was connecting to the router's v6 address, which doesn't use NAT.

To be honest I don't understand what the first problem is. The sentence doesn't make sense to me. Maybe you could explain it with an example?

To be honest I don't understand what the first problem is.

It's working now, but connections coming from WAN showed up with the router IP, as in SNAT (IIUC). So if an external computer connected to e.g. SSH on a LAN computer, sshd printed the router IP in the logs instead of the real address of the client.

Because you had the lan interface in the vpn zone and masquerade was enabled.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

2 Likes
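As an added illustration of the two points raised in the replies (a network listed in more than one zone, and masquerading enabled on a zone that contains lan, which is what made forwarded connections show the router's address), here is a small Python audit that is not from the thread or from OpenWrt; it parses a constructed excerpt of the config posted above and reports both conditions.

```python
"""Audit an OpenWrt firewall config for the two zone problems from the thread:
a network in more than one zone, and masquerading on a zone holding lan."""
import re

# Constructed excerpt mirroring the thread's config: lan and wg0 are listed in
# both the 'lan' zone and the masquerading 'vpn' zone; wan masquerades normally.
SAMPLE_CONFIG = """
config zone
\toption name 'lan'
\tlist network 'lan'
\tlist network 'wg0'
config zone
\toption name 'wan'
\tlist network 'wan'
\toption masq '1'
config zone
\toption name 'vpn'
\tlist network 'lan'
\tlist network 'wg0'
\toption masq '1'
"""
_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'?([^']*)'?)?\s*$")

def parse_uci(text):
    """Minimal UCI parser: returns [(section_type, {key: [values]})]."""
    sections = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and m[1] == "config":
            sections.append((m[2], {}))
        elif m and sections:
            sections[-1][1].setdefault(m[2], []).append(m[3])
    return sections

def audit_zones(sections, lan_side=("lan",)):
    """Return (check, detail) findings; lan_side = networks that must not be SNATed."""
    findings, owners = [], {}
    for kind, opts in sections:
        if kind != "zone":
            continue
        zone, nets = opts.get("name", ["?"])[0], opts.get("network", [])
        for net in nets:
            owners.setdefault(net, []).append(zone)  # zones claiming this network
        if opts.get("masq", ["0"])[0] == "1" and set(nets) & set(lan_side):
            findings.append(("masq-on-lan", zone))  # forwarded traffic gets SNATed
    for net, zones in owners.items():
        if len(zones) > 1:  # each network must belong to exactly one zone
            findings.append(("multi-zone", f"{net}: {', '.join(zones)}"))
    return findings
```

Moving lan out of the vpn zone, leaving only wg0 there, clears both findings.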

Yeah, I guess I'll make another topic for the second issue.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.