Nague
August 24, 2017, 12:21pm
1
I have multiple network interfaces attached to zone "lan". I've noticed that the router is doing DNAT redirection on routed lan-to-lan connections, based on redirections applied from wan to lan.
Here is an example:
config zone
    option name lan
    list network 'lan'
    list network 'wifi'
    option input ACCEPT
    option output ACCEPT
    option forward ACCEPT
=> lan interface is 192.168.0.1/24
=> wifi interface is 192.168.100.1/24
config redirect
    option src wan
    option dest lan
    option _name TEST
    option proto tcp
    option src_dport 8012
    option dest_ip 192.168.0.24
    option dest_port 8012
Redirection works as expected from wan to lan. But if I establish a TCP connection from a wifi host 192.168.100.x (zone lan) to 192.168.0.24:8012, the connection appears to come from 192.168.100.1 on 192.168.0.24, i.e. the router is doing DNAT on this connection too.
I think this behavior is confirmed by the results of the iptables-save command:
root@LEDE:~# iptables-save | grep 8012
-A zone_lan_postrouting -s 192.168.0.0/24 -d 192.168.0.24/32 -p tcp -m tcp --dport 8012 -m comment --comment "!fw3: @redirect[3] (reflection)" -j SNAT --to-source 192.168.0.1
-A zone_lan_postrouting -s 192.168.100.0/24 -d 192.168.0.24/32 -p tcp -m tcp --dport 8012 -m comment --comment "!fw3: @redirect[3] (reflection)" -j SNAT --to-source 192.168.100.1
-A zone_lan_prerouting -s 192.168.0.0/24 -d 176.x.y.z/32 -p tcp -m tcp --dport 8012 -m comment --comment "!fw3: @redirect[3] (reflection)" -j DNAT --to-destination 192.168.0.24:8012
-A zone_lan_prerouting -s 192.168.100.0/24 -d 176.x.y.z/32 -p tcp -m tcp --dport 8012 -m comment --comment "!fw3: @redirect[3] (reflection)" -j DNAT --to-destination 192.168.0.24:8012
-A zone_lan_prerouting -s 192.168.0.0/24 -d 10.x.y.z/32 -p tcp -m tcp --dport 8012 -m comment --comment "!fw3: @redirect[3] (reflection)" -j DNAT --to-destination 192.168.0.24:8012
-A zone_lan_prerouting -s 192.168.100.0/24 -d 10.x.y.z/32 -p tcp -m tcp --dport 8012 -m comment --comment "!fw3: @redirect[3] (reflection)" -j DNAT --to-destination 192.168.0.24:8012
-A zone_wan_prerouting -p tcp -m tcp --dport 8012 -m comment --comment "!fw3: @redirect[3]" -j DNAT --to-destination 192.168.0.24:8012
176.x.y.z and 10.x.y.z are both wan interface addresses.
By the way, using a different "src" zone (anything other than wan), I don't observe this behavior:
config redirect
    option src tun
    option dest lan
    option _name TEST
    option proto tcp
    option src_dport 8012
    option dest_ip 192.168.0.24
    option dest_port 8012
root@LEDE:~# iptables-save | grep 8012
-A zone_tun_prerouting -p tcp -m tcp --dport 8012 -m comment --comment "!fw3: @redirect[3]" -j DNAT --to-destination 192.168.0.24:8012
There is something specific in redirection rules from zone "wan". Can anyone explain to me why?
Please, post the complete config file here.
Nague
August 24, 2017, 1:48pm
3
@eduperez Here is the complete config file:
config defaults
    option synflood_protect 1
    option synflood_rate 25
    option synflood_burst 5
    option input ACCEPT
    option output ACCEPT
    option forward REJECT

config zone
    option name lan
    list network 'lan'
    list network 'wifi'
    option input ACCEPT
    option output ACCEPT
    option forward ACCEPT

config zone
    option name wan
    list network 'public'
    list network 'private'
    option input REJECT
    option output ACCEPT
    option forward REJECT
    option masq 1

config zone
    option name wan6
    list network 'henet'
    option input REJECT
    option output ACCEPT
    option forward REJECT
    option conntrack 1

config zone
    option name tun
    list network 'tun'
    option input ACCEPT
    option output ACCEPT
    option forward ACCEPT

config forwarding
    option src lan
    option dest wan

config forwarding
    option src tun
    option dest wan

config forwarding
    option src lan
    option dest tun

config forwarding
    option src tun
    option dest lan

config forwarding
    option src lan
    option dest wan6

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
    option src wan
    option proto udp
    option dest_port 68
    option target ACCEPT

# include a file with users custom iptables rules
config include
    option path /etc/firewall.user

config redirect
    option src wan
    option _name RDP
    option proto tcp
    option src_dport 3389
    option dest_ip 192.168.0.11

config redirect
    option src wan
    option _name RDP_2
    option proto tcp
    option src_dport 3390
    option dest_ip 192.168.0.110
    option dest_port 3389

config redirect
    option src wan
    option _name SUB
    option proto tcp
    option src_dport 1080
    option dest_ip 192.168.0.25
    option dest_port 80

config redirect
    option src wan
    option dest lan
    option _name TEST
    option proto tcp
    option src_dport 8012
    option dest_ip 192.168.0.24
    option dest_port 8012

config 'rule'
    option 'target' 'ACCEPT'
    option '_name' 'ICMP'
    option 'src' 'wan'
    option 'proto' 'icmp'

config 'rule'
    option 'target' 'ACCEPT'
    option '_name' 'GRE'
    option 'src' 'wan'
    option 'proto' '47'

config 'rule'
    option 'target' 'ACCEPT'
    option '_name' '6in4'
    option 'src' 'wan'
    option 'proto' '41'

config 'rule'
    option 'target' 'ACCEPT'
    option '_name' 'ICMP6'
    option 'src' 'wan6'
    option 'proto' 'ipv6-icmp'
    option 'family' 'ipv6'

config 'rule'
    option 'target' 'ACCEPT'
    option '_name' 'OPENVPN'
    option 'src' 'wan'
    option 'proto' 'udp'
    option 'dest_port' '1195'

config 'rule'
    option 'target' 'ACCEPT'
    option '_name' 'PNRP6'
    option 'src' 'wan6'
    option 'dest' 'lan'
    option 'proto' 'udp'
    option 'dest_port' '3540'
    option 'family' 'ipv6'

config 'redirect'
    option 'src' 'wan'
    option 'proto' 'tcp'
    option '_name' 'SSH_1'
    option 'src_dport' '22'
    option 'dest_ip' '192.168.0.12'

config 'redirect'
    option 'src' 'wan'
    option 'proto' 'udp'
    option '_name' 'OpenVPN'
    option 'src_dport' '1194'
    option 'dest_ip' '19.168.0.2'

config rule
    option 'src' 'wan'
    option 'proto' 'igmp'
    option 'target' 'ACCEPT'

config rule
    option 'src' 'wan'
    option 'proto' 'udp'
    option 'dest' 'lan'
    option 'dest_ip' '224.0.0.0/4'
    option 'target' 'ACCEPT'

config rule
    option 'src' 'wan'
    option 'proto' 'udp'
    option 'dest_ip' '224.0.0.0/4'
    option 'target' 'ACCEPT'
You put "option masq 1" in the WAN zone; that means all traffic to that zone is going to be NATed / masqueraded, as you have detected.
Nague
August 25, 2017, 8:56am
5
Well, my issue is with connections from lan to lan. What's the relation?
Sorry, I somehow misread WIFI to WAN in your first post... thought you had some weird configuration.
I cannot find an explanation for that behaviour, you might want to file a bug report.
Nague
August 25, 2017, 9:46am
7
Thanks @eduperez for your help.
My assumption is that I'm facing a side effect of a feature that allows connections from lan to lan using the wan IP address. For example, if I have a web server in lan and a regular port 80 redirection from wan to lan, it allows me to reach my web site over HTTP with the wan public IP, from lan. (As far as I can remember, this was not working in old OpenWrt releases.)
There is definitely something hardcoded in redirections from src "wan".
jow
August 26, 2017, 1:01pm
8
There is nothing specific or hardcoded about wan; the difference between using tun and using wan is that wan has masquerading enabled while tun does not. If you do not need or want NAT reflection, you can turn it off using "option reflection 0" in your "config redirect" sections.
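To make jow's explanation concrete, here is an added example (my own Python, not fw3 code or anything from the thread) that replays the rules above: it parses a constructed copy of the iptables-save lines into a small first-match rule engine and shows which NAT rule a wifi-to-lan connection hits with reflection on and off. It assumes the lan zone covers exactly 192.168.0.0/24 and 192.168.100.0/24 and uses 203.0.113.1 as a stand-in for the 176.x.y.z wan address.

```python
import ipaddress
import re

# Constructed sample (not the thread's real output): the fw3 rules for the TEST redirect,
# with the wan address 176.x.y.z replaced by the documentation placeholder 203.0.113.1.
SAMPLE = """\
-A zone_lan_postrouting -s 192.168.100.0/24 -d 192.168.0.24/32 -p tcp -m tcp --dport 8012 -m comment --comment "!fw3: @redirect[3] (reflection)" -j SNAT --to-source 192.168.100.1
-A zone_lan_prerouting -s 192.168.100.0/24 -d 203.0.113.1/32 -p tcp -m tcp --dport 8012 -m comment --comment "!fw3: @redirect[3] (reflection)" -j DNAT --to-destination 192.168.0.24:8012
-A zone_wan_prerouting -p tcp -m tcp --dport 8012 -m comment --comment "!fw3: @redirect[3]" -j DNAT --to-destination 192.168.0.24:8012
"""
RULE_RE = re.compile(r'^-A (\S+)(?: -s (\S+))?(?: -d (\S+))? -p tcp -m tcp --dport (\d+)'
                     r' -m comment --comment "([^"]*)" -j (SNAT|DNAT) --to-\S+ (\S+)$')
LAN_NETS = [ipaddress.ip_network(n) for n in ("192.168.0.0/24", "192.168.100.0/24")]

def parse_rules(text):
    """Parse iptables-save lines; an absent -s/-d becomes None (matches anything)."""
    rules = []
    for m in filter(None, map(RULE_RE.match, text.splitlines())):
        chain, src, dst, dport, comment, target, to = m.groups()
        rules.append({"chain": chain, "dport": int(dport), "comment": comment, "target": target,
                      "src": ipaddress.ip_network(src) if src else None,
                      "dst": ipaddress.ip_network(dst) if dst else None, "to": to.split(":")[0]})
    return rules

RULES = parse_rules(SAMPLE)

def zone_of(ip):
    return "lan" if any(ip in n for n in LAN_NETS) else "wan"

def first_match(rules, chain, src, dst, dport):
    """iptables semantics: the first rule in the chain whose -s, -d and --dport all match wins."""
    for r in rules:
        if (r["chain"] == chain and r["dport"] == dport
                and (r["src"] is None or src in r["src"])
                and (r["dst"] is None or dst in r["dst"])):
            return r
    return None

def trace(src, dst, dport, reflection=True, rules=RULES):
    """(src, dst) as the server sees them: DNAT in the ingress zone's prerouting chain, then
    SNAT in the egress zone's postrouting chain. reflection=False models 'option reflection 0'."""
    if not reflection:
        rules = [r for r in rules if "(reflection)" not in r["comment"]]
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hit = first_match(rules, f"zone_{zone_of(src)}_prerouting", src, dst, dport)
    if hit and hit["target"] == "DNAT":
        dst = ipaddress.ip_address(hit["to"])
    hit = first_match(rules, f"zone_{zone_of(dst)}_postrouting", src, dst, dport)
    if hit and hit["target"] == "SNAT":
        src = ipaddress.ip_address(hit["to"])
    return str(src), str(dst)
```

Running `trace("192.168.100.7", "192.168.0.24", 8012)` reproduces the symptom from the first post (the server sees 192.168.100.1), while `reflection=False` leaves the wifi host's real address intact.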
jow:
There is nothing specific or hardcoded about wan, the difference between using tun and using wan is that wan has masquerading enabled while tun has not. If you do not need or want NAT reflection, you can turn it off using option reflection 0 in your config redirect sections.
I have just checked the documentation, and indeed reflection is active by default on DNAT redirections... I would not have guessed it, many thanks!
Nague
August 28, 2017, 12:47pm
10
jow:
There is nothing specific or hardcoded about wan, the difference between using tun and using wan is that wan has masquerading enabled while tun has not. If you do not need or want NAT reflection, you can turn it off using option reflection 0 in your config redirect sections.
This is it!
I had no idea this feature was named "reflection", but it makes sense now. Thanks a lot for your help!