[Solved] Need original source IP on forwarded traffic

I did a bunch of searches but came up empty, so here goes.

I am trying to forward a port to an internal server, which in turn needs to respond to the IP of the original requester (on a different port). So the incoming traffic to the local server needs to 'see' the IP of the original requester.
But by default, the config will propagate the routers own IP to the server, so we now are unable to reach the remote requestor.

In LuCi there is a drop-down in the Advanced setting to pick which IP is used in these forwards, local or source, I picked source, but the server still sees the router's own local IP, not the public IP of the remote requestor.
Basically, this is the "option reflection_src external" on this forward.

here is the rule in question:

config redirect
        option dest_port '50432'
        option src 'wan'
        option name 'TestServer'
        option src_dport '50432'
        option target 'DNAT'
        option dest_ip '192.168.0.184'
        option reflection_src 'external'
        option dest 'lan'

I'm on 19.07.3

Any input welcome.

Where are the original requests coming from? Internal or external? Can you post the entire contents of /etc/config/firewall.

1 Like

Requests are coming from the public internet through the WAN interface.

Here is the firewal config

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_rate '200/s'
	option synflood_burst '500'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'guest'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'guest'
	option input 'REJECT'
	option mtu_fix '1'

config forwarding
	option dest 'wan'
	option src 'guest'

config rule
	option target 'ACCEPT'
	option src 'guest'
	option name 'GuestDNS'
	option proto 'all'
	option dest_port '53'

config rule
	option enabled '1'
	option target 'ACCEPT'
	option src 'guest'
	option name 'GuestDHCP'
	option proto 'udp'
	option dest_port '67-68'

config rule
	option name 'BlockLinkLocal'
	option proto 'tcp udp'
	option src_ip '169.254.0.0/16'
	option target 'DROP'
	option src 'lan'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config redirect
	option dest_port '50432'
	option src 'wan'
	option name 'TestServer'
	option src_dport '50432'
	option target 'DNAT'
	option dest_ip '192.168.0.184'
	option reflection_src 'external'
	option dest 'lan'

It looks like you have misunderstood something.
A WAN to LAN port forwarding does not mask the source IP by default.
It's best to use tcpdump to investigate the issue properly.

3 Likes

@TopDog

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

The problem was due to the server application reporting the wrong IP in the UI, so this was a 'confused user' issue due to being given bad data.
Thanks to all who responded.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.