VPN PBR + Port Forwarding

Hello,
I am using a server behind an OpenWrt router with port forwarding.
Every time I turn PBR on (it doesn't matter which interface I select, WAN or VPN) for specific devices, those devices cannot access the server addresses with ports.
Why? What can I do to access the addresses?
Devices that are not routed via PBR rule still can access the server addresses.

Hope somebody can help. Thank you.

Guessing a bit here, but perhaps the responses from the server are being routed over the WAN or VPN rather than going locally?

For example, using VPN Policy-Based Routing I append ! -d 192.168.0.0/16 so that when the source is one of my local subnets, the traffic stays local.

Apologies if this is more 'wild goose' than 'golden goose', but maybe it'll help.

Thank you so much for your reply.
I added remote ports and now, for example, the Postfix mail server works without any trouble.
192.168.1.11 is the server.


But still, for example, the server or any other device that is defined in PBR can't access the server addresses like https://mypage.domain.net:89. I mean, this address is public and not local.
When I try 192.168.1.11:89, it works.
Devices that are not defined in PBR can access the server "public" addresses.

Let me make sure I understand:

You've got a server on your local network with address 192.168.1.11. You want to expose that server to the internet, so you've got the appropriate DNS entry with your public IP address and have a forwarding rule to forward traffic from the internet to 192.168.1.11.

Can devices which are not on your network access the server through https://mypage.domain.net:89?

Right. No matter whether they are on the local or public net, devices that are not ruled by PBR can access the server by public address (default route is WAN, configured VPN with route-nopull).

What I tried to do to solve this problem: for example, for a local device 192.168.1.13 I defined PBR rules with interface WAN or VPN, and the remote ports are the same ones that 192.168.1.11 has defined as local ports, e.g. 0-24 26-87 etc. This device 192.168.1.13 can then access the server by public addresses.
But the problem is, when I define for all local devices "192.168.1.1-192.168.1.10 192.168.1.12-192.168.1.255" with these remote ports instead of only for 192.168.1.13, PBR shows an error.

Again, when for example device 192.168.13 is not listed in PBR, everything works fine. I can access the server's local and public addresses. But I also need to define all other devices in PBR.

OK, so first of all: if the default route is WAN, then you shouldn't need the first two rules in your screenshot.

First of all, the definition of the policies is wrong. For a couple of them you are using the remote ports and for the rest the local ports.
If 1.11 is a server and you want to route based on the source port, then all the ports should be defined in the local ports.

Other than that, what you try to achieve by using the public IP won't work for both connections. This mypage[.]domain[.]net is some DDNS name which resolves to either the WAN or the LAN address, not both.
Regardless, NAT reflection is a bad idea and consumes router CPU resources for intra-LAN communication.
I would tell you to create a host entry, but it will conflict with the ddns script. So it would be best to use an internal name to access this server if you don't want to access it by IP.


Thanks!
I defined the ports as local ports.
Yeah, and so now I can't reach the web server from a LAN device via the public DDNS/IP.
But it's possible to reach it via a VPN-connected client (I added a VPN server in the meantime) or from outside the LAN.
So I'd still prefer to reach it via the public DDNS/IP from the LAN.

@tectonic, the default route is another VPN connection.

Edit: I think this is the same problem as mentioned here? https://serverfault.com/questions/525079/linux-routing-access-external-ip-from-lan

Then enable NAT loopback in the port forwarding rule.

Already enabled. Tried internal AND external IP. Still doesn't work. I can only reach the router.
Do I have to set public ddns on router/server, additionally?

What is the output of iptables-save -t nat -c?

NAT loopback was enabled, but I additionally added the external IP under port forwarding (in my case the IP range of the VPN's tun interface) and now everything works fine! I can reach the server's public IP from inside (LAN/VPN client) and of course from the public side.
Thank you so much for help!!
Best regards!
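For anyone reproducing the two fixes the thread ends on, this is what they look like in UCI, as an added example rather than the poster's actual configuration: the PBR policy with the server's ports as local ports (tectonic's correction above), and the port 89 redirect to 192.168.1.11 first with NAT loopback alone, then with the range the inside clients dial added as an external IP (the last post's fix). The zone names 'wan'/'lan' and the 10.8.0.0/24 tunnel range are assumptions; the thread does not give them.

```uci
# Added example, not the thread author's files.
# Assumptions: upstream zone 'wan', server zone 'lan', pbr interface 'wan',
# and 10.8.0.0/24 standing in for the poster's VPN tun interface range.

# /etc/config/pbr: route the server's traffic by *source* port. Because
# 1.11 is the server, its ports go in src_port (LuCI "Local ports"), not
# dest_port (LuCI "Remote ports"), as tectonic points out above.
config policy
	option name 'server-out'
	option interface 'wan'
	option src_addr '192.168.1.11'
	option src_port '0-24 26-87'

# /etc/config/firewall, before: the port forward the thread starts with.
# NAT loopback ("reflection") is already on, which is the default, but the
# hairpin rules are built for the wan zone's own interface addresses, so a
# LAN or VPN-client host dialling the public name only reaches the router.
config redirect
	option name 'web-89'
	option src 'wan'
	option src_dport '89'
	option dest 'lan'
	option dest_ip '192.168.1.11'
	option dest_port '89'
	option proto 'tcp'
	option target 'DNAT'
	option reflection '1'

# After: the fix from the last post. src_dip is the "External IP" field in
# LuCI; listing the range the inside clients reach the server through makes
# the redirect, and its reflection rules, match those connections as well.
config redirect
	option name 'web-89'
	option src 'wan'
	option src_dip '10.8.0.0/24'
	option src_dport '89'
	option dest 'lan'
	option dest_ip '192.168.1.11'
	option dest_port '89'
	option proto 'tcp'
	option target 'DNAT'
	option reflection '1'
	option reflection_src 'internal'
```

After editing, /etc/init.d/firewall restart and /etc/init.d/pbr restart apply the changes; the iptables-save -t nat -c output asked for above is the place to confirm the hairpin rules now carry hits.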
