Warning over DNAT firewall rule after upgrade to 23.05.5

After the upgrade to 23.05.5 (with sysupgrade -n), I ran the configuration scripts, as I always do. But now I'm getting a bunch of warnings when it gets to the firewall setup.

Section DNAT_RDP (DNAT_RDP) external address range cannot be determined, disabling reflection
Section DNAT_RDP (DNAT_RDP) external address range cannot be determined, disabling reflection

The referenced section is inserted with these commands:

cfgid='DNAT_RDP'
uci batch << EOI
set firewall.$cfgid=redirect
set firewall.$cfgid.name="$cfgid"
set firewall.$cfgid.src=wan
set firewall.$cfgid.src_dport=3389
set firewall.$cfgid.dest=lan
set firewall.$cfgid.dest_ip=192.168.1.108
set firewall.$cfgid.dest_port=3389
set firewall.$cfgid.proto='tcp udp'
set firewall.$cfgid.target=DNAT
EOI
uci commit firewall

What does that mean? (the warning)

When did this rule last work?

Remove that line; by default there is no route wan->lan.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Check the /etc/config/firewall file to make sure it's entered correctly.
The entries themselves look OK.
You don't need dest_port if it's the same, but that's not the problem.
You only need tcp, but that's still not the problem.

I would not recommend allowing any outside connection to your Windows Remote Desktop.
If you limited it to a single source IP, then maybe, but not open to the world.
I recommend adding a VPN to your network for a layer of security,
OpenVPN or WireGuard etc.
Once connected to your network, connect via RDP, and you don't need these rules or risks.

It means that currently the NAT Loopback rule(s) cannot be created because the router wan IP address cannot be retrieved (the interface is down or has no IP address assigned).

If you don't plan to initiate RDP requests from lan to the wan IP address of the router (that should be redirected to 192.168.1.108), you can disable reflection.

uci set firewall.DNAT_RDP.reflection='0'

You're right. With a working internet connection, reinserting DNAT_RDP produces no warnings.

The solution in my script is to move the firewall configuration (firewall.sh) to a later stage, where the internet connection is already configured and working.


EDIT 1:
The reflection rules do need the public IP address assigned to the WAN:

ip saddr { 192.168.1.0-192.168.2.255 } ip daddr PUBLIC_IPV4_ADDR tcp dport 3389 dnat ip to 192.168.1.108:3389 comment "!fw4: DNAT_RDP (reflection)"
ip saddr { 192.168.1.0-192.168.2.255 } ip daddr PUBLIC_IPV4_ADDR udp dport 3389 dnat ip to 192.168.1.108:3389 comment "!fw4: DNAT_RDP (reflection)"
ip saddr { 192.168.1.0-192.168.2.255 } ip daddr 192.168.1.108 tcp dport 3389 snat ip to 192.168.1.1 comment "!fw4: DNAT_RDP (reflection)"
ip saddr { 192.168.1.0-192.168.2.255 } ip daddr 192.168.1.108 udp dport 3389 snat ip to 192.168.1.1 comment "!fw4: DNAT_RDP (reflection)"

Because I did reboot after the configuration scripts finished, these rules were already in effect. I could just ignore the warnings, but it's still a good idea to fix it in my scripts.


EDIT 2:
From your linked Wikipedia page:

NAT reflection is a feature in many consumer routers where a machine on the LAN is able to access another machine on the LAN via the external IP address of the LAN/router

I did not know about this feature, and I do need it sometimes.
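
The following is an added example, not code from this thread or from OpenWrt, that puts the two pieces of advice above into one POSIX sh fragment for a provisioning script: defer the firewall step until the WAN interface actually holds an IPv4 address (so fw4 can compute the reflection range and does not print the warning), and generate the redirect restricted to a single source address with the reflection option set explicitly. The function names, the sample ubus output and the addresses (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges) are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenWrt: helpers for a
# provisioning script that (a) waits until the WAN interface has an IPv4
# address before touching the firewall, so fw4 can compute the reflection
# range, and (b) emits a uci batch for a DNAT redirect limited to one source
# address. Function names, the sample JSON and the addresses are my own
# constructions; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.

# Return 0 when the `ubus call network.interface.wan status` JSON in $1 lists
# at least one IPv4 address, 1 otherwise. Whitespace is stripped first so the
# match does not depend on ubus pretty-printing; BusyBox grep (no -P) suffices.
wan_has_ipv4() {
    printf '%s' "$1" | tr -d ' \n\t' | grep -q '"ipv4-address":\[{'
}

# Poll the live router for up to $1 seconds (default 60). Only meaningful on
# an OpenWrt box, since it calls ubus; the offline demo below does not use it.
wait_for_wan() {
    remaining=${1:-60}
    while [ "$remaining" -gt 0 ]; do
        if wan_has_ipv4 "$(ubus call network.interface.wan status 2>/dev/null)"; then
            return 0
        fi
        sleep 1
        remaining=$((remaining - 1))
    done
    echo "wan still has no IPv4 address; fw4 would disable reflection for redirects" >&2
    return 1
}

# Print a uci batch for a redirect section. Arguments:
#   name src_ip src_dport dest_ip dest_port proto [reflection]
# src_ip restricts the rule to one external client (e.g. an admin's fixed
# address) instead of the whole internet. reflection defaults to 1 (fw4's
# default) and can be set to 0 when LAN clients never use the WAN address
# to reach the host.
redirect_batch() {
    name=$1 src_ip=$2 src_dport=$3 dest_ip=$4 dest_port=$5 proto=$6
    reflection=${7:-1}
    cat <<EOI
set firewall.$name=redirect
set firewall.$name.name='$name'
set firewall.$name.src='wan'
set firewall.$name.src_ip='$src_ip'
set firewall.$name.src_dport='$src_dport'
set firewall.$name.dest='lan'
set firewall.$name.dest_ip='$dest_ip'
set firewall.$name.dest_port='$dest_port'
set firewall.$name.proto='$proto'
set firewall.$name.target='DNAT'
set firewall.$name.reflection='$reflection'
EOI
}

# Constructed sample ubus output: WAN still waiting for a DHCP lease.
WAN_DOWN='{ "up": false, "pending": true, "ipv4-address": [ ], "ipv6-address": [ ] }'
# Constructed sample ubus output: WAN up with one address.
WAN_UP='{ "up": true, "pending": false,
  "ipv4-address": [ { "address": "203.0.113.10", "mask": 24 } ],
  "ipv6-address": [ ] }'

# Offline demo of the decision and of the batch that would be piped into
# `uci batch` followed by `uci commit firewall` on the router.
for sample in "$WAN_DOWN" "$WAN_UP"; do
    if wan_has_ipv4 "$sample"; then
        echo "wan has an IPv4 address: safe to add redirects"
    else
        echo "wan has no IPv4 address yet: defer the firewall step"
    fi
done
redirect_batch DNAT_RDP 198.51.100.7 3389 192.168.1.108 3389 tcp 0
```

On the router itself the two helpers would be chained as `wait_for_wan 120 && redirect_batch DNAT_RDP 198.51.100.7 3389 192.168.1.108 3389 tcp 1 | uci batch && uci commit firewall`, which keeps the redirect out of the firewall until fw4 can see the WAN address and never exposes port 3389 to more than the one source you choose.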
