OpenWrt Forum Archive

Topic: Firewall Forwarding Issue

The content of this topic has been archived on 6 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I've noticed some people are running Slimserver (or Squeezebox, as it's now called) on OpenWRT.  I'm doing something different.  I have a Squeezebox that is on my screen porch and I want it connected via ethernet instead of wifi for various reasons.  That means, basically, an unsecured ethernet connection to my LAN outside of my direct control.

To solve that problem, I have a Linksys WRTSL54GS.  The LAN side is, of course, connected to my LAN, which is in the 172.16.7.xxx range.  The WAN side is connected to my Squeezebox.  I've set the firewall to forward ports 9000 and 3483 coming in on the WAN to the box on my LAN that runs Squeezecenter.

At first I tried this with the LAN side having the address 172.16.7.101 and the WAN and the Squeezebox were in the 192.168.1.xxx range.  Right now I've got the WAN and Squeezebox in the 10.0.0.xxx range.  I've told the Squeezebox the default gateway is 10.0.0.101, which is the WAN ip address.  I've set the firewall to forward anything with the destination IP as 172.16.7.2 (my Squeezecenter host) to that address on the LAN side.  (I figure later, when I get it working, I'll forward only the ports Squeezecenter needs.)

While I don't think this is related, on my LAN the default gateway is 172.16.7.1, which is the firewall (running pfSense).

I'm no expert, but I've used web interfaces to set up port forwarding before, for example, to allow someone outside my LAN to make a connection to my VNC listener on my computer in my LAN.  That's always worked just fine.

For some reason, though, no matter what I try, my Squeezebox on the WAN side of the router cannot detect the Squeezecenter program in the LAN side, even with all the forwarding set up.

My understanding is that I can restrict and control what comes in through the WAN but don't really have control over what comes in through the LAN side, so as I understand it, this should work without a problem.

I've considered it possible that when the packets pass through the firewall, going to the LAN, that there's no NAT, so when my Squeezecenter computer tries to reply, the packets are going to the LAN gateway (at 172.16.7.1) instead of being returned to the router at 172.16.7.101.  I don't know enough, though, to have any way to check it out.

What do I need to change if I want the Squeezebox on the WAN side to communicate with Squeezecenter on 172.16.7.2 on the LAN side?

I've included the output from "iptables -L" below.  The computer "ozma.thresh.oz" is the one I'm forwarding to at 172.16.7.2 (don't ask -- the name's a long story involving a young relative who likes the Oz books).

Thanks for any help on this!

-------------------------------------------------------
IPTables Output:

Chain INPUT (policy DROP)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       tcp  --  anywhere             anywhere            tcp option=!2 flags:SYN/SYN
input_rule  all  --  anywhere             anywhere           
input_wan  all  --  anywhere             anywhere           
LAN_ACCEPT  all  --  anywhere             anywhere           
ACCEPT     icmp --  anywhere             anywhere           
ACCEPT     gre  --  anywhere             anywhere           
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            state INVALID
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
forwarding_rule  all  --  anywhere             anywhere           
forwarding_wan  all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           

Chain LAN_ACCEPT (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
output_rule  all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain forwarding_rule (1 references)
target     prot opt source               destination         

Chain forwarding_wan (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             ozma.thresh.oz     

Chain input_rule (1 references)
target     prot opt source               destination         

Chain input_wan (1 references)
target     prot opt source               destination         

Chain output_rule (1 references)
target     prot opt source               destination
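The listing above comes from `iptables -L` with no `-t` option, so it shows only the filter table; DNAT and SNAT rules live in the nat table (`iptables -t nat -L -n -v`) and cannot be seen here at all, which is exactly the part the "replies go to the LAN gateway instead of back to the router" hypothesis depends on. Two other things can be read straight off the listing: the FORWARD chain ends with two unconditional ACCEPT rules, so the filter table is not what is dropping the Squeezebox's packets, and no chain contains a LOG target, which is why the firewall log stays empty. The following script is an added example and is not code from the thread or from OpenWrt: it parses `iptables -L` text (the embedded sample is an abridged, constructed copy of the listing posted above), walks the jumps from FORWARD to find which ACCEPT rules can match traffic to the server, reports the missing LOG rules and the absent nat chains, and emits the DNAT plus MASQUERADE rule set that would make replies return through this router. The interface names (`vlan1`, `br0`), the choice of both TCP and UDP, and the log prefix are assumptions; only the addresses and ports 9000 and 3483 come from the post.

```python
"""Added example: summarise an `iptables -L` listing and emit the NAT rules it cannot show."""
import re
from collections import namedtuple

# Constructed sample: an abridged copy of the filter-table listing posted in the thread.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
input_wan  all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
forwarding_wan  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain forwarding_wan (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             ozma.thresh.oz

Chain input_wan (1 references)
target     prot opt source               destination
"""

Rule = namedtuple("Rule", "target prot opt source destination extra")
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)\)$")


def parse_listing(text):
    """Return {chain: {"policy": str or None, "rules": [Rule, ...]}} from `iptables -L` text."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        if current is None or not line or line.startswith("target "):
            continue                      # blank line or column header
        fields = line.split(None, 5)      # target prot opt source destination [match text]
        fields += [""] * (6 - len(fields))  # pad when the match column is empty
        chains[current]["rules"].append(Rule(*fields))
    return chains


def accept_paths(chains, dest, chain="FORWARD", path=()):
    """Follow jumps from `chain` and list every ACCEPT rule that can match traffic to `dest`."""
    hits = []
    for rule in chains.get(chain, {}).get("rules", []):
        if rule.target == "ACCEPT" and rule.destination in (dest, "anywhere"):
            where = " -> ".join(path + (chain,))
            hits.append(f"{where}: ACCEPT {rule.destination} {rule.extra}".rstrip())
        elif rule.target in chains:       # a jump into a user-defined chain
            hits += accept_paths(chains, dest, rule.target, path + (chain,))
    return hits


def log_rules(chains):
    """(chain, rule) pairs with a LOG target; none means the kernel log will stay empty."""
    return [(name, r) for name, c in chains.items() for r in c["rules"] if r.target == "LOG"]


def nat_table_present(chains):
    """`iptables -L` alone lists the filter table; nat chains appear only with `-t nat`."""
    return any(name in chains for name in ("PREROUTING", "POSTROUTING"))


def nat_rules(wan_if, lan_if, server, ports):
    """Commands for DNAT on the WAN side plus MASQUERADE toward the server on the LAN side,
    so the server's replies come back through this router rather than the LAN's default
    gateway. Interface names and the tcp+udp choice are assumptions, not from the thread."""
    cmds = []
    for proto in ("tcp", "udp"):
        for port in ports:
            cmds.append(f"iptables -t nat -A PREROUTING -i {wan_if} -p {proto} --dport {port} "
                        f"-j DNAT --to-destination {server}")
            cmds.append(f"iptables -A FORWARD -i {wan_if} -o {lan_if} -p {proto} -d {server} "
                        f"--dport {port} -j ACCEPT")
    cmds.append(f"iptables -t nat -A POSTROUTING -o {lan_if} -d {server} -j MASQUERADE")
    # A LOG rule at the top of FORWARD shows whether WAN-side packets reach the router at all.
    cmds.append(f"iptables -I FORWARD -i {wan_if} -j LOG --log-prefix 'fwd-from-wan: '")
    return cmds


def report(text, server):
    """Human-readable summary of a listing: chain policies, accept paths, LOG and nat status."""
    chains = parse_listing(text)
    lines = [f"{n}: policy={c['policy']} rules={len(c['rules'])}" for n, c in chains.items()]
    lines += [f"ACCEPT rules reachable for traffic to {server}:"] + accept_paths(chains, server)
    lines.append(f"LOG rules present: {len(log_rules(chains))}")
    lines.append(f"nat table included in listing: {nat_table_present(chains)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LISTING, "ozma.thresh.oz")))
    print("\n".join(nat_rules("vlan1", "br0", "172.16.7.2", (9000, 3483))))
```

Feed it a saved `iptables -L` capture to get the same summary for a live box; the emitted commands are meant to be reviewed against the nat table that `iptables -t nat -L -n -v` shows, since the rules that decide whether replies return through the router are there, not in the filter listing.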

I should add that I checked the firewall log and found NO entries at all.  Is there a firewall log by default or do I have to specify where it should be kept?

After I try to connect, I check the firewall logs and have yet to see any entries.  I'd like to at least be able to verify the Squeezebox is getting to the firewall.

I've noticed a lot of people have viewed this thread and nobody has offered a suggestion, such as, perhaps, a setting that I may have inadvertently changed somewhere on the router or something else.

Do I need to include more detail?  Is there something I can clarify?  Would I be better off, since this router was sitting around for a while and I can't remember how I set it up originally, to reset all the variables in NVRAM and reflash it?

Well, after the volumes of suggestions that poured in, and after 2 1/2 days of going over this, forwarding the output of "iptables -L" to a friend who specializes in firewalls and trying to figure this out, I tried Kamikaze.  I didn't want to at first because the page on this device suggested White Russian and said NOTHING about trying Kamikaze.  Since I'm no expert on embedded devices and didn't want to brick a router, I was reluctant to try it, but finally felt there was no other solution.  (Actually, I reflashed with White Russian, but for some reason, even though I used the same .bin file I used before, the web interface didn't allow control over firewalls -- and I don't know which package would have added it, tried searching but didn't want to go through a huge number of packages to find out.)

I wasn't able to set the firewall filters as finely as I wanted to, but I was able to get it working under Kamikaze.

The discussion might have continued from here.