Hi,
Just upgraded from 7.09 brcm-2.4 to 10.03 brcm-47xx on a Buffalo WHR-HP-G54.
Thanks for the hard work. Wireless seems reliable, if a little slow, so far.
One problem I have is trying to get 'hairpin' routing working, so that LAN hosts can access other hosts on the LAN via the WAN IP address.
i.e. so p2p clients behind the router can access each other just as hosts from the internet can.
So, "telnet <WANIP> <port>" will work from the internet and the intranet, hitting whichever host port <port> is forwarded to incoming from the internet.
I used custom iptables commands in /etc/firewall.user with 7.09 to achieve this, because the firewall script didn't support it.
I hoped that this wasn't the case on 10.03 and saw in the wiki the mention of SNAT. So I had a play. Nothing I tried would get SNAT to appear in the iptables.
So I had a look in the script /lib/firewall/uci_firewall.sh. I can see DNAT in there, but no SNAT at all.
Is this really supported?
I used to have the following in /etc/firewall.user:
# $WAN is expected to hold the WAN interface name (supplied by the 7.09 firewall script that sources this file);
# if it is empty, ifconfig lists every interface and the first "inet addr:" found is used.
WANIP=`ifconfig $WAN | awk '/inet addr:/ { sub(/addr:/, ""); print $2 }'`
# hairpin PORT HOST: apply do_hairpin for both tcp and udp
hairpin () {
    do_hairpin $1 $2 tcp
    do_hairpin $1 $2 udp
}
# do_hairpin PORT HOST PROTO
do_hairpin () {
    # from intranet to intranet host (using double NAT):
    # rewrite the destination WANIP -> HOST ...
    iptables -t nat -A prerouting_rule -d $WANIP -p $3 --dport $1 -j DNAT --to $2
    # ... and the source LAN client -> WANIP, so HOST replies via the router instead of directly to the client
    iptables -t nat -A postrouting_rule -s 192.168.1.0/24 -p $3 --dport $1 -d $2 -j SNAT --to $WANIP
    # from internet to intranet (plain port forward plus forwarding accept)
    iptables -t nat -A prerouting_wan -p $3 -m multiport --dports $1 -j DNAT --to $2
    iptables -A forwarding_wan -d $2 -j ACCEPT
}
hairpin 27588 192.168.1.4
hairpin 31745 192.168.1.4
hairpin 59287 192.168.1.4
do_hairpin 80 192.168.1.2 tcp
do_hairpin 25 192.168.1.2 tcp
I've updated the do_hairpin function to:
# do_hairpin PORT HOST PROTO (10.03 chain names)
do_hairpin () {
    # hairpin: LAN client -> WANIP:PORT is DNATed to HOST ...
    iptables -t nat -A prerouting_rule -d $WANIP -p $3 --dport $1 -j DNAT --to $2
    # ... and SNATed to WANIP so the reply comes back through the router
    iptables -t nat -A postrouting_rule -s 192.168.1.0/24 -p $3 --dport $1 -d $2 -j SNAT --to $WANIP
    # port forward from the internet, using the wan zone chains of the 10.03 firewall
    iptables -A zone_wan_prerouting -t nat -p $3 -m multiport --dports $1 -j DNAT --to $2
    iptables -I zone_wan_forward 1 -p $3 -d $2 --dport $1 -j ACCEPT
}
The port forwarding works (the last two statements), but the hairpin (the first two statements) of the WANIP back into the intranet does not.
Any ideas why?
Thanks for your help guys.
(Last edited by gildenman on 1 Oct 2010, 10:25)
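The rule set discussed in this post, reworked as an added example that is not part of the original post and not OpenWrt's own uci_firewall.sh. It assumes the 10.03 chain names prerouting_rule, postrouting_rule, zone_wan_prerouting and zone_wan_forward from the post plus a forwarding_rule chain in the filter table (an assumption), a placeholder WAN interface name of eth0.1 and the LAN subnet 192.168.1.0/24, and lets the IPT variable be overridden (for example IPT=echo) so the rules can be printed rather than applied. The check_hairpin function reads the nat table back with iptables -t nat -S and confirms that both the DNAT and the SNAT rule are actually present, which is the first thing to verify when the hairpin path does not work.

```shell
#!/bin/sh
# Added example, not the original poster's script nor OpenWrt's uci_firewall.sh.
# Builds the hairpin-NAT rules for a 10.03-style firewall and verifies that
# they landed in the nat table. Assumptions: WAN_IF defaults to eth0.1 (a
# placeholder; check /etc/config/network), LAN_NET to 192.168.1.0/24, and a
# forwarding_rule chain exists in the filter table (the other chains are named
# in the post). IPT can be overridden (IPT=echo) to print instead of apply.

IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0.1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Resolve the WAN address, failing instead of silently SNATing to an empty string.
wan_ip() {
    addr=$(ifconfig "$WAN_IF" 2>/dev/null | awk '/inet addr:/ { sub(/addr:/, ""); print $2 }')
    [ -n "$addr" ] || { echo "wan_ip: no IPv4 address on $WAN_IF" >&2; return 1; }
    echo "$addr"
}

# hairpin_rules PORT INTERNAL_HOST PROTO PUBLIC_IP
# Adds the LAN->WANIP hairpin (DNAT + SNAT) and the ordinary WAN port forward.
hairpin_rules() {
    port=$1; dest=$2; proto=$3; pub=$4
    # LAN client -> WANIP:port: deliver it to the internal host instead ...
    "$IPT" -t nat -A prerouting_rule -s "$LAN_NET" -d "$pub" -p "$proto" \
        --dport "$port" -j DNAT --to-destination "$dest"
    # ... and rewrite the client's source to the router's public address, so the
    # internal host's reply returns through the router (which un-NATs it) rather
    # than going straight to the client from the wrong address and being dropped.
    "$IPT" -t nat -A postrouting_rule -s "$LAN_NET" -d "$dest" -p "$proto" \
        --dport "$port" -j SNAT --to-source "$pub"
    # The hairpinned flow enters and leaves on br-lan; allow it to be forwarded.
    "$IPT" -I forwarding_rule 1 -s "$LAN_NET" -d "$dest" -p "$proto" \
        --dport "$port" -j ACCEPT
    # Internet -> WANIP:port: the plain port forward in the wan zone chains.
    "$IPT" -t nat -A zone_wan_prerouting -p "$proto" --dport "$port" \
        -j DNAT --to-destination "$dest"
    "$IPT" -I zone_wan_forward 1 -d "$dest" -p "$proto" --dport "$port" -j ACCEPT
}

# check_hairpin PORT INTERNAL_HOST: read the nat table back and confirm that
# both the DNAT and the SNAT rule are present. Returns 0 only if both exist.
check_hairpin() {
    port=$1; dest=$2
    rules=$("$IPT" -t nat -S) || return 1
    printf '%s\n' "$rules" | grep -q -e "-A prerouting_rule .*--dport $port .*-j DNAT --to-destination $dest" || {
        echo "check_hairpin: DNAT rule for $port -> $dest missing" >&2; return 1; }
    printf '%s\n' "$rules" | grep -q -e "-A postrouting_rule .*-d $dest.*--dport $port .*-j SNAT" || {
        echo "check_hairpin: SNAT rule for $port -> $dest missing" >&2; return 1; }
    return 0
}

# Usage on the router: sh hairpin.sh apply
if [ "${1:-}" = "apply" ]; then
    pub=$(wan_ip) || exit 1
    for p in 27588 31745 59287; do
        hairpin_rules "$p" 192.168.1.4 tcp "$pub"
        hairpin_rules "$p" 192.168.1.4 udp "$pub"
    done
    hairpin_rules 80 192.168.1.2 tcp "$pub"
    check_hairpin 80 192.168.1.2 && echo "hairpin rules present for 80 -> 192.168.1.2"
fi
```

Scoping the DNAT rule to -s LAN_NET keeps the hairpin entry from also catching packets that arrive on the WAN side (those are handled by the zone_wan_prerouting forward), and the forwarding_rule accept is there because the hairpinned packet is routed, not bridged, so it has to pass the FORWARD chain like any other routed flow.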