OpenWrt Forum Archive

Topic: Backfire 10.03 firewall SNAT config, accessing WAN IP from LAN

The content of this topic has been archived on 6 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi,
Just upgraded from 7.09 brcm-2.4 to 10.03 brcm-47xx on a Buffalo WHR-HP-G54.
Thanks for the hard work. Wireless seems reliable, if a little slow, so far.

One problem I have is trying to get 'hairpin' routing, so that LAN hosts can access other hosts on the LAN via the WAN IP address,
i.e. so p2p clients behind the router can access each other just as hosts from the internet can.

So, "telnet <WANIP> <port>" will work from the internet and the intranet, hitting whichever host port <port> is forwarded to incoming from the internet.

I used custom iptables commands in /etc/firewall.user with 7.09 to achieve this, because the firewall script didn't support it.
I hoped that this wasn't the case on 10.03 and saw in the wiki the mention of SNAT. So I had a play. Nothing I tried would get SNAT to appear in the iptables.
So I had a look in the script /lib/firewall/uci_firewall.sh. I can see DNAT in there, but no SNAT at all.
Is this really supported?

I used to have the following in /etc/firewall.user:

WANIP=`ifconfig $WAN | awk '/inet addr:/ { sub(/addr:/, ""); print $2 }'`

hairpin () {
  do_hairpin $1 $2 tcp
  do_hairpin $1 $2 udp
}

do_hairpin () {
  # from intranet to intranet host (using double NAT)
  iptables -t nat -A prerouting_rule -d $WANIP -p $3 --dport $1 -j DNAT --to $2
  iptables -t nat -A postrouting_rule -s 192.168.1.0/24 -p $3 --dport $1 -d $2 -j SNAT --to $WANIP

  # from internet to intranet 
  iptables -t nat -A prerouting_wan -p $3 -m multiport --dports $1 -j DNAT --to $2
  iptables        -A forwarding_wan    -d $2     -j ACCEPT
}

hairpin 27588 192.168.1.4
hairpin 31745 192.168.1.4
hairpin 59287 192.168.1.4

do_hairpin 80 192.168.1.2 tcp
do_hairpin 25 192.168.1.2 tcp

I've updated the do_hairpin function to:

do_hairpin () {
  iptables -t nat -A prerouting_rule -d $WANIP -p $3 --dport $1 -j DNAT --to $2
  iptables -t nat -A postrouting_rule -s 192.168.1.0/24 -p $3 --dport $1 -d $2 -j SNAT --to $WANIP

  iptables -A zone_wan_prerouting -t nat -p $3 -m multiport --dports $1 -j DNAT --to $2
  iptables -I zone_wan_forward 1 -p $3 -d $2 --dport $1 -j ACCEPT
}

The port forwarding works (the last two statements), but the hairpin (the first two statements) of the WANIP back into the intranet does not.
Any ideas why?
Thanks for your help guys.

(Last edited by gildenman on 1 Oct 2010, 10:25)

So is SNAT supported in the firewall?
Seems strange that it's documented, but not implemented.
Usually the other way round :)
Anyone got any idea?
Thanks.

gildenman wrote:

So is SNAT supported in the firewall?

OK. It looks documented, but unsupported. Weird :)

Anyway, I solved my problem.

For the archive, it was simply the new firewall scripts blocking access to the port from the LAN, which they didn't seem to do in 7.09.
I just had to add an extra line to permit that and all is fine.
The updated hairpin function for clarity is:

do_hairpin () {

  # from intranet to intranet host (using double NAT)

  iptables -t nat -A prerouting_rule -d $WANIP -p $3 --dport $1 -j DNAT --to $2
  iptables -t nat -A postrouting_rule -s 192.168.1.0/24 -p $3 --dport $1 -d $2 -j SNAT --to $WANIP

  # from internet to intranet

  iptables -A zone_wan_prerouting -t nat -p $3 -m multiport --dports $1 -j DNAT --to $2
  iptables -I zone_wan_forward 1 -p $3 -d $2 --dport $1 -j ACCEPT
  iptables -I zone_lan_forward 1 -p $3 -d $2 --dport $1 -j ACCEPT

}

Hope it helps someone.
Cheers.

gildenman wrote:

Hope it helps someone.

Indeed it did... Me. :)

I've spent the last few days beating my head against the wall trying to make iptables do exactly this, and for the life of me could not track down exactly where these rules needed to live to do what was required. Your script is elegant and does exactly what is needed, not a hack at all, as you had previously referred to it. LOL

JimWright wrote:

Indeed it did... Me. :)

Glad I could assist.
It is a bugger to work out. That function is the culmination of quite a bit of posting, searching and fiddling. Seems a shame that it's not supported natively. Perhaps, I should submit a patch.

JimWright wrote:

Your script is elegant and does exactly what is needed, not a hack at all, as you had previously referred to it.  LOL

Ah. You are too kind, sir. :)

Why the heck are you doing that??? Your p2p clients don't have the option to "search LAN"?

Also, access the device via telnet on the WAN address? That's totally freakin' crazy. If you /really/ need to access your device from the bad internet, use the SSH daemon and a secure password at least.

Orca wrote:

Why the heck are you doing that??? Your p2p clients don't have the option to "search LAN"?

Also, access the device via telnet on the WAN address? That's totally freakin' crazy. If you /really/ need to access your device from the bad internet, use the SSH daemon and a secure password at least.

I'm not sure that you understand the issue.

gildenman wrote:
JimWright wrote:

Indeed it did... Me. :)

Glad I could assist.
It is a bugger to work out. That function is the culmination of quite a bit of posting, searching and fiddling. Seems a shame that it's not supported natively. Perhaps, I should submit a patch.

It would seem easy enough to build this directly into firewall.user with a few comment lines on how to use it. This issue does come up a bit. ;)

Orca wrote:

Also, access the device via telnet on the WAN address? That's totally freakin' crazy. If you /really/ need to access your device from the bad internet, use the SSH daemon and a secure password at least.

You've never had to telnet to port 25 to check a mail server's functionality, or tested a web server on port 80 via telnet? Telnet is used for more than just command line access... And that was just one example used; the point was it's allowing access to the ports as if you were hitting them from outside.

Hey guys,
sorry for reopening a very old thread, but I'm facing the same issue as gildenman and can't get it to work.

He wrote something about an "updated" hairpin function. Where exactly do I find this function, or do I have to add the above listed function to my /etc/firewall.user?

P.S.: I'm using OpenWrt Barrier Breaker

(Last edited by monchi on 14 Apr 2015, 07:35)
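An added note for readers on the fw3-based releases mentioned in the later posts (Barrier Breaker 14.07, Chaos Calmer 15.05); this is not part of monchi's post or the thread. On those releases the firewall implements this hairpin natively as "NAT reflection" on a redirect, and it is on by default, so the firewall.user rules from this thread are only needed on the old Backfire firewall. The fragment below is an added example, not OpenWrt project documentation; the server address 192.168.0.10 and port 80 are constructed sample values, and the section goes in /etc/config/firewall, followed by /etc/init.d/firewall restart.

```uci
config redirect
        option name            'web-hairpin'
        option src             'wan'
        option src_dport       '80'
        option dest            'lan'
        option dest_ip         '192.168.0.10'
        option dest_port       '80'
        option proto           'tcp'
        option target          'DNAT'
        # NAT reflection: LAN clients can reach the forward via the WAN address.
        # The default is already 1; set 0 to turn it off for this redirect.
        option reflection      '1'
        # Source the server sees for reflected connections: 'internal' (the
        # router's LAN address, the default) or 'external' (the WAN address,
        # which is what the SNAT rules in this thread do).
        option reflection_src  'external'
```

Check the result with iptables -t nat -L -n -v: fw3 installs the reflection DNAT and SNAT rules alongside the ordinary port forward, so no custom chains are needed.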

I've been struggling through the exact same problem and since google keeps bringing me here, I think I should post what I've done for others who have the same problem. I'm using Chaos Calmer 15.05.

The problem: Some people like me use dynamic DNS and run a server from our home. Accessing the server via dynamic DNS and/or the public IP address works from everywhere except from home. The "hairpin" code below sets up your firewall so that you can use the public IP address or your dynamic DNS entry to access your server instead of its real IP address on the LAN. This of course makes life much better because now you can access your server the same way and it won't matter if you're at home or somewhere else.

I had problems with the firewall getting set up before Comcast had a chance to give me an IP, so that's why the sleep is there (yuck!). Really we're just waiting to get an IP. You might not need to sleep.

This modified code only does the "hairpin." I've configured the port 80 forward from the WAN -> 192.168.0.10 using the web UI.

# Wait to make sure DHCP has had time to give us an IP on the WAN :)
sleep 15
# IPv4 address of the WAN interface (eth1 here), parsed from busybox ifconfig output
# (match "inet addr:" only, so an inet6 line can never be picked up)
WANIP=$(ifconfig eth1 | grep 'inet addr:' | awk '{print $2}' | awk -F 'addr:' '{print $2}')

# do_hairpin PORT DEST_IP PROTO
do_hairpin () {
  # LAN client -> WANIP:PORT: rewrite the destination to the real server
  iptables -t nat -A prerouting_rule -d $WANIP -p $3 --dport $1 -j DNAT --to $2
  # make the server reply via the router; otherwise it would answer the client directly from its LAN address
  iptables -t nat -A postrouting_rule -s 192.168.0.0/24 -p $3 --dport $1 -d $2 -j SNAT --to $WANIP
}

# Allow the LAN to access the web server whose IP is 192.168.0.10 on the LAN using the router's public IP address
do_hairpin 80 192.168.0.10 tcp

(Last edited by dietsche on 10 Oct 2015, 01:29)
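The rule set that gildenman's final do_hairpin and dietsche's variant both arrive at, as one added example for both posts; it is not code from the thread or from the OpenWrt project. It keeps the thread's chain names (prerouting_rule, postrouting_rule, zone_lan_forward, present both in the 10.03 firewall and in fw3) and adds three things a practitioner wants: the WAN address is polled for instead of a fixed sleep and the rules are never installed with an empty address, the DNAT is limited to LAN sources, and each rule carries a comment saying why the connection breaks without it. Assumptions, all constructed: the WAN device is eth1, the LAN is 192.168.0.0/24, the logical interface is called wan, and the servers 192.168.0.10 (web) and 192.168.0.4 (p2p) exist. Setting IPT=echo prints the rules instead of installing them.

```shell
#!/bin/sh
# Hairpin (NAT loopback) helper for OpenWrt. Added example for this thread,
# not OpenWrt project code. Assumed: chains prerouting_rule, postrouting_rule
# and zone_lan_forward exist (10.03 firewall and fw3), WAN device eth1,
# logical interface "wan", LAN 192.168.0.0/24. IPT=echo gives a dry run.

IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth1}"               # assumption: physical WAN device
LAN_NET="${LAN_NET:-192.168.0.0/24}"   # assumption: LAN subnet

# wan_ip DEVICE: print the WAN IPv4 address, fail if there is none yet.
# Prefers netifd's helper when present (Barrier Breaker/Chaos Calmer) and
# falls back to parsing busybox ifconfig output, as the posts above do.
wan_ip() {
    _a=""
    if [ -r /lib/functions/network.sh ]; then
        . /lib/functions/network.sh
        network_get_ipaddr _a wan || _a=""
    fi
    if [ -z "$_a" ]; then
        _a=$(ifconfig "$1" 2>/dev/null |
            awk '/inet addr:/ { sub(/.*addr:/, ""); print $1; exit }')
    fi
    [ -n "$_a" ] || return 1
    echo "$_a"
}

# wait_for_wan_ip DEVICE SECONDS: poll instead of "sleep 15". An empty
# $WANIP would silently produce rules with no -d/--to at all, which match
# and rewrite far more than intended, so refuse to continue without one.
wait_for_wan_ip() {
    _n=0
    while [ "$_n" -lt "$2" ]; do
        if _ip=$(wan_ip "$1"); then
            echo "$_ip"
            return 0
        fi
        _n=$((_n + 1))
        sleep 1
    done
    return 1
}

# do_hairpin PORT DEST_IP PROTO WANIP LAN_NET
# Hairpin only: the WAN-side port forward itself is assumed to exist already
# (a redirect in /etc/config/firewall, or the zone_wan_* rules in the thread).
do_hairpin() {
    port=$1 dest=$2 proto=$3 wanip=$4 lan=$5
    # 1. A LAN client connects to WANIP:PORT. Rewrite the destination so the
    #    kernel routes the packet back into the LAN. Limited to LAN sources;
    #    WAN-side traffic is handled by the normal port forward.
    $IPT -t nat -A prerouting_rule -s "$lan" -d "$wanip" -p "$proto" --dport "$port" \
        -j DNAT --to-destination "$dest"
    # 2. Without this the server answers the client directly from DEST_IP.
    #    The client expects a reply from WANIP and drops it (TCP RST). SNAT
    #    makes the server reply to the router, which un-NATs both directions.
    #    Side effect: the server's logs show every LAN client as WANIP.
    $IPT -t nat -A postrouting_rule -s "$lan" -d "$dest" -p "$proto" --dport "$port" \
        -j SNAT --to-source "$wanip"
    # 3. After DNAT this is lan -> lan forwarded traffic; accept it explicitly
    #    (the missing piece gildenman found in the 10.03 zone rules).
    $IPT -I zone_lan_forward 1 -s "$lan" -d "$dest" -p "$proto" --dport "$port" -j ACCEPT
}

# hairpin PORT DEST_IP WANIP LAN_NET: same rules for tcp and udp (p2p ports)
hairpin() {
    do_hairpin "$1" "$2" tcp "$3" "$4"
    do_hairpin "$1" "$2" udp "$3" "$4"
}

# hairpin_setup: the entry point firewall.user calls. Edit the list below.
hairpin_setup() {
    WANIP=$(wait_for_wan_ip "$WAN_IF" 60) || {
        echo "firewall.user: no IPv4 address on $WAN_IF, hairpin rules skipped" >&2
        return 1
    }
    do_hairpin 80    192.168.0.10 tcp "$WANIP" "$LAN_NET"   # web server (sample)
    hairpin    27588 192.168.0.4      "$WANIP" "$LAN_NET"   # p2p client (sample)
}
```

Save it as /etc/firewall.hairpin.sh and put `. /etc/firewall.hairpin.sh; hairpin_setup` in /etc/firewall.user, so the file only defines functions and firewall.user decides when to run them. Rules can be checked afterwards with iptables -t nat -L prerouting_rule -n -v. If the server's access logs or per-client rate limits matter, SNAT to the router's LAN address instead of WANIP; the connection works the same way, and the server then at least sees the router's LAN side rather than its public address.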

The discussion might have continued from here.