OpenWrt Forum Archive

Topic: Backfire 10.03.1-rc3, traffic redirection fail

The content of this topic has been archived on 5 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Post #1
JimWright
26 Sep 2010, 05:28

I'm testing a new router setup here, thought I had everything correct, but I don't.  smile

Outgoing traffic works just fine, but incoming traffic isn't getting where it needs to go.  I tried a web tool that can do a port scan, it was showing that the ports I wanted were open, I tried another tool and it got no response at all.  Also, the router's WAN address is not pingable, my WhiteRussian setup was pingable on the WAN address externally.

Here is my current network setup:

root@OpenWrt:/etc/config# cat network
#### VLAN configuration
config switch eth0
        option enable   1

config switch_vlan eth0_0
        option device   "eth0"
        option vlan     0
        option ports    "0 1 2 3 4 5u"

#### Loopback configuration
config interface loopback
        option ifname   "lo"
        option proto    static
        option ipaddr   127.0.0.1
        option netmask  255.0.0.0


#### LAN configuration
config interface lan
        option type     bridge
        option ifname   "eth0"
        option macaddr  "00:1D:7E:1E:A0:F8"
        option proto    static
        option ipaddr   192.168.1.2
        option netmask  255.255.255.0


#### WAN configuration
config interface        wan
        option ifname   "eth1"
        option macaddr  "00:1d:7e:1e:a0:f9"
        option proto    dhcp

And now a snipped from my Firewall config showing traffic on port 80 should redirect to a different system on the LAN:

root@OpenWrt:/etc/config# cat firewall

config 'defaults'
        option 'syn_flood' '1'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'ACCEPT'

config 'zone'
        option 'name' 'lan'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'ACCEPT'

config 'zone'
        option 'name' 'wan'
        option 'output' 'ACCEPT'
        option 'masq' '1'
        option 'mtu_fix' '1'
        option 'input' 'ACCEPT'
        option 'forward' 'ACCEPT'

config 'forwarding'
        option 'src' 'lan'
        option 'dest' 'wan'

config 'rule'
        option 'src' 'wan'
        option 'proto' 'udp'
        option 'dest_port' '68'
        option 'target' 'ACCEPT'

config 'rule'
        option 'src' 'wan'
        option 'proto' 'icmp'
        option 'icmp_type' 'echo-request'
        option 'target' 'ACCEPT'

config 'include'
        option 'path' '/etc/firewall.user'

config 'redirect'
        option 'src' 'wan'
        option 'proto' 'tcp'
        option 'src_dport' '80'
        option 'dest_ip' '192.168.1.10'
        option '_name' 'www'

From the web interface, I think I have everything set correctly?  I'm sure I'm missing something very basic here...

Also, my prior setup in WhiteRussian was such that I could access internal services by their external DNS name, for example, if the web server listed above was reachable externally as http://example.com, if I used that same URL from the LAN, my page would load correctly.  I'd like to keep this same capability, I'm not sure if the default LUCI setup will allow that.  Any tips on making that work via the LUCI interface would be appreciated.  I'm trying to avoid any unnecessary direct IPTABLES commands if I can avoid it.

Post #2
jow
26 Sep 2010, 05:44

I can reach your ip (70.x.x.x) with a web browser and see a "Mac OS X Personal Web Sharing" page.

Post #3
JimWright
26 Sep 2010, 06:00

Yes, I'm back to my old WhiteRussian router again.  I'm also running a mail server here that's fairly busy, so I had to revert back quickly when I discovered that it wasn't working.

Post #4
JimWright
26 Sep 2010, 19:52

Ignoring the redirection problem, my config above has the following:

config 'rule'
        option 'src' 'wan'
        option 'proto' 'icmp'
        option 'icmp_type' 'echo-request'
        option 'target' 'ACCEPT'

This alone should make the router pingable on the WAN port, correct?  I'm getting no response to ping at all, so there must be some underlying issue that I need to resolve?

Right now I had the router sitting inside my LAN, it is picking up a DHCP address on the WAN port, and from the console port I can ping other systems on my LAN, so I know that there's connectivity there.  I keep coming back to a firewall or network config issue, but everything looks good.  I may end up just reflashing and starting from a fresh config just to be sure I didn't modify something accidentally.

Post #5
JimWright
27 Sep 2010, 03:44

OK, I've reflashed Backfire 10.03.1-rc3, and didn't save any old config files.  This definitely has helped, I'm now able to ping the router on the WAN port, and I've set up some redirection rules.  The redirection rules all show as open ports when scanning the WAN port's address, so far so good.

My issue now is with the Traffic Control rules that would open holes to access router services directly via the WAN port, two examples here are accessing the web and ssh services externally on alternate addresses, I've stripped out the working redirection statements for clarity:

config 'defaults'
        option 'syn_flood' '1'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'

config 'zone'
        option 'name' 'lan'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'

config 'zone'
        option 'name' 'wan'
        option 'input' 'REJECT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'
        option 'masq' '1'
        option 'mtu_fix' '1'

config 'forwarding'
        option 'src' 'lan'
        option 'dest' 'wan'

config 'rule'
        option 'src' 'wan'
        option 'proto' 'udp'
        option 'dest_port' '68'
        option 'target' 'ACCEPT'

config 'rule'
        option 'src' 'wan'
        option 'proto' 'icmp'
        option 'icmp_type' 'echo-request'
        option 'target' 'ACCEPT'

config 'include'
        option 'path' '/etc/firewall.user'

config 'rule'
        option 'target' 'ACCEPT'
        option 'src' 'wan'
        option 'src_port' '81'
        option 'dest_port' '80'
        option 'proto' 'tcp'

config 'rule'
        option 'target' 'ACCEPT'
        option 'src' 'wan'
        option 'proto' 'tcp'
        option 'src_port' '23'
        option 'dest_port' '22'

The last two rules are new, everything above those is from the default setup when the router was flashed.  When scanning the router's WAN port for open ports, I'm not seeing ports 23 or 81 being open, but any Redirect rules I apply work fine and show as open ports.

Post #6
JimWright
28 Sep 2010, 03:08

I've flashed Backfire 10.03.1-rc2, also 10.03, and am seeing the same issues as my last post above.  My rule to open WAN port 81 to the router on port 80 is having no effect, my scan isn't showing port 81 as being open on the WAN port.   I'm starting with a new config each time, no saved files, I'm only adding the one Traffic Control rule.  I'm stumped...

(Last edited by JimWright on 28 Sep 2010, 03:39)

Post #7
jow
28 Sep 2010, 08:10

Those rules do something different than what you might think.
src_port 81, dest_port 80 means that the port 80 is only open for connections originating from port 81 on the client.

Post #8
JimWright
28 Sep 2010, 14:47
jow wrote:

Those rules do something different than what you might think.
src_port 81, dest_port 80 means that the port 80 is only open for connections originating from port 81 on the client.

OK, right, I see that now.  So, what would be the correct way to set this up so that Luci can be access from, for example, port 81 on the WAN side, and not interfere with another web server on that LAN that's already having this port redirected to it?  It should be possible without running Luci on a different port.

In my WhiteRussian config, I used this:

# Access webif from WAN on port 81
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 81 -j DNAT --to :80                            
iptables        -A input_rule      -i $WAN -p tcp --dport 80 -j ACCEPT

But I'm trying to do as much setup via Luci as possible for my new config, and I'm just not seeing how to accomplish that.

Post #9
jow
28 Sep 2010, 15:15

This should work:

config redirect
  option src wan
  option src_dport 81
  option dest_port 80

The relevant change was here: https://dev.openwrt.org/changeset/22228 - it should be part of rc3.

Post #10
JimWright
28 Sep 2010, 18:09

[s]I'll reflash to RC3 tonight and test, thanks![/s]

Reflashed to 10.03.1-rc3, added the rule as listed above, rebooted.  I'm still now showing that port as being open.  I added 'option proto tcp' just in case, no change.

I can verify that rc3 has the script change that you gave, this is the rule that's getting applied to iptables (NAT table):

-A zone_wan_prerouting -p tcp -m tcp --dport 81 -j DNAT --to-destination :80


I've tried a number of combinations of iptables commands, nothing so far is causing the port to open when 80 is directed to the router.  I can open ports to other servers, but not to the router itself.

(Last edited by JimWright on 29 Sep 2010, 03:56)

Post #11
JimWright
29 Sep 2010, 03:55

Jow, I definitely like the elegance of the code you posted, but it's just not working here.  However, I now have a workaround:

config redirect
    option src    wan
    option src_dport    81
    option dest    lan
    option dest_ip    192.168.2.2
    option dest_port    80
    option proto    tcp

config rule
    option src    wan
    option proto    tcp
    option dest_ip    192.168.2.2
    option dest_port    80
    option target    ACCEPT

I have to do this as a redirect and a rule, but it seems to be working OK here so far.

Post #12
kwongwo
10 Jan 2011, 03:55

same problem, i will try it,

The discussion might have continued from here.