OpenWrt Forum Archive

Topic: Chaos Calmer 15.05.1 wrong prerouting for port forward to DMZ

The content of this topic has been archived on 4 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Dear experts,

I've been using OpenWRT for years and am trying to migrate from Attitude Adjustment to Chaos Calmer. After the first try failed badly, I set up from scratch in a test environment. However, there seems to be something wrong with the zone_wan_prerouting rules.

Setup: WAN, LAN, DMZ

config interface 'dmz'
        option proto 'static'
        option ifname 'eth0.100'
        option ipaddr '192.168.100.1'
        option netmask '255.255.255.0'

For testing, the haproxy statistics interface is bound to 192.168.100.1:8888 (checked with lsof).

Port forwarding rule:

config redirect
        option target 'DNAT'
        option src 'wan'
        option proto 'tcp'
        option dest_port '8888'
        option dest 'dmz'
        option dest_ip '192.168.100.1'
        option name 'test port forward dmz'
        option src_dport '4488'

Resulting ipfilter rule (iptables-save)

-A zone_wan_prerouting -p tcp -m tcp --dport 4488 -m comment --comment "test port forward dmz" -j REDIRECT --to-ports 8888

Same setup in attitude adjustment for port 443:

-A zone_wan_prerouting -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.5.1:443

So something goes really wrong in Chaos Calmer! There is no destination IP in the prerouting rule as specified in the port forwarding ...

Or did I miss something, even after debugging for days?

Any help would be appreciated.

Best regards
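As an added check (not part of this thread), a small POSIX shell function that inspects iptables-save output for a given source port and reports whether the forward became a DNAT to the intended DMZ address or a router-local REDIRECT, run here against the two rule lines quoted above as constructed sample input; the function name and the verdict strings are my own.

```shell
# Constructed sample input: the two nat-table lines quoted in the thread,
# not a live capture from a router.
CC_RULES='-A zone_wan_prerouting -p tcp -m tcp --dport 4488 -m comment --comment "test port forward dmz" -j REDIRECT --to-ports 8888'
AA_RULES='-A zone_wan_prerouting -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.5.1:443'

# check_forward RULES SRC_DPORT DEST_IP DEST_PORT
# Returns 0 only when a prerouting rule for SRC_DPORT is a DNAT to
# DEST_IP:DEST_PORT. A REDIRECT (packet rewritten to the router's own
# address on the incoming interface) or a missing rule returns 1, which is
# the symptom described in the thread.
# On a live router: check_forward "$(iptables-save -t nat)" 4488 192.168.100.1 8888
check_forward() {
    rules=$1; src_dport=$2; dest_ip=$3; dest_port=$4
    # Trailing space after the port avoids matching 4488 against 44880 etc.
    line=$(printf '%s\n' "$rules" | grep -F -- "--dport $src_dport " || true)
    if [ -z "$line" ]; then
        echo "no prerouting rule for --dport $src_dport"
        return 1
    fi
    case "$line" in
        *"-j DNAT --to-destination $dest_ip:$dest_port"*)
            echo "ok: DNAT $src_dport -> $dest_ip:$dest_port"
            return 0 ;;
        *"-j REDIRECT"*)
            echo "mismatch: REDIRECT (router-local) instead of DNAT to $dest_ip:$dest_port"
            return 1 ;;
        *)
            echo "mismatch: $line"
            return 1 ;;
    esac
}

# Stand-alone demonstration on the constructed samples.
check_forward "$AA_RULES" 443 192.168.5.1 443
check_forward "$CC_RULES" 4488 192.168.100.1 8888 || true
```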

Hm,

no one has problems like me? I don't know what's going wrong here, but there is definitely something not OK in Chaos Calmer.

Especially, I have no idea how to debug this further, because I'm not an iptables expert.

Regards

Suggestion:

If you want to enable external access to some service that is hosted in the router, configure the server to listen on 0.0.0.0 (any interface) and use Open Ports on Router instead of port forwarding to the router itself.

Hi,

thank you very much. I know this workaround, but it's not acceptable. The proxy has to listen on the DMZ subnet. With your suggestion, there are several port conflicts with the internal LAN ports/services ...

I really wonder why this problem is not more prominent in the forum.

Will make a bug report on GitHub.

(Last edited by WRTHacker on 7 Jan 2017, 09:31)

WRTHacker wrote:

Hi,

thank you very much. I know this workaround, but it's not acceptable. The proxy has to listen on the DMZ subnet. With your suggestion, there are several port conflicts with the internal LAN ports/services ...

I really wonder why this problem is not more prominent in the forum.

Will make a bug report on GitHub.

In my opinion, doing a port forward from the router to itself is what is closer to a workaround solution.

The page for configuring the firewall to accept inbound connections to local services is "Traffic Rules - Open ports on router".

Two important points:
1) The service must be listening on the interface where you want the connections to come in. Listening on all interfaces would obviously include the interface you need.
2) If there's a port conflict on that interface, run the service on a different port.

If I understand correctly, you're skipping these steps and trying to use NAT as a fix to bypass the ipaddr:port listening configuration that has been put on the service.
