Edit: This post has been significantly changed since the original posting, trying to offer a lot more clarity.
Got an interesting challenge here related to port forwarding UDP on Trunk to the local router. This started out rather complicated, but I've been able to cut pieces out to reduce complexity and here's what I'm looking at:
Default out-of-the-box trunk configuration on a WRT1900AC (no keep settings, etc.), OpenWrt Designated Driver r49066 / LuCI Master (git-16.081.38806-6b9a743), Kernel is 4.4.6 (build from yesterday, 3/22)
Running a lightweight server (think NCat) on UDP 444 on the OpenWRT router. I'm trying to expose that server to the WAN interface via port 443 (again a simplified example, in reality the server is more substantial than NCat, but I've cut that piece out and been able to reproduce with NCat).
This rule doesn't work:
firewall.@redirect[2]=redirect
firewall.@redirect[2].enabled='1'
firewall.@redirect[2].target='DNAT'
firewall.@redirect[2].src='wan'
firewall.@redirect[2].dest='lan'
firewall.@redirect[2].proto='udp'
firewall.@redirect[2].src_dport='443'
firewall.@redirect[2].dest_ip='192.168.1.1'
firewall.@redirect[2].dest_port='444'
firewall.@redirect[2].name='ExternalUDP1'
But this rule does:
firewall.@redirect[3]=redirect
firewall.@redirect[3].enabled='1'
firewall.@redirect[3].target='DNAT'
firewall.@redirect[3].src='wan'
firewall.@redirect[3].dest='lan'
firewall.@redirect[3].proto='udp'
firewall.@redirect[3].src_dport='443'
firewall.@redirect[3].dest_port='444'
firewall.@redirect[3].name='ExternalUDP3'
The first rule emits a DNAT to the local device IP (192.168.1.1), while the second rule emits a redirect (maybe related to the change committed here: http://git.openwrt.org/?p=project/firew … b1da92eb6)
Hits on both rules (attempting to open the port) result in an increase in the hit count so I know it's registering the hit, but the DNAT rule that includes the device IP doesn't actually function (can't pass data over NCat, and my more advanced software also doesn't work) while the second REDIRECT rule with no destination IP does.
It's worth noting that this exact setup worked flawlessly on a trunk build from last spring, so I'm thinking something may have changed in the way UDP packets are handled which is causing drops to occur (Firewall3 updates here: http://git.openwrt.org/?p=project/firew … =summary).
At this point, I've got it working as a redirect, but I'd love to figure out if the failing DNAT rule is actually a result of something that is now broken, or understand if it's intended functionality for some reason.
Thanks
(Last edited by OperatorOverload on 23 Mar 2016, 22:10)
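Added illustration, not code from the original post or from firewall3: a small script that parses both redirect sections as `uci show` prints them and renders the nat rule each one implies, DNAT when dest_ip is present and REDIRECT when it is omitted. It mirrors the behaviour described in the post rather than firewall3's real rule generator; the chain name zone_wan_prerouting and the exact option strings are assumptions.

```python
"""Parse the `uci show firewall` redirect sections from the post and render the
nat rule each one implies: DNAT when dest_ip is set, REDIRECT when it is not."""
import re
from collections import defaultdict

# Constructed sample: the two rules from the post, as `uci show` prints them
# (the name= and enabled= lines are omitted for brevity).
UCI_SHOW = """\
firewall.@redirect[2]=redirect
firewall.@redirect[2].target='DNAT'
firewall.@redirect[2].src='wan'
firewall.@redirect[2].dest='lan'
firewall.@redirect[2].proto='udp'
firewall.@redirect[2].src_dport='443'
firewall.@redirect[2].dest_ip='192.168.1.1'
firewall.@redirect[2].dest_port='444'
firewall.@redirect[3]=redirect
firewall.@redirect[3].target='DNAT'
firewall.@redirect[3].src='wan'
firewall.@redirect[3].dest='lan'
firewall.@redirect[3].proto='udp'
firewall.@redirect[3].src_dport='443'
firewall.@redirect[3].dest_port='444'
"""

OPTION = re.compile(r"^firewall\.@redirect\[(\d+)\]\.(\w+)='([^']*)'$")

def parse_redirects(text):
    """Return {section index: {option: value}} for every redirect in the dump."""
    rules = defaultdict(dict)
    for line in text.splitlines():
        m = OPTION.match(line.strip())
        if m:
            rules[int(m.group(1))][m.group(2)] = m.group(3)
    return dict(rules)

def nat_rule(opts):
    """Render the prerouting nat rule a redirect section implies. This mirrors
    the behaviour the post describes, not firewall3's real code (assumption):
    with dest_ip the packet is DNATed to that address; without it, REDIRECT
    rewrites the destination to the router's own address on the arriving interface."""
    if opts.get("enabled", "1") != "1" or opts.get("target", "DNAT") != "DNAT":
        return None
    base = "-A zone_%s_prerouting -p %s --dport %s" % (
        opts["src"], opts["proto"], opts["src_dport"])
    if opts.get("dest_ip"):
        return "%s -j DNAT --to-destination %s:%s" % (
            base, opts["dest_ip"], opts["dest_port"])
    return "%s -j REDIRECT --to-ports %s" % (base, opts["dest_port"])
```

Comparing the two rendered rules side by side makes the one difference between the failing and the working section explicit: the target, not the match.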