OpenWrt Forum Archive

Topic: New to OpenWRT, not linux/iptables guru. Need help.

The content of this topic has been archived on 28 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I have some services inside my LAN, for example a VNC server.
My internal network: 192.168.55.0/24
Router internal IP: 192.168.55.254
My Internet domain name: myName.dyndns.org
File /etc/config/firewall:
accept:src=192.168.55.0/24
forward:proto=tcp dport=20,21,25,3393,5500,5900,5800,80,82:192.168.55.1
forward:dport=8088:192.168.55.1
accept:proto=tcp dport=22


I can access the VNC server from the Internet, but I cannot access it from my LAN using the external IP/DNS name.
Please help me configure iptables and/or loopback.
I also need to make SSH on the router accessible from the Internet using an alternative port (9999 for example), not the default one (22).
Right now I can access it only on the default port 22.
The rule
forward:proto=tcp dport=999:192.168.55.254:22
has no effect.

No special configuration is needed in dd-wrt for this (accessing local services using the external IP from the LAN).

(Last edited by dima8389 on 5 Oct 2007, 23:42)

Wireless problems:
1. I cannot make WPA2 work (using webif2 and uci).
WPA works perfectly.
The Kamikaze documentation seems to be outdated.
2. How can I explicitly specify the transmit power, like it can be done in dd-wrt or Tomato?

Hi,

so for your wireless questions:

You can set the txpower as an option ("option txpower 18" for 18 dBm, not mW!) under "config wifi-iface" in the file /etc/config/wireless. It's working for me with an Atheros wifi; maybe you can use this setting for a Broadcom wifi too.

To change from WPA-PSK to WPA2-PSK you only have to set "option encryption psk2" in the same section of the wireless config file. I guess you can do this with uci commands too, but I'm not really familiar with uci.

So, to the forwarding problem: I remember a "big fat disclaimer" in the firewall config file in older versions of OpenWrt that the services are not reachable from the inside through the outside IP.
The forwarding rules in OpenWrt are very basic, but that has the advantage that they don't need much CPU.
If I remember correctly, the problem is that the router doesn't masquerade the source IP. So if you want to connect from the inside, your client connects to the external IP and the packet is forwarded to the internal IP of your server; the server sees that the packet came from the same subnet and tries to send it back directly to the client, but the client expects a packet sent from the router, not from the server, and drops it.

So there are two fixes (or workarounds). If you only have one server that should be available from the outside and the inside (you can have multiple that have to be reachable from the outside only), you can add the external DNS name to the /etc/hosts file (192.168.55.1 server-name myname.dyndns.org), so every client which uses your router as DNS server resolves the local IP of the server and can connect without a problem, and you don't bother the router with local traffic (I'm using this configuration).

If you have forwardings to multiple local servers and you want to reach all of them from the LAN side at the external IP, then you need to masquerade the source IP to the internal IP of the router, so that the server sends the data back to the router and not directly to the client. I'm not sure about the exact iptables command, but there should be threads about this in the White Russian forum. As I remember there are a few drawbacks: with this setting you will see in every logfile on the server that all packets are from your router IP and not from the original IP. This could be a problem if you want to know who is downloading from you, or who hacked your VNC server :) By the way, I wouldn't make a VNC server directly available to the Internet; I think that's very insecure. It would be better to connect to the VNC server over an SSH tunnel or something like that.
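The second workaround in the reply above (masquerading the source so the server answers via the router, often called "hairpin NAT" or "NAT loopback"), written out as an added example. This is not code from the thread or from OpenWrt; it is a small POSIX sh script that emits the two nat-table rules per forwarded TCP port. Everything in it is an assumption: the LAN bridge name br-lan, the public address 203.0.113.10 (a documentation address standing in for the dynamic dyndns IP), the use of the built-in PREROUTING/POSTROUTING chains with the DNAT rule inserted at the top so it is matched before the generated forward rules, and that the filter table already accepts forwarded LAN traffic. Where to hook it in (for example a firewall.user-style script) depends on the firmware version.

```shell
#!/bin/sh
# Added example, not from the thread: "hairpin" (NAT loopback) rules so that a
# LAN client connecting to the router's *external* IP reaches the internal
# server, and the server's replies go back through the router rather than
# straight to the client (which would drop them as not matching its connection).
# Assumed/constructed values: LAN 192.168.55.0/24, router LAN IP 192.168.55.254,
# server 192.168.55.1, LAN bridge "br-lan", and the documentation address
# 203.0.113.10 standing in for the real (dynamic) public IP.

LAN_NET="${LAN_NET:-192.168.55.0/24}"
LAN_IP="${LAN_IP:-192.168.55.254}"
SERVER_IP="${SERVER_IP:-192.168.55.1}"
LAN_IF="${LAN_IF:-br-lan}"
WAN_IP="${WAN_IP:-203.0.113.10}"   # constructed; on the router read it from the WAN interface

# run: execute the command, or only print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# hairpin_rules PORT: the two nat-table rules needed for one forwarded TCP port.
hairpin_rules() {
    port="$1"
    # 1. DNAT: a LAN client talking to WAN_IP:port is rewritten to SERVER_IP:port.
    #    Inserted at the top of PREROUTING so it is evaluated before the
    #    firmware's own (WAN-only) forward rule (assumption about rule ordering).
    run iptables -t nat -I PREROUTING -i "$LAN_IF" -s "$LAN_NET" -d "$WAN_IP" \
        -p tcp --dport "$port" -j DNAT --to-destination "$SERVER_IP:$port"
    # 2. SNAT: rewrite the source to the router's LAN IP, so the server sends the
    #    reply to the router, which un-NATs it for the client. POSTROUTING sees
    #    the already-DNATed destination, and normally only routed traffic passes
    #    it, so a direct LAN-to-server connection is untouched. Drawback the
    #    reply mentions: the server's logs now show the router IP, not the client.
    run iptables -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$SERVER_IP" \
        -p tcp --dport "$port" -j SNAT --to-source "$LAN_IP"
}

# Usage: DRY_RUN=1 sh hairpin.sh 5900 5800   (preview the rules)
#        sh hairpin.sh 5900 5800             (apply, as root on the router)
if [ $# -gt 0 ]; then
    for p in "$@"; do
        hairpin_rules "$p"
    done
fi
```

Run it once per forwarded port from the thread's list (5900, 5800, ...). Because the public IP is dynamic, the DNAT rule has to be re-applied whenever the WAN address changes; the /etc/hosts approach from the same reply avoids that entirely for the single-server case.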

To have both WPA and WPA2 with PSK, you have to introduce an option that WR has but Kamikaze (707) just doesn't have. Set your encryption to be "PSK+PSK2", and that should do it. The amount of cruft and bloat in the unforgotten but still gooey Kamikaze pushed me back to the unloved but more complete WR, so I can't check my own routers.
