FS#1645 - NAT reflection/loopback fails with multiple zones #7950

Closed

openwrt-bot opened this issue Jul 9, 2018 · 6 comments

openwrt-bot commented Jul 9, 2018

TexasDex:

I have multiple internal VLANs, and multiple firewall zones (e.g. a guest network, a DMZ LAN) with separate IP ranges and locked-down routing in between. I've found that if I forward a port to a web server in my DMZ zone the 'NAT Loopback' option has no effect on hosts outside of that zone (e.g. in my LAN or GuestLAN zones).

LEDE:

$ curl https://mywebsite.com
curl: (7) Failed to connect to mywebsite.com port 443: Connection refused

On DMZ:

$ curl https://mywebsite.com
<title> ...

The port forward works fine on hosts outside my network.

I've looked into adding custom rules to fix this, since I'm a Linux sysadmin with a little bit of iptables experience, but I'm not having much luck figuring out the LEDE firewall.

Using LEDE Reboot (17.01.4, r3560-79f57e422d) on x86 (QOTOM J1900 embedded PC).

openwrt-bot commented Jul 9, 2018

TexasDex:

Note: This was reported as a bug in LuCI, but closed because the issue was not just with UI: openwrt/luci#1560

openwrt-bot commented Jul 10, 2018

jow-:

This is by design. The setup of NAT loopback rules is currently tied to the zone of the target host.

I might look into introducing a new option "reflection zones" or similar to change set but I can't promise that it'll happen anytime soon.

openwrt-bot commented Jul 10, 2018

TexasDex:

It took a lot of figuring out, but adding the following rule to the 'Firewall - Custom Rules' pane in LuCI seems to have fixed it for now:

. /lib/functions.sh
. /lib/functions/network.sh
network_get_ipaddr wan wan
network_get_ipaddr lan lan
webserver=WEBSERVER_IP   # add your web server IP address here
# lan clients connecting to the WAN address on 80/443 are redirected to the web server
iptables -t nat -A prerouting_lan_rule -s $lan/24 -d $wan/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination $webserver:80
iptables -t nat -A prerouting_lan_rule -s $lan/24 -d $wan/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination $webserver:443

Making this an official feature would be appreciated, though.

openwrt-bot commented Nov 26, 2018

dfberger:

I found this report while investigating the same problem - I fixed it in a similar way and would also appreciate it being more directly supported.

In my case I have a plex media server in the lan zone, accessible from the internet, and a set of devices in an untrusted zone that I want to be able to stream from it.

I ended up doing this on OpenWrt 18.06.1, r7258-5eb055306f:

# Source the OpenWrt helpers that provide network_get_subnet / network_get_ipaddr
. /lib/functions.sh
. /lib/functions/network.sh

network_get_subnet iot iot      # subnet of the untrusted zone
network_get_ipaddr wan wan      # public address the clients connect to
network_get_ipaddr lan lan      # router's address in the lan zone, used as SNAT source
plexserver=IPADDR               # placeholder: Plex server address in lan
plexport=PORT                   # placeholder: Plex port

# DNAT: iot clients connecting to wan:8443 are sent to the Plex server
iptables -t nat -A prerouting_iot_rule -s $iot -d $wan/32 -p tcp -m tcp --dport 8443 -j DNAT --to-destination $plexserver:$plexport -m comment --comment "firewall.user: plex iot to lan rule"
# SNAT: the server sees the router as the client, so replies flow back through the router
iptables -t nat -A postrouting_iot_rule -s $iot -d $plexserver/32 -p tcp -m tcp --dport $plexport -j SNAT --to-source $lan -m comment --comment "firewall.user: plex iot to lan rule"

(as an aside for anyone trying to replicate my results, I found that these rules don't appear after reboot until I do a firewall restart, but I haven't yet figured out why.)

openwrt-bot commented May 3, 2020

neontty:

Upvote

I experienced the same problem. Thank you, Dan and Dex, for posting your solutions here.

It seems like a pretty common situation for people to have a DMZ'd zone hosting a webserver that they would want to access via a zone-to-zone nat loopback.

edit: @dan, I think your problem where you need to do the firewall restart is related to this: https://dev.archive.openwrt.org/ticket/20249.html . When the firewall reloads (instead of restarts) your custom firewall.user rules are not also reloaded, but they depend on a chain that is created in /etc/config/firewall so I think your rules get flushed too. That article explains that you can set a variable in your firewall config to also execute your firewall.user script on reloads as well.

I realize that this thread is super old, but I thought I would post this for anyone else who came across it.
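The two hand-written rule sets above (TexasDex's DNAT-only pair and dfberger's DNAT+SNAT pair) and the reload caveat can be folded into one script. The following is an added example, not code from this thread or from OpenWrt's firewall; it assumes a zone named iot, the fw3 chain names prerouting_<zone>_rule / postrouting_<zone>_rule that both comments use, placeholder server and port values, and constructed sample addresses when run off the router:

```shell
#!/bin/sh
# Added example (not the thread's or OpenWrt's own code): emit the DNAT+SNAT pair
# that makes a forwarded port reachable from one extra zone via the WAN address.
# Zone name, chain names and all addresses below are assumptions/placeholders.

# reflection_rules ZONE SUBNET WAN_IP ROUTER_IP SERVER PORT [PROTO]
#   ZONE      firewall zone whose clients should reach the server via WAN_IP
#   SUBNET    that zone's subnet in CIDR form (e.g. from network_get_subnet)
#   WAN_IP    public address the clients are connecting to
#   ROUTER_IP router's address in the server's zone, used as the SNAT source
#   SERVER    internal server behind the port forward
#   PORT      forwarded port; PROTO defaults to tcp
# Prints the iptables commands instead of running them, so they can be reviewed
# (or tested) before being piped into sh.
reflection_rules() {
    zone=$1 subnet=$2 wan=$3 router=$4 server=$5 port=$6 proto=${7:-tcp}
    tag="firewall.user: reflect $zone -> $server:$port"
    # 1. DNAT in the zone's own prerouting chain: traffic from the zone to
    #    WAN_IP:PORT is rewritten to SERVER:PORT.
    echo "iptables -t nat -A prerouting_${zone}_rule -s $subnet -d $wan/32" \
         "-p $proto -m $proto --dport $port -j DNAT --to-destination $server:$port" \
         "-m comment --comment '$tag'"
    # 2. SNAT in the zone's postrouting chain: the server then sees the router as
    #    the client, so its reply returns through the router and is un-DNATed.
    #    Without this the server answers the client directly from its own address,
    #    and the client drops the reply because it expected one from WAN_IP.
    echo "iptables -t nat -A postrouting_${zone}_rule -s $subnet -d $server/32" \
         "-p $proto -m $proto --dport $port -j SNAT --to-source $router" \
         "-m comment --comment '$tag'"
}

# rules_installed ZONE: true when the tagged rules for ZONE are present in the
# nat table; useful for checking whether a firewall reload flushed them.
rules_installed() {
    iptables -t nat -S 2>/dev/null | grep -qF "firewall.user: reflect $1"
}

# On OpenWrt, take addresses from the network helpers; elsewhere fall back to
# constructed sample values so the script can be dry-run on any machine.
if [ -r /lib/functions/network.sh ]; then
    . /lib/functions.sh
    . /lib/functions/network.sh
    network_get_subnet iot_subnet iot
    network_get_ipaddr wan_ip wan
    network_get_ipaddr lan_ip lan
else
    iot_subnet=192.168.3.0/24   # constructed sample values
    wan_ip=203.0.113.5
    lan_ip=192.168.1.1
fi
server=192.168.1.10   # placeholder: the server behind the port forward
port=32400            # placeholder: the forwarded port

# DRY_RUN=1 (default) only prints the rules; DRY_RUN=0 applies them.
if [ "${DRY_RUN:-1}" = 1 ]; then
    reflection_rules iot "$iot_subnet" "$wan_ip" "$lan_ip" "$server" "$port"
else
    reflection_rules iot "$iot_subnet" "$wan_ip" "$lan_ip" "$server" "$port" | sh
fi
```

Two things to keep in mind when putting this in /etc/firewall.user (the 'Firewall - Custom Rules' pane): the nat rules only rewrite addresses, so the forward from the source zone to the server port still has to be permitted in the filter table with an ordinary zone rule, otherwise the DNATed packet is dropped there; and fw3 runs the include script only on a full restart unless its include section in /etc/config/firewall carries option reload '1', which is the setting the ticket linked above refers to and explains why the rules vanish after a reload.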

openwrt-bot commented Jun 13, 2021

phqzgunsfjror:

I also vote for the feature.

I opened a new ticket since it was closed:
https://bugs.openwrt.org/index.php?do=details&task_id=3875
