FS#1645 - NAT reflection/loopback fails with multiple zones

[openwrt-bot]

TexasDex:

I have multiple internal VLANs, and multiple firewall zones (e.g. a guest network, a DMZ LAN) with separate IP ranges and locked-down routing in between. I've found that if I forward a port to a web server in my DMZ zone the 'NAT Loopback' option has no effect on hosts outside of that zone (e.g. in my LAN or GuestLAN zones).

LEDE:

curl https://mywebsite.com

curl: (7) Failed to connect to mywebsite.com port 443: Connection refused

On DMZ:

$ curl https://mywebsite.com

<title> ...

The port forward works fine on hosts outside my network.

I've looked into adding custom rules to fix this, since a Linux sysadmin with a little bit of iptables experience, but I'm not having much luck figuring out the LEDE firewall.

Using LEDE Reboot (17.01.4, r3560-79f57e422d) on x86 (QOTOM J1900 embedded PC).

[openwrt-bot]

TexasDex:

Note: This was reported as a bug in LuCI, but closed because the issue was not just with UI: openwrt/luci#1560

[openwrt-bot]

jow-:

This is by design. The setup of NAT loopback rules is currently tied to the zone of the target host.

I might look into introducing a new option "reflection zones" or similar to change set but I can't promise that it'll happen anytime soon.

[openwrt-bot]

TexasDex:

It took a lot of figuring out, but adding the following rule to the 'Firewall - Custom Rules' pane in LuCI seems to have fixed it for now:

network_get_ipaddr wan wan
network_get_ipaddr lan lan
webserver=(add your web server IP address here)
iptables -t nat -A prerouting_lan_rule -s $lan/24 -d $wan/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination $webserver:80
iptables -t nat -A prerouting_lan_rule -s $lan/24 -d $wan/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination $webserver:443

Making this an official feature would be appreciated, though.

[openwrt-bot]

dfberger:

I found this report while investigating the same problem - I fixed it in a similar way and would also appreciate it being more directly supported.

in my case I have a plex media server in the lan zone, accessible from the internet, and a set of devices in an untrusted zone that I want to be able to stream from it.

I ended up doing this on OpenWrt 18.06.1, r7258-5eb055306f:

. /lib/functions.sh . /lib/functions/network.sh

network_get_subnet iot iot
network_get_ipaddr wan wan
network_get_ipaddr lan lan
plexserver=IPADDR
plexport=PORT

iptables -t nat -A prerouting_iot_rule -s $iot -d $wan/32 -p tcp -m tcp --dport 8443 -j DNAT --to-destination $plexserver:$plexport -m comment --comment "firewall.user: plex iot to lan rule"
iptables -t nat -A postrouting_iot_rule -s $iot -d $plexserver/32 -p tcp -m tcp --dport $plexport -j SNAT --to-source $lan -m comment --comment "firewall.user: plex iot to lan rule"


(as an aside for anyone trying to replicate my results, I found that these rules don't appear after reboot until I do a firewall restart, but I haven't yet figured out why.)

[openwrt-bot]

neontty:

Upvote

I experienced the same problem. Thank you, Dan and Dex, for posting your solutions here.

It seems like a pretty common situation for people to have a DMZ'd zone hosting a webserver that they would want to access via a zone-to-zone nat loopback.

edit: @dan, I think your problem where you need to do the firewall restart is related to this: https://dev.archive.openwrt.org/ticket/20249.html . When the firewall reloads (instead of restarts) your custom firewall.user rules are not also reloaded, but they depend on a chain that is created in /etc/config/firewall so I think your rules get flushed too. That article explains that you can set a variable in your firewall config to also execute your firewall.user script on reloads as well.

I realize that this thread is super old, but I thought I would post this for anyone else who came across it.

[openwrt-bot]

phqzgunsfjror:

I also vote for the feature.

I opened a new ticket since it was closed:
https://bugs.openwrt.org/index.php?do=details&task_id=3875