[FS#1334] port forwarding not working
LEDE Bugs
lede-bugs at lists.infradead.org
Thu Feb 8 05:10:27 PST 2018
The following task has a new comment added:
FS#1334 - port forwarding not working
User who did this - Jo-Philipp Wich (jow-)
----------
That setup will not work. You must ensure that the host you forward traffic to responds directly and not via another (natting) machine - this will lead to unexpected response packets which will get discarded at the router.
You have two possibilities to fix the issue.
1) change the default route of the server to use the natting router
2) rewrite the source IPs of both the incoming connection and the response connection
To implement solution #2 you need two additional SNAT rules to complement the DNAT.
The first SNAT rule rewrites the source IP of incoming WAN traffic to the router's internal LAN IP, so forwarded traffic hitting the internal server will appear to come from the router itself, which will cause the server to respond to the router directly instead of using the default route.
The second SNAT rule rewrites response traffic from the LAN server destined to the router back to the router's WAN IP, where the stateful connection tracking will take care of routing the packets to the original remote client.
In my example below, both SNAT rules use the IP address of the LAN server as well as the protocol and port number to identify traffic needing rewrites. To avoid rewriting internal LAN traffic using this particular port, a negated subnet match is used to exclude the LAN range.
The rules use symbolic interface notation for the `src_dip` parameters, which will cause the firewall to automatically resolve the associated IP addresses; this is especially important for the dynamic WAN IP.
config redirect
	option name 'Port forward wan-ip:2222 to lan-server:22'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	# IP of the LAN server
	option dest_ip '192.168.1.111'
	# external WAN port
	option src_dport '2222'
	# internal LAN server port
	option dest_port '22'
	option reflection '0'
	option target 'DNAT'

config redirect
	option name 'Rewrite request src ip to router lan ip'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	# did not come from the private LAN range
	option src_ip '!192.168.0.0/16'
	# is destined to the internal LAN server address
	option dest_ip '192.168.1.111'
	# is destined to the internal LAN server port
	option dest_port '22'
	# rewrite src IP to the current address of the "lan" interface
	option src_dip 'lan'
	option target 'SNAT'

config redirect
	option name 'Rewrite response src ip to router wan ip'
	option src 'lan'
	option dest 'lan'
	option proto 'tcp'
	# came from the internal LAN server address
	option src_ip '192.168.1.111'
	# came from the internal LAN server port
	option src_port '22'
	# is not destined to the private LAN range
	option dest_ip '!192.168.0.0/16'
	# rewrite src IP back to the current address of the "wan" interface
	option src_dip 'wan'
	option target 'SNAT'
The downside of this approach is that you lose the information about the actual foreign client IP on the LAN server, so anti-bruteforce measures like fail2ban are useless since all requests will appear to come from the router itself.
----------
More information can be found at the following URL:
https://bugs.lede-project.org/index.php?do=details&task_id=1334#comment4280
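The packet flow the comment describes, as an added example that is not part of the bug report or of the LEDE firewall code: a small Python model of the router's DNAT, the optional SNAT pair and its connection tracking, run through the broken setup and both fixes. The addresses, the client port, the names (Router, server_reply, natbox_forward, run) and the topology are constructed for the example; in particular the second NATting gateway at 192.168.1.254 is assumed to reach the internet through the router itself, so its rewritten reply shows up at the router's conntrack and is discarded there, and the second SNAT rule plus the kernel's automatic reverse translation are collapsed into one step in forward_reply.

```python
"""Model of the asymmetric-routing problem behind a DNAT port forward and of
the two fixes described in the comment.  Added example: addresses, the client
port and the topology are constructed; the second NAT gateway (NATBOX) is
assumed to reach the internet through the router, so its masqueraded reply
arrives at the router's conntrack and is discarded there."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

LAN_RANGE = ip_network("192.168.0.0/16")   # the negated subnet match in the SNAT rules
LAN_LINK = ip_network("192.168.1.0/24")    # the server's directly connected subnet
CLIENT = "203.0.113.5"                      # remote client on the internet (constructed)
ROUTER_WAN, ROUTER_LAN = "198.51.100.10", "192.168.1.1"
SERVER = "192.168.1.111"                    # dest_ip of the redirect
NATBOX = "192.168.1.254"                    # the other natting gateway (assumed)


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


class Router:
    """DNAT + optional SNAT pair + stateful tracking, just enough to show the flow."""

    def __init__(self, snat_pair: bool):
        self.snat_pair = snat_pair
        self.conntrack = {}  # expected reply tuple -> original (client ip, client port)

    def forward_in(self, p: Pkt) -> Pkt:
        """Packet arriving on wan; returns what is delivered to the lan."""
        # the redirect: wan-ip:2222 -> 192.168.1.111:22
        if p.dst == ROUTER_WAN and p.dport == 2222:
            p = replace(p, dst=SERVER, dport=22)
        original = (p.src, p.sport)
        # first SNAT rule: not from the LAN range, to server:22 -> src becomes the lan ip
        if (self.snat_pair and ip_address(p.src) not in LAN_RANGE
                and p.dst == SERVER and p.dport == 22):
            p = replace(p, src=ROUTER_LAN)
        # remember the reply we expect: from server:22 back to whatever src we sent
        self.conntrack[(p.dst, p.dport, p.src, p.sport)] = original
        return p

    def forward_reply(self, p: Pkt):
        """Reply seen by the router; None means conntrack has no state for it."""
        client = self.conntrack.get((p.src, p.sport, p.dst, p.dport))
        if client is None:
            return None  # unexpected response packet: discarded
        # reverse translation (second SNAT rule + conntrack): from wan-ip:2222 to the client
        return Pkt(src=ROUTER_WAN, sport=2222, dst=client[0], dport=client[1])


def server_reply(p: Pkt, default_gw: str):
    """The LAN server answers p; returns (next hop, reply packet)."""
    reply = Pkt(src=SERVER, sport=22, dst=p.src, dport=p.sport)
    # on-link peers are reached directly, everything else goes via the default route
    nexthop = reply.dst if ip_address(reply.dst) in LAN_LINK else default_gw
    return nexthop, reply


def natbox_forward(p: Pkt) -> Pkt:
    """The other gateway masquerades what it forwards, then hands it to the router."""
    return replace(p, src=NATBOX, sport=40000)  # constructed ephemeral port


def run(server_default_gw: str, snat_pair: bool):
    """One client SYN through the forward: (as seen by server, reply on the wire, as seen by client)."""
    router = Router(snat_pair)
    syn = Pkt(src=CLIENT, sport=51515, dst=ROUTER_WAN, dport=2222)
    delivered = router.forward_in(syn)
    nexthop, reply = server_reply(delivered, server_default_gw)
    if nexthop == NATBOX:
        reply = natbox_forward(reply)
    # in this topology the reply reaches the router either way
    return delivered, reply, router.forward_reply(reply)


if __name__ == "__main__":
    for label, gw, snat in (("broken: default route via other NAT box", NATBOX, False),
                            ("fix 1: default route via the router", ROUTER_LAN, False),
                            ("fix 2: SNAT pair", NATBOX, True)):
        seen, reply, result = run(gw, snat)
        print(f"{label}\n  server sees src {seen.src}:{seen.sport}\n  reply on wire {reply}\n"
              f"  client gets {'nothing (dropped at router)' if result is None else result}")
```

In the broken case the reply reaches the router from 192.168.1.254 instead of from the server, matches no tracked connection and is dropped; with either fix the client receives a reply from the router's WAN address on port 2222. The fix-2 run also shows the downside stated in the comment: the server sees the connection coming from 192.168.1.1 rather than from the client.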