[FS#1334] port forwarding not working

LEDE Bugs lede-bugs at lists.infradead.org
Thu Feb 8 05:10:27 PST 2018


The following task has a new comment added:

FS#1334 - port forwarding not working
User who did this - Jo-Philipp Wich (jow-)

----------
That setup will not work. You must ensure that the host you forward traffic to responds directly and not via another (natting) machine - this will lead to unexpected response packets which will get discarded at the router.

You have two possibilities to fix the issue.

1) change the default route of the server to use the natting router
2) rewrite the source IPs of both the incoming connection and the response connection

To implement solution #2 you need two additional SNAT rules to complement the DNAT.

The first SNAT rule rewrites the source IP of incoming WAN traffic to the router's internal LAN IP, so forwarded traffic hitting the internal server will appear to come from the router itself, which will cause the server to respond to the router directly instead of using the default route.

The second SNAT rule rewrites response traffic from the LAN server destined to the router back to the router's WAN IP, where the stateful connection tracking will take care of routing the packets to the original remote client.

In my example below, both SNAT rules use the IP address of the LAN server as well as the protocol and port number to identify traffic needing rewrites. To avoid rewriting internal LAN traffic using this particular port, a negated subnet match is used to exclude the LAN range.

The rules use symbolic interface notation for the `src_dip` parameters, which will cause the firewall to automatically resolve the associated IP addresses; which is especially important for the dynamic WAN ip.

config redirect
        option name 'Port forward wan-ip:2222 to lan-server:22'
        option src wan
        option dest lan
        option proto tcp
        option dest_ip 192.168.1.111  # IP of the LAN server
        option src_dport 2222         # external WAN port
        option dest_port 22           # internal LAN server port
        option reflection 0           # no NAT loopback for clients inside the LAN
        option target DNAT

config redirect
        option name 'Rewrite request src ip to router lan ip'
        option src wan
        option dest lan                   # SNAT is applied to traffic leaving towards the "lan" zone
        option proto tcp
        option src_ip '!192.168.0.0/16'   # did not come from the private LAN range
        option dest_ip 192.168.1.111      # is destined to internal LAN server address
        option dest_port 22               # is destined to internal LAN server port
        option src_dip lan                # rewrite src IP to current address of "lan" interface
        option target SNAT

config redirect
        option name 'Rewrite response src ip to router wan ip'
        option src lan
        option dest wan                   # SNAT is applied to traffic leaving towards the "wan" zone
        option proto tcp
        option src_ip 192.168.1.111       # came from internal LAN server address
        option src_port 22                # came from internal LAN server port
        option dest_ip '!192.168.0.0/16'  # is not destined to private LAN range
        option src_dip wan                # rewrite src IP back to current address of "wan" interface
        option target SNAT

Downside of this approach is that you lose the information about the actual foreign client IP on the LAN server, so anti-bruteforce measures like fail2ban are useless since all requests will appear to come from the router itself.
----------
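The plain iptables form of the three redirect sections above, as an added example that is not part of the bug report or of fw3 itself: a small POSIX sh script that emits (or, with `apply`, runs) the equivalent DNAT and SNAT rules for a given current WAN address. The interface names eth1 (wan) and br-lan (lan), the router LAN address 192.168.1.1 and the WAN address 203.0.113.5 used in the usage line are assumptions; the server address, ports and LAN range are the ones from the comment above. The script shows what the UCI form hides: -i only exists in PREROUTING and -o only in POSTROUTING, so the request rewrite hangs off the lan side and the response rewrite off the wan side.

```shell
#!/bin/sh
# Added example, not from the bug report or the fw3 project: plain iptables
# equivalent of the three UCI redirect sections. Assumed names: wan interface
# eth1, lan interface br-lan, router LAN address 192.168.1.1. The WAN address
# is a parameter because it is dynamic; fw3 resolves "src_dip wan" at reload
# time, raw iptables cannot.
WAN_IF=${WAN_IF:-eth1}
LAN_IF=${LAN_IF:-br-lan}
ROUTER_LAN_IP=${ROUTER_LAN_IP:-192.168.1.1}
LAN_NET=192.168.0.0/16
SERVER_IP=192.168.1.111
EXT_PORT=2222
INT_PORT=22

# valid_ipv4 ADDR: exit 0 for a dotted quad with octets 0-255, 1 otherwise.
# Refusing anything else keeps shell metacharacters out of the emitted rules.
valid_ipv4() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# nat_rules WAN_IP: print the three rules, one per line, in apply order.
nat_rules() {
    wan_ip=$1
    valid_ipv4 "$wan_ip" || { echo "nat_rules: bad WAN address '$wan_ip'" >&2; return 1; }
    # 1) DNAT: new connections arriving on wan for wan-ip:2222 go to server:22
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp -d $wan_ip --dport $EXT_PORT -j DNAT --to-destination $SERVER_IP:$INT_PORT"
    # 2) SNAT request: forwarded packets from outside the LAN range leave towards
    #    the server with the router's LAN address as source, so the server answers
    #    the router instead of following its own default route
    echo "iptables -t nat -A POSTROUTING -o $LAN_IF -p tcp ! -s $LAN_NET -d $SERVER_IP --dport $INT_PORT -j SNAT --to-source $ROUTER_LAN_IP"
    # 3) SNAT response: packets from the server's port 22 leaving via wan to a
    #    non-LAN destination get the current WAN address as source
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -p tcp -s $SERVER_IP --sport $INT_PORT ! -d $LAN_NET -j SNAT --to-source $wan_ip"
}

# Usage: sh nat.sh 203.0.113.5          # print the rules
#        sh nat.sh 203.0.113.5 apply    # run them (needs root and iptables)
if [ "$#" -ge 1 ]; then
    rules=$(nat_rules "$1") || exit 1
    if [ "${2:-}" = apply ]; then
        printf '%s\n' "$rules" | while IFS= read -r cmd; do $cmd || exit 1; done
    else
        printf '%s\n' "$rules"
    fi
fi
```

After applying, `iptables -t nat -L -n -v` shows the packet counters per rule and `conntrack -L -p tcp --dport 22` (from the conntrack-tools package) shows the translated entry for a live session. One caveat worth knowing: the nat table is consulted only for the first packet of a connection, and conntrack reverse-translates the replies of that connection on its own, so the third rule does not see the replies of the forwarded SSH session; it is kept here for parity with the UCI configuration.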

More information can be found at the following URL:
https://bugs.lede-project.org/index.php?do=details&task_id=1334#comment4280



More information about the lede-bugs mailing list