Filter WAN NAT Redirection don't work

DD-WRT Forum Index -> X86 based Hardware
petula99
DD-WRT Novice


Joined: 07 Apr 2009
Posts: 10
Location: Czech republic

Posted: Wed Jan 12, 2011 1:31    Post subject: Filter WAN NAT Redirection don't work
Hi everyone, since the last update I can't access my LAN devices from the LAN using the external IP. Can anyone help me?

Let me explain the problem: If I am at an internet location, I can access my devices using "my_external_ip" or "my_domain.com". I have, for example, a web server behind NAT with port 80 forwarded, or a mail server with all relevant ports forwarded (SMTP, POP3, IMAP...). It works without problems. But after the firmware upgrade (I have the latest firmware - Others->eko->PreSP2->...15962) I can't access those devices from the LAN area. "my_external_ip" or "my_domain.com" don't work. I think there is some problem in WAN NAT redirection. I have tried turning off the firewall or changing the switch Firewall->Filter WAN NAT Redirection. I have tried turning off the VPN server or clearing all firewall startup rules, but without success.

The mail server or web server from an internet location works only with the configuration "my_domain.com" or "my_external_ip"; from the LAN it works only with the configuration "LAN_IP" (192.168.40.3).

I have an Alix 2D3, activated, I am using VPN.
If someone can help me, I will be happy.

And a second problem after the upgrade - I can't see any information about connected clients in the tab Status->OpenVPN->Status. There is only data in Status->OpenVPN->State and Status->OpenVPN->Log. (I have 2 or more clients connected, "management localhost 5001" is inserted in the config).

Thanks, Peter
Sash
DD-WRT Guru


Joined: 20 Sep 2006
Posts: 17619
Location: Hesse/Germany

Posted: Wed Jan 12, 2011 10:44
this is no bug. this is a feature.
_________________
Forum Guidelines...How to get help
&
Forum Rules
&
RTFM/STFW
&
Throw some buzzwords into the WIKI search Exclamation
_________________
I'm NOT rude, just offer pure facts!
_________________
Atheros (TP-Link & Clones, etc ) debrick service in EU
_________________
Guide on HowTo be Safe, Secure and Protect Your Online Anonymity!
petula99
DD-WRT Novice


Joined: 07 Apr 2009
Posts: 10
Location: Czech republic

Posted: Wed Jan 12, 2011 13:09
Sash wrote:
this is no bug. this is a feature.

Ok, thank you, Sash. Can I disable this feature so it works like on the old version?
petula99
DD-WRT Novice


Joined: 07 Apr 2009
Posts: 10
Location: Czech republic

Posted: Fri Jan 14, 2011 21:56
Can anyone help? How can I make WAN NAT redirection work? Thanks
rpvdb
DD-WRT Novice


Joined: 17 Jan 2011
Posts: 8

Posted: Mon Jan 17, 2011 12:15
I have the same problem, running DD-WRT v24-sp2 (12/19/10) mega

It looks like a bug to me. NAT redirection is allowed in my cfg, but does not work.
SecurityFreak
DD-WRT User


Joined: 22 Jun 2010
Posts: 89

Posted: Tue Jan 18, 2011 13:00
Netgear seems to not use that too. There is some trend about this feature. Maybe it's insecure and we don't know about it.
At least they should have removed the interface switch if it's useless now.
zathmyre
DD-WRT Novice


Joined: 14 Aug 2008
Posts: 5

Posted: Wed Feb 23, 2011 22:20    Post subject: Filter WAN NAT Redirection
Same problem here. I unchecked "Filter WAN NAT Redirection", but it still won't do it. I have several laptop users that travel in and out of the home network and I would like to have the external address work from both.
Sash
DD-WRT Guru


Joined: 20 Sep 2006
Posts: 17619
Location: Hesse/Germany

Posted: Fri Feb 25, 2011 0:16
As you see, for me it's working. First with the filter enabled, second with the filter disabled.

Code:
root@DD-WRT:~# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 38 packets, 2302 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.10.10.10         tcp dpt:8080 to:192.168.1.1:80
    0     0 DNAT       icmp --  *      *       0.0.0.0/0            10.10.10.10         to:192.168.1.1
    0     0 TRIGGER    0    --  *      *       0.0.0.0/0            10.10.10.10         TRIGGER type:dnat match:0 relate:0

Chain OUTPUT (policy ACCEPT 1 packets, 60 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 1 packets, 60 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 SNAT       0    --  *      *       10.10.10.0/24        0.0.0.0/0           to:10.10.10.10
    0     0 SNAT       0    --  *      ixp1    0.0.0.0/0            0.0.0.0/0           to:10.10.10.10
    0     0 DROP       0    --  *      br0     192.168.1.0/24       192.168.1.0/24     
root@DD-WRT:~#
root@DD-WRT:~#
root@DD-WRT:~#
root@DD-WRT:~# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 1 packets, 55 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.10.10.10         tcp dpt:8080 to:192.168.1.1:80
    0     0 DNAT       icmp --  *      *       0.0.0.0/0            10.10.10.10         to:192.168.1.1
    0     0 TRIGGER    0    --  *      *       0.0.0.0/0            10.10.10.10         TRIGGER type:dnat match:0 relate:0

Chain OUTPUT (policy ACCEPT 1 packets, 55 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 1 packets, 55 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 SNAT       0    --  *      *       10.10.10.0/24        0.0.0.0/0           to:10.10.10.10
    0     0 SNAT       0    --  *      ixp1    0.0.0.0/0            0.0.0.0/0           to:10.10.10.10
    0     0 RETURN     0    --  *      br0     0.0.0.0/0            0.0.0.0/0           PKTTYPE = broadcast
root@DD-WRT:~#

nibb
DD-WRT Novice


Joined: 24 Feb 2011
Posts: 14

Posted: Fri Feb 25, 2011 3:23
So disabling NAT is a feature?

Did you fall out of bed and hit your head?

You're basically breaking all kinds of services that need NAT, like SIP protocols, teleconference, remote desktops, xbox, and god knows what else.

If you are making a VoIP call from a LAN device it needs to send the public IP on the packets, not the internal LAN like it does now; this is normally done with STUN, but any normal router replaces the private LAN IP with the public one when it hits the router.

I'm not sure how you would call this a feature, I would call it a massive mega huge bug. No wonder people want it working like it was before. Now I understand why nothing seems to work behind WRT, not even basic stuff.
Sash
DD-WRT Guru


Joined: 20 Sep 2006
Posts: 17619
Location: Hesse/Germany

Posted: Fri Feb 25, 2011 16:09
I guess you don't know what we're talking about.
hijglander
DD-WRT Novice


Joined: 08 Oct 2009
Posts: 45
Location: NL

Posted: Fri Mar 11, 2011 18:52
Adding this command to the firewall appears to enable what you need:
Code:

iptables -t nat -A POSTROUTING -j MASQUERADE
rpvdb
DD-WRT Novice


Joined: 17 Jan 2011
Posts: 8

Posted: Sat Mar 26, 2011 13:18
hijglander wrote:
Adding this command to the firewall appears to enable what you need:
Code:

iptables -t nat -A POSTROUTING -j MASQUERADE


Well done, it indeed seems to resolve the issue!
I had sort of solved it like this, adding in the DNS this:

address=/www.mydomain.com/10.1.1.1

but that did not take into account any port transforms or any ports set to a different device than the .1. Your solution is far better! Thanks!
rpvdb
DD-WRT Novice


Joined: 17 Jan 2011
Posts: 8

Posted: Tue May 31, 2011 14:37
After the IPTABLES solution I have now discovered this also changes the WAN source address into the router LAN address. This messes up my webserver statistics and my auto block features, since all users now appear as the router IP.

I cannot find a solution for this. Any thoughts? I probably need to change the iptables command in some way, but I have not been able to see how.
watice
DD-WRT Novice


Joined: 17 Jul 2008
Posts: 21
Location: Queens, NYC

Posted: Sun Aug 07, 2011 23:31
I agree that this is a bug. When you disable WAN NAT redirection, and it doesn't disable, that means it doesn't work as intended. That's called a bug.

It's highly annoying to disable NAT. Guess I'll just start it up using scripts.
m4g1k
DD-WRT Novice


Joined: 24 Mar 2012
Posts: 1

Posted: Sat Mar 24, 2012 5:45
rpvdb wrote:
After the IPTABLES solution I have now discovered this also changes the WAN source address into the router LAN address. This messes up my webserver statistics and my auto block features, since all users now appear as the router IP.

I cannot find a solution for this. Any thoughts? I probably need to change the iptables command in some way, but I have not been able to see how.


Try this iptables command instead:
Code:
iptables -t nat -A POSTROUTING -o br0 -s 192.168.0.0/24 -d 192.168.0.0/24 -j SNAT --to-source 10.0.0.1

Where 192.168.0.0/24 is your LAN and 10.0.0.1 is your WAN IP.
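
An added example, not part of any post in this thread: a small shell audit that tells the blanket MASQUERADE rule (which hides WAN client addresses from server logs and auto-block tools) apart from the LAN-scoped SNAT rule. The function names, the `br0` default and the sample rule list are assumptions constructed for illustration; rules are read as `-A ...` specifications such as those in a firewall startup script.

```shell
#!/bin/sh
# Added example: flag POSTROUTING source-NAT rules that also rewrite WAN client sources.
# classify_rule RULE [LAN_IF] -> prints BROAD, SCOPED or IGNORED.
# LAN_IF defaults to br0, the LAN bridge name seen in the thread (assumption).
classify_rule() {
    rule=$1 lan_if=${2:-br0}
    chain="" src="" out="" target="" prev=""
    set -f                          # keep "*" and similar from globbing
    for word in $rule; do
        case $prev in
            -A) chain=$word ;;
            -s|--source) src=$word ;;
            -o|--out-interface) out=$word ;;
            -j|--jump) target=$word ;;
        esac
        prev=$word
    done
    set +f
    case $src in 0.0.0.0/0) src="" ;; esac   # all-zero source is no restriction
    case "$chain:$target" in
        POSTROUTING:SNAT|POSTROUTING:MASQUERADE) ;;
        *) echo IGNORED; return 0 ;;
    esac
    if [ -z "$src" ] && { [ -z "$out" ] || [ "$out" = "$lan_if" ]; }; then
        echo BROAD                  # also matches WAN clients forwarded to the LAN
    else
        echo SCOPED                 # limited by source net or a non-LAN out interface
    fi
}

# audit_rules [LAN_IF]: read rules on stdin, print the broad ones and a count.
audit_rules() {
    broad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if [ "$(classify_rule "$line" "${1:-br0}")" = BROAD ]; then
            echo "BROAD: $line"
            broad=$((broad + 1))
        fi
    done
    echo "$broad broad rule(s)"
}
# Constructed sample: the two rules posted in the thread plus a WAN-side SNAT.
SAMPLE_RULES='iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -t nat -A POSTROUTING -o br0 -s 192.168.0.0/24 -d 192.168.0.0/24 -j SNAT --to-source 10.0.0.1
iptables -t nat -A POSTROUTING -o ixp1 -j SNAT --to-source 10.0.0.1'
printf '%s\n' "$SAMPLE_RULES" | audit_rules br0
```

Only the unscoped MASQUERADE line is reported; the rule restricted to LAN-to-LAN traffic on `br0` leaves the source address of connections arriving from the WAN untouched.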