Posted: Mon Sep 05, 2011 22:02 Post subject: Re: NAT Loopback fix for 15760 and higher, (Port forward iss
phuzi0n wrote:
I spent some time thinking about the best way to fix loopback. Despite some bad documentation throwing me off before, I found that it's possible to mark traffic destined to the WAN IP and then only masquerade the marked traffic. This should allow loopback to work for all local interfaces without causing problems when ebtables is loaded.
Save the following commands to the Firewall Script on the Administration->Commands page to fix loopback.
insmod ipt_mark
insmod xt_mark
iptables -t mangle -A PREROUTING -i ! `get_wanface` -d `nvram get wan_ipaddr` -j MARK --set-mark 0xd001
iptables -t nat -A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE
The one known caveat is that badly written QoS scripts will prevent it from working, but that's a problem with the scripts that needs to be fixed...
Does anyone have any suggestions? I can hit these machines (obviously) using their internal addresses, but it'd be easier for my users if they didn't have to do MAT (manual address translation) and work differently from home and from the office.
Posted: Wed Oct 19, 2011 23:25 Post subject: Re: loopback not working for me for one-to-one NAT
jipis wrote:
Does anyone have any suggestions? I can hit these machines (obviously) using their internal addresses, but it'd be easier for my users if they didn't have to do MAT (manual address translation) and work differently from home and from the office.
My bet is that you need to hard reset and reconfigure from scratch, but I can't say for sure unless I see everything from iptables; PM it if you like or just try the hard reset.
iptables -vnL
iptables -t nat -vnL
iptables -t mangle -vnL
_________________ Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
From the output you gave me it seems that you have custom iptables rules to do the port forwarding and you're limiting your port forwards to only -i vlan2 so that they're only effective for traffic coming in from the WAN. You need to remove that portion of your rules so that they will match traffic from your LAN too.
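An added check in the spirit of the diagnosis above (example code, not from the thread or from phuzi0n): it scans saved `iptables -t nat -vnL` output for DNAT port forwards whose `in` column is pinned to the WAN interface, since those never match LAN-originated traffic and the mark+MASQUERADE loopback fix cannot help them. The interface name vlan2 and `get_wanface` come from the thread; the sample table is constructed.

```shell
#!/bin/sh
# Added example: find DNAT rules restricted to the WAN interface in saved
# `iptables -t nat -vnL` output. On a router you would run:
#   iptables -t nat -vnL | wan_only_dnat "$(get_wanface)"
# Column layout of -vnL: pkts bytes target prot opt in out src dst [extras]

# Print "dport -> target" for every DNAT rule whose `in` column equals $1.
wan_only_dnat() {
    awk -v wan="$1" '
        $3 == "DNAT" && $6 == wan {
            dport = "?"; to = "?"
            for (i = 10; i <= NF; i++) {
                if ($i ~ /^dpt:/) dport = substr($i, 5)
                if ($i ~ /^to:/)  to = substr($i, 4)
            }
            print dport " -> " to
        }'
}

# Succeeds (exit 0) only when no forward is pinned to the WAN interface,
# i.e. when the loopback fix can reach every DNAT rule.
check_loopback_ready() {
    n=$(wan_only_dnat "$1" | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Constructed sample: one forward restricted to vlan2, one unrestricted,
# plus the masquerade rule the thread's fix installs.
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 1234 packets, 100K bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   720 DNAT       tcp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.1.10:80
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 to:192.168.1.11:22

Chain POSTROUTING (policy ACCEPT 55 packets, 4000 bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   300 MASQUERADE  all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0            mark match 0xd001'

# Example run: reports the port-80 forward as WAN-only.
printf '%s\n' "$SAMPLE_NAT" | wan_only_dnat vlan2
```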
Sorry for bringing this thread back from the dead, but does SVN version 17911 fix NAT loopback? Many changes were made relating to the nvram variable block_loopback.
@ErMeglio - You're double NAT'ing and it's possible that the main router isn't able to loopback or hasn't been configured to forward the ports.
That's the real problem for sure, you're right! I thought I could do something to make it work anyway, but it seems not, or not in this way, right?
Port forwarding works on the main router+modem and on dd-wrt too, so that's not the matter.
Could there be another way to send back requests that go to my *outside* WAN IP from dd-wrt using a similar script, but avoiding passing through the ISP NAT?
My IP is static too; that could help.
Sorry from me too, but what about this? I've moved to an E4200 and I'm running 17949.
Is there some way to tell the router: send everything from the home network that goes towards *my internet IP ... which is 100% static and fixed now* to the E4200 router itself?
Posted: Thu Jan 05, 2012 16:28 Post subject: Re: NAT Loopback fix for 15760 and higher, (Port forward iss
phuzi0n wrote:
Save the following commands to the Firewall Script on the Administration->Commands page to fix loopback.
insmod ipt_mark
insmod xt_mark
iptables -t mangle -A PREROUTING -i ! `get_wanface` -d `nvram get wan_ipaddr` -j MARK --set-mark 0xd001
iptables -t nat -A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE
I'm using r18007 (Belkin N router, Broadcom) and tried the above commands (as-is, no modification), then rebooted... loopback is not working for me.
phuzi0n wrote:
If you have a block of static IPs using 1:1 NAT, then you also need to add another iptables rule to cover your IP block. Edit the bolded netblock to be your static IP block.
iptables -t mangle -A PREROUTING -i ! `get_wanface` -d 1.1.1.0/24 -j MARK --set-mark 0xd001
I have port forwarding from the internet to specific systems on my LAN. Do I need this statement?
Posted: Thu Jan 12, 2012 6:49 Post subject: Thank you!
Thank you so much phuzi0n! I was at my wits' end with non-functioning port forwarding in every build I tried on my RT-N16. Spent hours, was ready to burn the house down in frustration. Your fix worked in seconds, and you are my hero, +100 internets for you.