NAT Loopback (port forwarding) fix for builds 15760-19969

froinds
DD-WRT Novice


Joined: 14 Jan 2012
Posts: 8

PostPosted: Mon Jan 16, 2012 19:41    Post subject: Reply with quote
This trick worked for me. I'm using BS 18024 big. Thanks
the block
DD-WRT Novice


Joined: 06 Feb 2008
Posts: 17

PostPosted: Fri Jan 20, 2012 1:38    Post subject: Reply with quote
For some reason I can't get this fix to work for me. I have an E3000 running build 16785. On my Administration -> Commands page, in the Firewall section, the below is listed:

insmod ipt_mark
insmod xt_mark
iptables -t mangle -A PREROUTING -i ! `get_wanface` -d `nvram get wan_ipaddr` -j MARK --set-mark 0xd001
iptables -t nat -A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE

I've rebooted the router several times, but still cannot access my SABnzbd server internally using the public URL. I've connected to my computer at work, and I can access it fine from there, so I know the port is forwarded properly.

Anyone have any ideas?

Thanks
bhasden
DD-WRT Novice


Joined: 10 Mar 2010
Posts: 2

PostPosted: Wed Jan 25, 2012 20:35    Post subject: Reply with quote
the block wrote:
For some reason I can't get this fix to work for me. I have an E3000 running build 16785. On my Administration -> Commands page, in the Firewall section, the below is listed:

insmod ipt_mark
insmod xt_mark
iptables -t mangle -A PREROUTING -i ! `get_wanface` -d `nvram get wan_ipaddr` -j MARK --set-mark 0xd001
iptables -t nat -A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE

I've rebooted the router several times, but still cannot access my SABnzbd server internally using the public URL. I've connected to my computer at work, and I can access it fine from there, so I know the port is forwarded properly.

Anyone have any ideas?

Thanks


Sorry to hear the fix isn't working for the E3000 for you. It's working properly for me. I added the commands to the Firewall Script then rebooted the router via the configuration website. I have the standard ROM from the initial flashing.
davidstoll
DD-WRT User


Joined: 24 Apr 2009
Posts: 92

PostPosted: Sat Jan 28, 2012 1:39    Post subject: Reply with quote
This trick doesn't work for me, but like phuzi0n mentioned (and referenced by a link) in the very first post, there are other methods.

This much more simple one worked for me:
iptables -t nat -I POSTROUTING -o br0 -s 192.168.0.0/24 -d 192.168.0.0/24 -j MASQUERADE

My network is 192.168.0.x rather than 192.168.1.x

E3000 build 15943M (v24-sp2 (12/19/10) mega)
the block
DD-WRT Novice


Joined: 06 Feb 2008
Posts: 17

PostPosted: Wed Feb 01, 2012 16:47    Post subject: Reply with quote
davidstoll wrote:
This trick doesn't work for me, but like phuzi0n mentioned (and referenced by a link) in the very first post, there are other methods.

This much more simple one worked for me:
iptables -t nat -I POSTROUTING -o br0 -s 192.168.0.0/24 -d 192.168.0.0/24 -j MASQUERADE

My network is 192.168.0.x rather than 192.168.1.x

E3000 build 15943M (v24-sp2 (12/19/10) mega)


That just did the trick for me (after changing to 192.168.1.0), thanks.
FBOMB
DD-WRT Novice


Joined: 01 Feb 2012
Posts: 1

PostPosted: Wed Feb 01, 2012 17:22    Post subject: Reply with quote
davidstoll wrote:
This trick doesn't work for me, but like phuzi0n mentioned (and referenced by a link) in the very first post, there are other methods.

This much more simple one worked for me:
iptables -t nat -I POSTROUTING -o br0 -s 192.168.0.0/24 -d 192.168.0.0/24 -j MASQUERADE

My network is 192.168.0.x rather than 192.168.1.x

E3000 build 15943M (v24-sp2 (12/19/10) mega)


Thanks a lot, this worked for me as well. I have an E3000 running build 16785. I had been searching for a solution for this problem all morning.
CheezWiz
DD-WRT Novice


Joined: 14 Feb 2009
Posts: 1

PostPosted: Sat Feb 11, 2012 16:16    Post subject: Reply with quote
I finally got sick of the ONE annoying thing about DDWRT and found this thread.

I'm trying this fix on a WNDR3700 running 15962.

It works fine for me from any wired lan clients, but not from the wireless interfaces.

Any suggestions?
ErMeglio
DD-WRT User


Joined: 11 Jul 2006
Posts: 104

PostPosted: Tue Feb 21, 2012 10:54    Post subject: Reply with quote
davidstoll wrote:
This trick doesn't work for me, but like phuzi0n mentioned (and referenced by a link) in the very first post, there are other methods.

This much more simple one worked for me:
iptables -t nat -I POSTROUTING -o br0 -s 192.168.0.0/24 -d 192.168.0.0/24 -j MASQUERADE

My network is 192.168.0.x rather than 192.168.1.x

E3000 build 15943M (v24-sp2 (12/19/10) mega)

Fast and easy, thanks a lot, it worked on the fly and works over WiFi too!
E4200 build 18050M (Kong)
uladzislau
DD-WRT Novice


Joined: 28 Aug 2010
Posts: 10

PostPosted: Tue Mar 06, 2012 7:45    Post subject: Reply with quote
davidstoll wrote:
This much more simple one worked for me:
iptables -t nat -I POSTROUTING -o br0 -s 192.168.0.0/24 -d 192.168.0.0/24 -j MASQUERADE

Works perfectly on Netgear WNDR3700, thanks!
(with 192.168.1.0)
Mage
DD-WRT Novice


Joined: 20 May 2011
Posts: 4

PostPosted: Sat Apr 07, 2012 14:24    Post subject: Re: NAT Loopback fix for 15760 and higher, (Port forward iss Reply with quote
phuzi0n wrote:
I spent some time thinking about the best way to fix loopback. Despite some bad documentation throwing me off before, I found that it's possible to mark traffic destined to the WAN IP and then only masquerade the marked traffic. This should allow loopback to work for all local interfaces without causing problems when ebtables is loaded.


None of these methods works for me anymore on my E4200 since I upgraded to DD-WRT v24-sp2 (03/19/12) big.

Before that I used the oneliner with several DD-WRT builds:

iptables -t nat -I POSTROUTING -o br0 -s 192.168.1.0/24 -d 192.168.1.0/24 -j MASQUERADE

Worked before, doesn't work now, and the 4-line version also doesn't.

I read on this forum that people keep saying that we don't need to access our LAN with the WAN IP address from inside.

People telling this have serious mental problems.

Many users complain because they need it. If they didn't need it, they wouldn't even know about this issue.

Please fix it.
ltek
DD-WRT Novice


Joined: 26 May 2011
Posts: 16

PostPosted: Sat Apr 07, 2012 15:52    Post subject: Reply with quote
I agree... this is a fix that should be hard coded as an option (simple checkbox) in the main branch.




Joined: 01 Jan 1970
Posts:

PostPosted: Sun Apr 08, 2012 19:23    Post subject: Reply with quote
Can anyone confirm if this has yet been patched in the latest/current releases?




Joined: 01 Jan 1970
Posts:

PostPosted: Sun Apr 08, 2012 19:32    Post subject: Re: NAT Loopback fix for 15760 and higher, (Port forward iss Reply with quote
phuzi0n wrote:
I spent some time thinking about the best way to fix loopback.


If it's left unfixed, could this contribute to security in some way? In other words, what are the security implications of this loopback matter, and if there are no server needs whatsoever, doesn't that help secure the router/network better in the absence of loopback?
Nebudchanezzer
DD-WRT User


Joined: 09 Apr 2012
Posts: 60

PostPosted: Mon Apr 09, 2012 20:01    Post subject: Re: NAT Loopback fix for 15760 and higher, (Port forward iss Reply with quote
phuzi0n wrote:
I spent some time thinking about the best way to fix loopback. Despite some bad documentation throwing me off before, I found that it's possible to mark traffic destined to the WAN IP and then only masquerade the marked traffic. This should allow loopback to work for all local interfaces without causing problems when ebtables is loaded.

Save the following commands to the Firewall Script on the Administration->Commands page to fix loopback.

insmod ipt_mark
insmod xt_mark
iptables -t mangle -A PREROUTING -i ! `get_wanface` -d `nvram get wan_ipaddr` -j MARK --set-mark 0xd001
iptables -t nat -A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE

If you have a block of static IPs using 1:1 NAT then you also need to add another iptables rule to cover your IP block. Edit the bolded netblock to be your static IP block.

iptables -t mangle -A PREROUTING -i ! `get_wanface` -d 1.1.1.0/24 -j MARK --set-mark 0xd001


The one known caveat is that badly written QoS scripts will prevent it from working but that's a problem with the scripts that needs to be fixed...

Other ways to fix the loopback problem can be found in this bug ticket:
http://svn.dd-wrt.com:8000/ticket/1868


Tried it on an ASUS N66U, and it worked like a charm!
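The three rule variants posted in this thread (phuzi0n's 4-line fwmark fix quoted above, his extra rule for a 1:1 NAT netblock, and davidstoll's LAN-to-LAN one-liner from earlier on this page), collected into one script as an added example that is not part of the original posts. `get_wanface` and `nvram get wan_ipaddr` are DD-WRT's own helpers as used in the thread; the function names, the `valid_cidr` sanity check, the `MARK` constant and the sample values `eth0` / `203.0.113.5` are assumptions of this example. The script only prints the rules, so they can be reviewed before being pasted into the Firewall Script or piped into `sh` on the router.

```sh
#!/bin/sh
# Added example, not from the thread: generate the NAT loopback rule sets
# discussed above for a chosen WAN interface, WAN IP and LAN subnet.
# On the router the WAN details come from DD-WRT's own helpers
# (`get_wanface`, `nvram get wan_ipaddr`); the functions take them as
# arguments so the output can be inspected before anything is applied.
# Router usage:  sh nat_loopback.sh mark | sh      (fwmark fix)
#                sh nat_loopback.sh subnet 192.168.1.0/24 | sh

MARK=0xd001   # the fwmark phuzi0n's rules use (assumed constant name)

# Minimal sanity check of a string such as 192.168.1.0/24.
# Returns 0 when it looks like a valid IPv4 CIDR, 1 otherwise.
valid_cidr() {
    cidr=$1
    case $cidr in
        ''|*[!0-9./]*|*/*/*) return 1 ;;   # empty, odd characters, two slashes
        */*) ;;
        *) return 1 ;;                     # no prefix length at all
    esac
    ip=${cidr%/*}
    prefix=${cidr#*/}
    [ -n "$prefix" ] && [ "$prefix" -le 32 ] || return 1
    n=0
    old_ifs=$IFS; IFS=.
    for octet in $ip; do
        n=$((n + 1))
        [ -n "$octet" ] && [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
    [ "$n" -eq 4 ]
}

# Method 1 (phuzi0n's fix): mark packets that arrive on any non-WAN
# interface and are addressed to the WAN IP, then masquerade only marked
# packets. `-i !` is the negation form used in the thread's posts; newer
# iptables spells the same thing `! -i`.
mark_rules() {
    wan_if=$1; wan_ip=$2
    printf '%s\n' \
        'insmod ipt_mark' \
        'insmod xt_mark' \
        "iptables -t mangle -A PREROUTING -i ! $wan_if -d $wan_ip -j MARK --set-mark $MARK" \
        "iptables -t nat -A POSTROUTING -m mark --mark $MARK -j MASQUERADE"
}

# Extension for a block of static IPs handled by 1:1 NAT: mark traffic to
# the whole block too, so the same POSTROUTING rule covers it.
netblock_rule() {
    wan_if=$1; block=$2
    valid_cidr "$block" || { echo "bad netblock: $block" >&2; return 1; }
    printf '%s\n' "iptables -t mangle -A PREROUTING -i ! $wan_if -d $block -j MARK --set-mark $MARK"
}

# Method 2 (davidstoll's one-liner): masquerade LAN-to-same-LAN traffic
# leaving the bridge, so the forwarded server replies via the router instead
# of directly to a LAN client that is expecting the WAN IP as its peer.
subnet_rule() {
    lan=$1; br=${2:-br0}
    valid_cidr "$lan" || { echo "bad LAN subnet: $lan" >&2; return 1; }
    printf '%s\n' "iptables -t nat -I POSTROUTING -o $br -s $lan -d $lan -j MASQUERADE"
}

# Dispatcher; on DD-WRT the WAN details are read from the running system.
main() {
    case $1 in
        mark)   mark_rules "$(get_wanface)" "$(nvram get wan_ipaddr)" ;;
        block)  netblock_rule "$(get_wanface)" "$2" ;;
        subnet) subnet_rule "$2" "${3:-br0}" ;;
        *) echo "usage: $0 mark | block <cidr> | subnet <lan-cidr> [bridge]" >&2; return 2 ;;
    esac
}

if [ $# -gt 0 ]; then main "$@"; fi
```

The CIDR check exists because the one-liner silently does nothing useful if the subnet is typed wrong (several posters above had to change 192.168.0.0 to 192.168.1.0); printing the rules first lets you compare the `-s`/`-d` values against the router's LAN address before loading them.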
TX CS Aggie
DD-WRT Novice


Joined: 26 Mar 2012
Posts: 26

PostPosted: Tue Apr 17, 2012 17:59    Post subject: Reply with quote
Forgive the stupidity but, how do I test to see if the NAT Loopback is fixed?
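Two ways of answering that question, as an added example that is not part of this thread: `has_loopback_rule` reads an `iptables -t nat -S POSTROUTING` dump and reports whether either fix from this thread is loaded, and `probe_loopback` does the real end-to-end check from a LAN client by fetching the forwarded service through the public IP with `curl`. The sample dumps, the `vlan2` WAN port name and the `192.168.1.0/24` subnet are constructed for illustration; the function names and the `MARK` constant are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the thread: check whether NAT loopback is in
# place, first by inspecting the nat table, then by a live fetch from a
# LAN client. Sample dumps below are constructed for illustration.

MARK=0xd001   # fwmark used by the 4-line fix (assumed constant name)

# Constructed dump as `iptables -t nat -S POSTROUTING` prints it on a
# router with the 4-line fix loaded (vlan2 is a common DD-WRT WAN port).
SAMPLE_WITH_FIX='-P POSTROUTING ACCEPT
-A POSTROUTING -o vlan2 -j MASQUERADE
-A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE'

# Constructed dump with the LAN-to-LAN one-liner instead.
SAMPLE_WITH_ONELINER='-P POSTROUTING ACCEPT
-A POSTROUTING -o br0 -s 192.168.1.0/24 -d 192.168.1.0/24 -j MASQUERADE
-A POSTROUTING -o vlan2 -j MASQUERADE'

# Stock ruleset: only the WAN masquerade, so hairpinned connections fail.
SAMPLE_WITHOUT_FIX='-P POSTROUTING ACCEPT
-A POSTROUTING -o vlan2 -j MASQUERADE'

# Reads a nat-table dump on stdin. Returns 0 if some POSTROUTING MASQUERADE
# rule is either the fwmark rule or a LAN-to-same-LAN rule, else 1.
has_loopback_rule() {
    while IFS= read -r rule; do
        case $rule in
            "-A POSTROUTING "*"-j MASQUERADE"*) ;;
            *) continue ;;
        esac
        case $rule in
            *"-m mark --mark $MARK "*) return 0 ;;
        esac
        src=$(printf '%s\n' "$rule" | sed -n 's/.* -s \([^ ]*\) .*/\1/p')
        dst=$(printf '%s\n' "$rule" | sed -n 's/.* -d \([^ ]*\) .*/\1/p')
        if [ -n "$src" ] && [ "$src" = "$dst" ]; then return 0; fi
    done
    return 1
}

# Wrapper for a dump held in a string. On the router itself use:
#   iptables -t nat -S POSTROUTING | has_loopback_rule && echo loaded
check_dump() {
    printf '%s\n' "$1" | has_loopback_rule
}

# A three-digit HTTP status means the service answered; curl prints 000
# when the connection never completed (timeout or refused).
reply_is_live() {
    case $1 in
        [1-5][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# End-to-end check, run from a LAN client (not the router): fetch the
# forwarded service via the public IP. Any HTTP status, even 401 or 404,
# proves the hairpin path works; only no reply at all means it does not.
# Usage: probe_loopback <wan-ip> <port>
probe_loopback() {
    wan_ip=$1; port=$2
    code=$(curl -s -o /dev/null --max-time 5 -w '%{http_code}' "http://$wan_ip:$port/" || true)
    if reply_is_live "$code"; then
        echo "loopback OK: $wan_ip:$port answered HTTP $code from inside the LAN"
    else
        echo "loopback FAILED: no reply from $wan_ip:$port (is the rule loaded?)" >&2
        return 1
    fi
}
```

Run the rule check on the router first; if the rule is loaded but the probe from a wireless client still fails (as CheezWiz reported above), compare the dump against a probe from a wired client, since the one-liner only masquerades traffic leaving the bridge named in its `-o` argument.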