NAT Loopback (port forwarding) fix for builds 15760-19969

DD-WRT Forum Index -> Broadcom SoC based Hardware
madman999
DD-WRT Guru


Joined: 11 Jun 2012
Posts: 1042

PostPosted: Mon Oct 15, 2012 16:44    Post subject:
I don't even know how to test that. I did go to the Shields Up web page

http://www.grc.com/x/ne.dll?rh1dkyd2

to do a scan and it said the first 1023 ports on my router were clean and secure. The second question is how would I know if that website/tool is accurate? Then again, who knows if that's so only because I turned off WAN pinging?

_________________
Please state what make and model router plus the build number and type of DD-WRT you are using. Screen prints and a network diagram are also helpful. Before you create a new post, use the search function. Chances are your issue has happened to someone else.

Common F.A.Q.
Where can I get the latest test Firmware or older ones?
https://download1.dd-wrt.com/dd-wrtv2/downloads/betas/

Asus RT-AC66R on 3.x 28072 Giga
TP-Link Archer C9 on 3.x r54095
morganjayp
DD-WRT Novice


Joined: 15 Oct 2012
Posts: 4

PostPosted: Mon Oct 15, 2012 21:48    Post subject:
No, a port-scan wouldn't be affected by ping-response, that is separate. Sounds like it doesn't mess up the security, then, it just seems strange from 10,000' to treat all traffic the same, regardless of origin, in order to fix a forwarding issue. I guess I just don't understand what the masquerade command is doing...
marioja
DD-WRT Novice


Joined: 15 Sep 2012
Posts: 6

PostPosted: Wed Oct 17, 2012 15:22    Post subject: Re: NAT Loopback fix for 15760 and higher, (Port forward iss
phuzi0n wrote:
I spent some time thinking about the best way to fix loopback. Despite some bad documentation throwing me off before, I found that it's possible to mark traffic destined to the WAN IP and then only masquerade the marked traffic. This should allow loopback to work for all local interfaces without causing problems when ebtables is loaded.

Save the following commands to the Firewall Script on the Administration->Commands page to fix loopback.

Code:
insmod ipt_mark
insmod xt_mark
iptables -t mangle -A PREROUTING -i ! `get_wanface` -d `nvram get wan_ipaddr` -j MARK --set-mark 0xd001
iptables -t nat -A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE

If you have a block of static IPs using 1:1 NAT then you also need to add another iptables rule to cover your IP block. Edit the bolded netblock to be your static IP block.

Code:
iptables -t mangle -A PREROUTING -i ! `get_wanface` -d 1.1.1.0/24 -j MARK --set-mark 0xd001


The one known caveat is that badly written QoS scripts will prevent it from working but that's a problem with the scripts that needs to be fixed...

Other ways to fix the loopback problem can be found in this bug ticket:
http://svn.dd-wrt.com:8000/ticket/1868

I did this fix on SVN 15962 on WRT300N. It works for a couple of internal devices but it does not work for 1 laptop that has a MAC address QoS rule. Is this a known issue and is there a fix for it?
marioja
DD-WRT Novice


Joined: 15 Sep 2012
Posts: 6

PostPosted: Wed Oct 17, 2012 15:34    Post subject: How to find out when this is included
barryware wrote:
something in trac about "fix nat_loopback":

http://svn.dd-wrt.com:8000/changeset/19896

maybe these entries will no longer be needed..

Barryware

Not being familiar with the DD-WRT build processes and TRAC in particular, how can one find out which build and when this would be included in a firmware build?

Thanks
marioja
DD-WRT Novice


Joined: 15 Sep 2012
Posts: 6

PostPosted: Wed Oct 17, 2012 15:37    Post subject: Does this problem exist in build 14929
Just a question of general interest. Was this problem also found in build 14929? If not, how was this being addressed in that build?



PostPosted: Wed Oct 17, 2012 22:18    Post subject:
@marioja: Hi, as I wrote a page back, it's fixed in all builds after 19933. I'm on 20086 now and everything's working quite well.

It worked in builds prior to 15760 because the change that broke it hadn't been made yet.
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

PostPosted: Thu Oct 18, 2012 1:17    Post subject: Re: NAT Loopback fix for 15760 and higher, (Port forward iss
marioja wrote:
I did this fix on SVN 15962 on WRT300N. It works for a couple of internal devices but it does not work for 1 laptop that has a MAC address QoS rule. Is this a known issue and is there a fix for it?

Yeah, Markus pointed out that the marks need to be saved with conntrack so that they're not killed by the conntrack restore rules that QoS (and maybe AR) use. The >20000 builds have it included, but if you want to do it on older builds then you should add this to the bottom of the script:

Code:
iptables -t mangle -A PREROUTING -j CONNMARK --save-mark

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
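The following is an added model, not code from this thread or from DD-WRT, and it never calls iptables. It walks one new connection's first packet through the chains the posted rules touch, so that two points from the discussion can be checked in isolation: morganjayp's question of what MASQUERADE is doing and why marking means only hairpin traffic (LAN client to WAN IP) gets its source rewritten while external clients keep their real address on the internal server, and phuzi0n's reply above on why the CONNMARK --save-mark line is needed once a QoS script restores marks from conntrack. The addresses, interface names, the port forward, the "masquerade everything" variant and the position of the QoS restore step are all constructed assumptions; the `firewall_script` helper only assembles the rule lines quoted in this thread (in the modern `! -i` spelling).

```python
"""Added model of the NAT-loopback rules discussed in this thread.

Not code from the thread or from DD-WRT, and it never calls iptables. It walks
one new connection's first packet through the chains the posted rules touch so
that two things can be checked: why only *marked* (hairpin) traffic is
masqueraded, and why the CONNMARK --save-mark line matters when a QoS script
restores marks from conntrack. All addresses, interface names and the position
of the QoS restore step are constructed assumptions.
"""
from dataclasses import dataclass

LOOPBACK_MARK = 0xD001            # the mark value used in the posted rules

# Constructed topology (assumption): WAN on vlan2, LAN bridge br0.
WAN_IF, WAN_IP = "vlan2", "203.0.113.5"
ROUTER_LAN_IP = "192.168.1.1"
PORT_FORWARDS = {80: ("192.168.1.10", 80)}   # WAN_IP:80 -> 192.168.1.10:80


@dataclass
class Packet:
    in_if: str    # interface the packet arrived on
    src: str
    dst: str
    dport: int
    mark: int = 0


def firewall_script(netblock=None):
    """Return the Firewall Script lines from the thread: the OP rules plus the
    CONNMARK line from phuzi0n's later reply, in modern `! -i` syntax.
    `netblock` adds the extra MARK rule for a 1:1 NAT static block."""
    mark = f"-j MARK --set-mark {LOOPBACK_MARK:#x}"
    lines = [
        "insmod ipt_mark",
        "insmod xt_mark",
        f"iptables -t mangle -A PREROUTING ! -i `get_wanface` -d `nvram get wan_ipaddr` {mark}",
    ]
    if netblock:
        lines.append(f"iptables -t mangle -A PREROUTING ! -i `get_wanface` -d {netblock} {mark}")
    lines.append(f"iptables -t nat -A POSTROUTING -m mark --mark {LOOPBACK_MARK:#x} -j MASQUERADE")
    lines.append("iptables -t mangle -A PREROUTING -j CONNMARK --save-mark")
    return lines


def route(pkt, save_mark=True, qos_restore=False, masq_all=False):
    """Model the packet path. Returns (source the LAN server sees, destination).

    save_mark   -> the CONNMARK --save-mark rule is present
    qos_restore -> a QoS script later does CONNMARK --restore-mark (assumed to
                   run between PREROUTING and POSTROUTING)
    masq_all    -> naive variant that masquerades every forwarded packet,
                   included only to show what marking avoids
    """
    connmark = 0
    # mangle PREROUTING: mark traffic to the WAN IP that did NOT arrive on the WAN
    if pkt.in_if != WAN_IF and pkt.dst == WAN_IP:
        pkt.mark = LOOPBACK_MARK
    if save_mark:
        connmark = pkt.mark           # the conntrack entry now remembers the mark
    # nat PREROUTING: the port forward (DNAT) rewrites the destination
    if pkt.dst == WAN_IP and pkt.dport in PORT_FORWARDS:
        pkt.dst, pkt.dport = PORT_FORWARDS[pkt.dport]
    if qos_restore:
        pkt.mark = connmark           # without --save-mark this zeroes the mark
    # nat POSTROUTING: MASQUERADE rewrites the source to the router's own
    # address on the outgoing (LAN) interface. For a hairpin flow this is what
    # makes the server's reply come back through the router instead of going
    # straight to the LAN client, which expected a reply from WAN_IP.
    if masq_all or pkt.mark == LOOPBACK_MARK:
        pkt.src = ROUTER_LAN_IP
    return pkt.src, pkt.dst


def hairpin_works(**kwargs):
    """True when a LAN client reaching WAN_IP:80 gets its source rewritten."""
    src, _ = route(Packet("br0", "192.168.1.50", WAN_IP, 80), **kwargs)
    return src == ROUTER_LAN_IP


if __name__ == "__main__":
    print("\n".join(firewall_script()))
    print("external client seen as:", route(Packet(WAN_IF, "198.51.100.7", WAN_IP, 80))[0])
    print("external client, masquerade-all:", route(Packet(WAN_IF, "198.51.100.7", WAN_IP, 80), masq_all=True)[0])
    print("hairpin with QoS restore, no save-mark:", hairpin_works(save_mark=False, qos_restore=True))
    print("hairpin with QoS restore, save-mark:", hairpin_works(qos_restore=True))
```

Running it shows the external client's real address reaching the internal server under the marking rules, the same client appearing as 192.168.1.1 under the masquerade-everything variant (which is what makes per-client logging and access control on the server useless), and the hairpin flow failing once a QoS restore runs without the --save-mark line.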
code65536
DD-WRT User


Joined: 28 Dec 2011
Posts: 100
Location: .us

PostPosted: Sat Nov 03, 2012 3:24    Post subject:
From my (limited) understanding, the original behavior (before it "broke") was that the NAT rule was hard-coded in. That hard-coding was then removed because it's non-standard behavior, and people who wanted the old behavior could add the rule back in manually, so no functionality is lost (just an extra step added to the setup). Now all that this new "fix" does is revert to the old way of hard-coding this rule in, regardless of whether you want it or not. Since there is essentially no difference between adding the rule manually and having it added automatically, why this reversal?

I do use (and require) the NAT loopback, so I personally don't care either way. But on principle, if the loopback is indeed nonstandard, then I think that the so-called "broken" behavior was correct.
obi--wan
DD-WRT Novice


Joined: 16 Mar 2012
Posts: 25
Location: Poland

PostPosted: Mon Nov 05, 2012 21:11    Post subject:
Yeah, it worked for me. I tried only the 4-line version. Works like a charm. Netgear WNDR3700v2 v17201.
I only have a small question. What does the "Filter WAN NAT Redirection" checkbox do in the "loopback-broken" versions? It is supposed to turn NAT loopback on and off, isn't it? Why did someone "break" all loopback in the code, instead of only changing the default of this checkbox, if they wanted to change the default behavior of routers?
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

PostPosted: Tue Nov 13, 2012 19:22    Post subject:
code65536 wrote:
From my (limited) understanding, the original behavior (before it "broke") was that the NAT rule was hard-coded in. That hard-coding was then removed because it's non-standard behavior, and people who wanted the old behavior could add the rule back in manually, so no functionality is lost (just an extra step added to the setup). Now all that this new "fix" does is revert to the old way of hard-coding this rule in, regardless of whether you want it or not. Since there is essentially no difference between adding the rule manually and having it added automatically, why this reversal?

I do use (and require) the NAT loopback, so I personally don't care either way. But on principle, if the loopback is indeed nonstandard, then I think that the so-called "broken" behavior was correct.

Your understanding is wrong. There has always been an option to enable or disable loopback (very long ago there were even duplicate options); that option ("Filter WAN NAT Redirection" unchecked in security settings) was left in the GUI but did nothing, and is now fixed to actually disable/enable loopback again. It could use a more obvious name though.

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
68rustang
DD-WRT Novice


Joined: 11 Jan 2010
Posts: 33

PostPosted: Sat Jan 26, 2013 5:32    Post subject:
Where do I add the text if I am running pixelserv on the router which adds the following to the firewall:

Code:
/usr/sbin/iptables -t nat -I PREROUTING 1 -d 192.168.1.1 -p tcp --dport 80 -j DNAT --to 192.168.1.1:81


I have tried pasting it before and after but it breaks pixelserv each time.
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

PostPosted: Sun Jan 27, 2013 21:56    Post subject:
68rustang wrote:
Where do I add the text if I am running pixelserv on the router which adds the following to the firewall:

Code:
/usr/sbin/iptables -t nat -I PREROUTING 1 -d 192.168.1.1 -p tcp --dport 80 -j DNAT --to 192.168.1.1:81


I have tried pasting it before and after but it breaks pixelserv each time.

Are you saying that the pixelserv command works fine without the loopback rules in the OP but breaks when you have both, or are you just having trouble getting pixelserv to work on its own? The loopback rules don't touch any of the same traffic that the pixelserv rule does so there shouldn't be any problems doing both unless for some crazy reason your WAN IP happens to be 192.168.1.1.

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
68rustang
DD-WRT Novice


Joined: 11 Jan 2010
Posts: 33

PostPosted: Sun Jan 27, 2013 23:17    Post subject:
Must have been something else causing my issue earlier. I cleared the PixelServ rules from the Firewall, pasted the loopback rules and let disable-ads.sh put the PixelServ rules back in, and everything works.

Thanks for your help.
seineil56k
DD-WRT Novice


Joined: 05 Jan 2013
Posts: 5

PostPosted: Fri Feb 08, 2013 8:07    Post subject:
Okay, in general I have a WRT320N w/mega, WRT54GS v6 w/micro and WRT54GTM with build 15962; this I read was a stable build for a WDS setup. Problem is now from the WAN I can get to the host router admin but am unable to get to any other of my forwarded ports.

I tried the three following options here http://svn.dd-wrt.com:8000/ticket/1868

Just to confirm, I only add this script to the firewall on the host router... Or do I add it to all three routers?
makaveli101
DD-WRT Novice


Joined: 17 May 2010
Posts: 44

PostPosted: Sun Feb 10, 2013 15:17    Post subject:
Didn't work on DIR-615 D.

Seems like 15778 is the only build for port forwards to function properly..

Really surprised there is no proper fix.
Page 9 of 11