NAT Loopback (port forwarding) fix for builds 15760-19969

Messer262
DD-WRT Novice


Joined: 12 Feb 2008
Posts: 38

PostPosted: Thu Feb 14, 2013 4:08    Post subject: Reply with quote
Thanks for the fix.

I see a lot of web pages where router manuf. say they turn it off because of security. Is this really a security issue?

Or can I just use your fix and don't worry about it?
Messer262
DD-WRT Novice


Joined: 12 Feb 2008
Posts: 38

PostPosted: Tue Mar 12, 2013 6:37    Post subject: Reply with quote
Messer262 wrote:
Thanks for the fix.

I see a lot of web pages where router manuf. say they turn it off because of security. Is this really a security issue?

Or can I just use your fix and don't worry about it?


I'm still curious about my initial question :)
Cheers!
MrSirUndersteer
DD-WRT Novice


Joined: 22 Mar 2013
Posts: 1

PostPosted: Fri Mar 22, 2013 17:09    Post subject: Reply with quote
Hi,

I have looked through multiple threads on how to fix the port forwarding issues with the code script, however, I have tried all of the suggested ones and none of them have worked.

I have a Linksys E3000 running the v24-sp2 build 15962, and I've been using the portforward.com portforward checker software to verify my ports being open, and so far it doesn't seem like any of them is working.

Any advice would be awesome. Also, if you need any more information from me, I will gladly provide it.
cwc1885
DD-WRT Novice


Joined: 06 Nov 2010
Posts: 31
Location: SE WA

PostPosted: Wed Jul 10, 2013 13:07    Post subject: worked on a e3200 port 80 Reply with quote
This is epic. worked for my e3200
How did you figure this out?

Is every line required?
insmod ipt_mark
insmod xt_mark
iptables -t mangle -A PREROUTING -i ! `get_wanface` -d `nvram get wan_ipaddr` -j MARK --set-mark 0xd001
iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
iptables -t nat -A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE

_________________
cwc
dscotl
DD-WRT Novice


Joined: 18 Jul 2013
Posts: 1

PostPosted: Thu Jul 18, 2013 20:39    Post subject: Works on Build 18874 (Asus RT-N16 ) Reply with quote
Thanks for working that out and posting. My vendor (FlashRouters) delivered the Asus RT-N16 with the earlier build and NAT Loopback was not available -- a real showstopper.
ddwrt.guy
DD-WRT Novice


Joined: 13 Aug 2013
Posts: 24

PostPosted: Thu Aug 15, 2013 20:03    Post subject: wndr3700v2 with dd-wrt 22118 Reply with quote
Environment:
WNDR3700v2 running 22118 as gateway router and AP.
I am using port forwards and port range forwards.

The PF/PRF work fine from any IP outside the wan.

From within the LAN, I can't access them.
LAN-ip => WAN-ip:port - does not work.

The only one that does work is
Lan-IP => Router-Wan-ip:SSH port.

I have tried the 2 approaches in this thread to enable loopback and they have not worked.

Attachments:
iptables -vnL = iptables.txt
iptables -t nat -vnL = NAT.txt

Any help appreciated. :)




<Kong>
DD-WRT Guru


Joined: 15 Dec 2010
Posts: 4339
Location: Germany

PostPosted: Thu Aug 15, 2013 20:20    Post subject: Reply with quote
Loopback works just fine, if you disable:

Filter WAN NAT Redirection

under Firewall settings. This is a basic feature that I use very often. Not sure why some people still come up with outdated fixes for something that ain't broken.

_________________
KONG PB's: http://www.desipro.de/ddwrt/
KONG Info: http://tips.desipro.de/
ddwrt.guy
DD-WRT Novice


Joined: 13 Aug 2013
Posts: 24

PostPosted: Thu Aug 15, 2013 20:25    Post subject: Reply with quote
<Kong> wrote:
Loopback works just fine, if you disable:

Filter WAN NAT Redirection

under Firewall settings. This is a basic feature that I use very often. Not sure why some people still come up with outdated fixes for something that ain't broken.


Thanks for the quick reply. This option IS turned off in the GUI yet I still have the issue. What else might cause this?
<Kong>
DD-WRT Guru


Joined: 15 Dec 2010
Posts: 4339
Location: Germany

PostPosted: Thu Aug 15, 2013 21:44    Post subject: Reply with quote
ddwrt.guy wrote:
<Kong> wrote:
Loopback works just fine, if you disable:

Filter WAN NAT Redirection

under Firewall settings. This is a basic feature that I use very often. Not sure why some people still come up with outdated fixes for something that ain't broken.


Thanks for the quick reply. This option IS turned off in the GUI yet I still have the issue. What else might cause this?


Probably something in your current setup vpn, bridges etc. Start with a simple config and you will see it works that way.

I did a quick test using netcat and I can confirm it works in a standard setup, what I did:

1. Create forward rule to port 5000 on my current machine

2. Open up a simple telnet server on port 5000 with netcat "nc -l -t -p 5000"

3. Connect with putty protocol telnet port 5000 to localhost -> works

4. Connect with putty protocol telnet port 5000 to my dyndns address -> works

_________________
KONG PB's: http://www.desipro.de/ddwrt/
KONG Info: http://tips.desipro.de/
ddwrt.guy
DD-WRT Novice


Joined: 13 Aug 2013
Posts: 24

PostPosted: Thu Aug 15, 2013 23:05    Post subject: Reply with quote
<Kong> wrote:

Probably something in your current setup vpn, bridges etc. Start with a simple config and you will see it works that way.

I did a quick test using netcat and I can confirm it works in a standard setup, what I did:

1. Create forward rule to port 5000 on my current machine

2. Open up a simple telnet server on port 5000 with netcat "nc -l -t -p 5000"

3. Connect with putty protocol telnet port 5000 to localhost -> works

4. Connect with putty protocol telnet port 5000 to my dyndns address -> works


Thanks for the guidance. I reloaded the config, testing the port forwards along the way. You were right! The problem was VPN.

I was running OpenVPN with a tap interface. I attached my config. It works well but obviously breaks the port forwards.

Any thoughts on what might be causing the VPN problem?



[Attachment: VPN.jpg]

katedhaka
DD-WRT Novice


Joined: 09 Sep 2013
Posts: 1

PostPosted: Mon Sep 09, 2013 6:02    Post subject: HI Reply with quote
Thanks for working since build 19969.
romkyns
DD-WRT Novice


Joined: 28 Sep 2013
Posts: 1

PostPosted: Sat Sep 28, 2013 16:26    Post subject: Reply with quote
<Kong> wrote:
Loopback works just fine, if you disable:

Filter WAN NAT Redirection

under Firewall settings. This is a basic feature that I use very often. Not sure why some people still come up with outdated fixes for something that ain't broken.

Ain't broken? In a pre-19969 build?

I start with factory defaults on my Buffalo HP-G300NH, built off r19484. I can initially see the DD-WRT UI on the WAN IP from both inside and outside. I change *only* one thing: add a port forwarding rule. I can now see my server from the outside, but not from the inside. The option you mention is disabled by default, though I tried both states.

If that's "ain't broken" then what is it? It sure ain't workin'.
mrsdonovan
DD-WRT Novice


Joined: 15 Apr 2013
Posts: 11

PostPosted: Sun Oct 06, 2013 4:38    Post subject: Re: NAT Loopback (port forwarding) fix for builds 15760-1996 Reply with quote
Just bought a new Buffalo WHR-300HP with DD-WRT "v24SP2-MULTI (07/05/12) std (SVN revision 19438)" (Buffalo's "Pro" dd-wrt firmware) and loopback was disabled. The code below worked.
phuzi0n wrote:


Save the following commands to the Firewall Script on the Administration->Commands page to fix loopback.

insmod ipt_mark
insmod xt_mark
iptables -t mangle -A PREROUTING -i ! `get_wanface` -d `nvram get wan_ipaddr` -j MARK --set-mark 0xd001
iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
iptables -t nat -A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE


Yah, I can test my Minecraft server locally again! I haven't seen any negative side effects, but will report back if I do.
andsus
DD-WRT User


Joined: 06 Dec 2013
Posts: 51

PostPosted: Sun Dec 22, 2013 2:31    Post subject: Does Port Forwarding doesn't work DD-WRT v24-sp2 23082 Reply with quote
DD-WRT v24-sp2 (12/12/13) std
(SVN revision 23082)

I set the Port Forwarding for my Security Cam following
http://www.dd-wrt.com/wiki/index.php/Port_Forwarding

It supports UPnP, but only works for a few moments.
So I set Port range forwarding:
See attachment.


Is there a way to make this work? Any help and tips appreciated



[Attachment: Untitled.png (Port Range Forwarding)]


begunfx
DD-WRT Novice


Joined: 13 Sep 2010
Posts: 10

PostPosted: Thu Jun 12, 2014 22:31    Post subject: Re: NAT Loopback (port forwarding) fix for builds 15760-1996 Reply with quote
phuzi0n wrote:
NAT loopback is once again working since build 19969. This fix should only be needed for builds between 15760-19969.

I spent some time thinking about the best way to fix loopback. Despite some bad documentation throwing me off before, I found that it's possible to mark traffic destined to the WAN IP and then only masquerade the marked traffic. This should allow loopback to work for all local interfaces without causing problems when ebtables is loaded.

Save the following commands to the Firewall Script on the Administration->Commands page to fix loopback.

insmod ipt_mark
insmod xt_mark
iptables -t mangle -A PREROUTING -i ! `get_wanface` -d `nvram get wan_ipaddr` -j MARK --set-mark 0xd001
iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
iptables -t nat -A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE



If you have a block of static IP's using 1:1 NAT then you also need to add another iptables rule to cover your IP block. Edit the bolded netblock to be your static IP block and add the rule before the CONNMARK rule.

iptables -t mangle -A PREROUTING -i ! `get_wanface` -d 1.1.1.0/24 -j MARK --set-mark 0xd001


Other ways to fix the loopback problem can be found in this bug ticket:
http://svn.dd-wrt.com:8000/ticket/1868



Just an FYI: This fix worked for those having NAT loopback issues with OpenVPN. I'm running build 18777 on a Netgear WNDR4000. When not running the VPN, I don't have a loopback problem. However, when I turn it on, the error comes up. I plugged in phuzi0n's fix, and it works! I had to add the additional line to cover all my internal IP addresses, but it fixed it for me. Thanks phuzi0n!
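
The fix quoted above only behaves as described when the mark set in mangle PREROUTING is the one matched in nat POSTROUTING, every MARK rule sits before the CONNMARK rule, and nothing arriving on the WAN interface gets marked. As an added example (not part of any post in this thread and not DD-WRT code), this shell function audits a saved rule listing for those conditions. It assumes iptables-save style text on stdin; the interface name vlan2 and the address 203.0.113.5 are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): audit iptables-save style text for the loopback fix.

# Constructed sample; vlan2 and 203.0.113.5 are placeholders for the WAN interface and WAN IP.
sample_rules() {
cat <<'EOF'
*mangle
-A PREROUTING ! -i vlan2 -d 203.0.113.5 -j MARK --set-mark 0xd001
-A PREROUTING -j CONNMARK --save-mark
COMMIT
*nat
-A POSTROUTING -o vlan2 -j MASQUERADE
-A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE
COMMIT
EOF
}

# Reads rules on stdin, prints one finding per line or "OK"; exit status 1 if any finding.
audit_loopback() {
awk '
function finding(msg) { print msg; bad++ }
function val(i,   v) { v = tolower($(i + 1)); sub(/\/.*/, "", v); return v }
/^\*/ { table = substr($0, 2); next }
table == "mangle" && /^-A PREROUTING/ && /-j MARK/ {
    n++
    # Traffic arriving on the WAN side must not be marked, or it would be masqueraded too.
    if ($0 !~ /! -i |-i ! /) finding("MARK rule " n " has no negated input interface")
    # The thread says extra MARK rules go before the CONNMARK rule.
    if (saved) finding("MARK rule " n " comes after CONNMARK --save-mark")
    for (i = 1; i < NF; i++) if ($i ~ /^--set-x?mark$/) marks[val(i)] = 1
}
table == "mangle" && /^-A PREROUTING/ && /-j CONNMARK/ && /--save-mark/ { saved = 1 }
table == "nat" && /^-A POSTROUTING/ && /-j MASQUERADE/ {
    m = ""
    for (i = 1; i < NF; i++) if ($i == "--mark") m = val(i)
    if (m != "") masq[m] = 1
    else if ($0 !~ / -o /) finding("MASQUERADE rule with no mark or output interface match")
}
END {
    if (!n) finding("no MARK rule in mangle PREROUTING")
    if (!saved) finding("no CONNMARK --save-mark rule in mangle PREROUTING")
    for (v in marks) if (!(v in masq)) finding("mark " v " is set but never masqueraded")
    for (m in masq) if (!(m in marks)) finding("MASQUERADE matches mark " m ", which is never set")
    if (!bad) print "OK"
    exit (bad > 0)
}'
}

sample_rules | audit_loopback
```

Because the marked connections are masqueraded, the internal server logs the router's address as the source of looped-back connections rather than the LAN client's.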
All times are GMT