Joined: 27 Aug 2006 Posts: 146 Location: Pineville, North Carolina - USA
Posted: Sat May 21, 2011 17:24 Post subject:
The fix works great on my new WHR-HP-G54 running build 16214 - DD-WRT v24-sp2 (02/17/11) std. Thanks a ton phuzi0n for posting the fix. They should just make this standard in the build.
Posted: Tue May 31, 2011 23:52 Post subject: Also a fix for port forwarding to additional subnets?
I just posted a port forwarding problem a few days ago here.
Found the answer in the buffalo forums and traced it back to this thread.
My problem doesn't seem to be exactly the same as others, but this fix seems to also work.
It seems that the main goal of this is to fix loopback - accessing internal ports using the external address from within the lan.
However in my situation I couldn't access any internal servers on alternate networks from my router (e.g. could port forward to router LAN of 10.10.10.x, but not alternate routed LAN of 10.10.20.x or 10.10.30.x). The two IPTABLES commands seemed to work for me (the insmod mod commands state that the module isn't found...but it still appears to work).
I would appreciate any more information on exactly what the syntax means and how this is resolving the issue.
I found this post two days ago. After putting your script on my WNDR3700 v1 (revision 16994) everything was working fine until today. I don't know why it no longer works. Has anybody else got a similar issue?
yogi3, the packet and byte counters are still 0 for all your port forwards and the loopback rules. Even if the loopback rules are broken, the port forward rules should still be getting matched and traffic would just get sent with the wrong IP. If you tried to access the port forwards before getting that output then you need to hard reset and reconfigure.
_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
yogi3, the packet and byte counters are still 0 for all your port forwards and the loopback rules. Even if the loopback rules are broken, the port forward rules should still be getting matched and traffic would just get sent with the wrong IP. If you tried to access the port forwards before getting that output then you need to hard reset and reconfigure.
I found out that my ISP changed my IP address and that was the reason. After trying with the new IP I can confirm that the script is working fine :).
I don't know why but the script isn't working for me!
I have a WRT54GL with flashed DD-WRT v24-sp2 (06/14/11) std - build 17201.
I don't know if a particular configuration could lead to this. I have a modem/L3 router (ISP-provided and not touchable!) that gives a (MAC auto-reserved) IP by DHCP to the DD-WRT unit. It has another 3 Ethernet ports and also has WiFi, everything on 192.168.1.x. So the DD-WRT unit does NAT, forwarding (again) and so on in another LAN range, of course. The ISP in fact makes me configure basic options of their unit (port forwarding) from within their own page. I have verified with an external connection (3G) that everything works great, so there are no problems with the whole network.
Anyway, even with the script, internal LAN PCs (on the DD-WRT unit) aren't able to loop back to the internal network.
Hints?
Thanks for your efforts, anyway!!!
---edit---
Oh, there's more... leaving the firewall script on completely breaks forwarding of *some* ports. Strangely, I was going crazy trying to understand why my HTTPS server was reachable from external addresses yesterday and today it was not. I removed the firewall script, rebooted, and voilà, it works again!!!
Other port forward rules were working as usual instead. Don't ask me why.
@ErMeglio - You're double NAT'ing and it's possible that the main router isn't able to loopback or hasn't been configured to forward the ports. You ought to try a build that isn't affected by this problem before trying to fix a build that is affected.
See this if you have trouble with the forum recommended build from the announcements.
http://www.dd-wrt.com/wiki/index.php/Port_Forwarding_Troubleshooting
@ErMeglio - You're double NAT'ing and it's possible that the main router isn't able to loopback or hasn't been configured to forward the ports.
That's the real problem for sure, you're right! I thought I could do something to make it work anyway, but it seems not, or not in this way, right?
Port forwarding works on the main router+modem and on DD-WRT too, so that's not the matter.
Could there be another way to send back requests that go to my *outside* WAN IP from DD-WRT, using a similar script but without passing through the ISP NAT?
My IP is static too; that could help.
This works well; the only problem I have is that I can't do xdebugging, because according to PHP I'm coming from 192.168.1.2 instead of .14, which is the IP of my machine.
Is there any rule to allow masquerading whilst also telling the "server" my connected internal IP instead of the router's?
This works well; the only problem I have is that I can't do xdebugging, because according to PHP I'm coming from 192.168.1.2 instead of .14, which is the IP of my machine.
Is there any rule to allow masquerading whilst also telling the "server" my connected internal IP instead of the router's?
External IPs come through correctly.
No, the TCP connection would not work at all trying to NAT like that. The source IP has to be translated so that the server sends the traffic back to the router to undo the destination translation. Otherwise you'd have a PC opening a connection to the router's public IP, the router translating the destination to the server's IP, and then the server trying to reply to the PC's LAN IP even though the server expects it to come back from the router's public IP.
I understood perfectly well what you want and it simply cannot work like that, as I explained. The router must translate the source addresses, not just the destination addresses, in order for the connection to work with loopback. If you don't want to see the router's IP then you need to connect directly to the server's LAN IP instead of looping back through NAT.
Example of the impossible behavior you want:
dev initiates connection - source: 192.168.1.14, destination: 88.88.88.88
router only translates dest (bad!!!) - src: 192.168.1.14, dest: 192.168.1.8
server replies - src: 192.168.1.8, dest: 192.168.1.14
dev sees reply from 192.168.1.8 but it expects a reply from 88.88.88.88 so it drops the packet and no connection is ever made
Example of the proper behavior that loopback MUST do:
dev initiates connection - source: 192.168.1.14, destination: 88.88.88.88
router translates both addresses - src: 192.168.1.2, dest: 192.168.1.8
server replies - src: 192.168.1.8, dest: 192.168.1.2
router undoes its original translations - src: 88.88.88.88, dest: 192.168.1.14
dev sees reply from 88.88.88.88 as expected and connection works
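The two flows above, replayed as an added example (not code from the thread or from DD-WRT): a minimal connection-tracking model that applies the port-forward DNAT with and without the loopback SNAT and reports whether the client accepts the reply. Addresses are the ones used in the post; the subnet check and the conntrack structure are simplifications of what netfilter does.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Addresses from the post: dev, router LAN side, server, public WAN IP.
DEV, ROUTER_LAN, SERVER, PUBLIC_IP = "192.168.1.14", "192.168.1.2", "192.168.1.8", "88.88.88.88"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

class Router:
    """One NAT mapping per connection, in the spirit of netfilter conntrack."""
    def __init__(self, snat_loopback: bool):
        self.snat_loopback = snat_loopback
        # key: (src, dst) the reply will carry -> original untranslated packet
        self.conntrack: Dict[Tuple[str, str], Packet] = {}

    def forward(self, pkt: Packet) -> Packet:
        # DNAT (the port forward): the public IP becomes the server's LAN IP.
        dst = SERVER if pkt.dst == PUBLIC_IP else pkt.dst
        src = pkt.src
        # SNAT (the loopback rule): LAN clients hitting the public IP are
        # rewritten to the router's LAN IP so the server replies to the router.
        if self.snat_loopback and pkt.src.startswith("192.168.1."):
            src = ROUTER_LAN
        out = Packet(src, dst)
        self.conntrack[(out.dst, out.src)] = pkt
        return out

    def unnat_reply(self, pkt: Packet) -> Optional[Packet]:
        orig = self.conntrack.get((pkt.src, pkt.dst))
        # Undo both translations so dev sees a reply from 88.88.88.88.
        return None if orig is None else Packet(orig.dst, orig.src)

def loopback_works(snat_loopback: bool) -> bool:
    """Replay dev -> 88.88.88.88 and return whether dev accepts the reply."""
    router = Router(snat_loopback)
    syn = Packet(DEV, PUBLIC_IP)
    at_server = router.forward(syn)
    reply = Packet(at_server.dst, at_server.src)  # server answers whoever it saw
    if reply.dst == ROUTER_LAN:
        reply = router.unnat_reply(reply)
    # Otherwise the server is on the same LAN as dev and delivers the reply
    # directly; the router never gets a chance to rewrite it.
    return reply is not None and reply.src == PUBLIC_IP and reply.dst == DEV
```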
Posted: Fri Jul 29, 2011 16:04 Post subject: RT-N16 hell!
Been trying to get port forwarding working with my new Asus RT-N16. UPnP works but none of the rules I make work. DMZ doesn't make any difference and neither does the router firewall. If UPnP isn't enabled I can't get any of the ports to unlock. I added the script from page 1 to my firewall rules. I'm using version DD-WRT v24-sp2 (05/08/11) mega
(SVN revision 16994)
Any ideas?
Note: I have hard booted and factory reset several times. Doesn't make any difference.
Code tested and seems to be working on my WZR-HP-G300NH and WRT160NL (and yes, I know this isn't the Atheros section but it's still relevant info). Also seems to be working on WNR3500L, E2000, and WHR-HP-G54 (running NEWD 15943 nokaid).
Best Regards.
I can also confirm this works on my WZR-HP-G300NH. I just upgraded from a build from June 2010 (I know, I know, I suck) to build 17201 and was perplexed and annoyed that my web server port forward was no longer working. Consulted Google, which led me here.