NAT Loopback (port forwarding) fix for builds 15760-19969

djdracula
DD-WRT Novice


Joined: 21 Aug 2011
Posts: 1

PostPosted: Sun Aug 21, 2011 13:08
It works!

Router Model: TP-Link TL-WR941ND v4
Firmware Version: DD-WRT v24-sp2 (11/21/10) std - build 15778
Irrational86
DD-WRT Novice


Joined: 03 Sep 2011
Posts: 2

PostPosted: Mon Sep 05, 2011 22:02    Post subject: Re: NAT Loopback fix for 15760 and higher, (Port forward iss
phuzi0n wrote:
I spent some time thinking about the best way to fix loopback. Despite some bad documentation throwing me off before, I found that it's possible to mark traffic destined to the WAN IP and then only masquerade the marked traffic. This should allow loopback to work for all local interfaces without causing problems when ebtables is loaded.

Save the following commands to the Firewall Script on the Administration->Commands page to fix loopback.

insmod ipt_mark
insmod xt_mark
iptables -t mangle -A PREROUTING -i ! `get_wanface` -d `nvram get wan_ipaddr` -j MARK --set-mark 0xd001
iptables -t nat -A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE

The one known caveat is that badly written QoS scripts will prevent it from working but that's a problem with the scripts that needs to be fixed...

Other ways to fix the loopback problem can be found in this bug ticket:
http://svn.dd-wrt.com:8000/ticket/1868


Working perfectly on a Netgear WNDR3700v1 running DD-WRT v24-sp2 (06/14/11) std - build 17201

Thanks phuzi0n!
strfr
DD-WRT User


Joined: 21 Jan 2008
Posts: 192

PostPosted: Tue Oct 04, 2011 10:42
works as expected on 15962@e3000, thanks a lot phuzi0n!
hayesmd
DD-WRT Novice


Joined: 06 Oct 2011
Posts: 1

PostPosted: Thu Oct 06, 2011 19:54
Worked great on my e3000 after I flushed the iptables.
jipis
DD-WRT Novice


Joined: 18 Oct 2011
Posts: 1

PostPosted: Wed Oct 19, 2011 16:59    Post subject: loopback not working for me for one-to-one NAT
I followed the directions I found for enabling the loopback on my entire IP block of one-to-one NATed servers. And no dice.

My firewall script (minus the one-to-one-NAT lines):

Code:
insmod ipt_mark
insmod xt_mark
iptables -t mangle -A PREROUTING -i ! `get_wanface` -d `nvram get wan_ipaddr` -j MARK --set-mark 0xd001
iptables -t mangle -A PREROUTING -i ! `get_wanface` -d X.X.X.32/28          -j MARK --set-mark 0xd001
iptables -t nat -A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE


Some output:

Code:
# lsmod
Module                  Size  Used by
etherip                 8192  0
nf_nat_pptp             4096  0
nf_conntrack_pptp       4096  1 nf_nat_pptp
nf_nat_proto_gre        4096  1 nf_nat_pptp
nf_conntrack_proto_gre     4096  1 nf_conntrack_pptp
xt_mark                 4096  1
switch_robo             8192  0
switch_core             8192  1 switch_robo
bcm57xx               110592  0

# iptables -t mangle -vnL PREROUTING
Chain PREROUTING (policy ACCEPT 33085 packets, 18M bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   152 MARK       0    --  !vlan2 *       0.0.0.0/0            X.X.X.33          MARK set 0xd001
  177  9800 MARK       0    --  !vlan2 *       0.0.0.0/0            X.X.X.32/28       MARK set 0xd001

# iptables -t nat -vnL POSTROUTING
Chain POSTROUTING (policy ACCEPT 13 packets, 3210 bytes)
 pkts bytes target     prot opt in     out     source               destination
   21  1324 SNAT       0    --  *      vlan2   192.168.1.66         0.0.0.0/0           to:X.X.X.35
    3   228 SNAT       0    --  *      vlan2   192.168.1.65         0.0.0.0/0           to:X.X.X.34
 1455  107K SNAT       0    --  *      vlan2   0.0.0.0/0            0.0.0.0/0           to:X.X.X.33
    0     0 RETURN     0    --  *      br0     0.0.0.0/0            0.0.0.0/0           PKTTYPE = broadcast
    0     0 RETURN     0    --  *      br1     0.0.0.0/0            0.0.0.0/0           PKTTYPE = broadcast
    0     0 MASQUERADE  0    --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0xd001


Does anyone have any suggestions? I can hit these machines (obviously) using their internal addresses, but it'd be easier for my users if they didn't have to do MAT (manual address translation) and work differently from home than from the office.

Thanks!!

-J
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

PostPosted: Wed Oct 19, 2011 23:25    Post subject: Re: loopback not working for me for one-to-one NAT
jipis wrote:
Does anyone have any suggestions? I can hit these machines (obviously) using their internal addresses, but it'd be easier for my users if they didn't have to do MAT (manual address translation) and work differently from home than from the office.

My bet is that you need to hard reset and reconfigure from scratch, but I can't say for sure unless I see everything from iptables. PM it if you like, or just try the hard reset.

iptables -vnL
iptables -t nat -vnL
iptables -t mangle -vnL

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

PostPosted: Fri Oct 28, 2011 10:48
From the output you gave me it seems that you have custom iptables rules to do the port forwarding and you're limiting your port forwards to only -i vlan2 so that they're only effective for traffic coming in from the WAN. You need to remove that portion of your rules so that they will match traffic from your LAN too.
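The two points made above (phuzi0n's quoted explanation that only traffic from non-WAN interfaces to the WAN IP is marked and then masqueraded, and his diagnosis that a port forward written with `-i vlan2` never matches LAN-originated traffic) can be seen in a small packet-path model. The following Python is an added illustration, not code from this thread or from DD-WRT; it models the three netfilter hooks involved (mangle PREROUTING, nat PREROUTING, nat POSTROUTING) plus conntrack reversal, and all addresses other than the forwarded-to host 192.168.1.101 are constructed for the example.

```python
from dataclasses import dataclass

# Constructed addresses for the simulation; only 192.168.1.101 appears in the thread.
WAN_IF, LAN_IF = "vlan2", "br0"
WAN_IP = "203.0.113.10"        # router's public address (`nvram get wan_ipaddr`)
ROUTER_LAN_IP = "192.168.1.1"  # router's LAN address, used by MASQUERADE on br0
SERVER = "192.168.1.101"       # host the port forward points at
CLIENT = "192.168.1.50"        # LAN client connecting to the public address
REMOTE = "198.51.100.7"        # client on the Internet


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_iface: str  # interface the router received the packet on


def iface_for(ip: str) -> str:
    """Routing decision: 192.168.1.0/24 is reached via br0, everything else via vlan2."""
    return LAN_IF if ip.startswith("192.168.1.") else WAN_IF


class Router:
    """Models the netfilter hooks that matter for NAT loopback on one DD-WRT box."""

    def __init__(self, dnat_wan_only: bool, loopback_masq: bool) -> None:
        self.dnat_wan_only = dnat_wan_only  # port forward written with "-i vlan2"
        self.loopback_masq = loopback_masq  # the MARK + MASQUERADE rules installed
        self.conntrack: dict[tuple[str, str], tuple[str, str]] = {}

    def forward(self, pkt: Packet) -> Packet:
        # mangle PREROUTING: -i ! vlan2 -d <wan_ipaddr> -j MARK --set-mark 0xd001
        marked = pkt.in_iface != WAN_IF and pkt.dst == WAN_IP
        # nat PREROUTING: the DNAT port-forward rule
        dst = pkt.dst
        if pkt.dst == WAN_IP and (pkt.in_iface == WAN_IF or not self.dnat_wan_only):
            dst = SERVER
        # nat POSTROUTING: ordinary SNAT towards the WAN, MASQUERADE for marked packets
        out_iface = iface_for(dst)
        src = pkt.src
        if out_iface == WAN_IF:
            src = WAN_IP
        elif marked and self.loopback_masq:
            src = ROUTER_LAN_IP
        # conntrack stores the translation so the reply can be reversed
        self.conntrack[(dst, src)] = (pkt.dst, pkt.src)
        return Packet(src, dst, out_iface)

    def reverse(self, reply: Packet) -> Packet:
        """Undo the translation for a reply that re-enters the router."""
        orig_dst, orig_src = self.conntrack[(reply.src, reply.dst)]
        return Packet(orig_dst, orig_src, iface_for(orig_src))


def connect(client: str, dnat_wan_only: bool, loopback_masq: bool) -> str:
    """Outcome of `client` opening a connection to the router's public address."""
    router = Router(dnat_wan_only, loopback_masq)
    syn = Packet(client, WAN_IP, iface_for(client))
    delivered = router.forward(syn)
    if delivered.dst != SERVER:
        return "dnat-skipped"  # the forward never reached the server (the "-i vlan2" case)
    # the server answers whatever source address it saw
    reply = Packet(SERVER, delivered.src, LAN_IF)
    if reply.dst == ROUTER_LAN_IP or iface_for(reply.dst) == WAN_IF:
        reply = router.reverse(reply)  # reply passes through the router and is un-NATed
    # the client only accepts a reply from the address it connected to
    return "ok" if reply.src == WAN_IP else "asymmetric-reply"


if __name__ == "__main__":
    for who in (CLIENT, REMOTE):
        for wan_only, masq in ((False, False), (False, True), (True, True)):
            print(f"{who} dnat_wan_only={wan_only} loopback_masq={masq} -> "
                  f"{connect(who, wan_only, masq)}")
```

Running it shows the three outcomes: with the fix installed and an unrestricted port forward the LAN client gets its reply from the WAN IP ("ok"); without the MASQUERADE the server replies straight to the client's LAN address, which the client rejects because it connected to the WAN IP ("asymmetric-reply"); and with `-i vlan2` on the DNAT rule the LAN client is never forwarded at all ("dnat-skipped"). Connections from the Internet succeed in every configuration, which is why the breakage is only noticed from inside the LAN.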
sus
DD-WRT Novice


Joined: 05 May 2010
Posts: 12

PostPosted: Mon Oct 31, 2011 16:51
OK, I need this fix also, but I have a question about those iptables commands.

I'm trying to limit connections on certain ports (max connections per IP), using these commands:

Code:

iptables -t nat -I PREROUTING -p tcp -d $(nvram get wan_ipaddr) --dport 21 -j DNAT --to 192.168.1.101:21
iptables -I FORWARD -p tcp -d 192.168.1.101 --dport 21 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 2 -p tcp -d 192.168.1.101 --dport 21 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT
iptables -I FORWARD 3 -p tcp -d 192.168.1.101 --dport 21 -j logreject

source: dd-wrt wiki (brute force protection)

Where do I put the lines of this fix? Before or after these brute-force-protection lines?

/me is iptables-n00b :+

[edit]
FIXED, works perfect on Linksys E4200, DD-WRT v24-sp2 (04/13/11) std-usb-nas - build 16785

Added the patch as the first lines in my firewall commands, works like a charm.
Mangix
DD-WRT User


Joined: 04 Aug 2011
Posts: 367

PostPosted: Mon Nov 21, 2011 20:36
Sorry for bringing this thread back from the dead, but does SVN version 17911 fix NAT loopback? Many changes were made relating to the nvram variable block_loopback.
ErMeglio
DD-WRT User


Joined: 11 Jul 2006
Posts: 81

PostPosted: Sun Dec 04, 2011 14:07
ErMeglio wrote:
phuzi0n wrote:
@ErMeglio - You're double NAT'ing and it's possible that the main router isn't able to loopback or hasn't been configured to forward the ports.

That's the real problem for sure, you're right! I thought I could do something to make it work anyway, but it seems not, or not in this way, right?
Port forwarding works on the main router+modem and on DD-WRT too, so that's not the matter.
Could there be another way to send back requests that go to my *outside* WAN IP from DD-WRT using a similar script, but avoiding passing through the ISP NAT?
My IP is static, too, that could help :)

Sorry from me too, what about this? I've moved to an E4200 and I'm running 17949.
Is there some way to tell the router: send everything that goes from the home network towards *my Internet IP ... which is 100% static and fixed now* to the E4200 router itself?

Thanks ;)
ontwowheels
DD-WRT Novice


Joined: 11 Mar 2008
Posts: 11

PostPosted: Mon Dec 12, 2011 22:39
Steps in the original post worked for me, running 16785 on a Linksys E2000.
Synth3t1c
DD-WRT Novice


Joined: 29 Oct 2011
Posts: 12

PostPosted: Thu Dec 29, 2011 5:23
Not working for me... Help?

Code:
insmod ipt_mark
insmod xt_mark
iptables -t mangle -A PREROUTING -i ! `get_wanface` -d `nvram get wan_ipaddr` -j MARK --set-mark 0xd001
iptables -t nat -A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE
iptables -I INPUT -p udp --dport 830 -j ACCEPT


I need port 830 open and this is what I have. I need it open on IP 192.168.1.141 specifically. Please help.
regeli
DD-WRT Novice


Joined: 31 Dec 2011
Posts: 21

PostPosted: Sun Jan 01, 2012 20:06
Code:

insmod ipt_mark
insmod xt_mark
iptables -t mangle -A PREROUTING -i ! `get_wanface` -d `nvram get wan_ipaddr` -j MARK --set-mark 0xd001
iptables -t nat -A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE


Thanks, but how to get it to work if you have the OpenVPN Client running on interface "tun1"?
ltek
DD-WRT Novice


Joined: 26 May 2011
Posts: 16

PostPosted: Thu Jan 05, 2012 16:28    Post subject: Re: NAT Loopback fix for 15760 and higher, (Port forward iss
phuzi0n wrote:
Save the following commands to the Firewall Script on the Administration->Commands page to fix loopback.

insmod ipt_mark
insmod xt_mark
iptables -t mangle -A PREROUTING -i ! `get_wanface` -d `nvram get wan_ipaddr` -j MARK --set-mark 0xd001
iptables -t nat -A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE


I'm using r18007 (Belkin N router, Broadcom) and tried the above commands (as-is, no modification), then rebooted... loopback is not working for me.

phuzi0n wrote:

If you have a block of static IP's using 1:1 NAT then you also need to add another iptables rule to cover your IP block. Edit the bolded netblock to be your static IP block.

iptables -t mangle -A PREROUTING -i ! `get_wanface` -d 1.1.1.0/24 -j MARK --set-mark 0xd001


I have port forwarding from the internet to specific systems on my LAN. Do I need this statement?


Thanks for helping a network and Linux newbie.
anon5
DD-WRT Novice


Joined: 18 Oct 2011
Posts: 6

PostPosted: Thu Jan 12, 2012 6:49    Post subject: Thank you!
Thank you so much phuzi0n! I was at my wits' end with non-functioning port forwarding in every build I tried on my RT-N16. Spent hours, was ready to burn the house down in frustration. Your fix worked in seconds, and you are my hero, +100 internets for you.