NAT Loopback (port forwarding) fix for builds 15760-19969

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware
Goto page 1, 2, 3 ... 9, 10, 11  Next
Author Message
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

PostPosted: Mon Mar 07, 2011 22:29    Post subject: NAT Loopback (port forwarding) fix for builds 15760-19969 Reply with quote
NAT loopback is once again working since build 19969. This fix should only be needed for builds between 15760-19969.

I spent some time thinking about the best way to fix loopback. Despite some bad documentation throwing me off before, I found that it's possible to mark traffic destined to the WAN IP and then only masquerade the marked traffic. This should allow loopback to work for all local interfaces without causing problems when ebtables is loaded.

Save the following commands to the Firewall Script on the Administration->Commands page to fix loopback.

insmod ipt_mark
insmod xt_mark
iptables -t mangle -A PREROUTING -i ! `get_wanface` -d `nvram get wan_ipaddr` -j MARK --set-mark 0xd001
iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
iptables -t nat -A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE



If you have a block of static IP's using 1:1 NAT then you also need to add another iptables rule to cover your IP block. Edit the bolded netblock to be your static IP block and add the rule before the CONNMARK rule.

iptables -t mangle -A PREROUTING -i ! `get_wanface` -d 1.1.1.0/24 -j MARK --set-mark 0xd001


Other ways to fix the loopback problem can be found in this bug ticket:
http://svn.dd-wrt.com:8000/ticket/1868

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)


Last edited by phuzi0n on Thu Oct 18, 2012 2:19; edited 5 times in total
Sponsor
frater
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 2777

PostPosted: Tue Mar 08, 2011 23:44    Post subject: Reply with quote
phuzi0n wrote:
I spent some time thinking about the best way to fix loopback. Despite some bad documentation throwing me off before, I found that it's possible to mark traffic destined to the WAN IP and then only masquerade the marked traffic. This should allow loopback to work for all local interfaces without causing problems when ebtables is loaded.

insmod ipt_mark
insmod xt_mark
iptables -t mangle -A PREROUTING -i ! `get_wanface` -d `nvram get wan_ipaddr` -j MARK --set-mark 0xd001
iptables -t nat -A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE


Can't you put this in a new ticket?
It's your idea, so I don't want to....

_________________
Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge

DD-WRT v24-sp2 vpn (c) 2010 NewMedia-NET GmbH
Release: 12/16/10 (SVN revision: 15758M)
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

PostPosted: Wed Mar 09, 2011 0:23    Post subject: Reply with quote
It's in the original ticket. It would be good if people try it out just to make sure there's no problems with it. Now that I can compile k2.6 builds, I'll start writing patches myself.
_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
Dark_Shadow
DD-WRT Guru


Joined: 31 Aug 2009
Posts: 2430
Location: Third Rock from the Sun

PostPosted: Wed Mar 09, 2011 5:39    Post subject: Reply with quote
phuzi0n wrote:
It's in the original ticket. It would be good if people try it out just to make sure there's no problems with it. Now that I can compile k2.6 builds, I'll start writing patches myself.
Running it here on my RT-N16 with build 16214 mega
_________________
Peacock Thread-FAQ -- Firmware Recommendations -- dd-wrt Wiki

Testing Multiple Routers -- Bootloader Collection Project -- My Wiki
redhawk0
DD-WRT Guru


Joined: 04 Jan 2007
Posts: 10917
Location: Wherever the wind blows- North America

PostPosted: Fri Mar 11, 2011 0:11    Post subject: Reply with quote
Yeah this code takes care of my RT-N16 that connects to a 520gu ftp server on a Client Bridge unit. I am able to access my ftp server from my local LAN.


redhawk



Clipboard01.jpg
 Description:
 Filesize:  90.12 KB
 Viewed:  122315 Time(s)

Clipboard01.jpg



_________________
I currently test dd-wrt on Asus, Buffalo, Linksys, and Netgear. Too many to list.

Looking for more test units (newer models) for the project...got a brick?...PM me to make a donation. (USA) A donation is not a debricking service....it is a way to "Give back" to the dd-wrt project.

I do NOT provide personal assistance through chat or phone....so please don't ask.


Last edited by redhawk0 on Tue Mar 15, 2011 11:59; edited 2 times in total




Joined: 01 Jan 1970
Posts:

PostPosted: Sat Mar 12, 2011 2:37    Post subject: Reply with quote
So this might make it into a future build? Smile
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

PostPosted: Sat Mar 12, 2011 3:47    Post subject: Reply with quote
osmosis wrote:
So this might make it into a future build? Smile

Don't get your hopes up too much. Just focus on testing it please.

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
wavracer
DD-WRT Novice


Joined: 08 Mar 2011
Posts: 20
Location: Saskatchewan, Canada

PostPosted: Sun Mar 13, 2011 3:41    Post subject: Reply with quote
Are there any other known disadvantages (other than bad QoS scripts) to using this fix (potential security flaw, breaking other features, etc.)?

Working well so far with my WRT310N V2 running std-nokaid-small - build 15940:

Code:
iptables -I INPUT -p udp --sport 67 --dport 68 -j ACCEPT
insmod ipt_mark
insmod xt_mark
iptables -t mangle -A PREROUTING -i ! `get_wanface` -d `nvram get wan_ipaddr` -j MARK --set-mark 0xd001
iptables -t nat -A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE


Keep up the great work by the way, it is very much appreciated.

Mark

PS - the first line is because I connect through a 2Wire 2701HG-S Gateway for my Internet in DMZplus mode.

_________________
*Linksys WRT310N V2 with DD-WRT v24-sp2 (12/18/10) std-nokaid-small - build 15940
*Linksys WRT54GL v1.1 with DD-WRT v24-sp2 (08/12/10) std - build 14929

http://www.speedtest.net/result/1189834606.png http://www.pingtest.net/result/36803607.png
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

PostPosted: Sun Mar 13, 2011 6:55    Post subject: Reply with quote
wavracer wrote:
Are there any other known disadvantages (other than bad QoS scripts) to using this fix (potential security flaw, breaking other features, etc.)?

Nope, it shouldn't break any of the built in features.

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
zi99y
DD-WRT Novice


Joined: 17 Mar 2011
Posts: 1

PostPosted: Thu Mar 17, 2011 20:27    Post subject: Reply with quote
phuzi0n: Thank you for this fix, applied the firewall script and testing so far proves to be working well.

Will report back if I discover any issues.

:)
8steve8
DD-WRT Novice


Joined: 17 Mar 2011
Posts: 7

PostPosted: Fri Mar 18, 2011 0:49    Post subject: Reply with quote
this script fixes my issues. thanks.
bmupton
DD-WRT User


Joined: 16 Mar 2011
Posts: 111
Location: Saskatoon, SK, Canada

PostPosted: Wed Mar 23, 2011 14:52    Post subject: Reply with quote
This has been running well on my E2000 with build 15943 for a couple days now. It hasn't affected anything negatively. My PPTP server still works, and is accessible from inside and outside my LAN, and that's all I need.

wavracer wrote:

PS - the first line is because I connect through a 2Wire 2701HG-S Gateway for my Internet in DMZplus mode.


@wavracer: Are you on Sasktel? I'm will send you a PM so as to not muck up this thread with off topic stuff.
bskchaos
DD-WRT User


Joined: 07 Feb 2009
Posts: 191

PostPosted: Thu Mar 24, 2011 14:32    Post subject: Reply with quote
I have to use firewall scripts to handle port forward.
None of the above methods works for me.
kimwolin90
DD-WRT Novice


Joined: 26 Mar 2011
Posts: 1

PostPosted: Sat Mar 26, 2011 6:18    Post subject: Reply with quote
Is there a latest software for this? Thanks.
buddee
DD-WRT Guru


Joined: 06 Feb 2010
Posts: 7385
Location: Little Rock

PostPosted: Sat Mar 26, 2011 19:37    Post subject: Reply with quote
Code tested and working fine on my E3000 w/ build 15943 K2.6 Newd-2, haven't tried this code on any of my K2.4 Newd units.. yet.

Thanks phuzi0n!

_________________
Wireless N Config | Linking Routers | DD-WRT Wiki | DD-WRT Builds | Peacock - Broadcom FAQ

Having problems with port forwarding? Check out Port Forward Troubleshooting for more info.
Goto page 1, 2, 3 ... 9, 10, 11  Next Display posts from previous:    Page 1 of 11
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum