#18057: NAT Loopback, NAT Reflection appears to be broken.
------------------------------+-------------------------------------
Reporter: wbr@… | Owner: jow
Type: defect | Status: assigned
Priority: response-needed | Milestone:
Component: base system | Version: Barrier Breaker 14.07
Resolution: | Keywords: nat loopback reflection
------------------------------+-------------------------------------
Comment (by jow):
That's an entirely different use case. The kind of NAT loopback this ticket
is about refers to the creation of automatic DNAT+SNAT rule pairs to make
external port forwards (WAN->LAN) available from inside the LAN.
Those magic rules are usually created automatically, but only under these
conditions:
* the src zone has masquerading enabled (essentially an indicator of whether
it is external, i.e. "wan")
* the IP the forward is redirecting to is not the router itself
The following redirect:
{{{
config redirect
	option name 'SSH J400'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '22014'
	option dest_port '22'
	option dest_ip '10.11.12.14'
}}}
will translate to these iptables rules:
{{{
-A zone_wan_prerouting -p tcp -m tcp --dport 22014 -m comment --comment "SSH J400" -j DNAT --to-destination 10.11.12.14:22
-A zone_lan_postrouting -s 10.11.12.0/24 -d 10.11.12.14/32 -p tcp -m tcp --dport 22 -m comment --comment "SSH J400 (reflection)" -j SNAT --to-source 10.11.12.13
-A zone_lan_prerouting -s 10.11.12.0/24 -d 95.1.2.3/32 -p tcp -m tcp --dport 22014 -m comment --comment "SSH J400 (reflection)" -j DNAT --to-destination 10.11.12.14:22
}}}
As you can see, there are three IPs involved:
* 95.1.2.3 - the router wan ip
* 10.11.12.13 - the router lan ip
* 10.11.12.14 - the lan host we redirect to
In your LAN-to-LAN forward case the required additional SNAT and DNAT
rules are not created automatically and you need to define them yourself.
I'm not sure what you intend to achieve with the iPhone rule, redirect any
port 22 TCP traffic from any LAN host to port 22 of 192.168.1.203? That
will most likely fail if you request e.g. 192.168.1.1:22 and suddenly
192.168.1.203 replies because an intermediate router changed the
destination IP. For this reason you need a corresponding SNAT rule where
the router will put itself as source so that replies from the redirected
.203 get back to the router and then the router needs yet another DNAT
rule translating the destination IP of .203's replies back to the IP of
the original requesting host.
--
Ticket URL: <https://dev.openwrt.org/ticket/18057#comment:28>
OpenWrt <http://openwrt.org>
Opensource Wireless Router Technology
_______________________________________________
openwrt-tickets mailing list
[email protected]
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-tickets
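The rule derivation jow describes above, as an added example that is not part of the ticket thread and not OpenWrt's own firewall code: a small Python re-implementation of how the forward rule and, under the two stated conditions, the "(reflection)" SNAT+DNAT pair follow from a `config redirect` section. The redirect options, zone names and the three addresses are the ones quoted in the comment; the function names (`redirect_rules`, `loopback_pair`) and the LAN-to-LAN sample values at the bottom (`192.168.1.1`, `192.168.1.203`) are assumptions for the illustration.

```python
"""Added example (not OpenWrt's fw3 code): derive the DNAT+SNAT rule pairs
behind NAT loopback / reflection from a 'config redirect' section.
Inputs are the values quoted in the ticket comment; function names and the
LAN-to-LAN sample at the bottom are assumptions for this illustration."""
import ipaddress

# Constructed input: the "SSH J400" redirect from the comment as UCI options.
SSH_REDIRECT = {
    "name": "SSH J400",
    "src": "wan",
    "dest": "lan",
    "proto": "tcp",
    "src_dport": 22014,
    "dest_port": 22,
    "dest_ip": "10.11.12.14",
}
ZONES = {"wan": {"masq": True}, "lan": {"masq": False}}
ROUTER_IPS = {"wan": "95.1.2.3", "lan": "10.11.12.13"}   # router's own IPs
LAN_SUBNET = "10.11.12.0/24"


def _match(proto, dport, comment, src=None, dst=None):
    """Shared '-s/-d/-p/--dport/--comment' part of a nat-table rule."""
    parts = []
    if src:
        parts += ["-s", src]
    if dst:
        parts += ["-d", f"{dst}/32"]
    parts += ["-p", proto, "-m", proto, "--dport", str(dport),
              "-m", "comment", "--comment", f'"{comment}"']
    return " ".join(parts)


def loopback_pair(name, zone, proto, external_ip, external_port,
                  target_ip, target_port, router_ip, subnet):
    """SNAT+DNAT pair letting hosts in `subnet` reach external_ip:external_port
    (an address the router answers for) and land on target_ip:target_port.

    DNAT rewrites the advertised destination to the real target; SNAT rewrites
    the client's source to the router's own address in that zone so the
    target's replies come back through the router.  Without the SNAT half the
    target would answer the client directly from an address the client never
    spoke to, and the client would drop the reply.
    """
    if ipaddress.ip_address(target_ip) not in ipaddress.ip_network(subnet):
        raise ValueError(f"{target_ip} is not inside {subnet}; reflection cannot work")
    tag = f"{name} (reflection)"
    return [
        f"-A zone_{zone}_postrouting "
        f"{_match(proto, target_port, tag, src=subnet, dst=target_ip)} "
        f"-j SNAT --to-source {router_ip}",
        f"-A zone_{zone}_prerouting "
        f"{_match(proto, external_port, tag, src=subnet, dst=external_ip)} "
        f"-j DNAT --to-destination {target_ip}:{target_port}",
    ]


def redirect_rules(redirect, zones, router_ips, lan_subnet):
    """The forward rule for one redirect plus, only when the src zone
    masquerades and the target is not the router itself, the reflection pair."""
    src, dest = redirect["src"], redirect["dest"]
    proto, name = redirect["proto"], redirect["name"]
    rules = [
        f"-A zone_{src}_prerouting {_match(proto, redirect['src_dport'], name)} "
        f"-j DNAT --to-destination {redirect['dest_ip']}:{redirect['dest_port']}"
    ]
    if not zones[src]["masq"] or redirect["dest_ip"] in router_ips.values():
        return rules  # plain port forward: no automatic loopback rules
    rules += loopback_pair(name, dest, proto, router_ips[src], redirect["src_dport"],
                           redirect["dest_ip"], redirect["dest_port"],
                           router_ips[dest], lan_subnet)
    return rules


if __name__ == "__main__":
    for rule in redirect_rules(SSH_REDIRECT, ZONES, ROUTER_IPS, LAN_SUBNET):
        print(rule)
    # Assumed LAN-to-LAN case: src zone 'lan' does not masquerade, so only the
    # forward is generated and the pair must be written by hand, with the
    # router's LAN address standing in for the external IP.
    lan_to_lan = dict(SSH_REDIRECT, name="LAN SSH", src="lan", src_dport=22,
                      dest_ip="192.168.1.203")
    print(len(redirect_rules(lan_to_lan, ZONES, {"lan": "192.168.1.1"},
                             "192.168.1.0/24")), "rule(s) generated automatically")
    for rule in loopback_pair("LAN SSH", "lan", "tcp", "192.168.1.1", 22,
                              "192.168.1.203", 22, "192.168.1.1", "192.168.1.0/24"):
        print(rule)
```

Running it reproduces the three rules quoted in the comment for the WAN->LAN redirect, and for the LAN-to-LAN variant yields only the single forward rule, which is exactly the gap the comment says has to be filled with a hand-written SNAT/DNAT pair.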