Re: [OpenWrt-Devel] External (public) IP forwarded to internal LAN [SOLVED]
Hi Angelo,

> [..]
> Is this an error or normal behaviour of fw3?

Could you add the network and the firewall configuration files?

Lars
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] External (public) IP forwarded to internal LAN [SOLVED]
Hi Lars,

following your directions I played with the buttons and options, but I haven't found the solution. I left the MASQUERADE checkbutton only for the internal LAN, but I still don't get the "right" behaviour.

On 15/05/2015 00:45, openwrt-devel-requ...@lists.openwrt.org wrote:
> Here is the lan postrouting taken from the above:
>
>     Chain zone_lan_postrouting (1 references)
>      pkts bytes target                prot opt in   out   source      destination
>        12   860 postrouting_lan_rule  all  --  *    *     0.0.0.0/0   0.0.0.0/0
>        12   860 MASQUERADE            all  --  *    *     0.0.0.0/0   0.0.0.0/0
>
> The last line should be the problem: every packet heading for the lan zone
> (e.g. your webserver) will be masqueraded (SNAT).
> Maybe you enabled the masquerading checkbox in the firewall config for this
> interface?
> The content of /etc/config/firewall would probably show the root cause (in
> case my above guess is wrong).
>
> cheers,
> lars

Checking another firewall script, I found an interesting rule:

    Chain POSTROUTING (policy ACCEPT 98070 packets, 12M bytes)
     pkts bytes target      prot opt in   out   source      destination
     215K   17M MASQUERADE  all  --  *    eth1  0.0.0.0/0   0.0.0.0/0

so all addresses are masqueraded only for the destination eth1.

So I issued

    iptables -t nat -D zone_lan_postrouting -j MASQUERADE
    iptables -t nat -A zone_lan_postrouting -j MASQUERADE -o pppoa-wan

and my webserver is logging the source address.

Is this an error or normal behaviour of fw3?

Cheers
Angelo
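Added example, not part of the thread or of fw3: a check that reads `iptables -t nat -L -vn` output and flags any MASQUERADE rule whose "out" column is the wildcard `*`, which is the condition that replaced the client address in the web server log above. The function names and the sample listing are constructed for this example; the sample is modelled on the two listings quoted in the message.

```shell
#!/bin/sh
# Added example: flag NAT rules that MASQUERADE without an outgoing-interface
# match. Only the "out" column is checked; a rule restricted by source or
# destination address but not by interface is still reported.

# find_unscoped_masq: reads a listing on stdin and prints
# "chain<TAB>rule line" for each MASQUERADE rule with out == "*".
find_unscoped_masq() {
    awk '
        $1 == "Chain" { chain = $2; next }   # remember the current chain
        $1 == "pkts"  { next }               # skip the column header
        # -v columns: pkts bytes target prot opt in out source destination
        $3 == "MASQUERADE" && $7 == "*" {
            printf "%s\t%s\n", chain, $0
        }
    '
}

# count_unscoped_masq: number of flagged rules in the listing on stdin.
count_unscoped_masq() {
    find_unscoped_masq | wc -l | tr -d ' '
}

# Constructed sample input (not captured from a real router).
sample_listing() {
    cat <<'EOF'
Chain POSTROUTING (policy ACCEPT 98070 packets, 12M bytes)
 pkts bytes target     prot opt in     out     source       destination
 215K   17M MASQUERADE  all  --  *      eth1    0.0.0.0/0    0.0.0.0/0

Chain zone_lan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source       destination
   12   860 postrouting_lan_rule  all  --  *      *       0.0.0.0/0    0.0.0.0/0
   12   860 MASQUERADE  all  --  *      *       0.0.0.0/0    0.0.0.0/0
EOF
}

# Stand-alone run: report the flagged rules in the sample.
sample_listing | find_unscoped_masq
```

On a router the same function can be fed live data with `iptables -t nat -L -vn | find_unscoped_masq`; an empty result means every MASQUERADE rule is bound to an outgoing interface.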
Re: [OpenWrt-Devel] External (public) IP forwarded to internal LAN
Hi Angelo,

> you can find the output of the two commands on pastebin in the next 2 weeks.
>
> iptables -L -vn at http://pastebin.com/2b0ewSyu
> iptables -t nat -L -vn at http://pastebin.com/i7qPXEMJ

Here is the lan postrouting taken from the above:

    Chain zone_lan_postrouting (1 references)
     pkts bytes target                prot opt in   out   source      destination
       12   860 postrouting_lan_rule  all  --  *    *     0.0.0.0/0   0.0.0.0/0
       12   860 MASQUERADE            all  --  *    *     0.0.0.0/0   0.0.0.0/0

The last line should be the problem: every packet heading for the lan zone (e.g. your webserver) will be masqueraded (SNAT).
Maybe you enabled the masquerading checkbox in the firewall config for this interface?
The content of /etc/config/firewall would probably show the root cause (in case my above guess is wrong).

cheers,
lars
Re: [OpenWrt-Devel] External (public) IP forwarded to internal LAN
Hi,

I'll try to explain my concern better. I would like to show the "source" IP when I read the log of my web browser; this is the scenario:

    user A (IP) ---//- (extern iface)MODEM/ROUTER(internal iface) -- (WWW iface) WWW

    the IP is 1.2.3.4
    the extern iface is 5.6.7.8
    the internal iface is 192.168.100.100
    the WWW iface is 192.168.100.200

When I look at the IP packets on the extern iface I can see the packet from 1.2.3.4 directed to 5.6.7.8, BUT on the internal iface every packet comes from 192.168.100.100, not from 1.2.3.4. In the log of the web server the address recorded is 192.168.100.100.

the dump on the modem's extern iface

    15:07:09.216062 IP 1-2-3-4.foo.com.15716 > adsl-5-6-7-8.foo.it.10080

the dump on the modem's internal iface

    15:07:03.135591 IP 192.168.100.100.15716 > 192.168.100.200.www

on the www side

    192.168.100.100 - - [14/May/2015:15:07:03 +0200] "GET / HTTP/1.1" 200 2735 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0"

You can find the output of the two commands on pastebin in the next 2 weeks.

    iptables -L -vn at http://pastebin.com/2b0ewSyu
    iptables -t nat -L -vn at http://pastebin.com/i7qPXEMJ

Hope this helps.

Cheers
Angelo

> Hi all,
>
> first of all, I'm sorry for my poor English and if I placed my question in
> the wrong place.
>
> I'm facing an issue with, I think, iptables. This is the scenario: I'm
> using a ddns service to point my external IP to access my server; and it
> works fine, but the original address is always the internal iface of my
> modem.
>
> This is my actual port-forwarding conf in /etc/config/firewall
>
>     option src 'wan'
>     option dest 'lan'
>     option proto 'tcp udp'
>     option dest_ip '192.168.x.x'
>     option dest_port 'x'
>     option name 'Photo'
>     option src_dport 'x'
>     option reflection '1'
>
> Surfing the web and the OpenWrt wiki, I cannot find any solution.
> If I'm not wrong, in the previous release of OpenWrt the origin's IP was
> forwarded to the internal LAN.
> Tcpdumping the wan iface I can see both public IPs (the original and my own
> IP).
>
> Is there any solution (conf, recompile the packet, patch, etc.) to reflect
> the previous behaviour?
>
> Cheers
> Angelo
Re: [OpenWrt-Devel] External (public) IP forwarded to internal LAN
Hi Angelo,

> I'm facing an issue with, I think, iptables. This is the scenario: I'm
> using a ddns service to point my external ip to access my server; and it
> works fine, but the original address is always the internal iface of my
> modem.

I am not sure what is the source and the destination of your requests and where you noticed an unexpected IP (and what your expectation was).

I guess that the complete firewall configuration is also necessary for analyzing this problem.

Additionally the output of the following commands would be useful:

    iptables -L -vn
    iptables -t nat -L -vn

(preferably in separate files)

cheers,
Lars
[OpenWrt-Devel] External (public) IP forwarded to internal LAN
Hi all,

first of all, I'm sorry for my poor English and if I placed my question in the wrong place.

I'm facing an issue with, I think, iptables. This is the scenario: I'm using a ddns service to point my external IP to access my server; and it works fine, but the original address is always the internal iface of my modem.

This is my actual port-forwarding conf in /etc/config/firewall

    config redirect
            option target 'DNAT'
            option src 'wan'
            option dest 'lan'
            option proto 'tcp udp'
            option dest_ip '192.168.x.x'
            option dest_port 'x'
            option name 'Photo'
            option src_dport 'x'
            option reflection '1'

Surfing the web and the OpenWrt wiki, I cannot find any solution.
If I'm not wrong, in the previous release of OpenWrt the origin's IP was forwarded to the internal LAN.
Tcpdumping the wan iface I can see both public IPs (the original and my own IP).

Is there any solution (conf, recompile the packet, patch, etc.) to reflect the previous behaviour?

Cheers
Angelo