OpenWrt Forum Archive

Topic: A few intricate requests:

The content of this topic has been archived on 26 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I just upgraded my WRT54Gv1.1 router from Kamikaze 7.06 to 7.07 last night. It took a little work because Dropbear kept not wanting to start, but it's now quite up. My setup (as you may have read in previous posts of mine) is such that it is a wireless client to my DSL modem, meaning that it needs to grab PPPoE from the wireless interface. I got that working, but I had recently put up a server behind this router (it's at http://polypman.hopto.org btw). Because my ISP blocks port 80, that's a port 80 redirect (so the traffic comes to me as port 8080). My router, in firewall.user, redirects port 8080 traffic from the WAN to port 80 on 192.168.1.147 (my server). Here are the relevant parts of firewall.user:


iptables -t nat -A prerouting_wan -p tcp --dport 8080 -j DNAT --to 192.168.1.147:80
iptables        -A forwarding_wan -p tcp --dport 80 -d 192.168.1.147 -j ACCEPT

iptables -t nat -A prerouting_wan -p tcp --dport 21 -j DNAT --to 192.168.1.147:21
iptables        -A forwarding_wan -p tcp --dport 21 -d 192.168.1.147 -j ACCEPT


Anyway, this works fine (until **cking Verizon DSL goes down) for accessing my server from the outside.

For consistency, I'd like to be able to access this server from the LAN. Basically, I just want a request for polypman.hopto.org from the LAN to point to port 80 on my server. In case it makes a difference, most of my LAN clients are behind a second wireless router with Netgear stock firmware, acting as an access point, with the WAN port connected to the OpenWrt box.

I've seen a few solutions, but the one changing firewall.user doesn't work, and the one changing /etc/hosts breaks ALL DNS.

Got any ideas?

tia,
poly-p man

Oh, and call me crazy, but at least last night, my router's internet connection stopped working at one point, when there was no reason for it to, and there were pings going constantly. Basically, I can't have this happen, and I need a way for the connection to either stay up indefinitely, or reconnect when it drops, preferably without rebooting, but making sure that if the IP address on my WAN changed, no-ip knows about it. Hey, I told you it'd be intricate.

Okay, maybe I can offer an alternate solution possibility. Is there any way to route requests to the router's port 8080 to 192.168.1.147:80 ? If it's easy, could I also route requests for port 21 from the lan to 192.168.1.147:21 ?

Any help appreciated!!!

tia,
poly-p man

Okay, I have MORE problems.

My internet from behind the router works pretty well, doesn't drop for no reason (at least, not often). My problem is that sometimes, for no reason, a request for my website will just drop. As in, the client gets an error, and nothing shows up in my logs. When this happens, I need to reboot the router. What's wrong??? When it does error out, my internet outbound still works fine, leading me to believe that there is a problem with the firewall, not PPPoE.

Any ideas?

tia,
poly-p man

Using the following rules will only redirect port 8080 to your local server if the packet is coming from the WAN side of the router.


iptables -t nat -A prerouting_wan -p tcp --dport 8080 -j DNAT --to 192.168.1.147:80
iptables        -A forwarding_wan -p tcp --dport 80 -d 192.168.1.147 -j ACCEPT

iptables -t nat -A prerouting_wan -p tcp --dport 21 -j DNAT --to 192.168.1.147:21
iptables        -A forwarding_wan -p tcp --dport 21 -d 192.168.1.147 -j ACCEPT

If you want to redirect a connection made to your public ip from inside your lan, you could try:

iptables -t nat -A prerouting_rule -p tcp -i eth0.0 -d $PUBLIC_IP --dport 8080 -j DNAT --to 192.168.1.147:80
iptables        -A forwarding_rule -p tcp --dport 80 -d 192.168.1.147 -j ACCEPT


You should be able to add those lines into firewall.user. Basically, every time a packet comes into your router, it will check if it is coming from inside your LAN and if its destination is your WAN IP, and if so, redirect that to your server.

Hope that helps somehow.

(Last edited by wcastillo on 22 Aug 2007, 16:40)

Okay, something's going WAYYY wrong with that. Your idea _looks_ right (I can't say for sure, I don't know iptables), but it isn't working for some reason.

As in, iptables -L has no reference to the first rule. Even if I swap eth0.0 for br-lan (though either should work, neither does).

What's going on here? Here's my ENTIRE firewall.user, some of the commented stuff taken out for space:


#!/bin/sh
# Copyright (C) 2006 OpenWrt.org

iptables -F input_rule
iptables -F output_rule
iptables -F forwarding_rule
iptables -t nat -F prerouting_rule
iptables -t nat -F postrouting_rule

# The following chains are for traffic directed at the IP of the
# WAN interface

iptables -F input_wan
iptables -F forwarding_wan
iptables -t nat -F prerouting_wan

WANIP=`ifconfig ppp0 | grep inet\ addr | sed -r 's/.*inet addr:(.+) P-t.*/\1/'`
network="192.168.1.0/24"
server="192.168.1.147"

#iptables -t nat -A postrouting_rule -o ppp0 -j SNAT --to-source $WANIP
iptables -t nat -A prerouting_rule -p tcp -i br-lan -d $WANIP --dport 8080 -j DNAT --to 192.168.1.147:80
iptables        -A forwarding_rule -p tcp --dport 80 -d 192.168.1.147 -j ACCEPT

### Port forwarding
## -- This forwards port 8080 on the WAN to port 80 on 192.168.1.2

iptables -t nat -A prerouting_wan -p tcp --dport 8080 -j DNAT --to 192.168.1.147:80
iptables        -A forwarding_wan -p tcp --dport 80 -d 192.168.1.147 -j ACCEPT

iptables -t nat -A prerouting_wan -p tcp --dport 21 -j DNAT --to 192.168.1.147:21
iptables        -A forwarding_wan -p tcp --dport 21 -d 192.168.1.147 -j ACCEPT



What's going wrong here???

tia,
poly-p man

And what the hell, here's the output of iptables -L :

Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       tcp  --  anywhere             anywhere            tcp option=!2 flags:SYN/SYN
input_rule  all  --  anywhere             anywhere
input_wan  all  --  anywhere             anywhere
LAN_ACCEPT  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     gre  --  anywhere             anywhere
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
forwarding_rule  all  --  anywhere             anywhere
forwarding_wan  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
output_rule  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain LAN_ACCEPT (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain forwarding_rule (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             192.168.1.147       tcp dpt:80

Chain forwarding_wan (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             192.168.1.147       tcp dpt:80
ACCEPT     tcp  --  anywhere             192.168.1.147       tcp dpt:21

Chain input_rule (1 references)
target     prot opt source               destination

Chain input_wan (1 references)
target     prot opt source               destination

Chain output_rule (1 references)
target     prot opt source               destination



hihyhm,
poly-p man

Poly-poly_man wrote:

...
### Port forwarding
## -- This forwards port 8080 on the WAN to port 80 on 192.168.1.2

iptables -t nat -A prerouting_wan -p tcp --dport 8080 -j DNAT --to 192.168.1.147:80
iptables        -A forwarding_wan -p tcp --dport 80 -d 192.168.1.147 -j ACCEPT

iptables -t nat -A prerouting_wan -p tcp --dport 21 -j DNAT --to 192.168.1.147:21
iptables        -A forwarding_wan -p tcp --dport 21 -d 192.168.1.147 -j ACCEPT
...

It appears that the IP address in the comment is not the one in the rule. Is the comment wrong, or the rule? Or am I just confused?

Take Care,
David Baldock

The comment's wrong. The "stock" firewall.user has that exact line but for 192.168.1.2, and since I didn't feel like screwing up dhcp, I just left it at 192.168.1.147, and edited the firewall.user.

poly-p man

Okay, I've deduced a second problem (though the first is still unsolved).

My ISP's DHCP release time is 2 hours (from what I've read). After that time, I still get internet perfectly going out, but clients get problems coming in (The proxy I use to check service, at least). Is there any way to set it up to release/renew every two hours, and then get noip to instantly re-configure?

At least, that's what I _think_ is happening, my incoming connection broke just now, until I took your lines out of my firewall.user; they didn't do anything before!

Strange things are afoot,
poly-p man

First off, prerouting_rule does not exist in the 'filter' table (which is what 'iptables -L' shows); it exists in the 'nat' table ('iptables -t nat -L'), and if you want more details in the output, I suggest adding '-v -n'.

Second off, I apologize for saying eth0.0; the correct one should be 'br-lan' if you have WLAN and LAN bridged. 'eth0.0' is only used if you unbridge WLAN and LAN, which is what I have. Copy/paste error.

Third, the line below will only work as long as your $WANIP matches your WAN IP address. I believe you mentioned that your WAN IP changes every two hours, in which case the rule below would be invalid unless you updated the value of $WANIP and reloaded your iptables rules.

iptables -t nat -A prerouting_rule -p tcp -i br-lan -d $WANIP --dport 8080 -j DNAT --to 192.168.1.147:80

Also, make sure that polypman.hopto.org resolves to the same IP address that you specify in $WANIP.
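The two points above (a LAN-side DNAT to the public IP, and that rule only being valid while $WANIP holds the current WAN address) are put together in the following firewall.user fragment. It is an added example, not wcastillo's lines or OpenWrt's own firewall.user, and it adds one piece a hairpin setup normally needs that the thread's rules do not have: a source-NAT on the turned-around flow, so the server's replies go back through the router instead of straight to the LAN client. Assumed names are br-lan for the LAN bridge, ppp0 for the WAN, 192.168.1.0/24 for the LAN, 192.168.1.147 for the server, and the Kamikaze chain names prerouting_rule, forwarding_rule and postrouting_rule that the poster's script already flushes. The `ifconfig` text embedded in it is a constructed sample for the dry run; an empty address (ppp0 still dialling) is rejected before it can silently produce a rule that iptables refuses.

```shell
#!/bin/sh
# Added example (not code from the thread or from OpenWrt): a firewall.user
# fragment for Kamikaze 7.x that hairpins LAN connections to the public IP
# back to an internal server. Assumptions: the LAN bridge is br-lan, the WAN
# is ppp0, and the Kamikaze chains prerouting_rule, forwarding_rule and
# postrouting_rule exist. Run with "apply" on the router to load the rules;
# with no argument it only prints what it would load.
IPTABLES="${IPTABLES:-iptables}"

# Pull the IPv4 address out of `ifconfig <iface>` output read from stdin.
# Prints nothing when the interface has no address (e.g. ppp0 not yet up).
wan_ip_from_ifconfig() {
    sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p' | head -n 1
}

# Accept only a dotted quad. An empty $WANIP would turn
# "-d $WANIP --dport 8080" into "-d --dport 8080": iptables then rejects the
# rule and a plain script silently carries on without it.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# hairpin_rules WAN_IP LAN_IF LAN_NET SERVER EXT_PORT INT_PORT
hairpin_rules() {
    wanip=$1 lanif=$2 lannet=$3 server=$4 extport=$5 intport=$6
    is_ipv4 "$wanip"  || { echo "hairpin_rules: no valid WAN ip ('$wanip'), rules not loaded" >&2; return 1; }
    is_ipv4 "$server" || { echo "hairpin_rules: bad server ip ('$server')" >&2; return 1; }
    # 1. Rewrite LAN connections aimed at the public IP onto the server.
    $IPTABLES -t nat -A prerouting_rule -i "$lanif" -s "$lannet" -p tcp \
        -d "$wanip" --dport "$extport" -j DNAT --to "$server:$intport"
    # 2. Let the rewritten connection through FORWARD. It enters and leaves
    #    on the same interface, so match both.
    $IPTABLES -A forwarding_rule -i "$lanif" -o "$lanif" -p tcp \
        -d "$server" --dport "$intport" -j ACCEPT
    # 3. Source-NAT only the hairpinned flows (LAN source, leaving on the
    #    LAN bridge) to the router's LAN address. Without this the server
    #    answers the client directly from its private address, the client
    #    expected the answer from the public IP, and the handshake never
    #    completes. Flows arriving from the WAN are not matched, so the
    #    server still logs real Internet client addresses.
    $IPTABLES -t nat -A postrouting_rule -o "$lanif" -s "$lannet" -p tcp \
        -d "$server" --dport "$intport" -j MASQUERADE
}

# Constructed sample ifconfig output for the dry run: an up ppp0 (address
# taken from the thread) and a ppp0 with no address assigned yet.
SAMPLE_PPP0='ppp0      Link encap:Point-to-Point Protocol
          inet addr:71.250.9.106  P-t-P:10.5.28.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1'
SAMPLE_DOWN='ppp0      Link encap:Point-to-Point Protocol
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1'

if [ "${1:-}" = apply ]; then
    WANIP=$(ifconfig ppp0 2>/dev/null | wan_ip_from_ifconfig)
    hairpin_rules "$WANIP" br-lan 192.168.1.0/24 192.168.1.147 8080 80
    hairpin_rules "$WANIP" br-lan 192.168.1.0/24 192.168.1.147 21 21
else
    IPTABLES="echo iptables"   # dry run: print the rules instead of loading them
    hairpin_rules "$(printf '%s\n' "$SAMPLE_PPP0" | wan_ip_from_ifconfig)" \
        br-lan 192.168.1.0/24 192.168.1.147 8080 80
    hairpin_rules "$(printf '%s\n' "$SAMPLE_DOWN" | wan_ip_from_ifconfig)" \
        br-lan 192.168.1.0/24 192.168.1.147 8080 80 || true
fi
```

Because prerouting_rule and postrouting_rule live in the nat table, check what got loaded with `iptables -t nat -L prerouting_rule -v -n` and `iptables -t nat -L postrouting_rule -v -n`; plain `iptables -L` only shows the filter table and will never list them. The rules have to be reloaded whenever ppp0 comes up with a different address, which is why the script reads the address at run time rather than hard-coding it. The `apply` branch loads the same three rules for port 21, but forwarding FTP through NAT also needs the kernel's FTP connection-tracking and NAT helper modules, or the data connection will not be translated.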

Now here's where you'll get confused. My WAN IP address stays the same after the 2 hours, but incoming connections don't work. So I _NEED_ to release/renew DHCP on ppp0, then update no-ip (and the firewall config).

Here's iptables -t nat -L :

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
NEW        tcp  --  anywhere             anywhere            state NEW
prerouting_rule  all  --  anywhere             anywhere
prerouting_wan  all  --  anywhere             anywhere

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
postrouting_rule  all  --  anywhere             anywhere
MASQUERADE  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain NEW (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere            limit: avg 50/sec burst 100
DROP       all  --  anywhere             anywhere

Chain postrouting_rule (1 references)
target     prot opt source               destination

Chain prerouting_rule (1 references)
target     prot opt source               destination
DNAT       tcp  --  anywhere             pool-71-250-9-106.nwrknj.east.verizon.net tcp dpt:8080 to:192.168.1.147:80

Chain prerouting_wan (1 references)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere            tcp dpt:8080 to:192.168.1.147:80
DNAT       tcp  --  anywhere             anywhere            tcp dpt:21 to:192.168.1.147:21



I don't _THINK_ I have a bridged WLAN + LAN, but br-lan is the interface that gets 192.168.1.1; eth0.0 doesn't get anything. Here's ifconfig:

br-lan    Link encap:Ethernet  HWaddr 00:0C:41:A3:98:09
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2413 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2394 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:354668 (346.3 KiB)  TX bytes:307979 (300.7 KiB)

eth0      Link encap:Ethernet  HWaddr 00:0C:41:A3:98:09
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2406 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2664 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:408454 (398.8 KiB)  TX bytes:418109 (408.3 KiB)
          Interrupt:3

eth0.0    Link encap:Ethernet  HWaddr 00:0C:41:A3:98:09
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2413 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2394 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:364320 (355.7 KiB)  TX bytes:317555 (310.1 KiB)

eth0.1    Link encap:Ethernet  HWaddr 00:0C:41:A3:98:09
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:276 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:89148 (87.0 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:12 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:941 (941.0 B)  TX bytes:941 (941.0 B)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:71.250.9.106  P-t-P:10.5.28.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:2277 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2241 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:249432 (243.5 KiB)  TX bytes:350350 (342.1 KiB)

wl0       Link encap:Ethernet  HWaddr 00:0C:41:A3:98:0B
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2301 errors:0 dropped:0 overruns:0 frame:10130
          TX packets:2249 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:301828 (294.7 KiB)  TX bytes:417953 (408.1 KiB)
          Interrupt:6 Base address:0x2000


Oh, and yes, polypman.hopto.org does resolve to the same IP.

poly-p man

One more addition to my rant:

this problem (the 2 hour dead server bug) only appeared after the update to 7.07. It appears that the "fix" to pppoe has indeed broken it. Is there a workaround for this? Should I just fall back to the previous version?

poly-p man

Okay, I reverted back to 7.06. It seems to work better, but I still don't have the LAN-side server working, not even with your solution. I don't feel like posting details tonight, so if you need anything, ask me.

Thanks for your help so far, please keep it coming.

poly-p man

The discussion might have continued from here.