OpenWrt Forum Archive

Topic: Connecting to a forwarded WAN IP from a client on the LAN side doesn't work

The content of this topic has been archived on 29 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Just installed kamikaze 8.09_RC1 on a new WRT54GL - works fine, nice work!

But the firewall filters too many packets, and I don't know if this is a bug or a feature (and how to configure it).

I'd like to connect to my local mailserver from the lan AND from the wan.
I've configured a port forwarding to my server on the lan side. I don't want to change the IP address in my mail client, so I used the wan IP address.
- If the client is on the wan side, the connection works
- If the client is in the local lan, the connection fails. openwrt refuses the connection to the wan ip.
I've added a second port forwarding, same port and destination, but with "lan" zone. Now the connection gets a timeout :-(

Well the problem that I had was openwrt seems to accept any packets destined to the WAN ip to itself, instead of having them go out and back in, in a sense.

The connection timeout you are having does not make any sense--as long as you have src=lan and dest=lan, and also set the correct dest_ip, and make sure also that dest_port and src_dport are set to the same value (there is no nat from lan<->lan so it may not be possible to change ports).

Just a thought, what happens if you remove "src=wan" and just have it redirect the connection regardless of the src.
I think the problem with "src" is it checks the source interface, not the destination IP address of the original packet.  So basically when you get a packet, even though it is destined for your external IP, it still comes in on br-lan, so is assumed to be from the "lan" source.

Unfortunately this may be a problem for a few services like SSH because you also want to allow SSH to your router, and this will apply the same rules to 192.168.1.1 as well as your external IP.

It is possible because of NAT that in this case the src=lan but src_ip=external address of your router... but I am not sure because that feels like a contradiction of some sort.

(Last edited by phorn on 5 Dec 2008, 02:51)

This thread from WhiteRussian is what I based all of my firewall rules on, but I haven't had time to sit down and convert this to work with Kamikaze yet.  But it's probably as good a starting point as anything.

Using the info in that thread, I'm able to use my external domain name from the LAN, checking mail, accessing my web server, etc.  I'm sure that I could reference the WAN IP also, either should work.

Aha, so the way that thread does it is by referencing $WAN_IP to compute iptables rules... and if you are on a dynamic IP connection (DSL, Cable) then this cannot be done just once per boot because the IP address changes.

# Note: Firewall must be re-run if WAN IP address changes
WANIP=`ifconfig vlan1 | grep inet\ addr | sed -r 's/.*inet addr:(.+) Bcast:.*/\1/'`

So basically the difference here is that iptables must be rerun every time your connection goes down.  The Kamikaze sacrifices a few features by using only interface names, and not IP addresses.  But in return the advantage is you must only run your firewall once, no matter if you restart your wan connection.

In http://wiki.openwrt.org/OpenWrtDocs/Kam … figuration they mention that you can add manual iptables rules, however these are only run once per boot, so if your WAN IP changes, you will be locked out from any redirects you set up.

To me the simplicity of kamikaze is worth it, but if not, it is possible to run manual ifconfig rules, and in fact, if you must reference the WAN_IP, you can set it to redo the firewall when your WAN goes down or up, by putting a script into /etc/hotplug.d/iface/

#!/bin/sh

if [ "$INTERFACE" = "wan" ] && [ "$ACTION" = "ifup" ]; then
... iptables rules go here ...
fi

The iptables rules may conflict with the openwrt ones so you would have to do:
/etc/init.d/firewall stop
/etc/init.d/firewall disable
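The two snippets above (reading the WAN address with ifconfig/sed, and re-running rules from a hotplug script) fit together into one hairpin-NAT script. The following is an added example for this thread, not code posted by phorn or shipped by OpenWrt. It assumes the OpenWrt firewall has been stopped and disabled as described, so it uses the standard PREROUTING/POSTROUTING/FORWARD chains; the interface names (br-lan, vlan1), the addresses (203.0.113.5, 192.168.1.0/24, 192.168.1.10), the ports, the chain names hairpin_* and the file name /etc/hotplug.d/iface/99-hairpin are all assumptions for illustration. The sample ifconfig output is constructed so the address parser can be exercised without a router.

```shell
#!/bin/sh
# Added example, not code from the thread: hairpin ("NAT loopback") rules for
# a hotplug script, e.g. /etc/hotplug.d/iface/99-hairpin (assumed file name).
# Every interface name, address and port below is an assumption for the sake
# of illustration; adjust them to the real network.

LAN_IF="br-lan"             # assumed LAN bridge (as mentioned in the thread)
WAN_IF="vlan1"              # assumed WAN interface, as in the quoted snippet
LAN_NET="192.168.1.0/24"    # assumed LAN subnet
SERVER_IP="192.168.1.10"    # assumed mail/web server on the LAN
# assumed forwards, "wan_port:server_port" (88 -> 80 covers the webserver case)
FORWARDS="25:25 88:80"

# Constructed ifconfig output used for the offline demonstration below.
SAMPLE_IFCONFIG='vlan1      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:203.0.113.5  Bcast:203.0.113.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# Read ifconfig output on stdin and print its IPv4 address (first match only);
# prints nothing when the interface has no address yet, so callers can skip.
wan_ip_from_ifconfig() {
    sed -n 's/.*inet addr:\([0-9.]*\) .*/\1/p' | head -n 1
}

# Print the three iptables commands that make WAN_IP:WAN_PORT reachable from the LAN:
#   1. DNAT: a LAN client talking to the WAN address is sent to the server,
#   2. MASQUERADE: the client source is rewritten to the router's address so the
#      server's reply comes back through the router instead of going straight
#      to the client (which would reset the half-translated connection),
#   3. ACCEPT: let the hairpinned traffic through the filter table.
# Arguments: WAN_IP WAN_PORT SERVER_PORT
hairpin_rules() {
    wan_ip=$1; wport=$2; sport=$3
    printf '%s\n' \
      "iptables -t nat -A hairpin_dnat -i $LAN_IF -d $wan_ip -p tcp --dport $wport -j DNAT --to-destination $SERVER_IP:$sport" \
      "iptables -t nat -A hairpin_snat -s $LAN_NET -d $SERVER_IP -p tcp --dport $sport -j MASQUERADE" \
      "iptables -A hairpin_fwd -i $LAN_IF -o $LAN_IF -d $SERVER_IP -p tcp --dport $sport -j ACCEPT"
}

# Commands that (re)create dedicated chains and hook them in. Flushing them on
# every ifup replaces the rules for the old WAN address instead of stacking
# stale DNAT entries each time the connection comes back with a new IP.
hairpin_chain_setup() {
    for spec in "nat hairpin_dnat PREROUTING" "nat hairpin_snat POSTROUTING" "filter hairpin_fwd FORWARD"; do
        set -- $spec
        printf '%s\n' \
          "iptables -t $1 -N $2 2>/dev/null || true" \
          "iptables -t $1 -F $2" \
          "iptables -t $1 -D $3 -j $2 2>/dev/null || true" \
          "iptables -t $1 -I $3 -j $2"
    done
}

# Generate and execute all rules for the current WAN address.
apply_hairpin() {
    { hairpin_chain_setup
      for fwd in $FORWARDS; do
          hairpin_rules "$1" "${fwd%%:*}" "${fwd##*:}"
      done
    } | while IFS= read -r cmd; do eval "$cmd"; done
}

# Hotplug entry point: re-run only when the WAN interface comes up, because
# that is the moment a dynamic address may have changed.
if [ "$INTERFACE" = "wan" ] && [ "$ACTION" = "ifup" ]; then
    WANIP=$(ifconfig "$WAN_IF" | wan_ip_from_ifconfig)
    [ -n "$WANIP" ] && apply_hairpin "$WANIP"
fi
```

The DNAT alone reproduces the "timeout" from the first post: the server would answer the LAN client directly, the client sees a reply from 192.168.1.10 for a connection it opened to the WAN address, and drops it. The MASQUERADE rule is what forces the reply back through the router. The price is that the server's logs show the router's LAN address, not the real client, for hairpinned connections, which matters when reading mail or web server logs later.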

I wrote this in a similar thread in the past, and I'm writing it again, because I think it's a very easy solution and it will work in most cases.

You can work around this problem by using DNS names.

You can use a free service like DynDNS (with no update problems, because of your static IP) to register a DNS name, to get your WAN IP if you are outside your LAN.

Then configure the DNS server on your OpenWrt box to use the LAN IP of your mailserver for the same DNS name.
Just add it to /etc/hosts (or /etc/config/luci_hosts for Kamikaze 8.09).

Now you can enter the DNS name in your mail application and you always have the right name resolution: you get the LAN IP if you are inside the LAN and the WAN IP if you are outside.

Thanks for this simple workaround.

But I have some port-translated IPs, too :-( (e.g. webserver on WAN port 88)

Tested some routers (without WLAN); they all give access to these ports. Would be nice if OpenWrt did this by default, too.

The discussion might have continued from here.