
Topic: NAT reflection broken in latest trunk?


It seems that NAT reflection (loopback in LuCI) is broken in latest trunk. Maybe broken with r41480?

Rebuilt with the previous firewall_2014-06-26 package and it works now. Confirmed broken, I guess :)

I cannot reproduce the problem. Can you post /etc/config/firewall and the "iptables-save" output?

ownCloud/OpenVPN should be reflected on the LAN; that does not happen with the latest firewall update.

# uci export firewall

package firewall

config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'vpn'
    list device 'tun+'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option input 'DROP'

config forwarding
    option src 'lan'
    option dest 'wan'

config forwarding
    option src 'vpn'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config include
    option path '/etc/firewall.user'

config rule
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option target 'ACCEPT'
    option name 'PING'

config rule
    option target 'ACCEPT'
    option name '6in4'
    option src 'wan'
    option proto '41'
    option family 'ipv4'

config rule
    option target 'ACCEPT'
    option name 'OpenVPN'
    option src 'wan'
    option proto 'udp'
    option dest_port '1194'

config redirect
    option src 'wan'
    option src_dport '222'
    option dest_port '22'
    option proto 'tcp'
    option name 'EXTSSH'
    option target 'DNAT'
    option dest 'lan'
    option reflection '0'

config redirect
    option name 'SABNZB'
    option src 'wan'
    option proto 'tcp'
    option src_dport '9095'
    option dest_ip '10.1.1.3'
    option target 'DNAT'
    option dest 'lan'
    option reflection '0'

config redirect
    option name 'PLEX'
    option src 'wan'
    option proto 'tcp'
    option src_dport '443'
    option dest_ip '10.1.1.3'
    option dest_port '32400'
    option target 'DNAT'
    option dest 'lan'
    option enabled '0'

config redirect
    option target 'DNAT'
    option src 'wan'
    option src_dport '443'
    option dest_port '1194'
    option proto 'udp'
    option dest 'lan'
    option name 'OpenVPN redirect UDP 443'

config redirect
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'tcp'
    option src_dport '443'
    option dest_ip '10.1.1.3'
    option dest_port '443'
    option name 'ownCloud'

config include 'miniupnpd'
    option type 'script'
    option path '/usr/share/miniupnpd/firewall.include'
    option family 'any'
    option reload '1'
# iptables-save
# Generated by iptables-save v1.4.21 on Thu Jul 10 12:04:46 2014
*nat
:PREROUTING ACCEPT [6870:1005502]
:INPUT ACCEPT [329:39342]
:OUTPUT ACCEPT [354:24951]
:POSTROUTING ACCEPT [30:2742]
:MINIUPNPD - [0:0]
:delegate_postrouting - [0:0]
:delegate_prerouting - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_vpn_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_vpn_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_vpn_postrouting - [0:0]
:zone_vpn_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -j delegate_prerouting
-A POSTROUTING -j delegate_postrouting
-A delegate_postrouting -m comment --comment "user chain for postrouting" -j postrouting_rule
-A delegate_postrouting -o br-lan -j zone_lan_postrouting
-A delegate_postrouting -o tun+ -j zone_vpn_postrouting
-A delegate_postrouting -o eth1 -j zone_wan_postrouting
-A delegate_prerouting -m comment --comment "user chain for prerouting" -j prerouting_rule
-A delegate_prerouting -i br-lan -j zone_lan_prerouting
-A delegate_prerouting -i tun+ -j zone_vpn_prerouting
-A delegate_prerouting -i eth1 -j zone_wan_prerouting
-A zone_lan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_lan_rule
-A zone_lan_postrouting -s 10.1.1.0/24 -p udp -m udp --dport 1194 -m comment --comment "OpenVPN redirect UDP 443 (reflection)" -j SNAT --to-source 10.1.1.1
-A zone_lan_postrouting -s 10.1.1.0/24 -d 10.1.1.3/32 -p tcp -m tcp --dport 443 -m comment --comment "ownCloud (reflection)" -j SNAT --to-source 10.1.1.1
-A zone_lan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_lan_rule
-A zone_lan_prerouting -s 10.1.1.0/24 -d 84.210.170.236/32 -p udp -m udp --dport 443 -m comment --comment "OpenVPN redirect UDP 443 (reflection)" -j DNAT --to-destination :1194
-A zone_lan_prerouting -s 10.1.1.0/24 -d 84.210.170.236/32 -p tcp -m tcp --dport 443 -m comment --comment "ownCloud (reflection)" -j DNAT --to-destination 10.1.1.3:443
-A zone_vpn_postrouting -m comment --comment "user chain for postrouting" -j postrouting_vpn_rule
-A zone_vpn_prerouting -m comment --comment "user chain for prerouting" -j prerouting_vpn_rule
-A zone_wan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_wan_rule
-A zone_wan_postrouting -j MASQUERADE
-A zone_wan_prerouting -j MINIUPNPD
-A zone_wan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_wan_rule
-A zone_wan_prerouting -p tcp -m tcp --dport 222 -m comment --comment EXTSSH -j DNAT --to-destination :22
-A zone_wan_prerouting -p tcp -m tcp --dport 9095 -m comment --comment SABNZB -j DNAT --to-destination 10.1.1.3:9095
-A zone_wan_prerouting -p udp -m udp --dport 443 -m comment --comment "OpenVPN redirect UDP 443" -j DNAT --to-destination :1194
-A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment ownCloud -j DNAT --to-destination 10.1.1.3:443
COMMIT
# Completed on Thu Jul 10 12:04:46 2014
# Generated by iptables-save v1.4.21 on Thu Jul 10 12:04:46 2014
*raw
:PREROUTING ACCEPT [3032996:4030907513]
:OUTPUT ACCEPT [2133:365203]
:delegate_notrack - [0:0]
-A PREROUTING -j delegate_notrack
COMMIT
# Completed on Thu Jul 10 12:04:46 2014
# Generated by iptables-save v1.4.21 on Thu Jul 10 12:04:46 2014
*mangle
:PREROUTING ACCEPT [3032997:4030907553]
:INPUT ACCEPT [8065:818394]
:FORWARD ACCEPT [3021411:4029453831]
:OUTPUT ACCEPT [2133:365203]
:POSTROUTING ACCEPT [3023546:4029819694]
:fwmark - [0:0]
:mssfix - [0:0]
:qos_Default - [0:0]
:qos_Default_ct - [0:0]
-A PREROUTING -j fwmark
-A FORWARD -j mssfix
-A mssfix -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
-A qos_Default -j CONNMARK --restore-mark --nfmask 0xff --ctmask 0xff
-A qos_Default -m mark --mark 0x0/0xff -j qos_Default_ct
-A qos_Default -m mark --mark 0x1/0xff -m length --length 400:65535 -j MARK --set-xmark 0x0/0xff
-A qos_Default -m mark --mark 0x2/0xff -m length --length 800:65535 -j MARK --set-xmark 0x0/0xff
-A qos_Default -p udp -m mark --mark 0x0/0xff -m length --length 0:500 -j MARK --set-xmark 0x2/0xff
-A qos_Default -p icmp -j MARK --set-xmark 0x1/0xff
-A qos_Default -p tcp -m mark --mark 0x0/0xff -m tcp --sport 1024:65535 --dport 1024:65535 -j MARK --set-xmark 0x4/0xff
-A qos_Default -p udp -m mark --mark 0x0/0xff -m udp --sport 1024:65535 --dport 1024:65535 -j MARK --set-xmark 0x4/0xff
-A qos_Default -p tcp -m length --length 0:128 -m mark ! --mark 0x4/0xff -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j MARK --set-xmark 0x1/0xff
-A qos_Default -p tcp -m length --length 0:128 -m mark ! --mark 0x4/0xff -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG ACK -j MARK --set-xmark 0x1/0xff
-A qos_Default_ct -p tcp -m mark --mark 0x0/0xff -m tcp -m multiport --ports 22,53 -m comment --comment "ssh, dns" -j MARK --set-xmark 0x1/0xff
-A qos_Default_ct -p udp -m mark --mark 0x0/0xff -m udp -m multiport --ports 22,53 -m comment --comment "ssh, dns" -j MARK --set-xmark 0x1/0xff
-A qos_Default_ct -p tcp -m mark --mark 0x0/0xff -m tcp -m multiport --ports 20,21,25,80,110,443,993,995 -m comment --comment "ftp, smtp, http(s), imap" -j MARK --set-xmark 0x3/0xff
-A qos_Default_ct -p tcp -m mark --mark 0x0/0xff -m tcp -m multiport --ports 5190 -m comment --comment "AOL, iChat, ICQ" -j MARK --set-xmark 0x2/0xff
-A qos_Default_ct -p udp -m mark --mark 0x0/0xff -m udp -m multiport --ports 5190 -m comment --comment "AOL, iChat, ICQ" -j MARK --set-xmark 0x2/0xff
-A qos_Default_ct -j CONNMARK --save-mark --nfmask 0xff --ctmask 0xff
COMMIT
# Completed on Thu Jul 10 12:04:46 2014
# Generated by iptables-save v1.4.21 on Thu Jul 10 12:04:46 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:delegate_forward - [0:0]
:delegate_input - [0:0]
:delegate_output - [0:0]
:dropBrute - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_vpn_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_vpn_rule - [0:0]
:input_wan_rule - [0:0]
:logndrop - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_vpn_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_vpn_dest_ACCEPT - [0:0]
:zone_vpn_forward - [0:0]
:zone_vpn_input - [0:0]
:zone_vpn_output - [0:0]
:zone_vpn_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_DROP - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -j delegate_input
-A FORWARD -j delegate_forward
-A OUTPUT -j delegate_output
-A delegate_forward -m comment --comment "user chain for forwarding" -j forwarding_rule
-A delegate_forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_forward -i br-lan -j zone_lan_forward
-A delegate_forward -i tun+ -j zone_vpn_forward
-A delegate_forward -i eth1 -j zone_wan_forward
-A delegate_forward -j reject
-A delegate_input -i lo -j ACCEPT
-A delegate_input -m comment --comment "user chain for input" -j input_rule
-A delegate_input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_input -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
-A delegate_input -i br-lan -j zone_lan_input
-A delegate_input -i tun+ -j zone_vpn_input
-A delegate_input -i eth1 -j zone_wan_input
-A delegate_output -o lo -j ACCEPT
-A delegate_output -m comment --comment "user chain for output" -j output_rule
-A delegate_output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_output -o br-lan -j zone_lan_output
-A delegate_output -o tun+ -j zone_vpn_output
-A delegate_output -o eth1 -j zone_wan_output
-A input_rule -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
-A input_rule -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --mask 255.255.255.255 --rsource -j logndrop
-A input_rule -p tcp -m tcp --dport 22 -j dropBrute
-A logndrop -j LOG
-A logndrop -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN
-A syn_flood -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -j ACCEPT
-A zone_lan_forward -m comment --comment "user chain for forwarding" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "forwarding lan -> wan" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_lan_forward -j zone_lan_src_ACCEPT
-A zone_lan_input -m comment --comment "user chain for input" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_lan_input -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "user chain for output" -j output_lan_rule
-A zone_lan_output -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -j ACCEPT
-A zone_vpn_dest_ACCEPT -o tun+ -j ACCEPT
-A zone_vpn_forward -m comment --comment "user chain for forwarding" -j forwarding_vpn_rule
-A zone_vpn_forward -m comment --comment "forwarding vpn -> wan" -j zone_wan_dest_ACCEPT
-A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_vpn_forward -j zone_vpn_src_ACCEPT
-A zone_vpn_input -m comment --comment "user chain for input" -j input_vpn_rule
-A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_vpn_input -j zone_vpn_src_ACCEPT
-A zone_vpn_output -m comment --comment "user chain for output" -j output_vpn_rule
-A zone_vpn_output -j zone_vpn_dest_ACCEPT
-A zone_vpn_src_ACCEPT -i tun+ -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth1 -j ACCEPT
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -m comment --comment "user chain for forwarding" -j forwarding_wan_rule
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_wan_forward -j zone_wan_src_REJECT
-A zone_wan_input -m comment --comment "user chain for input" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment Allow-DHCP-Renew -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment PING -j ACCEPT
-A zone_wan_input -p ipv6 -m comment --comment 6in4 -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment OpenVPN -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_wan_input -j zone_wan_src_DROP
-A zone_wan_output -m comment --comment "user chain for output" -j output_wan_rule
-A zone_wan_output -j zone_wan_dest_ACCEPT
-A zone_wan_src_DROP -i eth1 -j DROP
-A zone_wan_src_REJECT -i eth1 -j reject
COMMIT
# Completed on Thu Jul 10 12:04:46 2014

Was able to reproduce it - it should be fixed in latest trunk now.

Cool, thanks jow :)

Does anyone else have issues with the firewall rules at startup?
Have you ever heard of iptables being 'blocked' at boot, so that until you restart it, no other application is able to insert anything into iptables?

jow, new firewall segfaults for me hmm

Did you just update the firewall package? It might be an ABI mismatch with the newer ubus. If the issue persists with a clean build, run:

ulimit -c unlimited
fw3 print

And send me the resulting core file.

No, I rebuilt from trunk. I've flashed back now, so I can't test at the moment; I will do so when I find some time.

fw3 also crashes on a BB x86 image I just built.
I've e-mailed jow the core files.

Thanks for the input, I found the problem.

I've just re-compiled the latest BB trunk with the updated fw3 and there was no segfault on bootup.

Glad to see such a quick response :-)

Looks like this is broken again in BB rc3 (r42682). In short, I have this /etc/config/firewall rule:

config redirect
    option target 'DNAT'
    option src 'wan'
    option src_dport '22001'
    option dest_port '22'
    option name 'Remote Admin'
    option dest 'lan'
    option proto 'tcp'

And the corresponding loopback/reflection rules are missing in iptables:

root@WNDR3800:~# iptables-save | grep 22
-A zone_wan_prerouting -p tcp -m tcp --dport 22001 -m comment --comment "Remote Admin" -j REDIRECT --to-ports 22

On my routers with r42475 (and going back at least as far as r39972), the reflection rules are present:

root@WNDR3700:~# iptables-save | grep 22
-A zone_lan_postrouting -s 192.168.4.0/24 -p tcp -m tcp --dport 22 -m comment --comment "Remote Admin (reflection)" -j SNAT --to-source 192.168.4.1
-A zone_lan_prerouting -s 192.168.4.0/24 -d <my_public_ip>/32 -p tcp -m tcp --dport 22001 -m comment --comment "Remote Admin (reflection)" -j DNAT --to-destination :22
-A zone_wan_prerouting -p tcp -m tcp --dport 22001 -m comment --comment "Remote Admin" -j DNAT --to-destination :22

Update:

NAT loopback for port forwarding does not work correctly on the Barrier Breaker final release. The reflection rules in iptables are not created unless the destination address is a host other than the router itself (a redirect without dest_ip now becomes a plain REDIRECT --to-ports rule, as in the iptables-save output above, with no reflection counterpart).

This means you cannot have a WAN port forwarded to an internal port on the router AND hit the forwarded WAN port from the LAN at the same time. You will need to use different connection settings in whatever application you are using to connect to your router, depending on your current location (LAN vs WAN).

This still seems broken on:

    OpenWrt Chaos Calmer r44091 / LuCI (git-15.023.51993-40066a6)
