Posted: Mon Mar 07, 2011 10:29 pm Post subject: NAT Loopback fix for 15760 and higher, (Port forward issue)
I spent some time thinking about the best way to fix loopback. Despite some bad documentation throwing me off before, I found that it's possible to mark traffic destined to the WAN IP and then only masquerade the marked traffic. This should allow loopback to work for all local interfaces without causing problems when ebtables is loaded.
Save the following commands to the Firewall Script on the Administration->Commands page to fix loopback.
Code:
insmod ipt_mark
insmod xt_mark
iptables -t mangle -A PREROUTING -i ! `get_wanface` -d `nvram get wan_ipaddr` -j MARK --set-mark 0xd001
iptables -t nat -A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE
If you have a block of static IPs using 1:1 NAT then you also need to add another iptables rule to cover your IP block. Edit the netblock (1.1.1.0/24) to be your static IP block.
Code:
iptables -t mangle -A PREROUTING -i ! `get_wanface` -d 1.1.1.0/24 -j MARK --set-mark 0xd001
The one known caveat is that badly written QoS scripts will prevent it from working but that's a problem with the scripts that needs to be fixed...
Other ways to fix the loopback problem can be found in this bug ticket:
http://svn.dd-wrt.com:8000/ticket/1868
_________________
If your build is older than a year then update if you want support. Broadcom recommended builds (Click this!)
Only use tested forum recommended builds (DB recommendations are bad) and read the forum announcements!
Advanced configuration help takes considerable time, stipend helps coax answers.
Looking for bricks and spare routers for testing/tutorials.
Last edited by phuzi0n on Tue Sep 13, 2011 4:50 pm; edited 4 times in total
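As an added example (not code from the thread), a small POSIX sh helper that builds the rule set above for a given WAN interface, WAN IP and any number of 1:1 NAT netblocks. `get_wanface` and `nvram get wan_ipaddr` are passed in as parameters, and the netblock validation and the DRY_RUN switch (print the commands instead of running them) are additions of this example, so the generated rules can be reviewed before being pasted into the firewall script.

```shell
#!/bin/sh
# Added example, not from the thread: builds the loopback (hairpin NAT) rules
# described above for one WAN interface/IP plus any 1:1 NAT netblocks.
# DRY_RUN=1 prints the iptables commands instead of running them.

MARK=0xd001   # fwmark used in the thread's rules

# Return 0 if $1 is a dotted-quad CIDR (a.b.c.d/nn), else 1.
valid_cidr() {
    case "$1" in
        ''|*[!0-9./]*|*/*/*|.*|*.|/*|*/) return 1 ;;
    esac
    addr=${1%/*}; pre=${1#*/}
    [ "$pre" != "$1" ] || return 1                       # prefix length required
    [ "$pre" -ge 0 ] 2>/dev/null && [ "$pre" -le 32 ] || return 1
    set -- $(IFS=.; echo $addr)                          # split octets on '.'
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -ge 0 ] 2>/dev/null && [ "$o" -le 255 ] || return 1
    done
}

# Run iptables, or echo the command when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# loopback_rules WAN_IFACE WAN_IP [NETBLOCK ...]
# On the router: loopback_rules "$(get_wanface)" "$(nvram get wan_ipaddr)" 1.1.1.0/24
loopback_rules() {
    wanif=$1; wanip=$2; shift 2
    [ -n "$wanif" ] && [ -n "$wanip" ] || { echo "need WAN iface and IP" >&2; return 1; }
    for nb in "$@"; do
        valid_cidr "$nb" || { echo "bad netblock: $nb" >&2; return 1; }
    done
    # Mark only packets that did NOT arrive on the WAN interface but are addressed
    # to the WAN IP (or the 1:1 NAT block). Ordinary LAN-to-Internet traffic is
    # untouched, so it keeps its real source address everywhere else.
    ipt -t mangle -A PREROUTING -i ! "$wanif" -d "$wanip" -j MARK --set-mark $MARK
    for nb in "$@"; do
        ipt -t mangle -A PREROUTING -i ! "$wanif" -d "$nb" -j MARK --set-mark $MARK
    done
    # Masquerade only the marked hairpin flows so the reply returns through the router.
    ipt -t nat -A POSTROUTING -m mark --mark $MARK -j MASQUERADE
}
```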
I spent some time thinking about the best way to fix loopback. Despite some bad documentation throwing me off before, I found that it's possible to mark traffic destined to the WAN IP and then only masquerade the marked traffic. This should allow loopback to work for all local interfaces without causing problems when ebtables is loaded.
Code:
insmod ipt_mark
insmod xt_mark
iptables -t mangle -A PREROUTING -i ! `get_wanface` -d `nvram get wan_ipaddr` -j MARK --set-mark 0xd001
iptables -t nat -A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE
Can't you put this in a new ticket?
It's your idea, so I don't want to....
_________________
Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge
It's in the original ticket. It would be good if people try it out just to make sure there's no problems with it. Now that I can compile k2.6 builds, I'll start writing patches myself.
Joined: 31 Aug 2009 Posts: 2203 Location: Formerly DHC_DarkShadow
Posted: Wed Mar 09, 2011 5:39 am Post subject:
phuzi0n wrote:
It's in the original ticket. It would be good if people try it out just to make sure there's no problems with it. Now that I can compile k2.6 builds, I'll start writing patches myself.
Joined: 04 Jan 2007 Posts: 10573 Location: Wherever the wind blows- North America
Posted: Fri Mar 11, 2011 12:11 am Post subject:
Yeah this code takes care of my RT-N16 that connects to a 520gu ftp server on a Client Bridge unit. I am able to access my ftp server from my local LAN.
redhawk
(attachment: Clipboard01.jpg)
_________________ I currently test dd-wrt on Asus, Buffalo, Linksys, and Netgear. Too many to list.
Looking for more test units (newer models) for the project...got a brick?...PM me to make a donation. (USA) A donation is not a debricking service....it is a way to "Give back" to the dd-wrt project.
I do NOT provide personal assistance through chat or phone....so please don't ask.
Last edited by redhawk0 on Tue Mar 15, 2011 11:59 am; edited 2 times in total
Don't get your hopes up too much. Just focus on testing it please.
Joined: 08 Mar 2011 Posts: 20 Location: Saskatchewan, Canada
Posted: Sun Mar 13, 2011 3:41 am Post subject:
Are there any other known disadvantages (other than bad QoS scripts) to using this fix (potential security flaw, breaking other features, etc.)?
Working well so far with my WRT310N V2 running std-nokaid-small - build 15940:
Code:
iptables -I INPUT -p udp --sport 67 --dport 68 -j ACCEPT
insmod ipt_mark
insmod xt_mark
iptables -t mangle -A PREROUTING -i ! `get_wanface` -d `nvram get wan_ipaddr` -j MARK --set-mark 0xd001
iptables -t nat -A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE
Keep up the great work by the way, it is very much appreciated.
Mark
PS - the first line is because I connect through a 2Wire 2701HG-S Gateway for my Internet in DMZplus mode.
_________________
*Linksys WRT310N V2 with DD-WRT v24-sp2 (12/18/10) std-nokaid-small - build 15940
*Linksys WRT54GL v1.1 with DD-WRT v24-sp2 (08/12/10) std - build 14929
Are there any other known disadvantages (other than bad QoS scripts) to using this fix (potential security flaw, breaking other features, etc.)?
Nope, it shouldn't break any of the built in features.
Joined: 16 Mar 2011 Posts: 40 Location: Saskatoon, SK, Canada
Posted: Wed Mar 23, 2011 2:52 pm Post subject:
This has been running well on my E2000 with build 15943 for a couple days now. It hasn't affected anything negatively. My PPTP server still works, and is accessible from inside and outside my LAN, and that's all I need.
wavracer wrote:
PS - the first line is because I connect through a 2Wire 2701HG-S Gateway for my Internet in DMZplus mode.
@wavracer: Are you on Sasktel? I will send you a PM so as to not muck up this thread with off topic stuff.
_________________
Linksys E2000 DD-WRT v24-sp2 (12/12/11) mini
(SVN revision 18000)
Having problems with port forwarding? Using build 15778 or later? Check out Port Forward Troubleshooting for more info. Also for loopback code testing, reference this post.