Issues with localnat
Hi everyone
I installed the latest firmware on my DSL-502T in order to be able to reach my portforwards from the LAN using the external IP.
Now, this does not seem to work properly. Obviously, I enabled localnat.sh in the settings.
When I reboot the router, it sometimes works once or for a very short period of time but then stops working, i.e. I cannot reach my forwarded ports from the LAN (while everything else still works fine incl. access to the forwarded ports from WAN).
I tried individual port forwards as well as DMZ and the localnat scripts seems to work ok.
Can anyone help?
Cheers
Stefan
Re: Issues with localnat
Apologies - there has been a previous report that localnat no longer works - but I have never gotten round to reproducing and attempting to fix - are you also using upnp?
Re: Issues with localnat
Hi mstombs
no I am not using UPNP and just a single port forward at the moment (port 14652):
Code:
/var # iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 319 packets, 41860 bytes)
pkts bytes target prot opt in out source destination
4 204 INT_PRE all -- br0 * 0.0.0.0/0 $WAN_IP
0 0 DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:14652 to:10.1.1.31:14652
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4 204 INT_POST all -- * br0 10.0.0.0/8 0.0.0.0/0
264 24485 MASQUERADE all -- * ppp0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 9 packets, 865 bytes)
pkts bytes target prot opt in out source destination
Chain INT_POST (1 references)
pkts bytes target prot opt in out source destination
4 204 SNAT tcp -- * * 0.0.0.0/0 10.1.1.31 tcp dpt:14652 to:10.1.1.1:14652
Chain INT_PRE (1 references)
pkts bytes target prot opt in out source destination
4 204 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:14652 to:10.1.1.31:14652
/var # iptables -nvL
Chain INPUT (policy ACCEPT 395 packets, 25973 bytes)
pkts bytes target prot opt in out source destination
23 1245 CFG tcp -- * * 10.1.1.31 0.0.0.0/0 tcp dpt:80 Records Packet's Source Interface
23 3036 ACCEPT all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 4
0 0 DROP icmp -f * * 0.0.0.0/0 0.0.0.0/0
2 80 DROP all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 29975 packets, 8339K bytes)
pkts bytes target prot opt in out source destination
120 6804 TCPMSS tcp -- * ppp0 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
43875 9098K ACCEPT all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0 10.1.1.31 tcp dpt:14652
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 4
0 0 DROP all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 377 packets, 84726 bytes)
pkts bytes target prot opt in out source destination
4 2304 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 4
0 0 DROP icmp -- * ppp0 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 DROP icmp -- * ppp0 0.0.0.0/0 0.0.0.0/0 state INVALID
/var #
In the above case, the interesting thing was that the first connection attempt (1 packet) worked but the following 3 did not. You can see all 4 packets above though.
Thanks
S.
Re: Issues with localnat
Thanks - that output is exactly what was required next to investigate -
localnat.sh is surprisingly well documented, the only lingering issue I recall from 4 years ago is that it stopped working when the debug echo statements and 'sleeps' were taken out - so they were left in. Assumed at the time that the little router needed time to handle the relatively big memory demands of the iptables command piped through multiple greps (I'm now sure it could be simplified). It makes heavy use of shell string handling, provided by BusyBox without "awk" I recall, and BusyBox has been upgraded several times since RT2.5 ...
I will not have ever tested using the 10/8 local IP range - can you confirm that 10.1.1.1 is correctly your router lan IP?
- but as you say localnat.sh seems to have worked, so the problem must be deeper. I will also have only tested using low port numbers, http 80, telnet 23 and similar, but cannot see why this would not work...
If I had a test setup next stop would be using wireshark to check the actual comms to/from the router
Re: Issues with localnat
Hi mstombs
yes, 10.1.1.1 is the router IP and I did already sniff the traffic. The only thing you see is a SYN packet to the router but no answer.
I'll try changing the IP range and use a low port.
Any other ideas?
Thanks.
Re: Issues with localnat
You are not going to like this - but "It works for me"
Have checked out RT2.95 and RT2.97 with DMZ looping back to same PC - running exact firmware version
Firmware version: RouterTech_3.6.0D_20120130_2.97 (psbl-4mb-flash; 20120130221409)
This may be important - please advise which router/firmware doesn't work for you - I'm sure I can fire up equivalent router/ firmware
One thing I have noticed is the packet/byte counters do not count every packet - maybe only the first connection one
This is after browsing my own website for a bit - always with the WANIP (numeric) in the address line
Code:
/var # iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 1256 packets, 91265 bytes)
pkts bytes target prot opt in out source destination
21 1452 INT_PRE all -- br0 * 0.0.0.0/0 $mywanip
15 664 DNAT all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 to:192.168.2.2
Chain POSTROUTING (policy ACCEPT 15 packets, 664 bytes)
pkts bytes target prot opt in out source destination
21 1452 INT_POST all -- * br0 192.168.2.0/24 0.0.0.0/0
220 14198 MASQUERADE all -- * ppp0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 150 packets, 9736 bytes)
pkts bytes target prot opt in out source destination
Chain INT_POST (1 references)
pkts bytes target prot opt in out source destination
21 1452 SNAT all -- * * 0.0.0.0/0 192.168.2.2 to:192.168.2.1
Chain INT_PRE (1 references)
pkts bytes target prot opt in out source destination
21 1452 DNAT all -- * * 0.0.0.0/0 0.0.0.0/0 to:192.168.2.2
Re: Issues with localnat
Hi mstombs
many thanks for your help.
After having run it for a few days, it appears that the localnat functionality works somehow intermittently.
I want to use the same servername in my email clients for LAN and WAN connections, so I use a dyndns name, which resolves back to the router.
The clients are set to poll email every few minutes. I use different clients on different devices (laptop, android,...).
When being on the LAN, it can sometimes take an hour before a poll gets through but eventually it will (even without router reboot).
I am using a DSL-502t (first generation) with 2.97 firmware (from this image: RouterTech_3.6.0D_20120130_2.97_AR7RD-1Port_Adam2_firmware.upgrade.img)
Any chance that you test this setup on your side?
Thanks
Re: Issues with localnat
I have a 600E, my least favourite router with its adam2 bootloader, it did have pspboot for a while... and I didn't need JTAG, but once loaded bootloader shouldn't matter.
But if you are using a 1-port router (I did above) - you must have a switch behind it to have more than 1 lan device? Could the switch be too clever?
A potential failure mode of the localnat is if either server or client finds out the local IP address of either and tries to send/reply locally.
I wonder if you could achieve what you want using the router hosts file to always use the local IP address?
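The hairpin ("localnat") rule layout visible in the iptables dumps earlier in the thread, together with the reply-goes-direct failure mode mstombs describes, as an added example that is not RouterTech's localnat.sh. The interface, network and addresses in the demo call are constructed, not taken from anyone's router.

```shell
#!/bin/sh
# Added example (not the RouterTech localnat.sh): builds hairpin-NAT rules in
# the same INT_PRE / INT_POST chain layout as the iptables dumps in this thread.
# It only prints the commands so they can be reviewed first; pipe the output
# into "sh" on the router (as root) to apply them.
# Addresses in the demo call at the bottom are constructed for illustration.

localnat_rules() {
    wan_ip=$1 lan_if=$2 lan_net=$3 router_ip=$4 server=$5 port=$6

    # Step 1: a LAN client connecting to <wan_ip>:<port> arrives on the bridge
    # (br0). Redirect it to the internal server, exactly as the WAN-side
    # port forward does for packets arriving on ppp0.
    echo "iptables -t nat -N INT_PRE"
    echo "iptables -t nat -A PREROUTING -i $lan_if -d $wan_ip -j INT_PRE"
    echo "iptables -t nat -A INT_PRE -p tcp --dport $port -j DNAT --to-destination $server:$port"

    # Step 2: rewrite the source of that redirected connection to the router's
    # own LAN address. Without this the server sees the client's real LAN IP
    # and answers it directly on the LAN; the client then receives a SYN-ACK
    # from <server> instead of from <wan_ip>, ignores it, and a capture shows
    # exactly one SYN with no reply (the failure mode described above).
    echo "iptables -t nat -N INT_POST"
    echo "iptables -t nat -A POSTROUTING -o $lan_if -s $lan_net -j INT_POST"
    echo "iptables -t nat -A INT_POST -p tcp -d $server --dport $port -j SNAT --to-source $router_ip"
}

# Number of rule lines produced; a quick sanity check before applying.
localnat_rule_count() {
    localnat_rules "$@" | wc -l | tr -d ' '
}

# Demo with constructed values: WAN 203.0.113.10, LAN 10.0.0.0/8 behind
# router 10.1.1.1, server 10.1.1.31 on TCP 14652 (the port used in the thread).
if [ "${1:-}" = "print" ]; then
    localnat_rules 203.0.113.10 br0 10.0.0.0/8 10.1.1.1 10.1.1.31 14652
fi
```

The nat table only sees the first packet of each connection (conntrack applies the same translation to the rest), so the INT_PRE/INT_POST counters in the dumps above increase once per connection rather than once per packet.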
Re: Issues with localnat
Hi mstombs
yes, I have thought about solving my requirement through hosts file entries / DNS as well but not managed so far:
After I add the entry to my /etc/hosts, it is not immediately taken into account for DNS queries from other devices in the network. However, the preconfigured mygateway1.AR7RD entry is resolved correctly so I assume the entry must be present when the DNS service is first started.
Even if I select 'Save all' from the UI, the new entry is gone after a reboot.
How do I get an additional entry in the hosts file to survive a reboot?
Thanks
- thechief (RouterTech Team)
Re: Issues with localnat
hwurst205 wrote: How do I get an additional entry in the hosts file to survive a reboot?
You can schedule the addition of the entry to take place on every bootup: firmware-faq/#autoexec
The Chief: Be sure to read the Firmware FAQ and do a Forum Search before posting!
No support via PM. Ask all questions on the open forum.
Re: Issues with localnat
Hi chief
thanks for the link.
I tried
Code:
setenv RT_init_1 "echo '$ip $name.dyndns.org' >>/etc/hosts"
and the same with RT_cmd_1 but it won't add the lines to the hosts file. getenv retrieves the values ok after reboot.
What am I doing wrong?
Cheers
- thechief (RouterTech Team)
Re: Issues with localnat
The hosts file is probably being overwritten on getting a WAN connection. Try this
Code:
setenv autoexec.sh "echo '$ip $name.dyndns.org' >>/etc/hosts"
If that doesn't work, then try this
Code:
setenv RT_connect_1 "echo '$ip $name.dyndns.org' >>/etc/hosts"
This will add the line every time there is a WAN connection.
Re: Issues with localnat
Thanks, the RT_connect_1 finally worked.
However,
Code:
ping $name.dyndns.org
on the router now works fine and resolves to $ip.
Code:
nslookup $name.dyndns.org $router_ip
on any PC in the LAN however retrieves the WAN IP of the router and not the hosts file entry.
I assume that the hosts file entry must be present when the dns service is started to be taken into account. Can I restart the DNS service on the router?
Thanks
- thechief (RouterTech Team)
Re: Issues with localnat
hwurst205 wrote: Can I restart the DNS service on the router?
This will do it
Code:
killall -9 dproxy
Code:
setenv RT_connect_1 "echo '$ip $name.dyndns.org' >>/etc/hosts && sleep 1 && killall -9 dproxy"
Re: Issues with localnat
ok, cool, that worked.
I had to shorten the string though because setenv only seemed to accept about 66 characters (at least the following getenv printed only the first 66) but it works without the sleep.
Thanks