Issues with localnat

An area specifically for port forwarding, firewalls and other (on-line) security related issues.
hwurst205
Newbie
Posts: 8
Joined: Sat Mar 03, 2012 11:16 am

Issues with localnat

Post by hwurst205 » Mon Mar 05, 2012 5:06 am

Hi everyone
I installed the latest firmware on my DSL-502T in order to be able to reach my portforwards from the LAN using the external IP.
Now, this does not seem to work properly. Obviously, I enabled localnat.sh in the settings.

When I reboot the router, it sometimes works once or for a very short period of time but then stops working, i.e. I cannot reach my forwarded ports from the LAN (while everything else still works fine incl. access to the forwarded ports from WAN).

I tried individual port forwards as well as DMZ and the localnat scripts seems to work ok.
Can anyone help?
Cheers
Stefan
mstombs
RouterTech Team
Posts: 3753
Joined: Wed Jan 10, 2007 11:54 pm

Re: Issues with localnat

Post by mstombs » Mon Mar 05, 2012 10:34 pm

Apologies - there has been a previous report that localnat no longer works - but I have never gotten round to reproducing and attempting to fix - are you also using upnp?
hwurst205
Newbie
Posts: 8
Joined: Sat Mar 03, 2012 11:16 am

Re: Issues with localnat

Post by hwurst205 » Tue Mar 06, 2012 4:25 am

Hi mstombs

no I am not using UPNP and just a single port forward at the moment (port 14652):

Code:

/var # iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 319 packets, 41860 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   204 INT_PRE    all  --  br0    *       0.0.0.0/0            $WAN_IP
    0     0 DNAT       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0          tcp dpt:14652 to:10.1.1.31:14652

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   204 INT_POST   all  --  *      br0     10.0.0.0/8           0.0.0.0/0
  264 24485 MASQUERADE  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 9 packets, 865 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INT_POST (1 references)
 pkts bytes target     prot opt in     out     source               destination
    4   204 SNAT       tcp  --  *      *       0.0.0.0/0            10.1.1.31          tcp dpt:14652 to:10.1.1.1:14652

Chain INT_PRE (1 references)
 pkts bytes target     prot opt in     out     source               destination
    4   204 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:14652 to:10.1.1.31:14652
/var # iptables -nvL
Chain INPUT (policy ACCEPT 395 packets, 25973 bytes)
 pkts bytes target     prot opt in     out     source               destination
   23  1245 CFG        tcp  --  *      *       10.1.1.31            0.0.0.0/0          tcp dpt:80 Records Packet's Source Interface

   23  3036 ACCEPT     all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 3 code 4
    0     0 DROP       icmp -f  *      *       0.0.0.0/0            0.0.0.0/0
    2    80 DROP       all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 29975 packets, 8339K bytes)
 pkts bytes target     prot opt in     out     source               destination
  120  6804 TCPMSS     tcp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0          tcp flags:0x06/0x02 TCPMSS clamp to PMTU
43875 9098K ACCEPT     all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            10.1.1.31          tcp dpt:14652
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 3 code 4
    0     0 DROP       all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 377 packets, 84726 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4  2304 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 3 code 4
    0     0 DROP       icmp --  *      ppp0    0.0.0.0/0            0.0.0.0/0          icmp type 3
    0     0 DROP       icmp --  *      ppp0    0.0.0.0/0            0.0.0.0/0          state INVALID
/var #
In the above case, the interesting thing was that the first connection attempt (1 packet) worked but the following 3 did not. You can see all 4 packets above though.

Thanks
S.
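The dump above is the whole hairpin ("local") NAT trick in two chains: INT_PRE DNATs LAN traffic aimed at the WAN IP to the server, and INT_POST SNATs the same flow to the router's LAN address so the server answers via the router instead of replying straight to the client (which would drop a reply from an address it never contacted). The script below is an added illustration of that rule set, not RouterTech's localnat.sh; the interface names, addresses, port and the helper names (run, is_ipv4, localnat_rules) are assumptions chosen to match the dump. It prints the iptables commands unless APPLY=1, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example (not RouterTech's localnat.sh): emit the hairpin-NAT rules for
# one TCP port forward. Names and addresses are assumptions matching the
# thread's dump (br0 = LAN bridge, ppp0 = WAN, 10.1.1.0/24 LAN).
#
# Flow for a LAN client C -> WAN_IP:PORT, entering on br0:
#   rule 1  PREROUTING  DNAT  dst -> SERVER:PORT
#   rule 2  POSTROUTING SNAT  src -> ROUTER_LAN_IP   (only for the hairpinned
#           flow: LAN source, leaving on br0 towards SERVER)
#   rule 3  FORWARD ACCEPT for the translated flow
# SERVER replies to ROUTER_LAN_IP, conntrack undoes both translations, and C
# sees an answer from WAN_IP. Without rule 2 SERVER would answer C directly
# from its LAN address and C would discard the unexpected reply.

IPT=${IPT:-iptables}
APPLY=${APPLY:-0}   # 0 = print commands (no root needed), 1 = execute them

# run CMD...: print or execute one iptables invocation depending on APPLY.
run() {
    if [ "$APPLY" = 1 ]; then "$@"; else echo "$*"; fi
}

# is_ipv4 VALUE: cheap dotted-quad (optional /prefix) sanity check, so a
# mistyped environment variable cannot turn into a rule matching 0.0.0.0/0.
is_ipv4() {
    case "$1" in
        ''|*[!0-9./]*|.*|*.|/*|*/) return 1 ;;
    esac
    return 0
}

# localnat_rules WAN_IP LAN_IF LAN_NET ROUTER_LAN_IP SERVER_IP PORT
localnat_rules() {
    if [ $# -ne 6 ]; then
        echo "usage: localnat_rules WAN_IP LAN_IF LAN_NET ROUTER_LAN_IP SERVER_IP PORT" >&2
        return 2
    fi
    wan_ip=$1 lan_if=$2 lan_net=$3 router_ip=$4 server=$5 port=$6
    for a in "$wan_ip" "$lan_net" "$router_ip" "$server"; do
        is_ipv4 "$a" || { echo "bad address: $a" >&2; return 2; }
    done
    case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 2 ;; esac

    # 1. LAN -> WAN_IP:PORT is redirected to the server before routing.
    run "$IPT" -t nat -A PREROUTING -i "$lan_if" -p tcp -d "$wan_ip" --dport "$port" \
        -j DNAT --to-destination "$server:$port"
    # 2. Only the hairpinned flow gets its source rewritten to the router's LAN
    #    address; traffic from the WAN side (ppp0) is left alone.
    run "$IPT" -t nat -A POSTROUTING -o "$lan_if" -p tcp -s "$lan_net" -d "$server" --dport "$port" \
        -j SNAT --to-source "$router_ip"
    # 3. Let the translated LAN-to-LAN flow through the filter table.
    run "$IPT" -A FORWARD -i "$lan_if" -o "$lan_if" -p tcp -d "$server" --dport "$port" -j ACCEPT
}

# Demo with constructed values (203.0.113.5 is a TEST-NET address standing in
# for the real WAN IP); prints three iptables commands.
localnat_rules 203.0.113.5 br0 10.1.1.0/24 10.1.1.1 10.1.1.31 14652
```

One check worth doing on the router after applying rules like these: the pkts counter on the SNAT rule should rise in step with the DNAT counter. If DNAT counts hits but SNAT stays at zero, the server is replying to the client directly and the hairpin is not closed.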
mstombs
RouterTech Team
Posts: 3753
Joined: Wed Jan 10, 2007 11:54 pm

Re: Issues with localnat

Post by mstombs » Tue Mar 06, 2012 10:53 am

Thanks - that output is exactly what was required next to investigate -

localnat.sh is surprisingly well documented, the only lingering issue I recall from 4 years ago is that it stopped working when the debug echo statements and 'sleeps' were taken out - so they were left in. Assumed at the time that the little router needed time to handle the relatively big memory demands of the iptables command piped through multiple greps (I'm now sure it could be simplified). It makes heavy use of shell string handling, provided by BusyBox without "awk" I recall, and BusyBox has been upgraded several times since RT2.5 ...

I will not have ever tested using the 10/8 local IP range - can you confirm that 10.1.1.1 is correctly your router lan IP?

- but as you say localnat.sh seems to have worked, so the problem must be deeper. I will also have only tested using low port No ports http 80, telnet 23 and similar, but cannot see why this would not work...

If I had a test setup next stop would be using wireshark to check the actual comms to/from the router
hwurst205
Newbie
Posts: 8
Joined: Sat Mar 03, 2012 11:16 am

Re: Issues with localnat

Post by hwurst205 » Tue Mar 06, 2012 11:24 am

Hi mstombs

yes, 10.1.1.1 is the router IP and I did already sniff the traffic. The only thing you see is a SYN packet to the router but no answer.

I'll try changing the IP range and use a low port.

Any other ideas?

Thanks.
mstombs
RouterTech Team
Posts: 3753
Joined: Wed Jan 10, 2007 11:54 pm

Re: Issues with localnat

Post by mstombs » Wed Mar 07, 2012 9:34 pm

You are not going to like this - but "It works for me"

Have checked out RT2.95 and RT2.97 with DMZ looping back to same PC - running exact firmware version

Firmware version: RouterTech_3.6.0D_20120130_2.97 (psbl-4mb-flash; 20120130221409)

This maybe important - please advise which router/firmware doesn't work for you - I'm sure I can fire up equivalent router/ firmware

One thing I have noticed is the packet/byte counters do not count every packet - maybe only the first connection one

This is after browsing my own website for a bit - always with the WANIP (numeric) in the address line

Code:

/var # iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 1256 packets, 91265 bytes)
 pkts bytes target     prot opt in     out     source               destination
   21  1452 INT_PRE    all  --  br0    *       0.0.0.0/0            $mywanip
   15   664 DNAT       all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0          to:192.168.2.2

Chain POSTROUTING (policy ACCEPT 15 packets, 664 bytes)
 pkts bytes target     prot opt in     out     source               destination
   21  1452 INT_POST   all  --  *      br0     192.168.2.0/24       0.0.0.0/0
  220 14198 MASQUERADE  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 150 packets, 9736 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INT_POST (1 references)
 pkts bytes target     prot opt in     out     source               destination
   21  1452 SNAT       all  --  *      *       0.0.0.0/0            192.168.2.2        to:192.168.2.1

Chain INT_PRE (1 references)
 pkts bytes target     prot opt in     out     source               destination
   21  1452 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0          to:192.168.2.2
hwurst205
Newbie
Posts: 8
Joined: Sat Mar 03, 2012 11:16 am

Re: Issues with localnat

Post by hwurst205 » Thu Mar 08, 2012 9:39 pm

Hi mstombs

many thanks for your help.

After having run it for a few days, it appears that the localnat functionality works somehow intermittently.

I want to use the same servername in my email clients for LAN and WAN connections, so I use a dyndns name, which resolves back to the router.
The clients are set to poll email every few minutes. I use different clients on different devices (laptop, android,...).

When being on the LAN, it can sometimes take an hour before a poll gets through but eventually it will (even without router reboot).

I am using a DSL-502t (first generation) with 2.97 firmware (from this image: RouterTech_3.6.0D_20120130_2.97_AR7RD-1Port_Adam2_firmware.upgrade.img)

Any chance that you test this setup on your side?

Thanks
mstombs
RouterTech Team
Posts: 3753
Joined: Wed Jan 10, 2007 11:54 pm

Re: Issues with localnat

Post by mstombs » Thu Mar 08, 2012 10:33 pm

I have a 600E, my least favourite router with its adam2 bootloader, it did have pspboot for a while... and I didn't need JTAG, but once loaded bootloader shouldn't matter.

But if you are using a 1-port router (I did above) - you must have a switch behind it to have more than 1 lan device? Could the switch be too clever?

A potential failure mode of the localnat is if either server or client finds out the local IP address of either and tries to send/reply locally.

I wonder if you could achieve what you want using the router hosts file to always use the local IP address?
hwurst205
Newbie
Posts: 8
Joined: Sat Mar 03, 2012 11:16 am

Re: Issues with localnat

Post by hwurst205 » Fri Mar 09, 2012 10:13 am

Hi mstombs

yes, I have thought about solving my requirement through hosts file entries / DNS as well but not managed so far:

After I add the entry to my /etc/hosts, it is not immediately taken into account for DNS queries from other devices in the network. However, the preconfigured mygateway1.AR7RD entry is resolved correctly so I assume the entry must be present when the DNS service is first started.

Even if I select 'Save all' from the UI, the new entry is gone after a reboot.

How do I get an additional entry in the hosts file to survive a reboot?

Thanks
thechief
RouterTech Team
Posts: 12067
Joined: Wed Feb 01, 2006 10:22 pm
Location: England, the Centre of Africa

Re: Issues with localnat

Post by thechief » Fri Mar 09, 2012 12:27 pm

hwurst205 wrote: How do I get an additional entry in the hosts file to survive a reboot?
You can schedule the addition of the entry to take place on every bootup: firmware-faq/#autoexec
The Chief: :afro: Be sure to read the Firmware FAQ and do a Forum Search before posting!
No support via PM. Ask all questions on the open forum.
hwurst205
Newbie
Posts: 8
Joined: Sat Mar 03, 2012 11:16 am

Re: Issues with localnat

Post by hwurst205 » Fri Mar 09, 2012 12:58 pm

Hi chief

thanks for the link.

I tried

Code:

setenv RT_init_1 "echo '$ip $name.dyndns.org' >>/etc/hosts"
and the same with RT_cmd_1 but it won't add the lines to the hosts file. getenv retrieves the values ok after reboot.

What am I doing wrong?

Cheers
thechief
RouterTech Team
Posts: 12067
Joined: Wed Feb 01, 2006 10:22 pm
Location: England, the Centre of Africa

Re: Issues with localnat

Post by thechief » Fri Mar 09, 2012 1:38 pm

The hosts file is probably being overwritten on getting a WAN connection. Try this

Code:

setenv autoexec.sh "echo '$ip $name.dyndns.org' >>/etc/hosts"
If that doesn't work, then try this

Code:

setenv RT_connect_1 "echo '$ip $name.dyndns.org' >>/etc/hosts"
This will add the line every time there is a WAN connection.
hwurst205
Newbie
Posts: 8
Joined: Sat Mar 03, 2012 11:16 am

Re: Issues with localnat

Post by hwurst205 » Sat Mar 10, 2012 2:03 am

Thanks, the RT_connect_1 finally worked.

However,

Code:

ping $name.dyndns.org 
on the router now works fine and resolves to $ip.

Code:

nslookup $name.dyndns.org $router_ip
on any PC in the LAN however retrieves the WAN IP of the router and not the hosts file entry.

I assume that the hosts file entry must be present when the dns service is started to be taken into account. Can I restart the DNS service on the router?

Thanks
thechief
RouterTech Team
Posts: 12067
Joined: Wed Feb 01, 2006 10:22 pm
Location: England, the Centre of Africa

Re: Issues with localnat

Post by thechief » Sat Mar 10, 2012 10:03 am

hwurst205 wrote: Can I restart the DNS service on the router?
This will do it

Code:

killall -9 dproxy
So you can change your original command to something like

Code:

setenv RT_connect_1 "echo '$ip $name.dyndns.org' >>/etc/hosts && sleep 1 && killall -9 dproxy"
hwurst205
Newbie
Posts: 8
Joined: Sat Mar 03, 2012 11:16 am

Re: Issues with localnat

Post by hwurst205 » Sat Mar 10, 2012 10:30 am

ok, cool, that worked. :D :D :D

I had to shorten the string though because setenv only seemed to accept about 66 characters (at least the following getenv printed only the first 66) but it works without the sleep.

Thanks :!: :!:
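The RT_connect_1 one-liner that thechief gave and hwurst205 confirmed has one side effect worth knowing: '>>' appends a fresh copy of the line on every WAN (re)connect, so /etc/hosts keeps growing, and dproxy is restarted even when nothing changed. The script below is an added example, not RouterTech code, of an idempotent version of the same idea: it replaces any existing line for the name, appends one line, and restarts dproxy only when the file actually changed. The file path, IP and name are parameters so it can be tried on a scratch copy; helper names (hosts_pattern, count_hosts_entries, set_hosts_entry, restart_dns, update_local_name) are assumptions, and it uses only grep, sed, cmp, mv and killall, which BusyBox provides. It is too long for a setenv value of the size the last post reports, so it is written as a script rather than a one-liner.

```shell
#!/bin/sh
# Added example (not a RouterTech script): idempotent /etc/hosts update for a
# dyndns name that should resolve to a LAN address from inside the LAN.
# Helper names and the demo values below are assumptions.

# hosts_pattern NAME: ERE matching a hosts line whose first hostname is NAME
# (dots in NAME escaped so "a.b" does not also match "axb").
hosts_pattern() {
    esc=$(printf '%s' "$1" | sed 's/[.]/\\./g')
    printf '^[^#[:space:]]+[[:space:]]+%s([[:space:]]|$)' "$esc"
}

# count_hosts_entries FILE NAME: how many lines currently map NAME (0 if none
# or if FILE does not exist).
count_hosts_entries() {
    n=$(grep -cE "$(hosts_pattern "$2")" "$1" 2>/dev/null) || n=${n:-0}
    echo "${n:-0}"
}

# set_hosts_entry FILE IP NAME: ensure exactly one "IP NAME" line for NAME.
# Returns 0 if FILE was changed, 1 if it already held exactly this mapping.
set_hosts_entry() {
    file=$1 ip=$2 name=$3
    tmp="$file.tmp.$$"
    # keep every line that is not already a mapping for NAME ...
    grep -vE "$(hosts_pattern "$name")" "$file" > "$tmp" 2>/dev/null || true
    # ... then append the one line we want
    printf '%s %s\n' "$ip" "$name" >> "$tmp"
    if cmp -s "$file" "$tmp" 2>/dev/null; then
        rm -f "$tmp"       # nothing changed: leave the original untouched
        return 1
    fi
    mv "$tmp" "$file"
    return 0
}

# restart_dns: dproxy only reads /etc/hosts at start-up, as the thread found,
# so it must be restarted after a change (the command given in the thread).
restart_dns() {
    killall -9 dproxy 2>/dev/null || true
}

# update_local_name FILE IP NAME: what the RT_connect_1 hook would run on each
# WAN connect; restarts the resolver only when the hosts file really changed.
update_local_name() {
    if set_hosts_entry "$1" "$2" "$3"; then
        restart_dns
    fi
}

# Demo on a scratch file only when HOSTS_DEMO=1 (constructed entries; never
# touches the real /etc/hosts here).
if [ "${HOSTS_DEMO:-0}" = 1 ]; then
    f=$(mktemp)
    printf '127.0.0.1 localhost\n10.1.1.1 mygateway1.AR7RD\n' > "$f"
    set_hosts_entry "$f" 10.1.1.31 example.dyndns.org || true
    set_hosts_entry "$f" 10.1.1.31 example.dyndns.org || true   # second call: no change
    cat "$f"
    rm -f "$f"
fi
```

On the router the hook would call update_local_name /etc/hosts with the LAN address and the dyndns name; because the hosts line is regenerated rather than appended, the same hook is safe to run on every reconnect and after the WAN-connect overwrite that thechief suspected.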