NAT Hairpinning on Isolated WLAN?

Post new topic   Reply to topic    DD-WRT Forum Index -> Broadcom SoC based Hardware
Goto page 1, 2  Next
Author Message
diyegr
DD-WRT Novice


Joined: 20 Dec 2014
Posts: 11

PostPosted: Mon Oct 23, 2017 4:11    Post subject: NAT Hairpinning on Isolated WLAN? Reply with quote
I've got a stumper here. Why can't I hit the WAN interface from an isolated WLAN interface?

Setup is simple (see diagram): LAN is on default br0, WLAN (eth1) is on br1. Firewall rules put in place to isolate br1 from br0 so that guest wireless devices on br1 cannot access the LAN on br0.

Problem: While firewall rules effectively isolate br1 from br0, they also prevent br1 from accessing the WAN interface which is problematic because I still want guest wireless devices to be able to hit my WAN IP and access port-forwarded services. Basically, "NAT Hairpinning" or "WAN NAT redirection" is not working. It seems like anything that prevents access to br0 also prevents hairpinning.

Here are the FW rules to isolate br1 from br0 (from wiki):

Code:
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP (breaks hairppinning)
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP (allows hairpinning but breaks isolation)
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP (breaks hairppinning)
iptables -I INPUT -i br1 -m state --state NEW -j DROP (allows hairpinning but breaks isolation)


All of these rules are necessary to isolate the bridges while allowing wireless devices access to the internet. However, all of these rules either break hairpinning or allow communication between bridges which is problematic. I want guest wireless devices to be isolated from the LAN while able to access the internet and the WAN interface. Expert input is appreciated.



diagram - Copy.jpg
 Description:
 Filesize:  88.63 KB
 Viewed:  5493 Time(s)

diagram - Copy.jpg



_________________
Hardware: RT-AC68U - Firmware: DD-WRT v3.0-r35898 std - Kernel: 4.4.131


Last edited by diyegr on Wed May 09, 2018 4:33; edited 4 times in total
Sponsor
diyegr
DD-WRT Novice


Joined: 20 Dec 2014
Posts: 11

PostPosted: Mon Oct 23, 2017 4:16    Post subject: Reply with quote


Last edited by diyegr on Wed May 09, 2018 4:56; edited 3 times in total
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6268
Location: Texas

PostPosted: Mon Oct 23, 2017 4:51    Post subject: Reply with quote
Don't really know what you have there.
What router you have?
What dd-wrt build is on it?
What router does WLAN on eth1 or eth2?
Did you make VLANs and bridge the wireless to it?

I guess I must be missing something ... or maybe just been up too long Rolling Eyes
diyegr
DD-WRT Novice


Joined: 20 Dec 2014
Posts: 11

PostPosted: Mon Oct 23, 2017 14:36    Post subject: Reply with quote


Last edited by diyegr on Wed May 09, 2018 4:57; edited 3 times in total
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6268
Location: Texas

PostPosted: Mon Oct 23, 2017 14:41    Post subject: Reply with quote
diyegr wrote:
Of course I forget to include router info Embarassed

RT-N66U / DD-WRT v3.0-r29134

Eth1 and Eth2 are the 2.4GHz and 5GHz interfaces respectively (on the same router).

I don't have that router but remember 'bout half the stuff you are doing didn't work very well in the old builds.

You might chk 'New Build' threads ... seems like they have installed latest on that box .... plus it has some cool new features Cool
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6268
Location: Texas

PostPosted: Mon Oct 23, 2017 14:46    Post subject: Reply with quote
diyegr wrote:
Eth1 and Eth2 are the 2.4GHz and 5GHz interfaces respectively (on the same router).

see that just shows what i don't know Razz

a new build and doing guest network on a WAP the easy way would prolly be your best option
see this post .. there is still a link in there somewheres
:::::> http://www.dd-wrt.com/phpBB2/viewtopic.php?p=1100415#1100415

EDIT:
-----this works fine if router is the gateway (WAN is enabled)
https://www.dd-wrt.com/wiki/index.php/Guest_WiFi_%2B_abuse_control_for_beginners

say you have a printer or some server on main at 10.10.10.55 and you want to allow the guest network access you use

iptables -I FORWARD -i br1 -o br0 -d 10.10.10.55 -m state --state NEW -j ACCEPT

just change br1 to whatever interface the guest network is on --- wl0.1, wl1.1, ath1.2 , br2 or whatever
diyegr
DD-WRT Novice


Joined: 20 Dec 2014
Posts: 11

PostPosted: Mon Oct 23, 2017 15:01    Post subject: Reply with quote
mrjcd wrote:
diyegr wrote:
Eth1 and Eth2 are the 2.4GHz and 5GHz interfaces respectively (on the same router).

see that just shows what i don't know Razz

a new build and doing guest network on a WAP the easy way would prolly be your best option
see this post .. there is still a link in there somewheres
:::::> http://www.dd-wrt.com/phpBB2/viewtopic.php?p=1100415#1100415


Thanks, I've already got guest WiFi configured (just like in the link you provided) but the issue here is how do I allow the guest WiFi access to the WAN interface (public IP of the router).

There has got to be a way to isolate a WLAN (prevent it from accessing other LANs) while at the same time allowing it to access the WAN interface. This is referred to as "hairpinning" and is supported by DD-WRT as evidenced by the ability of devices on the primary LAN to ping the WAN IP without any issues. Devices on the WLANs however are unable to.

_________________
Hardware: RT-AC68U - Firmware: DD-WRT v3.0-r35898 std - Kernel: 4.4.131
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6268
Location: Texas

PostPosted: Mon Oct 23, 2017 15:05    Post subject: Reply with quote
diyegr wrote:
mrjcd wrote:
diyegr wrote:
Eth1 and Eth2 are the 2.4GHz and 5GHz interfaces respectively (on the same router).

see that just shows what i don't know Razz

a new build and doing guest network on a WAP the easy way would prolly be your best option
see this post .. there is still a link in there somewheres
:::::> http://www.dd-wrt.com/phpBB2/viewtopic.php?p=1100415#1100415


Thanks, I've already got guest WiFi configured (just like in the link you provided) but the issue here is how do I allow the guest WiFi access to the WAN interface (public IP of the router).

There has got to be a way to isolate a WLAN (prevent it from accessing other LANs) while at the same time allowing it to access the WAN interface. This is referred to as "hairpinning" and is supported by DD-WRT as evidenced by the ability of devices on the primary LAN to ping the WAN IP without any issues. Devices on the WLANs however are unable to.


yea sure just go cobble together the firewall rules from bottom of this page
https://www.dd-wrt.com/wiki/index.php/Multiple_WLANs

I'm just sayin if you had a new build 'bout all that is done for you when you set it up Rolling Eyes
diyegr
DD-WRT Novice


Joined: 20 Dec 2014
Posts: 11

PostPosted: Mon Oct 23, 2017 15:19    Post subject: Reply with quote
mrjcd wrote:

yea sure just go cobble together the firewall rules from bottom of this page
https://www.dd-wrt.com/wiki/index.php/Multiple_WLANs

I'm just sayin if you had a new build 'bout all that is done for you when you set it up Rolling Eyes


That actually looks very interesting as it entails placing the WLANs on a different bridge. I see potential, will give it a try. Thanks!

_________________
Hardware: RT-AC68U - Firmware: DD-WRT v3.0-r35898 std - Kernel: 4.4.131
diyegr
DD-WRT Novice


Joined: 20 Dec 2014
Posts: 11

PostPosted: Sun Jan 14, 2018 23:44    Post subject: Reply with quote
Update:

No method of creating a guest wireless network on the DD-WRT allows WAN NAT Hairpinning (even with upgraded firmware). Guest devices can only reach the internet but not the WAN interface.

_________________
Hardware: RT-AC68U - Firmware: DD-WRT v3.0-r35898 std - Kernel: 4.4.131


Last edited by diyegr on Wed May 09, 2018 4:36; edited 1 time in total
Roger W
DD-WRT Novice


Joined: 23 Apr 2014
Posts: 22

PostPosted: Tue Jan 23, 2018 8:28    Post subject: Reply with quote
To throw a wrench in your testing, I believe NAT hairpinning has become broken for *all* scenarios during the time this thread was idle. I just upgraded from a build from early November (working) to the current build (not working). My scenario isn't even across isolated networks.

For reference, I found others discussing this too:
https://www.dd-wrt.com/phpBB2/viewtopic.php?p=1113986#1113986

To progress on your testing, I'd suggest using build 11-04-2017-r33679 , which from my personal experience worked with "normal" hairpinning, so you can test your isolation scenario.
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6268
Location: Texas

PostPosted: Tue Jan 23, 2018 12:27    Post subject: Reply with quote
Roger W wrote:
I believe NAT hairpinning has become broken for *all* scenarios...

yea it is generally screwed on most routers using last couple public releases ... and completely screwed on EA8500 with any k4.9 or k4.14 builds of last several weeks Rolling Eyes

k3.18.x completely broken NAT loopback on wndr3700v4 last two public releases ....yea this is atheroes --- but the point is Twisted Evil
Roger W
DD-WRT Novice


Joined: 23 Apr 2014
Posts: 22

PostPosted: Wed Jan 24, 2018 1:36    Post subject: Reply with quote
eibgrad wrote:
Rather than SNAT'ing the inbound traffic w/ the router's own lan IP *only* when the connection attempt comes from inside the LAN, it also does the same when coming from the internet side of the WAN, which is unnecessary.


Odd, that doesn't match my experience, if I understand correctly. I've never configured a GUI option relating to NAT loopback, but it has always "just worked", without SNATing unnecessarily.

For example, I run a couple common services (HTTP and Windows Remote Desktop) on my PC, and forward these through non-standard ports to sidestep the majority of lazy port scans. My http logs correctly show internet-based source addresses for my traffic. And when my phone is on my internal WLAN, I can (usually, it's broken this month as we know) use my public-facing dynamic dns hostname and remapped port to connect to my local PC's remote desktop. In fact, the reason I'm onthe forum looking up discussions of loopbacks is to confirm this is a known new issue.

Does my description match what you'd expect to find? A local device can use the firewall's remapped ports and external IP to connect to a local device, and yet internet traffic flows through with its original source address.
Roger W
DD-WRT Novice


Joined: 23 Apr 2014
Posts: 22

PostPosted: Wed Jan 24, 2018 5:47    Post subject: Reply with quote
eibgrad wrote:
This is why in my own PBR scripts ( https://pastebin.com/u/eibgrad ), I don't allow either NAT loopback nor QoS (which also uses marks) to be used at the same time as my scripts. Just too much risk of a conflict. However, I do reimplement NAT loopback, but without using marks. In fact, I implement it very close to the way tomato does!


Makes sense, I haven't had cause to script to these tables, but I see the risk you mention. Related to your linked scripts, though, I did recently try and set up an openvpn server on several devices with current builds and found that to send my CPU to 100% of a core. Same issue tracked here:
http://svn.dd-wrt.com/ticket/5807 so I gave up for now on setting up the vpn.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

PostPosted: Wed Jan 24, 2018 9:43    Post subject: Reply with quote
Ebtables was/is broken on BS builds due to a compiler error it hangs with 100% CPU utilization.

I can send you my ebtables from Kong's build (Arm linux 4.4.) which is working.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Goto page 1, 2  Next Display posts from previous:    Page 1 of 2
Post new topic   Reply to topic    DD-WRT Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum