NAT Hairpinning on Isolated WLAN?

DD-WRT Forum Index -> Broadcom SoC based Hardware
diyegr (DD-WRT Novice; joined 20 Dec 2014; posts: 11)
Posted: Wed May 09, 2018 4:51
@Roger W @eibgrad @egc

I never received notifications for your posts so I just saw them, thanks for pitching in!

I went ahead and cleaned up my original posts, added more accurate and useful info and replaced the diagram with a cleaner one.

WAN NAT redirection on DD-WRT has always worked fine for me when both LAN and WLAN were on br0 and there were no rules separating them. The issue is only when the two are isolated to prevent guest devices from accessing the LAN.

While firewall rules effectively isolate br1 from br0, they also prevent br1 from accessing the WAN interface which is problematic because I still want guest wireless devices to be able to hit my WAN IP and access port-forwarded services.

Here are the FW rules isolating br1 from br0 (from wiki):

Code:
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP   # breaks hairpinning
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP   # allows hairpinning but breaks isolation
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP   # breaks hairpinning
iptables -I INPUT -i br1 -m state --state NEW -j DROP   # allows hairpinning but breaks isolation


All of these rules are necessary to isolate the bridges while allowing wireless devices access to the internet. However, all of these rules either break hairpinning or allow communication between the bridges, which is problematic.

[Attachment: diagram - Copy.jpg]

_________________
Hardware: RT-AC68U - Firmware: DD-WRT v3.0-r35898 std - Kernel: 4.4.131
diyegr (DD-WRT Novice; joined 20 Dec 2014; posts: 11)
Posted: Thu Jun 14, 2018 3:53
Update:

It appears that the latest builds include a "Hairpin Mode" option for bridges. This sounds exactly like what I'm looking for; however, the feature appears to be broken: when it's applied, WiFi no longer works (see attached images). Wondering if anyone has gotten this to work.

[Attachments: cannot_connect_wifi_158.jpg, hairpin_mode.jpg]

_________________
Hardware: RT-AC68U - Firmware: DD-WRT v3.0-r35898 std - Kernel: 4.4.131
diyegr (DD-WRT Novice; joined 20 Dec 2014; posts: 11)
Posted: Fri Jun 15, 2018 3:13
eibgrad wrote:

Why does it have to be all or nothing?


Perhaps my pathological perfectionist tendencies?! :)

eibgrad wrote:

Why not block access between br1 and br0 in general, but make exceptions based on the port forward(s) required internal IP, protocol, and internal port?


That's actually a great suggestion, since the ports are going to be exposed to the outside anyway. Would still love to see that "Hairpin Mode" option working though.

_________________
Hardware: RT-AC68U - Firmware: DD-WRT v3.0-r35898 std - Kernel: 4.4.131
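One way to write out the exception-based approach eibgrad suggests above, as an added example that is not code from the thread or from the DD-WRT wiki. It assumes br0 is the LAN and br1 the guest WLAN, that DD-WRT's PREROUTING DNAT for a port forward also rewrites packets arriving from br1 (the first post's observation that some rule orderings allow hairpinning points that way), and the forward list is constructed:

```shell
#!/bin/sh
# Guest WLAN (br1) isolation from the LAN (br0) with per-port-forward exceptions,
# for use as a DD-WRT firewall script. Constructed example: interface names and
# the sample forwards below are assumptions, not taken from the thread.

# One entry per port forward, "proto:internal_ip:internal_port" (constructed).
FORWARDS="tcp:192.168.1.10:443 udp:192.168.1.20:51820"
# LAN subnet; on the router set it from `nvram get lan_ipaddr`/`nvram get lan_netmask`.
LAN_NET="${LAN_NET:-192.168.1.0/255.255.255.0}"

# Print the rule set, one iptables command per line, in the order it must run.
# Every rule uses -I, so the commands printed last land at the top of the chain:
# the blanket DROPs go in first and the per-forward ACCEPTs end up above them.
# Only NEW connections are matched, so DD-WRT's existing RELATED,ESTABLISHED
# rule still lets replies flow back to the guest.
guest_rules() {
    lan_net="$1"; shift
    # Blanket isolation (the wiki rules quoted in the first post).
    echo "iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP"
    echo "iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP"
    echo "iptables -I FORWARD -i br1 -d $lan_net -m state --state NEW -j DROP"
    echo "iptables -I INPUT -i br1 -m state --state NEW -j DROP"
    # Exceptions: after the PREROUTING DNAT, the guest's packet to the WAN IP is
    # addressed to the internal host, so match exactly that host/proto/port.
    for fwd in "$@"; do
        proto=${fwd%%:*}; rest=${fwd#*:}
        ip=${rest%%:*}; port=${rest#*:}
        echo "iptables -I FORWARD -i br1 -o br0 -p $proto -d $ip --dport $port -m state --state NEW -j ACCEPT"
    done
}

# Run the rules (or just print them when DRY_RUN=1).
apply_rules() {
    guest_rules "$@" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = "1" ]; then echo "$cmd"; else eval "$cmd"; fi
    done
}

# On the router: sh guest_fw.sh apply   (DRY_RUN=1 sh guest_fw.sh apply to preview).
# $FORWARDS is deliberately unquoted so each entry becomes one argument.
if [ "${1:-}" = "apply" ]; then
    apply_rules "$LAN_NET" $FORWARDS
fi
```

Guest devices can then only open connections to the exact internal host/port pairs that are already exposed on the WAN, which is the trade-off eibgrad describes.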
All times are GMT