How to bypass CTF (Port Forward rule not working)

tedm
DD-WRT Guru


Joined: 13 Mar 2009
Posts: 554

PostPosted: Sun Aug 29, 2021 17:53
jacdc wrote:
jacdc wrote:
tedm wrote:
I have a Netgear R6300V2 with CTF enabled (it also has FA hardware, but that's not enabled), r47206. The port forward I have works fine, port 3551.


Tks.

J


Can you share the output of your iptables showing this port forward rule for port 3551?

iptables -vnL -t nat

I also use DNSMasq - would this interfere with the Port Forwarding?

Thanks.

J


Here you go. IPs have been modified to conceal the real IPs.

DD-WRT v3.0-r47206 std (c) 2021 NewMedia-NET GmbH
Release: 08/19/21
Board: Netgear R6300V2

DD-WRT-MAIN-BEACH login: root
Password:


BusyBox v1.33.1 (2021-08-19 02:56:46 +07) built-in shell (ash)

root@DD-WRT-MAIN-BEACH:~# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 868K packets, 82M bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 50.198.10.177 68.15.12.178 tcp dpt:8080 to:172.16.100.1:80
0 0 DNAT tcp -- * * 50.198.10.178/31 68.15.12.178 tcp dpt:8080 to:172.16.100.1:80
0 0 DNAT tcp -- * * 50.198.10.180/30 68.15.12.178 tcp dpt:8080 to:172.16.100.1:80
0 0 DNAT tcp -- * * 50.198.10.184/30 68.15.12.178 tcp dpt:8080 to:172.16.100.1:80
396 20592 DNAT tcp -- * * 50.198.10.188/31 68.15.12.178 tcp dpt:8080 to:172.16.100.1:80
0 0 DNAT tcp -- * * 50.198.10.190 68.15.12.178 tcp dpt:8080 to:172.16.100.1:80
0 0 DNAT tcp -- * * 50.198.10.177 68.15.12.178 tcp dpt:23 to:172.16.100.1:23
0 0 DNAT tcp -- * * 50.198.10.178/31 68.15.12.178 tcp dpt:23 to:172.16.100.1:23
0 0 DNAT tcp -- * * 50.198.10.180/30 68.15.12.178 tcp dpt:23 to:172.16.100.1:23
0 0 DNAT tcp -- * * 50.198.10.184/30 68.15.12.178 tcp dpt:23 to:172.16.100.1:23
1 52 DNAT tcp -- * * 50.198.10.188/31 68.15.12.178 tcp dpt:23 to:172.16.100.1:23
0 0 DNAT tcp -- * * 50.198.10.190 68.15.12.178 tcp dpt:23 to:172.16.100.1:23
23010 1696K DNAT icmp -- * * 0.0.0.0/0 68.15.12.178 to:172.16.100.1
11821 709K DNAT tcp -- * * 0.0.0.0/0 68.15.12.178 tcp dpt:3551 to:172.16.100.15:3551
66604 3546K TRIGGER all -- * * 0.0.0.0/0 68.15.12.178 TRIGGER type:dnat match:0 relate:0

Chain INPUT (policy ACCEPT 24893 packets, 2043K bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 391 packets, 74963 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 420K packets, 30M bytes)
pkts bytes target prot opt in out source destination
327K 33M SNAT all -- * vlan2 172.16.100.0/24 0.0.0.0/0 to:68.15.12.178
0 0 RETURN all -- * br0 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
390 74629 MASQUERADE all -- * br0 172.16.100.0/24 172.16.100.0/24
root@DD-WRT-MAIN-BEACH:~#
jacdc
DD-WRT Novice


Joined: 19 May 2021
Posts: 37

PostPosted: Tue Aug 31, 2021 2:28
tedm wrote:
jacdc wrote:
jacdc wrote:
tedm wrote:
I have a Netgear R6300V2 with CTF enabled (it also has FA hardware, but that's not enabled), r47206. The port forward I have works fine, port 3551.


Tks.

J


Can you share the output of your iptables showing this port forward rule for port 3551?

iptables -vnL -t nat

I also use DNSMasq - would this interfere with the Port Forwarding?

Thanks.

J


Here you go. IPs have been modified to conceal the real IPs.

DD-WRT v3.0-r47206 std (c) 2021 NewMedia-NET GmbH
Release: 08/19/21
Board: Netgear R6300V2

DD-WRT-MAIN-BEACH login: root
Password:


BusyBox v1.33.1 (2021-08-19 02:56:46 +07) built-in shell (ash)

root@DD-WRT-MAIN-BEACH:~# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 868K packets, 82M bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 50.198.10.177 68.15.12.178 tcp dpt:8080 to:172.16.100.1:80
0 0 DNAT tcp -- * * 50.198.10.178/31 68.15.12.178 tcp dpt:8080 to:172.16.100.1:80
0 0 DNAT tcp -- * * 50.198.10.180/30 68.15.12.178 tcp dpt:8080 to:172.16.100.1:80
0 0 DNAT tcp -- * * 50.198.10.184/30 68.15.12.178 tcp dpt:8080 to:172.16.100.1:80
396 20592 DNAT tcp -- * * 50.198.10.188/31 68.15.12.178 tcp dpt:8080 to:172.16.100.1:80
0 0 DNAT tcp -- * * 50.198.10.190 68.15.12.178 tcp dpt:8080 to:172.16.100.1:80
0 0 DNAT tcp -- * * 50.198.10.177 68.15.12.178 tcp dpt:23 to:172.16.100.1:23
0 0 DNAT tcp -- * * 50.198.10.178/31 68.15.12.178 tcp dpt:23 to:172.16.100.1:23
0 0 DNAT tcp -- * * 50.198.10.180/30 68.15.12.178 tcp dpt:23 to:172.16.100.1:23
0 0 DNAT tcp -- * * 50.198.10.184/30 68.15.12.178 tcp dpt:23 to:172.16.100.1:23
1 52 DNAT tcp -- * * 50.198.10.188/31 68.15.12.178 tcp dpt:23 to:172.16.100.1:23
0 0 DNAT tcp -- * * 50.198.10.190 68.15.12.178 tcp dpt:23 to:172.16.100.1:23
23010 1696K DNAT icmp -- * * 0.0.0.0/0 68.15.12.178 to:172.16.100.1
11821 709K DNAT tcp -- * * 0.0.0.0/0 68.15.12.178 tcp dpt:3551 to:172.16.100.15:3551
66604 3546K TRIGGER all -- * * 0.0.0.0/0 68.15.12.178 TRIGGER type:dnat match:0 relate:0

Chain INPUT (policy ACCEPT 24893 packets, 2043K bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 391 packets, 74963 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 420K packets, 30M bytes)
pkts bytes target prot opt in out source destination
327K 33M SNAT all -- * vlan2 172.16.100.0/24 0.0.0.0/0 to:68.15.12.178
0 0 RETURN all -- * br0 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
390 74629 MASQUERADE all -- * br0 172.16.100.0/24 172.16.100.0/24
root@DD-WRT-MAIN-BEACH:~#


Thank you for this; this matches my iptables... I didn't see any packets hitting your port forward (8080-->80), but for mine, packets come in but nothing goes back out.

J
cyberdev
DD-WRT User


Joined: 14 Sep 2008
Posts: 76

PostPosted: Wed Sep 01, 2021 21:38
Hi all,
Is there a solution for this issue?
A working iptables rule?

With CTF enabled I'm getting up to 900Mbit, but it's no option if I can't access my own Nextcloud anymore from internal.

_________________
Netgear R7000
jacdc
DD-WRT Novice


Joined: 19 May 2021
Posts: 37

PostPosted: Thu Sep 02, 2021 5:22
cyberdev wrote:
Hi all,
Is there a solution for this issue?
A working iptables rule?

With CTF enabled I'm getting up to 900Mbit, but it's no option if I can't access my own Nextcloud anymore from internal.


Hi cyberdev - nothing yet, and the MARK method to have forwarded traffic bypass CTF in iptables did not work either (for me). Tried a couple of new DD-WRT releases since 47206... still doesn't work. For now, I use WireGuard to access all forwarded services behind the firewall... works well enough but taxing on my device(s) and R7000 CPU for prolonged sessions.

J
cyberdev
DD-WRT User


Joined: 14 Sep 2008
Posts: 76

PostPosted: Sun Sep 05, 2021 19:51
Thanks for feedback - hope there will be a fix / workaround soon.
Some years ago there was a similar issue that could be fixed with an iptables rule:

iptables -t nat -A POSTROUTING -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -o br0 -j MASQUERADE

Thread:

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=84480&postdays=0&postorder=asc&highlight=15943m&start=15

But this also doesn't help at the moment.


Btw.: If I remember correctly, the port forwarding was working fine; only I'm not able to connect to the external address from my internal network (loopback).

_________________
Netgear R7000
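To make the comparison tedm and jacdc are doing by eye repeatable, here is an added diagnostic (not from the thread, not DD-WRT's own code) that parses `iptables -vnL -t nat` output: for a given external port it reports whether a DNAT rule exists and whether its packet counter moved, and it checks for the LAN-to-LAN MASQUERADE rule on br0 that cyberdev's loopback rule installs. The embedded SAMPLE is constructed from a subset of the output quoted above; on a router you would pass `"$(iptables -vnL -t nat)"` as the text argument instead.

```shell
#!/bin/sh
# Added example: read `iptables -vnL -t nat` text and answer two questions
# a port-forward troubleshooter asks. Constructed SAMPLE mirrors the thread's
# (already masked) output; not the router's live table.
SAMPLE='Chain PREROUTING (policy ACCEPT 868K packets, 82M bytes)
 pkts bytes target prot opt in out source destination
 0 0 DNAT tcp -- * * 50.198.10.177 68.15.12.178 tcp dpt:8080 to:172.16.100.1:80
 11821 709K DNAT tcp -- * * 0.0.0.0/0 68.15.12.178 tcp dpt:3551 to:172.16.100.15:3551

Chain POSTROUTING (policy ACCEPT 420K packets, 30M bytes)
 pkts bytes target prot opt in out source destination
 327K 33M SNAT all -- * vlan2 172.16.100.0/24 0.0.0.0/0 to:68.15.12.178
 390 74629 MASQUERADE all -- * br0 172.16.100.0/24 172.16.100.0/24'

# dnat_status PORT [TEXT]: prints "missing" (no DNAT rule for dpt:PORT),
# "idle" (rule present, zero packets) or "hit <pkts> -> <internal target>".
# A "hit" rule with a service that still times out means the inbound DNAT is
# fine and the problem is the return path (the symptom described in the thread).
dnat_status() {
    port=$1
    text=${2:-$SAMPLE}
    printf '%s\n' "$text" | awk -v p="dpt:$port" '
        $3 == "DNAT" {
            for (i = 1; i <= NF; i++) if ($i == p) {
                found = 1; pk = $1
                for (j = i; j <= NF; j++) if ($j ~ /^to:/) { tgt = $j; sub(/^to:/, "", tgt) }
                exit
            }
        }
        END {
            if (!found) print "missing"
            else if (pk == "0") print "idle"
            else print "hit " pk " -> " tgt
        }'
}

# hairpin_status [TEXT]: "present" when POSTROUTING has a MASQUERADE rule out
# br0 whose source and destination are the same LAN network (NAT loopback),
# otherwise "absent". Field layout: pkts bytes target prot opt in out src dst.
hairpin_status() {
    text=${1:-$SAMPLE}
    printf '%s\n' "$text" | awk '
        /^Chain / { chain = $2 }
        chain == "POSTROUTING" && $3 == "MASQUERADE" && $7 == "br0" && $8 == $9 { found = 1 }
        END { print (found ? "present" : "absent") }'
}
```

The parser only reads the table; it does not decide whether CTF is short-circuiting the reply, so pair it with a connection test from both the LAN and the outside.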
jacdc
DD-WRT Novice


Joined: 19 May 2021
Posts: 37

PostPosted: Thu Sep 23, 2021 18:24
cyberdev wrote:
Thanks for feedback - hope there will be a fix / workaround soon.
Some years ago there was a similar issue that could be fixed with an iptables rule:

iptables -t nat -A POSTROUTING -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -o br0 -j MASQUERADE

Thread:

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=84480&postdays=0&postorder=asc&highlight=15943m&start=15

But this also doesn't help at the moment.


Btw.: If I remember correctly, the port forwarding was working fine; only I'm not able to connect to the external address from my internal network (loopback).


Hi @cyberdev - thanks, I opened an SVN ticket here:
https://svn.dd-wrt.com/ticket/7472

Not sure if this is the official process, and this thread (here) seems to have run its course in terms of fixes for this issue. I also tried a clean (NVRAM reset) with a more recent build (3 days old - r47474) and the same issue comes up: port forwarding works until I enable CTF as the Shortcut Forwarding Engine.

I guess for now I can keep hoping/trying a new build to see if this gets fixed, but do you know what BS/others would need to delve into why this is not working, or to get some progress on that side of things (dev.)? I can't ship them a router, and from what I have read, this CTF is a closed source module that DD-WRT dev. wouldn't know much about how it works and interacts (with iptables)?

Thanks.

J
diogosena
DD-WRT User


Joined: 11 Jun 2011
Posts: 50

PostPosted: Thu Sep 30, 2021 13:41
I was having the same problem, port forwards won't work only when using CTF.

Wiped all, flashed the newest firmware (DD-WRT v3.0-r47495), and now it works.
(Don't use any nvram backups)
jacdc
DD-WRT Novice


Joined: 19 May 2021
Posts: 37

PostPosted: Fri Oct 01, 2021 15:07
diogosena wrote:
I was having the same problem, port forwards won't work only when using CTF.

Wiped all, flashed the newest firmware (DD-WRT v3.0-r47495), and now it works.
(Don't use any nvram backups)


Hi diogosena - thank you for sharing this information. I will try the current release (r47495) with my R7000 and confirm if this is working again. What port forward did you test/confirm with (a non-standard port like 15000 etc., or standard SSH (22))?

Thanks.
J
jacdc
DD-WRT Novice


Joined: 19 May 2021
Posts: 37

PostPosted: Fri Oct 01, 2021 19:03
jacdc wrote:
diogosena wrote:
I was having the same problem, port forwards won't work only when using CTF.

Wiped all, flash newest firmware (DD-WRT v3.0-r47495), and now it works.
(Don't use any nvram backups)


Hi diogosena - thank you for sharing this information. I will try the current release (r47495) with my R7000 and confirm if this is working again. What port forward did you test/confirm with (a non-standard port like 15000 etc., or standard SSH (22))?

Thanks.
J


Hi @diogosena - I went ahead and installed 47495 with an NVRAM/restart. Unfortunately, with a basic setup and a single port forward (port 32400), I am still unable to reach my NAT'd internal IP (192.168.100.99) from outside my network. I tested this after 2 restarts once the R7000 was flashed, so that the CTF/FA options were available in the Setup tab. Once I selected these, the port forward rule for 32400 timed out. I then selected 'SFE' as the Shortcut Forwarding Engine, and almost immediately traffic to 192.168.100.99:32400 started to flow and I could reach the service listening on that port.

Hopefully Brainslayer/others know what is causing this (just can't fix it at the moment)? I reverted back to 47206 and will continue to use WireGuard to bypass using port forward rules... CTF is just too good not to use with my 1Gbps up/down ISP connection and hardwired Ethernet clients!

J
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

PostPosted: Fri Oct 01, 2021 19:42
Either I have completely missed the information, or you have not specified if your R7000 is behind any other device connected to your ISP. There is also the possibility that you are over-engineering this situation.
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
jacdc
DD-WRT Novice


Joined: 19 May 2021
Posts: 37

PostPosted: Fri Oct 01, 2021 21:30
kernel-panic69 wrote:
Either I have completely missed the information, or you have not specified if your R7000 is behind any other device connected to your ISP. There is also the possibility that you are over-engineering this situation.


Setup is simple - the R7000 is behind a fiber-to-Ethernet OTN. The R7000 was flashed and NVRAM reset... no configuration was restored in testing the latest DD-WRT build. It takes 2 reboots for CTF to be a selectable kernel module in the DD-WRT UI. I selected that and then set a simple port forward rule to forward traffic to my device connected to the R7000 Ethernet at 192.158.100.99 port 32400. With CTF enabled the connection times out. Selecting SFE as the Shortcut Forwarding Engine (under the Setup tab), traffic immediately flows to this IP and port (didn't even have to restart the R7000).

I would keep using WireGuard to avoid these port forward rules, but not all my devices that need to connect to my home network have that client.

Thanks.

J
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

PostPosted: Sat Oct 02, 2021 0:42
Is your *ONT* a modem in bridge mode or?
jacdc
DD-WRT Novice


Joined: 19 May 2021
Posts: 37

PostPosted: Sat Oct 02, 2021 1:02
kernel-panic69 wrote:
Is your *ONT* a modem in bridge mode or?

I assume so... it has a single Ethernet port and an RJ9 for VoIP service. Ethernet runs to the WAN port on the R7000.

J
jacdc
DD-WRT Novice


Joined: 19 May 2021
Posts: 37

PostPosted: Fri Oct 08, 2021 18:43
kernel-panic69 wrote:
Is your *ONT* a modem in bridge mode or?


Hi @kernel-panic69 - any other suggestions, or is the MARK method in the firewall confirmed not to work with CTF/FA enabled? A new firmware release I should try?

Thanks.
J
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

PostPosted: Fri Oct 08, 2021 19:48
I presume all this effort is for a Plex server to be accessible from the internet.

https://www.purevpn.com/blog/plex-port-forwarding/
