How to bypass CTF (Port Forward rule not working)

jacdc
DD-WRT Novice


Joined: 19 May 2021
Posts: 37

PostPosted: Sat Aug 21, 2021 18:09    Post subject: How to bypass CTF (Port Forward rule not working)
Router/Version: Netgear R7000
File/Kernel: DD-WRT v3.0-r47206 std (08/19/21) /Linux 4.4.281 #3861 SMP Wed Aug 18 06:09:31 +07 2021 armv7l
Previous/Reset:R46604 yes, nvram reset after flash.
Issues/Errors:Download speeds are closer to what I expect for Fiber 1 Gbit connection and getting ~850 Mbit up and down. However, ALL Port Forward rules except standard ports (21, 23, and Wireguard) DO NOT forward.


Hello,
With the most recent bslayer release of ddwrt (47206), I am trying to use the Port Forward rules I had in-place and specifically a port forward to an internal IP : 192.168.100.99
Port: 32400

I have tried multiple iterations of the following iptables command:
"iptables -I PREROUTING -t mangle -p tcp --dport 32400 -j MARK --set-mark 0x1/0x7"

in an attempt to forward port 32400 traffic going to my WAN IP -->forward to my internal device at 192.168.100.99. Using this iptables command, I still cannot access (times out) when going to <my external IP/domain>:32400/web/index.html.

NOTE: I have confirmed that the internal IP/server is listening on port 32400 by accessing it successfully at:

https://192.168.100.99:32400/web/index.html

I have posted about this here as well:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=329993


Attached are the iptables, system log and dmesg from my R7000 router.

NOTE: @egc - mentions this MARK method should be possible to bypass CTF for port forwards...just isn't clear if Port Forwards will be officially supported in a future ddwrt release (questions for @BSlayer and team)?
Thank you.

John



Attachment: system_logs_dmesg.zip (424.44 KB)
Attachment: ddwrt_iptables_logs.zip (4.71 KB)
jacdc
DD-WRT Novice


Joined: 19 May 2021
Posts: 37

PostPosted: Sat Aug 21, 2021 21:37    Post subject: Re: How to bypass CTF (Port Forward rule not working)
Also for reference, here is the connection/layout for the device I need to port forward to:

192.168.100.1 (Gateway/LAN IP)
--> 192.168.100.99 (This is the device I want to forward port 32400 to)

192.168.100.99 is connected to a second Netgear R7000's ethernet port.

This secondary R7000 AP has its WAN port disabled and is essentially a switch for the .99 and other devices. I can SSH/access the .99 device from my LAN (wifi and other machines that are all on the same .100 subnet) without issue. I can also access directly https://192.168.100.99:32400/web/index.html

Connection explanation:

192.168.100.99 connects to -->R7000's ethernet port 2 (this AP has its WAN port disabled and its IP 192.168.100.5) --> connects to the eth2 switch port on 192.168.100.1 (LAN Gateway IP/ main R7000 router/AP)

NOTE: Connecting to my network via Wireguard allows me to connect to https://192.168.100.99:32400 as I am essentially on the LAN but I would like to avoid having to use Wireguard to access my devices that I could normally connect to with a simple port forwarding rule.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12835
Location: Netherlands

PostPosted: Sun Aug 22, 2021 6:20
As an aside, using WireGuard is the safer way Smile

CTF is brand new and a lot needs to be discovered/researched.

Rumor has it you can bypass it like discussed earlier.


First research if CTF is the culprit.
So disable it, reboot and see if Port forwarding is working.
Enable it (only CTF not CTF&FA), reboot and check again.
If it does not work try with the workaround.

Then try with CTF&FA (your R7000 should support CTF&FA)

SFE should support port forwarding

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
jacdc
DD-WRT Novice


Joined: 19 May 2021
Posts: 37

PostPosted: Sun Aug 22, 2021 7:46
egc wrote:
As an aside, using WireGuard is the safer way Smile

CTF is brand new and a lot needs to be discovered/researched.

Rumor has it you can bypass it like discussed earlier.


First research if CTF is the culprit.
So disable it, reboot and see if Port forwarding is working.
Enable it (only CTF not CTF&FA), reboot and check again.
If it does not work try with the workaround.

Then try with CTF&FA (your R7000 should support CTF&FA)

SFE should support port forwarding


Hi - thank you for the testing suggestions to isolate if CTF is the issue. I did try disabling/enabling CTF before and just to confirm I repeated the following steps:

Setup --> Set SFE to Disabled (was set to CTF).
Clicking Save/Apply - immediately I could connect to my internal FTP and service listening on port 32400. I also had Flow Acceleration set to 'CTF & FA'.

My Fiber speed (1 Gbit) dropped to 250 up/down testing with my Ethernet connected PC.

I then selected SFE (Flow Acceleration set to 'Disabled')--Save/Apply (this time router forced soft reset to enable SFE).

Results:
Port Forwards: Working
Up/Down speeds: Slight improvement - 350 Mbit up and down (my fiber connection is symmetric)
--------------
Selecting CTF under Setup -->Shortcut Forwarding Engine dropdown, Save/Apply

Results:
Port Forwards: Not Working
Up/Down speeds ~ 700 Mbit
---------------------------

Enabling Flow Acceleration (CTF) with SFE (CTF) - Save/Apply - router was automatically soft-rebooted.

Results:
Port Forwards: Not working
Up/Down Speeds: 750 Mbit
---------------
Enabling CTF (under SFE) and Flow Acceleration to CTF & FA
Save/Apply - router was automatically soft-rebooted.

Port Forwards: Not Working

Up/Down speeds:950 Mbit
==================
Conclusion: CTF feature does not allow use of Port Forwards rules. It appears that a standard FTP port (21) forwarding rule does "work" with CTF enabled. However, when I tried connecting to this service, my FileZilla server replied but could not form a proper PASV response and my FTP client got the following reply/error :
"Server sent passive reply with unroutable address 192.168.100.4, using host address instead.
Timeout detected. (data connection)
Could not retrieve directory listing
Error listing directory '/'.
"
192.168.100.4 is the FTP server that I port forward (21) to.

Again this points to an "incompatibility" with CTF for port forwarding and I tried the following iptables command to mark this traffic to bypass CTF:

"iptables -I PREROUTING -t mangle -p tcp --dport 32400 -j MARK --set-mark 0x1/0x7"

but I am still getting a timeout/unable to connect to my forwarded ports (21/32400)

Can you confirm if this is the correct iptables command I should be using to bypass for my LAN host listening on port 32400 (tcp) at 192.168.100.99 (private IP) or do I need to add an additional PREROUTING/FORWARD etc. rule to get packets all the way through and back etc.?

Thanks!


J
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12835
Location: Netherlands

PostPosted: Sun Aug 22, 2021 8:27
The workaround is marking packets which should then bypass CTF, you should mark them with mark 1.

That is what you are doing.

Check with iptables -vnL -t mangle if the rule is hit, you should see the packet counter increase.

If not just mark all packets (so not use the port)

I am currently working on an "Import tunnel" option for WireGuard to import a config file e.g. from your provider or from your own WG server to setup a WG tunnel with just three mouse clicks Smile

As I am just a lousy developer who sucks at html/javascript it is a slow process so no time for anything else Sad

But it is on my list for coming autumn Smile



Attachment: Naamloos.png (51.75 KB)


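egc's advice above is to watch the packet counter of the MARK rule in `iptables -vnL -t mangle`. The helper below is an added example, not code from this thread or from DD-WRT: it pulls the counter of a rule out of that listing by target name and destination port and compares two snapshots, so the "is the rule being hit?" question is answered mechanically. The same parser works on the nat table's DNAT rules. The listings embedded in it are constructed samples modelled on the format posted in this thread (203.0.113.10 stands in for a WAN address); nothing is captured from a real router.

```shell
#!/bin/sh
# Added example (not from the thread or DD-WRT): extract a rule's packet counter
# from `iptables -vnL` output and check whether it grew between two snapshots.
# Sample listings below are constructed, modelled on the thread's format.

# rule_pkts LISTING TARGET DPORT
# Prints the pkts counter of the first rule in LISTING whose target column is
# TARGET and whose match text contains "dpt:DPORT"; prints -1 if none matches.
rule_pkts() {
    printf '%s\n' "$1" | awk -v tgt="$2" -v port="$3" '
        $3 == tgt && $0 ~ ("dpt:" port "( |$)") { print $1; found = 1; exit }
        END { if (!found) print -1 }'
}

# rule_hit BEFORE AFTER TARGET DPORT
# Succeeds (exit 0) only if the rule exists in both snapshots and its packet
# counter grew between them, i.e. traffic actually traversed the rule.
rule_hit() {
    before=$(rule_pkts "$1" "$3" "$4")
    after=$(rule_pkts "$2" "$3" "$4")
    [ "$before" -ge 0 ] && [ "$after" -gt "$before" ]
}

# live_rule_check TABLE TARGET DPORT [SECONDS]
# On the router: snapshot the table, wait while a client connects to the
# forwarded port, snapshot again and report. Assumes iptables is in PATH.
live_rule_check() {
    first=$(iptables -vnL -t "$1")
    sleep "${4:-10}"
    second=$(iptables -vnL -t "$1")
    if rule_hit "$first" "$second" "$2" "$3"; then
        echo "$2 rule for dpt:$3 in table $1 is being hit"
    else
        echo "$2 rule for dpt:$3 in table $1 saw no new packets (or is absent)"
    fi
}

# Constructed sample: mangle table before and after one connection attempt.
MANGLE_BEFORE='Chain PREROUTING (policy ACCEPT 1300 packets, 260K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:32400 MARK xset 0x1/0x7'

MANGLE_AFTER='Chain PREROUTING (policy ACCEPT 1316 packets, 262K bytes)
 pkts bytes target     prot opt in     out     source               destination
    2    92 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:32400 MARK xset 0x1/0x7'

# Constructed sample: the same parser reads the nat table's DNAT rules.
NAT_AFTER='Chain PREROUTING (policy ACCEPT 8340 packets, 1119K bytes)
 pkts bytes target     prot opt in     out     source               destination
   21  1124 DNAT       tcp  --  *      *       0.0.0.0/0            203.0.113.10         tcp dpt:21 to:192.168.100.4:21
    4   240 DNAT       tcp  --  *      *       0.0.0.0/0            203.0.113.10         tcp dpt:32400 to:192.168.100.99:32400
   10   520 DNAT       tcp  --  *      *       0.0.0.0/0            203.0.113.10         tcp dpts:50000:50099 to:192.168.100.4'

# Stand-alone demo on the constructed samples.
if rule_hit "$MANGLE_BEFORE" "$MANGLE_AFTER" MARK 32400; then
    echo "sample: MARK rule for dpt:32400 was hit"
fi
echo "sample: DNAT rule for dpt:32400 counted $(rule_pkts "$NAT_AFTER" DNAT 32400) packets"
```

On the router, `live_rule_check mangle MARK 32400 10` while a client outside connects to the forwarded port gives a yes/no answer; a growing MARK counter with a connection that still times out means the mark is applied but does not by itself make the flow bypass CTF, which is exactly the situation the thread goes on to describe.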
wabe
DD-WRT Guru


Joined: 17 Jun 2006
Posts: 889

PostPosted: Sun Aug 22, 2021 9:55    Post subject: Re: How to bypass CTF (Port Forward rule not working)
jacdc wrote:
Router/Version: Netgear R7000
File/Kernel: DD-WRT v3.0-r47206 std (08/19/21) /Linux 4.4.281 #3861 SMP Wed Aug 18 06:09:31 +07 2021 armv7l
Previous/Reset:R46604 yes, nvram reset after flash.
Issues/Errors:Download speeds are closer to what I expect for Fiber 1 Gbit connection and getting ~850 Mbit up and down. However, ALL Port Forward rules except standard ports (21, 23, and Wireguard) DO NOT forward.


Hello,
With the most recent bslayer release of ddwrt (47206), I am trying to use the Port Forward rules I had in-place and specifically a port forward to an internal IP : 192.168.100.99
Port: 32400

I have tried multiple iterations of the following iptables command:
"iptables -I PREROUTING -t mangle -p tcp --dport 32400 -j MARK --set-mark 0x1/0x7"

in an attempt to forward port 32400 traffic going to my WAN IP -->forward to my internal device at 192.168.100.99. Using this iptables command, I still cannot access (times out) when going to <my external IP/domain>:32400/web/index.html.

NOTE: I have confirmed that the internal IP/server is listening on port 32400 by accessing it successfully at:

https://192.168.100.99:32400/web/index.html

I have posted about this here as well:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=329993


Attached are the iptables, system log and dmesg from my R7000 router.

NOTE: @egc - mentions this MARK method should be possible to bypass CTF for port forwards...just isn't clear if Port Forwards will be officially supported in a future ddwrt release (questions for @BSlayer and team)?
Thank you.

John

I'm running dd-wrt on an Asus RT-AC68U with a couple of port forwards. My settings are as follows:
"Shortcut Forwarding Engine" set to CTF and "Flow acceleration" to Disable. With these settings I get the full bandwidth I'm paying for (250 Mbit) and the port forwards work. Have you reset the router after upgrading the firmware?

_________________
Netgear R7000 on Build 55109
Asus AC-AC68U rev. C1 (AP) on Build 55109
Asus AC-68U rev. A1 on Build 54604
Asus AC-68U rev. A1 on Build 53339
jacdc
DD-WRT Novice


Joined: 19 May 2021
Posts: 37

PostPosted: Sun Aug 22, 2021 18:57    Post subject: Re: How to bypass CTF (Port Forward rule not working)
wabe wrote:
jacdc wrote:
Router/Version: Netgear R7000
File/Kernel: DD-WRT v3.0-r47206 std (08/19/21) /Linux 4.4.281 #3861 SMP Wed Aug 18 06:09:31 +07 2021 armv7l
Previous/Reset:R46604 yes, nvram reset after flash.
Issues/Errors:Download speeds are closer to what I expect for Fiber 1 Gbit connection and getting ~850 Mbit up and down. However, ALL Port Forward rules except standard ports (21, 23, and Wireguard) DO NOT forward.


Hello,
With the most recent bslayer release of ddwrt (47206), I am trying to use the Port Forward rules I had in-place and specifically a port forward to an internal IP : 192.168.100.99
Port: 32400

I have tried multiple iterations of the following iptables command:
"iptables -I PREROUTING -t mangle -p tcp --dport 32400 -j MARK --set-mark 0x1/0x7"

in an attempt to forward port 32400 traffic going to my WAN IP -->forward to my internal device at 192.168.100.99. Using this iptables command, I still cannot access (times out) when going to <my external IP/domain>:32400/web/index.html.

NOTE: I have confirmed that the internal IP/server is listening on port 32400 by accessing it successfully at:

https://192.168.100.99:32400/web/index.html

I have posted about this here as well:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=329993


Attached are the iptables, system log and dmesg from my R7000 router.

NOTE: @egc - mentions this MARK method should be possible to bypass CTF for port forwards...just isn't clear if Port Forwards will be officially supported in a future ddwrt release (questions for @BSlayer and team)?
Thank you.

John

I'm running dd-wrt on an Asus RT-AC68U with a couple of port forwards. My settings are as follows:
"Shortcut Forwarding Engine" set to CTF and "Flow acceleration" to Disable. With these settings I get the full bandwidth I'm paying for (250 Mbit) and the port forwards work. Have you reset the router after upgrading the firmware?


Hi - thank you for this suggestion. I went ahead and factory reset my R7000 router and installed R47206 with just "factory" settings. I then configured one of my port forwards (FTP over TLS) and tested with no other customizations. As soon as I set the SFE option to CTF and Flow Acceleration to 'Disabled', my up/down speeds improved close to the 1 Gbit I have from my ISP. However, my FTP port forward rule had the same issue as before...connection would time out.

I will continue testing/changing my iptables to see if I can get this to work so that traffic to my forwarded ports bypasses CTF. I would prefer not to give up CTF especially since my connection is faster than the standard Shortcut Forwarding Engine (SFE) can provide (tops out at 400 mbit from my testing).

As @egc mentioned, this is a "brand new" kernel module that was made available to ddwrt compatible routers so more testing/updates will be needed. Hopefully, we can get Port Forwards available again (at least for Netgear routers) along with more feedback from other users with different brand routers. I have a workaround as well using Wireguard but I would prefer to keep/use these port forward rules - WG is a little taxing on my R7000 and can slow down further when other clients on my network are downloading/streaming.


John
jacdc
DD-WRT Novice


Joined: 19 May 2021
Posts: 37

PostPosted: Sun Aug 22, 2021 20:04
egc wrote:
The workaround is marking packets which should then bypass CTF, you should mark them with mark 1.

That is what you are doing.

Check with iptables -vnL -t mangle if the rule is hit, you should see the packet counter increase.

If not just mark all packets (so not use the port)

I am currently working on an "Import tunnel" option for WireGuard to import a config file e.g. from your provider or from your own WG server to setup a WG tunnel with just three mouse clicks Smile

As I am just a lousy developer who sucks at html/javascript it is a slow process so no time for anything else Sad

But it is on my list for coming autumn Smile



Hi - so I checked this iptables rule again and can see the rule is getting hit (running iptables -vnL -t mangle after I added the rule from the command line on router):
---------
Chain PREROUTING (policy ACCEPT 1316 packets, 262K bytes)
pkts bytes target prot opt in out source destination
2 92 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:32400 MARK xset 0x1/0x7
------

I then added another PREROUTING rule (type nat) which also gets hit:
Chain PREROUTING (policy ACCEPT 935 packets, 177K bytes)
pkts bytes target prot opt in out source destination
17 884 MARK tcp -- * * 0.0.0.0/0 135.180.175.xxx tcp dpt:32400 MARK xset 0x1/0x7


using the following iptables command:
iptables -t nat -I PREROUTING -p tcp -d $(nvram get wan_ipaddr) --dport 32400 -j MARK --set-mark 0x1/0x7

I can't specify a -j <target type> of DNAT as a NAT rule and -j MARK in the same rule...iptables only allows one.

The existing PREROUTING chain has the following (worked with CTF enabled):
35 1844 DNAT tcp -- * * 0.0.0.0/0 135.180.175.xxx tcp dpt:32400 to:192.168.100.99:32400


so I am missing the destination IP (private LAN IP) it seems but I can't add a '--to <private LAN IP:port>' like this (iptables throws an error - "iptables v1.8.5 (legacy): multiple -j flags not allowed"):

iptables -t nat -I PREROUTING -p tcp -d $(nvram get wan_ipaddr) --dport 32400 -j DNAT --to 192.168.100.99:32400 -j MARK --set-mark 0x1/0x7

I still cannot get forwarded to this private LAN IP so let me know if there is anything I can try - I am trying to add a port forward rule following this write-up from command line:
https://wiki.dd-wrt.com/wiki/index.php/Iptables#Port_Forward_Example

<Port forwarding to a specific LAN IP>

May just go with Wireguard for all connections...but want to see if this CTF bypass can be made to work using the MARK option in iptables.


John
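The post above runs into "multiple -j flags not allowed": iptables accepts exactly one jump target per rule, so the CTF-bypass MARK and the DNAT cannot share a rule and have to be split across the mangle and nat tables, with a FORWARD ACCEPT in the filter table as in egc's hand-made rules later in the thread. The script below is an added example, not code from this thread or from DD-WRT: it emits that three-rule set for a given port and LAN host and checks that every emitted rule carries a single `-j`. The mark value 0x1/0x7 is the one quoted in the thread; 203.0.113.10 is a constructed stand-in for the WAN address. It only prints the rules; whether the mark actually makes CTF skip the flow is a separate question, and the thread reports it did not for this poster.

```shell
#!/bin/sh
# Added example (not from the thread or DD-WRT): build a port forward with the
# CTF-bypass mark as three separate iptables rules, one jump target each.
# Assumptions: mark 0x1/0x7 as quoted in the thread; WAN address constructed.

# jump_count COMMAND
# Counts "-j" tokens in an iptables command line; iptables rejects any value
# other than 1 ("multiple -j flags not allowed").
jump_count() {
    printf '%s\n' "$1" | awk '{ n = 0; for (i = 1; i <= NF; i++) if ($i == "-j") n++; print n }'
}

# ctf_bypass_forward PROTO DPORT LAN_IP WAN_IP
# Prints the three rules, one per line, in the order they should be applied:
#   mangle PREROUTING -> set the CTF-bypass mark on inbound packets to DPORT
#   nat PREROUTING    -> DNAT those packets to LAN_IP:DPORT
#   filter FORWARD    -> allow the forwarded flow through the firewall
# It only prints. On the router the output can be applied with e.g.
#   ctf_bypass_forward tcp 32400 192.168.100.99 "$(nvram get wan_ipaddr)" | sh
ctf_bypass_forward() {
    proto=$1; dport=$2; lan_ip=$3; wan_ip=$4
    printf 'iptables -t mangle -I PREROUTING -p %s -d %s --dport %s -j MARK --set-mark 0x1/0x7\n' "$proto" "$wan_ip" "$dport"
    printf 'iptables -t nat -I PREROUTING -p %s -d %s --dport %s -j DNAT --to-destination %s:%s\n' "$proto" "$wan_ip" "$dport" "$lan_ip" "$dport"
    printf 'iptables -I FORWARD -p %s -d %s --dport %s -j ACCEPT\n' "$proto" "$lan_ip" "$dport"
}

# valid_ruleset RULES
# Succeeds only if every line in RULES carries exactly one -j.
valid_ruleset() {
    printf '%s\n' "$1" | awk '
        { n = 0; for (i = 1; i <= NF; i++) if ($i == "-j") n++; if (n != 1) bad++ }
        END { exit (bad > 0) }'
}

# Constructed negative sample: the combined rule the thread reports iptables rejects.
BAD_RULE='iptables -t nat -I PREROUTING -p tcp -d 203.0.113.10 --dport 32400 -j DNAT --to 192.168.100.99:32400 -j MARK --set-mark 0x1/0x7'

RULES=$(ctf_bypass_forward tcp 32400 192.168.100.99 203.0.113.10)

# Stand-alone demo.
echo "combined rule has $(jump_count "$BAD_RULE") jump targets (iptables rejects it)"
if valid_ruleset "$RULES"; then
    echo "split ruleset: every rule has exactly one -j"
fi
printf '%s\n' "$RULES"
```

Insertion order matters because `-I` puts each rule at the head of its chain: the mangle MARK is evaluated before the nat DNAT for the same packet regardless of order, but the FORWARD ACCEPT must sit ahead of any DROP rule the firewall already has in that chain.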
tedm
DD-WRT Guru


Joined: 13 Mar 2009
Posts: 554

PostPosted: Wed Aug 25, 2021 10:05
I have a Netgear R6300V2 with CTF enabled (it also has FA hardware but that's not enabled), r47206. The port forward I have works fine: port 3551.

Everything I have read about CTF indicates CTF passes all port forwards through the regular Linux IP stack other than the dynamic ones it creates in its internal connection tracking table. When enabled CTF examines every packet that goes through the router and makes a decision whether to kick it to its internal translation routines or to the operating system's routines (which are significantly slower)

But of course CTF has to know that the kernel has special rule processing (port forwards, etc.) for a packet pattern. Possibly because you are using iptables directly and not the dd-wrt GUI there's some pattern that you are using that isn't recognized by CTF? Possibly because you are not using a port under 1024 or an otherwise well-known port and are just port forwarding some port number you pulled out of your hat? Or because you are trying to change the port from one to another in the forward?

Maybe try wiping it and setting it up vanilla and put the port into the GUI and make it a port under 1024? Then see if that fixes it?
jacdc
DD-WRT Novice


Joined: 19 May 2021
Posts: 37

PostPosted: Wed Aug 25, 2021 19:42
tedm wrote:
I have a Netgear R6300V2 with CTF enabled (it also has FA hardware but that's not enabled), r47206. The port forward I have works fine: port 3551.

Everything I have read about CTF indicates CTF passes all port forwards through the regular Linux IP stack other than the dynamic ones it creates in its internal connection tracking table. When enabled CTF examines every packet that goes through the router and makes a decision whether to kick it to its internal translation routines or to the operating system's routines (which are significantly slower)

But of course CTF has to know that the kernel has special rule processing (port forwards, etc.) for a packet pattern. Possibly because you are using iptables directly and not the dd-wrt GUI there's some pattern that you are using that isn't recognized by CTF? Possibly because you are not using a port under 1024 or an otherwise well-known port and are just port forwarding some port number you pulled out of your hat? Or because you are trying to change the port from one to another in the forward?

Maybe try wiping it and setting it up vanilla and put the port into the GUI and make it a port under 1024? Then see if that fixes it?


So I tried removing the port forward rule and using standard port 80 however the listening server behind NAT/Firewall can only listen on port 32400. I tried using port 80 but I am still unable to connect from the outside. I do suspect that this CTF issue may be related to not using "standard" ports under 1024 because another service I have running (different server) is listening on port 21 with additional port range forwarding on ports 50000 -- 50099. I can connect to that FTP port and server but because I have a Passive FTP response, the initial connection times out (likely due to the passive range ports being used).

I am not trying to set any more MARK rules in iptables at this point...just trying different port numbers (under 1024) in the Port Forwarding tab in DDWRT UI.

Tks.

J
jacdc
DD-WRT Novice


Joined: 19 May 2021
Posts: 37

PostPosted: Thu Aug 26, 2021 3:09
jacdc wrote:
tedm wrote:
I have a Netgear R6300V2 with CTF enabled (it also has FA hardware but that's not enabled), r47206. The port forward I have works fine: port 3551.

Everything I have read about CTF indicates CTF passes all port forwards through the regular Linux IP stack other than the dynamic ones it creates in its internal connection tracking table. When enabled CTF examines every packet that goes through the router and makes a decision whether to kick it to its internal translation routines or to the operating system's routines (which are significantly slower)

But of course CTF has to know that the kernel has special rule processing (port forwards, etc.) for a packet pattern. Possibly because you are using iptables directly and not the dd-wrt GUI there's some pattern that you are using that isn't recognized by CTF? Possibly because you are not using a port under 1024 or an otherwise well-known port and are just port forwarding some port number you pulled out of your hat? Or because you are trying to change the port from one to another in the forward?

Maybe try wiping it and setting it up vanilla and put the port into the GUI and make it a port under 1024? Then see if that fixes it?


So I tried removing the port forward rule and using standard port 80 however the listening server behind NAT/Firewall can only listen on port 32400. I tried using port 80 but I am still unable to connect from the outside. I do suspect that this CTF issue may be related to not using "standard" ports under 1024 because another service I have running (different server) is listening on port 21 with additional port range forwarding on ports 50000 -- 50099. I can connect to that FTP port and server but because I have a Passive FTP response, the initial connection times out (likely due to the passive range ports being used).

I am not trying to set any more MARK rules in iptables at this point...just trying different port numbers (under 1024) in the Port Forwarding tab in DDWRT UI.

Tks.

J


For reference @tedm - here is my iptables from command line (set by the DDWRT Port Forwarding tab):

Chain PREROUTING (policy ACCEPT 8340 packets, 1119K bytes)
pkts bytes target prot opt in out source destination
17 1378 DNAT icmp -- * * 0.0.0.0/0 135.xxx.175.xxx to:192.168.100.1
21 1124 DNAT tcp -- * * 0.0.0.0/0 135.xxx.175.xxx tcp dpt:21 to:192.168.100.4:21
0 0 DNAT udp -- * * 0.0.0.0/0 135.xxx.175.xxx udp dpt:21 to:192.168.100.4:21
4 240 DNAT tcp -- * * 0.0.0.0/0 135.xxx.175.xxx tcp dpt:17 to:192.168.100.99:32400
0 0 DNAT udp -- * * 0.0.0.0/0 135.xxx.175.xxx udp dpt:17 to:192.168.100.99:32400
10 520 DNAT tcp -- * * 0.0.0.0/0 135.xxx.175.xxx tcp dpts:50000:50099 to:192.168.100.4
0 0 DNAT udp -- * * 0.0.0.0/0 135.xxx.175.xxx udp dpts:50000:50099 to:192.168.100.4
1728 128K TRIGGER all -- * * 0.0.0.0/0 135.xxx.175.xxx TRIGGER type:dnat match:0 relate:0

Chain INPUT (policy ACCEPT 3382 packets, 208K bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 2093 packets, 347K bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 1376 packets, 105K bytes)
pkts bytes target prot opt in out source destination
40 2845 SNAT all -- * br0 0.0.0.0/0 0.0.0.0/0 to:192.168.100.1
3358 619K SNAT all -- * vlan2 0.0.0.0/0 0.0.0.0/0 to:135.xxx.175.xxx
2 146 SNAT all -- * vlan2 192.168.100.0/24 0.0.0.0/0 to:135.xxx.175.xxx
0 0 SNAT all -- * vlan2 192.168.1.0/24 0.0.0.0/0 to:135.xxx.175.xxx
0 0 SNAT all -- * vlan2 xxx.16.1.0/24 0.0.0.0/0 to:135.xxx.175.xxx
0 0 SNAT all -- * vlan2 xxx.16.2.0/24 0.0.0.0/0 to:135.xxx.175.xxx
0 0 RETURN all -- * br1 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast


Traffic is getting through to my NAT'd devices on these ports but I suspect the return route/path is not defined and or getting blocked/lost somehow? Can you share the output of your iptables showing this port forward rule for port 3551?

iptables -vnL -t nat

I also use DNSMasq - would this interfere with the Port Forwarding?

Thanks.

J
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12835
Location: Netherlands

PostPosted: Thu Aug 26, 2021 13:42
I just made a quick test

R6400v2 using build 47258

CTF&FA enabled

Port forward using build in Port Forward to my QNAP NAS forwarding port 13131 to 13131

Works without a problem



Attachment: Naamloos.png (25.66 KB)



egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12835
Location: Netherlands

PostPosted: Thu Aug 26, 2021 13:51
Disabled the GUI and made rules by hand:
Code:
root@R6400-v2:~# iptables -t nat -I PREROUTING -p tcp --dport 13131  -j DNAT --to 192.168.1.72:13131
root@R6400-v2:~# iptables -I FORWARD -p tcp -d 192.168.1.72 --dport 13131 -j ACCEPT


No problem whatsoever

jacdc
DD-WRT Novice


Joined: 19 May 2021
Posts: 37

PostPosted: Fri Aug 27, 2021 7:37
egc wrote:
Disabled the GUI and made rules by hand:
Code:
root@R6400-v2:~# iptables -t nat -I PREROUTING -p tcp --dport 13131  -j DNAT --to 192.168.1.72:13131
root@R6400-v2:~# iptables -I FORWARD -p tcp -d 192.168.1.72 --dport 13131 -j ACCEPT


No problem whatsoever

@egc - thank you for this, I tried the latest build (47256) but I am still unable to access externally my server listening on port 32400. Looking at the iptables output for both FORWARD and PREROUTING (NAT), I can see packets coming in but the request just eventually times out.

Same result running from command line after removing all Port Forward rules from GUI.

J
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12835
Location: Netherlands

PostPosted: Fri Aug 27, 2021 10:35
I have seen this kind of behaviour when using VPN servers with enabled CVE mitigation or when connection tracking is disabled when the router is in Router mode (instead of default Gateway)

However you should have other problems also so I do not think this is the case

Unfortunately it is the only thing I can think of right now.

To be sure check raw and mangle tables
raw is usually empty and mangle usually has the TCPMSS clamping but I am not a real iptables expert
