ISP modem/router in bridge mode. R7000 as gateway.
I'm trying to self host Nextcloud and have it working using port forward and can access it externally using the external IP and internally using the internal IP. I'm trying to use only the external IP even when connected to LAN, but it doesn't work.
I did some searching and found out about NAT loopback.
Filter WAN NAT Redirection is unchecked.
Code:
# load the packet-mark modules
insmod ipt_mark
insmod xt_mark
# mark packets that arrive on a non-WAN interface but are addressed to the WAN IP
iptables -t mangle -A PREROUTING -i ! `get_wanface` -d `nvram get wan_ipaddr` -j MARK --set-mark 0xd001
# masquerade the marked packets so the LAN server's replies come back through the router
iptables -t nat -A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE
The above seemed to work for a brief minute, but Nextcloud had an error. The external URL stopped working, so I couldn't figure out if it was a problem with the SSL certificate or whatever.
Joined: 16 Nov 2015 Posts: 6446 Location: UK, London, just across the river..
Posted: Sun Sep 19, 2021 19:19 Post subject:
Did you tick that box at GUI > Security > NAT loopback?
Also, when trying stuff on your router, try all of it via the CLI (ssh/telnet); that way, if it doesn't work as it should, you just reboot...
Joined: 08 May 2018 Posts: 14244 Location: Texas, USA
Posted: Sun Sep 19, 2021 21:10 Post subject:
You shouldn't have to do anything, you seem to be quoting old articles and information. It should work with that unchecked. If not, some kind of debug information is needed.
Code:
Chain INPUT (policy ACCEPT 10589 packets, 950K bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 4187 packets, 307K bytes)
num pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 43 packets, 2159 bytes)
num pkts bytes target prot opt in out source destination
1 4905 1085K SNAT all -- * vlan2 192.168.1.0/24 0.0.0.0/0 to:EXTERNAL.IP
2 4161 300K SNAT all -- * vlan2 0.0.0.0/0 0.0.0.0/0 to:EXTERNAL.IP
3 0 0 RETURN all -- * wl1.1 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
4 0 0 MASQUERADE all -- * wl1.1 0.0.0.0/0 0.0.0.0/0
5 0 0 RETURN all -- * br0 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
6 29 6564 MASQUERADE all -- * br0 192.168.1.0/24 192.168.1.0/24
Code:
root@Router-Gateway:~# iptables -t mangle -A PREROUTING -i ! vlan2 -d $(nvram get wan_ipaddr) -j MARK --set-mark 0x80000000/0x80000000
Bad argument `vlan2'
Try `iptables -h' or 'iptables --help' for more information.
root@Router-Gateway:~# iptables -t mangle -A PREROUTING -i ! vlan2 -d $(nvram get wan_ipaddr) -j MARK --set-mark 0x80000000/0x80000000
Bad argument `vlan2'
Try `iptables -h' or 'iptables --help' for more information.
FYI. iptables no longer accepts placing the negation (!) after the option and before the argument. It must now be before the option.
Code:
root@Router-Gateway:~# iptables -t mangle -A PREROUTING ! -i vlan2 -d $(nvram get wan_ipaddr) -j MARK --set-mark 0x80000000/0x80000000
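Putting the thread's pieces together as one DD-WRT firewall script, as an added example that is not code from any of the posters: the two loopback rules with the negation placed before -i, an -C check so the script does not stack duplicate rules when DD-WRT re-runs it on WAN-up, and a small helper that rewrites the old "-i ! vlan2" form. The vlan2 default, the wan_ipaddr lookup and the 0x80000000/0x80000000 mark come from the thread; the NATLOOP_APPLY, WAN_IF and WAN_IP variables and the function names are assumptions of this example.

```shell
#!/bin/sh
# NAT loopback (hairpin NAT) for DD-WRT with the current iptables negation
# syntax ("! -i", not "-i !").  Interface name, WAN-IP lookup and mark value
# follow this thread; variable and function names are this example's own.
IPT="${IPT:-iptables}"
MARK="0x80000000/0x80000000"

# Print the two rules NAT loopback needs, one per line, as iptables arguments:
# 1. mark packets arriving on a non-WAN interface but addressed to the WAN IP;
# 2. masquerade marked packets so the LAN server replies via the router instead
#    of straight back to the client (which would break the connection).
nat_loopback_rules() {
  wanif="$1"; wanip="$2"
  printf '%s\n' \
    "-t mangle -A PREROUTING ! -i $wanif -d $wanip -j MARK --set-mark $MARK" \
    "-t nat -A POSTROUTING -m mark --mark $MARK -j MASQUERADE"
}

# Append a rule only if it is not already present (-C checks for it), so the
# script stays idempotent when DD-WRT re-runs it on every WAN-up event.
ensure_rule() {
  rule="$1"
  check=$(printf '%s' "$rule" | sed 's/ -A / -C /')
  if $IPT $check 2>/dev/null; then
    return 0   # already installed
  fi
  $IPT $rule
}

# Rewrite legacy "-i ! vlan2" negation into "! -i vlan2" so an old firewall
# script loads on current iptables (covers -i/-o/-s/-d/-p).
fix_negation() {
  printf '%s\n' "$1" | sed -E 's/(-[iosdp]) ! /! \1 /g'
}

apply_nat_loopback() {
  wanif="${WAN_IF:-$(get_wanface 2>/dev/null || echo vlan2)}"
  wanip="${WAN_IP:-$(nvram get wan_ipaddr 2>/dev/null)}"
  [ -n "$wanip" ] || { echo "WAN IP unknown; set WAN_IP" >&2; return 1; }
  nat_loopback_rules "$wanif" "$wanip" | while IFS= read -r rule; do
    ensure_rule "$rule"
  done
}

# Only touch the firewall when explicitly asked; otherwise just define functions.
if [ "${NATLOOP_APPLY:-0}" = 1 ]; then
  apply_nat_loopback
fi
```

On the router, run it as `NATLOOP_APPLY=1 sh natloop.sh` from the CLI first (as the reply above suggests, so a reboot undoes a mistake), then paste it into the firewall script once it behaves.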