[SOLVED] LAN request looping back via WAN IP

BiberBb
DD-WRT Novice


Joined: 01 Sep 2013
Posts: 9

PostPosted: Wed Nov 16, 2022 16:51    Post subject: [SOLVED] LAN request looping back via WAN IP
Hi everyone

My R7000 (Firmware: DD-WRT v3.0-r44340 std (09/10/20)) does something very peculiar, and I'm looking for your help here to understand why.

Setup is simple:
WAN IP is 192.168.178.6 (connected to Fritz on 192.168.178.1)
LAN IP is 192.168.1.1/24, running DHCP etc.

When I now ssh into the router and ping my laptop on 192.168.1.120, tcpdump on the laptop tells me it receives the ping from 192.168.178.6, i.e. the router's WAN IP.

The router is not even shy about telling me the same thing. Looking at its conntrack, there is this line:
ipv4 2 icmp 1 27 src=192.168.1.1 dst=192.168.1.120 type=8 code=0 id=9017 packets=5 bytes=420 src=192.168.1.120 dst=192.168.178.6 type=0 code=0 id=9017 packets=5 bytes=420 mark=0 use=2


My first thought was that my routing table was messed up, but things look rather straight forward there:

Destination    Gateway        Genmask         Flags  Metric  Ref  Use  Iface
0.0.0.0        192.168.178.1  0.0.0.0         UG     0       0    0    vlan2
127.0.0.0      0.0.0.0        255.0.0.0       U      0       0    0    lo
192.168.1.0    0.0.0.0        255.255.255.0   U      0       0    0    br0
192.168.178.0  0.0.0.0        255.255.255.0   U      0       0    0    vlan2

(Also checked policy routing tables, nothing there)


I tried being smart and told the router to explicitly use br0 for the ping:
Code:
ping -I br0 192.168.1.120

but same result. The laptop receives the ICMP packets from the router's WAN IP.

CAN ANYONE EXPLAIN THIS???

To make it even more confusing for me, I tried pinging from the other direction (laptop -> router).
Surprisingly enough, in this case the router responds with its LAN interface.

Please stop my suffering and help me get my head around this behaviour...

Thank you in advance and best regards
Biberbb
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

PostPosted: Wed Nov 16, 2022 17:30    Post subject:
So I see something different: your router sends the ICMP packet via 192.168.1.1 to 192.168.1.120, and your notebook sends the reply back to 192.168.178.6.

Last edited by ho1Aetoo on Wed Nov 16, 2022 17:31; edited 1 time in total
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6408
Location: UK, London, just across the river..

PostPosted: Wed Nov 16, 2022 17:30    Post subject:
44340 is a very old build, the latest is 50841 with lots of security fixes and binary updates...
I guess nobody here will diagnose such an old build... please update and reset + manually rebuild settings, do not use a save file from different builds... and then try again...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
BiberBb
DD-WRT Novice


Joined: 01 Sep 2013
Posts: 9

PostPosted: Wed Nov 16, 2022 18:15    Post subject:
Thanks for the quick responses.

@ho1Aetoo
This is the tcpdump snippet as the laptop sees it:
17:25:06.455387 IP 192.168.178.6 > 192.168.1.120: ICMP echo request, id 9017, seq 4, length 64
17:25:06.455457 IP 192.168.1.120 > 192.168.178.6: ICMP echo reply, id 9017, seq 4, length 64

So the packets are definitely coming from the router's WAN IP, no doubt about that...
Any other thought?

@Alozaros
Upgrading will be my last resort. I have played around with recent builds a while ago, and was disappointed to encounter many (!) bugs and instabilities. The 44340 has proven very reliable for me so far.

Thanks and best regards
Biberbb
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6408
Location: UK, London, just across the river..

PostPosted: Wed Nov 16, 2022 22:15    Post subject:
BiberBb wrote:

@Alozaros
Upgrading will be my last resort. I have played around with recent builds a while ago, and was disappointed to encounter many (!) bugs and instabilities. The 44340 has proven very reliable for me so far.

Thanks and best regards
Biberbb


well.. you are missing security vs smoked stability... my R7000 is rock-solid on the last build 50841.. and it usually is... but I know what I'm doing with it (it's in my signature) and what I want to achieve with it...
Not to mention heavily exploited CVEs due to a lack of updates and bug fixes (your old build)... DNSmasq, OpenSSL, Dropbear, OpenVPN and other binaries full of holes and bugs... but you know your thing...
Do you have NAT to WAN redirection or SFE enabled... on the old builds there were bugs with those...
To be honest you need to expose your settings, because at the moment it is only 20% (showing your results) and 80% guessing...

If you need help you start with details of your set up, results, things you tried, results you had, current build running, router model etc.... all possible details... otherwise the level of help will go down to zero (0)...

Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6856
Location: Romerike, Norway

PostPosted: Thu Nov 17, 2022 7:46    Post subject:
It can also be a misplaced NAT rule that NATs traffic out the LAN.
BiberBb
DD-WRT Novice


Joined: 01 Sep 2013
Posts: 9

PostPosted: Thu Nov 17, 2022 8:38    Post subject:
Thank you for your responses!

@Per Yngve Berg
Thank you - you are spot on! I found a straying iptables rule in the POSTROUTING nat table, rewriting the src to the WAN IP. Probably a not properly cleaned-up left-over from settings-playing god knows how long ago... how embarrassing.


@Alozaros
Thank you also for your long answer. I looked into the NAT to WAN and SFE, and while not being the root cause of my problem, learned interesting new things about these functions.
I also will consider upgrading to a more recent build in time - so thanks also for that recommendation.

Sorry that the problem was a self-made one, probably wasting all of your time - and again thanks!

Best regards
Biberbb
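An added example, not from the thread or from DD-WRT itself: a small POSIX shell script that finds the kind of stray rule Per Yngve Berg describes. It lists POSTROUTING SNAT/MASQUERADE rules that are not restricted to the WAN interface (vlan2 here, as in the routing table above) and extracts the source-NAT fingerprint from a /proc/net/nf_conntrack line like the one in the first post, where the reply tuple's destination differs from the original source. The rule set and the conntrack line are constructed samples, not output from the poster's router.

```shell
# Constructed sample of `iptables -t nat -S POSTROUTING` output, modelled on the
# thread (not captured from the poster's router): one correct masquerade on the
# WAN interface, plus two stray SNAT rules that also hit packets leaving via br0.
SAMPLE_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -o vlan2 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 192.168.178.6
-A POSTROUTING -o br0 -j SNAT --to-source 192.168.178.6'

# Constructed /proc/net/nf_conntrack line in the format quoted in the first post.
SAMPLE_CT='ipv4 2 icmp 1 27 src=192.168.1.1 dst=192.168.1.120 type=8 code=0 id=9017 packets=5 bytes=420 src=192.168.1.120 dst=192.168.178.6 type=0 code=0 id=9017 packets=5 bytes=420 mark=0 use=2'

# find_stray_snat WAN_IF RULES: print every POSTROUTING rule that rewrites the
# source address (SNAT or MASQUERADE) without being restricted to the WAN
# interface. Such a rule matches router-originated packets going out br0 too.
find_stray_snat() {
    wan_if="$1"
    printf '%s\n' "$2" | while IFS= read -r rule; do
        case "$rule" in
            "-A POSTROUTING"*) ;;
            *) continue ;;
        esac
        case "$rule" in
            *"-j SNAT"*|*"-j MASQUERADE"*) ;;
            *) continue ;;
        esac
        case "$rule" in
            *"-o $wan_if "*|*"-o $wan_if") continue ;;
        esac
        printf '%s\n' "$rule"
    done
}

# count_stray_snat WAN_IF RULES: number of rules flagged above.
count_stray_snat() {
    find_stray_snat "$1" "$2" | wc -l | tr -d ' '
}

# snat_fingerprint CT_LINE: print "orig_src reply_dst" when the reply tuple's
# destination differs from the original source, i.e. source NAT was applied.
snat_fingerprint() {
    printf '%s\n' "$1" | awk '{
        s = 0; d = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/) { s++; if (s == 1) osrc = substr($i, 5) }
            if ($i ~ /^dst=/) { d++; if (d == 2) rdst = substr($i, 5) }
        }
        if (osrc != rdst) print osrc, rdst
    }'
}
```

On a live router, feed the real output in with `find_stray_snat vlan2 "$(iptables -t nat -S POSTROUTING)"` and `snat_fingerprint "$(grep 192.168.1.120 /proc/net/nf_conntrack)"`; any rule it prints is a candidate to review, and a non-empty fingerprint confirms the rewrite is happening before the packet reaches the LAN.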