Posted: Fri Dec 15, 2023 6:50 Post subject: NAT loopback not working with SFE set to CTF
Thought this one would be easier to figure out, but nothing I can find seems to address it directly for dd-wrt. Long story short, I have a server behind a dd-wrt router that I access using a public domain name, and everything's working fine from outside the network both with and without the "Shortcut Forwarding Engine" set to CTF. However, when it comes to accessing that same server from within the network using the domain name, it stops working when CTF is enabled, but works fine when set to either SFE or Disabled. CTF is required to fully utilize my current WAN speeds, so I'd really like to see if I can get it working before I give up and get a new router.
I've seen suggestions that this can be addressed via an iptables rule to mark packets coming from within the network with 0x01/0x07, but it's unclear to me whether this is a working solution for dd-wrt or only for tomato firmwares.
The router is an Asus RT-AC68R running DD-WRT v3.0-r53469 std (09/08/23).
Entering the local address is the only workaround I have right now, but there's a variety of services on the server tied to different subdomains which are pretty easy to remember by name, but less so trying to remember which port does what. It's also a bit of a hassle on mobile devices that can access everything fine remotely, but not at home.
Having the addresses in a local DNS server isn't workable as far as I can tell, since these services are hosted as containers in a single kubernetes cluster and none of them use "standard" ports on the local network.
Is it really the case that CTF just does not work with NAT loopback on dd-wrt, full stop?
https://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html
_________________ "The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost
"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio
Okay, I'll be the Huckleberry Snagglepuss Barista here and ask for further amplifying information on what the larger picture is. Should we presume that the ports are related to protocols or separate domain names here?
Each exposed port on the machine is tied to a specific subdomain via a reverse proxy, which itself is listening on port 30443 since the administration page for the server is already on port 443.
Per Yngve Berg wrote:
Create Service Records instead of A Records in DNS. They contain a port.
I...didn't know that was a thing. I thought DNS had no concept of ports at all. I'll give it a look, why not. As long as I can get the primary domain to hit the reverse proxy on port 30443, I assume that'll take care of the rest of the subdomains the same as before.
Still, I'm left wondering why CTF + NAT loopback is a complete nonstarter. Supposedly it's possible to get working on the Tomato firmware, but it doesn't look like there was ever a resolution for dd-wrt. I had assumed it was just because my iptables skills are...somewhat lacking, but I guess there's some architectural or performance reason this won't work on dd-wrt?
Each exposed port on the machine is tied to a specific subdomain via a reverse proxy, which itself is listening on port 30443 since the administration page for the server is already on port 443.
Sounds like an overcomplicated mess when virtual interface/IPs could probably make it simpler, but it's not my circus nor my monkeys.
Per Yngve Berg wrote:
Create Service Records instead of A Records in DNS. They contain a port.
It's actually pretty straightforward, all the services are hosted in docker and when adding a new one I can just open up nginx proxy manager and add a new subdomain tied to the service port, no need to forward any ports or create virtual interfaces. Management doesn't need to involve the router at all other than forwarding 443 => 30443, which I rather enjoy especially when it comes time to update the firmware.
As far as the service record thing, the command you reference is for specifying an upstream DNS server...doesn't really apply here since it just redirects the DNS query itself. A SRV record is specified as, for example:
Code:
srv-host=example.com,192.168.0.200,30443
I'm able to get dnsmasq to return the correct value when querying the SRV record using nslookup, but there seems to be some secret sauce for getting the browser to request a SRV record rather than an A record. Also tried specifying the service and protocol type as in the below, with the same results:
CTF is proprietary Broadcom. The devs at dd-wrt have no control over it.
Yeah totally, I'm aware it's a black box. Was just hoping there might be a way to exempt certain traffic before it gets stuffed into the box, though that's not looking promising