Posted: Mon Mar 07, 2011 22:29 Post subject: NAT Loopback (port forwarding) fix for builds 15760-19969
NAT loopback is once again working since build 19969. This fix should only be needed for builds between 15760-19969.
I spent some time thinking about the best way to fix loopback. Despite some bad documentation throwing me off before, I found that it's possible to mark traffic destined to the WAN IP and then only masquerade the marked traffic. This should allow loopback to work for all local interfaces without causing problems when ebtables is loaded.
Save the following commands to the Firewall Script on the Administration->Commands page to fix loopback.
insmod ipt_mark
insmod xt_mark
iptables -t mangle -A PREROUTING -i ! `get_wanface` -d `nvram get wan_ipaddr` -j MARK --set-mark 0xd001
iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
iptables -t nat -A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE
If you have a block of static IPs using 1:1 NAT then you also need to add another iptables rule to cover your IP block. Edit the netblock (1.1.1.0/24 in the rule below) to be your static IP block and add the rule before the CONNMARK rule.
iptables -t mangle -A PREROUTING -i ! `get_wanface` -d 1.1.1.0/24 -j MARK --set-mark 0xd001
Other ways to fix the loopback problem can be found in this bug ticket:
http://svn.dd-wrt.com:8000/ticket/1868
_________________ Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
Last edited by phuzi0n on Thu Oct 18, 2012 2:19; edited 5 times in total
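As an added example (not phuzi0n's script and not DD-WRT code), the same rule set as a parameterised shell function: it keeps the optional 1:1 NAT MARK rule ahead of the CONNMARK rule, as the post requires, and guards each insertion with `iptables -C` (assumed to exist on the build in use) so that a firewall script which runs again on every WAN restart does not append duplicate rules. Interface names and addresses are placeholders.

```shell
#!/bin/sh
# Added example: build and apply the NAT loopback rules from the post.
# Assumes: get_wanface / nvram exist on the router, iptables supports -C.

MARK=0xd001   # mark value used in the post

# Print one iptables argument list per line.
# $1 = WAN interface, $2 = WAN IP, $3 = optional 1:1 NAT netblock.
loopback_rules() {
    wanif=$1; wanip=$2; block=$3
    echo "-t mangle -A PREROUTING -i ! $wanif -d $wanip -j MARK --set-mark $MARK"
    # The 1:1 NAT block must be marked before the mark is saved to conntrack.
    [ -n "$block" ] && echo "-t mangle -A PREROUTING -i ! $wanif -d $block -j MARK --set-mark $MARK"
    echo "-t mangle -A PREROUTING -j CONNMARK --save-mark"
    echo "-t nat -A POSTROUTING -m mark --mark $MARK -j MASQUERADE"
}

# Append a rule only if an identical one is not already in the chain.
# Returns non-zero if iptables rejects the rule.
apply_rule() {
    check=$(echo "$1" | sed 's/ -A / -C /')
    # shellcheck disable=SC2086
    iptables $check 2>/dev/null || iptables $1
}

# Apply the whole set; stops at the first rule iptables refuses.
apply_loopback() {
    loopback_rules "$@" | while read -r rule; do
        apply_rule "$rule" || return 1
    done
}

# On the router (Firewall Script), for example:
#   apply_loopback "$(get_wanface)" "$(nvram get wan_ipaddr)"
#   apply_loopback "$(get_wanface)" "$(nvram get wan_ipaddr)" 1.1.1.0/24
```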
I spent some time thinking about the best way to fix loopback. Despite some bad documentation throwing me off before, I found that it's possible to mark traffic destined to the WAN IP and then only masquerade the marked traffic. This should allow loopback to work for all local interfaces without causing problems when ebtables is loaded.
insmod ipt_mark
insmod xt_mark
iptables -t mangle -A PREROUTING -i ! `get_wanface` -d `nvram get wan_ipaddr` -j MARK --set-mark 0xd001
iptables -t nat -A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE
Can't you put this in a new ticket?
It's your idea, so I don't want to....
_________________ Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge
It's in the original ticket. It would be good if people try it out just to make sure there's no problems with it. Now that I can compile k2.6 builds, I'll start writing patches myself.
Joined: 31 Aug 2009 Posts: 2448 Location: Third Rock from the Sun
Posted: Wed Mar 09, 2011 5:39 Post subject:
phuzi0n wrote:
It's in the original ticket. It would be good if people try it out just to make sure there's no problems with it. Now that I can compile k2.6 builds, I'll start writing patches myself.
Joined: 04 Jan 2007 Posts: 11564 Location: Wherever the wind blows- North America
Posted: Fri Mar 11, 2011 0:11 Post subject:
Yeah this code takes care of my RT-N16 that connects to a 520gu ftp server on a Client Bridge unit. I am able to access my ftp server from my local LAN.
redhawk
[Attachment: Clipboard01.jpg]
_________________ The only stupid question....is the unasked one.
Last edited by redhawk0 on Tue Mar 15, 2011 11:59; edited 2 times in total
Don't get your hopes up too much. Just focus on testing it please.
Joined: 08 Mar 2011 Posts: 22 Location: Saskatchewan, Canada
Posted: Sun Mar 13, 2011 3:41 Post subject:
Are there any known disadvantages to using this fix (potential security flaw, breaking other features, etc.)?
Working well so far with my WRT310N V2 running std-nokaid-small - build 15940:
Code:
iptables -I INPUT -p udp --sport 67 --dport 68 -j ACCEPT
insmod ipt_mark
insmod xt_mark
iptables -t mangle -A PREROUTING -i ! `get_wanface` -d `nvram get wan_ipaddr` -j MARK --set-mark 0xd001
iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
iptables -t nat -A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE
Keep up the great work by the way, it is very much appreciated.
Mark
PS - the first line is because I connect through a 2Wire 2701HG-S Gateway for my Internet in DMZplus mode.
_________________ *Linksys WRT310N v2 with DD-WRT v24-sp2 (12/18/10) std-nokaid-small - build 15940
Last edited by wavracer on Fri Feb 24, 2017 6:38; edited 1 time in total
Are there any other known disadvantages (other than bad QoS scripts) to using this fix (potential security flaw, breaking other features, etc.)?
Nope, it shouldn't break any of the built in features.
Joined: 16 Mar 2011 Posts: 111 Location: Saskatoon, SK, Canada
Posted: Wed Mar 23, 2011 14:52 Post subject:
This has been running well on my E2000 with build 15943 for a couple days now. It hasn't affected anything negatively. My PPTP server still works, and is accessible from inside and outside my LAN, and that's all I need.
wavracer wrote:
PS - the first line is because I connect through a 2Wire 2701HG-S Gateway for my Internet in DMZplus mode.
@wavracer: Are you on Sasktel? I will send you a PM so as to not muck up this thread with off topic stuff.