Firewall question

Jo-Philipp Wich jo at mein.io
Wed Feb 9 11:04:39 PST 2022


Hello Hartmut,

[...]

> If I check the logs from apache2, I see from the lan network only the gateway
> or router IP and no client IPs. From the guest network, I see every individual
> client IP.

Yeah, for lan this is expected. The automatic NAT reflection consists of one
DNAT rule to forward the current_ext_iface_addr:port to the internal
destination and one SNAT rule to rewrite the source of such reflected traffic
to the external (or internal) router IP in order to force responses via the
router which in turn forwards them back to the original requesting client.

Without that additional SNAT, the replies would come from a different source
(DNAT target's internal IP) than where the request was initially sent to
(external WAN IP) from a requesting host's pov. Such an unexpected response is
usually ignored and discarded by the network stack of the requesting host.

Unfortunately that also means that the DNAT target never sees the actual
source IP for reflected traffic.

I do not understand however how the guest routing works in your network
currently...

> Does a way exist to see the individual client IPs from the lan network too? Or
> is this only possible if I configure a third network for the linux
> server?

I am not sure what you mean by 3rd network. Does it mean the server has an
address in the guest subnet? Maybe you can describe its network setup in more
detail...

> 
> Is it possible to do the things of the hotplug script with a standard firewall
> rule in '/etc/config/firewall'?

You mean a DNAT rule that specifically uses the current WAN IP as destination
match (not all WAN interfaces) and not doing reflection?

The following should be equivalent:

config redirect
    option name 'guest: Redirect wan HTTPS from port 443 to 192.168.199.80 on port 8443'
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'tcp'
    option family 'ipv4'
    option src_ip '10.1.0.0/16'
    #option src_ip 'guest' # alternative that does not hardcode guest subnet
    option src_dip 'wan' # sic! "wan" is resolved to the current IP
    option src_dport '443'
    option dest_ip '192.168.199.80'
    option dest_port '8443'
    option reflection '0'


~ Jo
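
The packet flow described in the reply above (DNAT plus SNAT for reflected
lan traffic, plain DNAT for routed guest traffic), as an added Python model
that is not part of the mail and not OpenWrt or firewall4 code. It assumes a
router doing DNAT with a conntrack table that reverses the translation on the
way back; the WAN address 203.0.113.10, the lan subnet 192.168.199.0/24, the
router's lan address 192.168.199.1 and the client addresses are constructed
for the example. Only 192.168.199.80:8443 and the 10.1.0.0/16 guest subnet
come from the redirect in the mail.

```python
"""Model of NAT reflection (hairpin NAT): why the DNAT target sees the router
IP for reflected lan traffic but the real client IP for routed guest traffic.
Addresses marked 'constructed' are invented for this example."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


WAN_IP = "203.0.113.10"                   # constructed: current WAN address
LAN_NET = ip_network("192.168.199.0/24")  # constructed: lan clients + server
GUEST_NET = ip_network("10.1.0.0/16")     # guest subnet (src_ip in the mail)
ROUTER_LAN_IP = "192.168.199.1"           # constructed: router's lan address
SERVER_IP, SERVER_PORT = "192.168.199.80", 8443   # DNAT target from the mail
PUBLIC_PORT = 443                                 # src_dport from the mail


class Router:
    """DNAT to the server, optional SNAT (reflection), and a conntrack table
    that reverses both translations on replies that pass through the router."""

    def __init__(self, reflection: bool):
        self.reflection = reflection
        self.conntrack: Dict[Tuple[str, int, str, int], Packet] = {}

    def request(self, pkt: Packet) -> Optional[Packet]:
        # Match only traffic addressed to the current WAN IP on the public port.
        if pkt.dst != WAN_IP or pkt.dport != PUBLIC_PORT:
            return None
        out = replace(pkt, dst=SERVER_IP, dport=SERVER_PORT)   # DNAT
        if self.reflection:
            out = replace(out, src=ROUTER_LAN_IP)              # SNAT (reflection)
        # Remember the translated tuple so the reply can be mapped back.
        self.conntrack[(out.src, out.sport, out.dst, out.dport)] = pkt
        return out

    def reply(self, pkt: Packet) -> Optional[Packet]:
        orig = self.conntrack.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if orig is None:
            return None
        # Undo SNAT and DNAT: the client must see WAN_IP:443 as the source.
        return Packet(src=orig.dst, dst=orig.src, sport=orig.dport, dport=orig.sport)


def simulate(client_ip: str, reflection: bool) -> dict:
    """Send one request from client_ip to WAN_IP:443 and report what the
    server saw as the source and whether the client's stack accepts the reply."""
    router = Router(reflection)
    req = Packet(src=client_ip, dst=WAN_IP, sport=40000, dport=PUBLIC_PORT)
    at_server = router.request(req)
    # The server answers whatever source address it saw.
    reply = Packet(src=SERVER_IP, dst=at_server.src,
                   sport=SERVER_PORT, dport=at_server.sport)
    # Replies to the router itself or to an off-subnet host pass through the
    # router and get un-NATed; replies to an on-subnet host go direct (L2).
    if reply.dst == ROUTER_LAN_IP or ip_address(reply.dst) not in LAN_NET:
        at_client = router.reply(reply)
    else:
        at_client = reply
    # A host only accepts a reply whose source matches where it sent the request.
    accepted = (at_client is not None
                and at_client.src == req.dst
                and at_client.sport == req.dport)
    return {"server_sees": at_server.src, "client_accepts": accepted}


if __name__ == "__main__":
    for client, refl in [("192.168.199.50", True),   # lan client, reflection on
                         ("192.168.199.50", False),  # lan client, reflection off
                         ("10.1.2.3", False)]:       # guest client, routed
        print(client, "reflection" if refl else "no reflection", simulate(client, refl))
```

The three runs reproduce the observation in the thread: with reflection the
lan client's request works but Apache logs 192.168.199.1 as the peer; without
the SNAT the lan client receives a reply from 192.168.199.80 instead of the
WAN IP and discards it; the guest client, whose reply is routed back through
the router anyway, gets the DNAT undone by conntrack and the server logs the
real client address, which is why `reflection '0'` is sufficient there.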
