Setting up Port Forwarding and Dealing with Loopbacks on OpenWrt Kamikaze 8.09.1
So I'm a real lover of OpenWrt, but they have got to do something about how difficult it is to do a simple port forward, and especially loopback forwarding. To make matters worse, the way port forwarding is configured changed between White Russian and Kamikaze without good documentation of the changes being published. (I understand this was caused by a change in the underlying program that handles port forwarding.) The following is what I had to do to get my system working the way I need it. As usual, your mileage may vary.
To add a simple port forward, the following 14 lines must be added to the end of your /etc/config/firewall file:
config 'redirect'
    option 'src' 'wan'
    option 'proto' 'tcp'
    option 'src_ip' ''
    option 'src_dport' '25'
    option 'dest_ip' '192.168.1.5'
    option 'dest_port' '25'

config 'rule'
    option 'src' 'wan'
    option 'proto' 'tcp'
    option 'src_ip' ''
    option 'dest_ip' ''
    option 'dest_port' '25'
    option 'target' 'ACCEPT'
For some reason, these didn't want to work when I added them to the /etc/firewall.user file.
For each port you need forwarded, another section with all 14 lines must be added. Update the three port lines and the destination IP line accordingly. My full /etc/config/firewall file looks like this:
config defaults
    option syn_flood 1
    option input ACCEPT
    option output ACCEPT
    option forward REJECT

config zone
    option name lan
    option input ACCEPT
    option output ACCEPT
    option forward REJECT

config zone
    option name wan
    option input REJECT
    option output ACCEPT
    option forward REJECT
    option masq 1

config forwarding
    option src lan
    option dest wan
    option mtu_fix 1

# include a file with users custom iptables rules
config include
    option path /etc/firewall.user

### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#    option src lan
#    option src_ip 192.168.45.2
#    option dest wan
#    option proto tcp
#    option target REJECT

# block a specific mac on wan
#config rule
#    option dest wan
#    option src_mac 00:11:22:33:44:66
#    option target REJECT

# block incoming ICMP traffic on a zone
#config rule
#    option src lan
#    option proto ICMP
#    option target DROP

# port redirect port coming in on wan to lan
#config redirect
#    option src wan
#    option src_dport 80
#    option dest lan
#    option dest_ip 192.168.16.235
#    option dest_port 80
#    option proto tcp

### FULL CONFIG SECTIONS
#config rule
#    option src lan
#    option src_ip 192.168.45.2
#    option src_mac 00:11:22:33:44:55
#    option src_port 80
#    option dest wan
#    option dest_ip 194.25.2.129
#    option dest_port 120
#    option proto tcp
#    option target REJECT

#config redirect
#    option src lan
#    option src_ip 192.168.45.2
#    option src_mac 00:11:22:33:44:55
#    option src_port 1024
#    option src_dport 80
#    option dest_ip 194.25.2.129
#    option dest_port 120
#    option proto tcp

# Port 25
config 'redirect'
    option 'src' 'wan'
    option 'proto' 'tcp'
    option 'src_ip' ''
    option 'src_dport' '25'
    option 'dest_ip' '192.168.1.5'
    option 'dest_port' '25'

config 'rule'
    option 'src' 'wan'
    option 'proto' 'tcp'
    option 'src_ip' ''
    option 'dest_ip' ''
    option 'dest_port' '25'
    option 'target' 'ACCEPT'

# Port 80
config 'redirect'
    option 'src' 'wan'
    option 'proto' 'tcp'
    option 'src_ip' ''
    option 'src_dport' '80'
    option 'dest_ip' '192.168.1.5'
    option 'dest_port' '80'

config 'rule'
    option 'src' 'wan'
    option 'proto' 'tcp'
    option 'src_ip' ''
    option 'dest_ip' ''
    option 'dest_port' '80'
    option 'target' 'ACCEPT'

# Port 443
config 'redirect'
    option 'src' 'wan'
    option 'proto' 'tcp'
    option 'src_ip' ''
    option 'src_dport' '443'
    option 'dest_ip' '192.168.1.5'
    option 'dest_port' '443'

config 'rule'
    option 'src' 'wan'
    option 'proto' 'tcp'
    option 'src_ip' ''
    option 'dest_ip' ''
    option 'dest_port' '443'
    option 'target' 'ACCEPT'

# Port 995
config 'redirect'
    option 'src' 'wan'
    option 'proto' 'tcp'
    option 'src_ip' ''
    option 'src_dport' '995'
    option 'dest_ip' '192.168.1.5'
    option 'dest_port' '995'

config 'rule'
    option 'src' 'wan'
    option 'proto' 'tcp'
    option 'src_ip' ''
    option 'dest_ip' ''
    option 'dest_port' '995'
    option 'target' 'ACCEPT'
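As an added example (not from the original post), the following shell functions generate the redirect/rule pair described above for any port, and check an existing firewall config for a 'redirect' whose matching ACCEPT 'rule' was forgotten, which is the easy mistake when the same 14 lines are repeated by hand. It assumes the Kamikaze 8.09 UCI syntax shown on this page and a POSIX/BusyBox awk; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the Kamikaze 8.09 UCI
# firewall syntax shown above and a BusyBox/POSIX awk (function names are mine).

# gen_forward PORT DEST_IP [PROTO]: print the redirect + rule pair for one port.
gen_forward() {
    port=$1; dest=$2; proto=${3:-tcp}
    cat <<EOF
# Port $port
config 'redirect'
    option 'src' 'wan'
    option 'proto' '$proto'
    option 'src_ip' ''
    option 'src_dport' '$port'
    option 'dest_ip' '$dest'
    option 'dest_port' '$port'

config 'rule'
    option 'src' 'wan'
    option 'proto' '$proto'
    option 'src_ip' ''
    option 'dest_ip' ''
    option 'dest_port' '$port'
    option 'target' 'ACCEPT'
EOF
}

# check_pairs FILE: print every redirect src_dport that has no 'rule' with
# target ACCEPT on the same dest_port (empty output = every redirect is paired).
# Commented-out example sections (#config ...) are ignored.
check_pairs() {
    awk -v q="'" '
        BEGIN { qre = "[" q "\"]" }
        function endsec() {
            if (sec == "redirect" && port != "") redir[port] = 1
            if (sec == "rule" && tgt == "ACCEPT" && port != "") accepted[port] = 1
            sec = ""; port = ""; tgt = ""
        }
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*config/ { endsec(); sec = $2; gsub(qre, "", sec); next }
        /^[[:space:]]*option/ {
            key = $2; val = $3; gsub(qre, "", key); gsub(qre, "", val)
            if (sec == "redirect" && key == "src_dport") port = val
            if (sec == "rule" && key == "dest_port") port = val
            if (sec == "rule" && key == "target") tgt = val
        }
        END { endsec(); for (p in redir) if (!(p in accepted)) print p }
    ' "$1"
}
```

Typical use on the router is `gen_forward 25 192.168.1.5 >> /etc/config/firewall` followed by `check_pairs /etc/config/firewall` before restarting the firewall.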
This works for forwarding ports from the WAN to the LAN. Now we move on to dealing with loopback port forwarding. After skimming the mess that comprises the suggestions for dealing with loopback port forwarding in OpenWrt on the web, I decided to solve the problem in a simpler way: custom hostname entries in my OpenWrt router.
There are two advantages to solving the problem this way.
- It's a whole lot cleaner.
- Connections to the server from inside the network run a lot faster because they don't have to navigate the router.
However, there is also a downside:
- Local DNS entries only work when attempting to contact the server using fully qualified domain names.
In my case, this was all I needed to do, so it seemed like the perfect solution.
I set this up using LuCI, the web interface. Under Administration, Network, Hostnames, you can enter the static hostname information. For all systems on the internal network that get their DNS information from the OpenWrt router, this information overrides the internet DNS information.
So, for example, I host www.sbtechsolutions.biz on my internal network at 192.168.1.5. In LuCI I set the Hostname to be www.sbtechsolutions.biz and the IP Address to be 192.168.1.5. Click Save and Apply and everything works. Now my laptop will connect directly to 192.168.1.5 when I go to http://www.sbtechsolutions.biz when I am on my local wireless network. When I am away it resolves to the external IP of my OpenWrt router and port forwards to 192.168.1.5.
The information entered into LuCI is saved in /etc/hosts. My resulting file looks like this:
# This file is autogenerated, use /etc/hosts.local instead
127.0.0.1 localhost.
192.168.1.5 www.sbtechsolutions.biz
Inspiration for these instructions was taken from Allan Willems Joergensen.

