Force routing through receiving interface rather than default gateway

  • ATTENTION! As of November 1, 2020, you are not able to reply to threads 6 months after the thread is opened if there are more than 500 posts in the thread.
    Threads will not be locked, so posts may still be edited by their authors.
    Just start a new thread on the topic to post if you get an error message when trying to reply to a thread.

Frank Monroe

Occasional Visitor
I have an RT-AC5300 running ASUS Merlin 386.2. I have opened up a port to a server inside my LAN by using the iptables command listed below. I am using this command instead of the GUI because I also want VPN clients on the ASUS router to allow the port to be forwarded. The port forwarding seems to be working. However, the response from the server is always being routed through default gateway on the router. Is there a way to configure the router so that it sends the response to the connection through the interface in which it came? Thanks in advance.

iptables -A PREROUTING -t nat -p tcp --dport xxxx -j DNAT --to-destination x.x.x.x
 

Frank Monroe

Occasional Visitor
There is no difference between your iptables command and doing it through the GUI. This is a routing problem as you suspected.

For the solution see Example 2 here: https://github.com/RMerl/asuswrt-merlin.ng/wiki/Policy-based-Port-routing-(manual-method)
Excuse my ignorance, but the only way I can get this to work at all is by adding it to PREROUTING. If I add it to VSERVER, which is what the GUI does, it doesn't forward.

And thanks for the link. Thats actually where I stared. I have been trying to interpret that document and by trial and error for two days now and have had no success. The forward part is working. Its the routing back that I am having an issue.
 
Last edited:

eibgrad

Very Senior Member
As @ColinTaylor suggests, this is NOT a port forwarding problem w/ the GUI vs. your own port forwarding rule. The GUI will do the job just fine.

The problem is that for clients on the LAN that are bound to the OpenVPN client, their replies from port forwarding over the WAN are being routed out the VPN (which the stateful firewall will NOT permit). And that's because the router doesn't have any known route back to the remote client other than the default gateway, which is pointing to the VPN.

There are several ways to address it.

1) Remove the server from the OpenVPN client by using Routing Policy and NOT including its source IP in your rule(s).

2) Use an OpenVPN client for remote access rather than access the server directly over the WAN.

3) If the remote client's public IP is well known (e.g., a workplace, frequented wifi cafe), add a static route that binds it to the WAN.

4) Port forward over the VPN rather than the WAN (assuming your VPN provider offers that feature).

5) Port-based PBR (policy based routing).

IOW, there are a multitude of ways to skin this cat, but you have to decide which best suits your purposes. Not all solutions are good in all situations.

FWIW, I recently helped someone configure their Plex server for remote access over the WAN using port-based PBR. Perhaps you'll find it helpful if you decide to take that approach.

 

Frank Monroe

Occasional Visitor
As @ColinTaylor suggests, this is NOT a port forwarding problem w/ the GUI vs. your own port forwarding rule. The GUI will do the job just fine.


4) Port forward over the VPN rather than the WAN (assuming your VPN provider offers that feature).
Actually, the command I sent earlier was not the complete command I am using. What I sent is missing the tun interface. I am actually trying to forward an inbound port only through a particular VPN cient. The actual iptables command I am using is listed below. The forwarding is working as I can see the connection start. In addition, if I change the VPN client on the router to forward all traffic from the destination host through the VPN client gateway, the process works. The problem is, I only want traffic associated with the forwarded port to be routed back instead of all traffic. My issue is, I cannot find a way to configure the routing to accomplish this.

iptables -A PREROUTING -t nat -i tun13 -p tcp --dport xxxx -j DNAT --to-destination x.x.x.x
 

eibgrad

Very Senior Member
The problem is, I only want traffic associated with the forwarded port to be routed back instead of all traffic. My issue is, I cannot find a way to configure the routing to accomplish this.

So what you're saying is that you have the rather unusal case of NOT wanting the server to be bound to the OpenVPN client except for this one port (usually it's the complete opposite).
 

Frank Monroe

Occasional Visitor
So what you're saying is that you have the rather unusal case of NOT wanting the server to be bound to the OpenVPN client except for this one port (usually it's the complete opposite).
I have a server that hosts a web server on a nonstandard port. On my router, I have a VPN client connection to a VPN service that allows me to open that particular port on the public side of the VPN. On my router, I have forwarded the port of the web server. This all works fine if I force all of the traffic from the server through the VPN. However, I do not want the other traffic on that server to use the VPN. I just want the connections from the pubic side of the VPN that have connected to the web server.
 

eibgrad

Very Senior Member
I have a server that hosts a web server on a nonstandard port. On my router, I have a VPN client connection to a VPN service that allows me to open that particular port on the public side of the VPN. On my router, I have forwarded the port of the web server. This all works fine if I force all of the traffic from the server through the VPN. However, I do not want the other traffic on that server to use the VPN. I just want the connections from the pubic side of the VPN that have connected to the web server.

Yes, that's what I said.
 

eibgrad

Very Senior Member
If we assume you're using Routing Policy for other purposes, it seems to me you can simply leverage the router's existing alternate routing table for these purposes (rather than managing your own).

Code:
FW_MARK='0x7000/0x7000'
SERVER_IP='192.168.1.100'
SERVER_PORT='80'
VPN_IF='tun13'
VPN_TID='ovpnc3'

# port forward to webserver over openvpn client network interface
iptables -I PREROUTING -t nat -i $VPN_IF -p tcp --dport $SERVER_PORT -j DNAT --to $SERVER_IP

# mark packets from webserver
iptables -t mangle -I PREROUTING -i br0 -s $SERVER_IP -p tcp --sport $SERVER_PORT -j MARK --set-mark $FW_MARK

# route marked packets from webserver over openvpn client
ip rule add fwmark $FW_MARK table $VPN_TID prio 9990

IOW, mark those packets coming from the webserver such that they get routed over the alternate routing table already established by the OpenVPN client due to Routing Policy. In a sense, you're just creating a rule that otherwise the GUI itself can't handle.

I have no way to test it since my VPN provider doesn't support port forwarding, but that's the general idea.

P.S. As noted in that script I linked to earlier, you *might* need to disable reverse port forwarding as well. Again, since I can't test it, that's something you'll need consider adding if it doesn't work.
 

Frank Monroe

Occasional Visitor
What you listed here is real close to what I had been trying. The difference between yours and mine, I used -A instead of -I on the top two commands. Also, for the second command, I used the wrong interface. And finally, I used 0x4000/0x4000 for the mark. I got that from the examples.

At any rate, its working perfectly. Thanks a lot.
 

Similar threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top