Help with OpenWRT firewall & miniupnpd settings - IPsec / Back to my Mac

[tristanc]

Hello all, first-time poster, long-time lurker here. I'm looking for some assistance with the configuration of a physically remote OpenWRT setup detailed below. I've cross-posted from https://forum.openwrt.org/viewtopic.php?id=55797 as there may be a wider issue with 4G / double NAT etc...

Device: Raspberry Pi
Release: Barrier Breaker
Version: r44365
External access: 4G dongle attached to wwan0
Internal access: wireless access point attached to eth0
Topography: 4G dongle has its own network giving 192.168.1.100 to wwan0, external access through 192.168.1.1. I've configured the dongle to put 192.168.1.100 in its DMZ (this is an attempt to avoid double NAT issues). The internal network is on 192.168.3.x.

Aim: To be able to access the computers attached to the local network using Apple's Back to my Mac service.

Issue: After initial set-up (miniupnpd NOT installed) I was able to access the machines via Back to my Mac (ssh / screen sharing etc) but with a warning about upnp / natpmp not working on the router - and the performance wasn't great. I then installed miniupnpd hoping this would allow the internal machines to open ports and thus the services to run properly. I now have no access to the machines via Back to my Mac.

Luckily, I set up a reverse ssh tunnel using autossh prior to doing all this, so I can get in to the Pi from my location!

I'd really appreciate if someone could look at my config files and see if something is incorrectly set. Below are my network, dhcp, firewall and upnp files. As I wrote above, I had services working (but with warnings) before miniupnpd was installed, which makes me think the issue may lie in the firewall / upnp configs...

Many thanks!

# cat network 

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config interface 'lan'
    option ifname 'eth0'
    option proto 'static'
    option ipaddr '192.168.3.1'
    option netmask '255.255.255.0'
    option ip6assign '60'

config interface 'wwan'
    option ifname 'wwan0'
    option proto 'dhcp'

config globals 'globals'
    option ula_prefix 'fdc6:56ef:a600::/48'

# cat dhcp

config dnsmasq
    option domainneeded '1'
    option boguspriv '1'
    option filterwin2k '0' #added to enable SRV records -> https://jamezpolley.com/2009/09/openwrt-dnsmasq-miniupnpd-and-back-to-my-mac/
    option localise_queries '1'
    option rebind_protection '1'
    option rebind_localhost '1'
    option local '/lan/'
    option domain 'local'
    option expandhosts '1'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    option resolvfile '/tmp/resolv.conf.auto'
#    option server 8.8.8.8
#    option server 8.8.4.4

config dhcp 'lan'
    option interface 'lan'
    option start '3'
    option limit '250'
    option leasetime '12h'
    option dhcpv6 'server'
    option ra 'server'
    option ra_management '1'
#    list dhcp_option '6,192.168.1.1'
    list dhcp_option '6,8.8.8.8'

config dhcp 'wan'
    option interface 'wan'
    option ignore '1'

config odhcpd 'odhcpd'
    option maindhcp '0'
    option leasefile '/tmp/hosts/odhcpd'
    option leasetrigger '/usr/sbin/odhcpd-update'

# cat firewall

config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option network 'lan'

config zone
    option name 'wan'
    option output 'ACCEPT'
    option mtu_fix '1'
    option input 'REJECT'
    option forward 'REJECT'
    option masq '1'
    option network 'wan wan6 wwan'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fe80::/10'
    option src_port '547'
    option dest_ip 'fe80::/10'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config include
    option path '/etc/firewall.user'

config include 'miniupnpd'
    option type 'script'
    option path '/usr/share/miniupnpd/firewall.include'
    option family 'any'
    option reload '1'

# cat upnpd

config upnpd 'config'
    option enable_natpmp '1'
    option enable_upnp '1'
    option download '1024'
    option upload '512'
    option internal_iface 'lan'
    option port '5000'
    option upnp_lease_file '/var/upnp.leases'
    option uuid 'XXXXXXXXXXXXXXXXXX'
    option log_output '0'

config perm_rule
    option action 'allow'
    option ext_ports '1024-65535'
    option int_addr '0.0.0.0/0'
    option int_ports '1024-65535'
    option comment 'Allow high ports'

config perm_rule
    option action 'deny'
    option ext_ports '0-65535'
    option int_addr '0.0.0.0/0'
    option int_ports '0-65535'
    option comment 'Default deny'

 

[System Error Message]

If you are using NAT and want to access local devices you need to use port forwarding using the rules.

The strange thing is that your LAN interface is defined as 192.168.3.0 while your actual LAN devices are getting 192.168.1.0 IPs from your router. You need to change the dhcp addresses or LAN interface address otherwise your devices cannot communicate because the gateway isnt on the same network.

The WAN interface you defined is the interface of the usb dongle and should be getting your WAN IP. If your ISP does NAT you would get a LAN IP from this which makes remote access and port forwarding impossible (unless it is 1-2-1 NAT). For the port forwarding tutorial please refer to the openwrt wiki for accessing a specific device remotely. If you want to access the network remotely you will need to use VPN.

Please also give an output of ifconfig ( you can blank out most of the WAN IP before posting), your configuration looks correct but again you may need to either port forward or use VPN depending on what you want. It is interesting that you can install openwrt onto raspberry pi but i find it limiting because of lack of number of ethernet ports and gigabit ethernet.

To use IPSEC you will need a tunnel to use it with such as with L2TP or even GRE. VPN/tunnel is considered an interface so to make it work you will need to create that interface in openwrt and include it in your LAN zone. Because VPN is also a service/server you will need to create an allow rule in the firewall in WAN zone at the ports involved to allow connections. If you configured your LAN zone to have NAT than you will not need to do any additional configurations. You will also need to bridge your VPN/tunnel interface with your other LAN interfaces too.

 

[tristanc]

Thanks for the help.

If you are using NAT and want to access local devices you need to use port forwarding using the rules.

The strange thing is that your LAN interface is defined as 192.168.3.0 while your actual LAN devices are getting 192.168.1.0 IPs from your router. You need to change the dhcp addresses or LAN interface address otherwise your devices cannot communicate because the gateway isnt on the same network.

Perhaps I needed to give more details. The 4G dongle is a Huawei E8278. This model features onboard wifi (disabled for this use) and its own DHCP server, web server for admin etc. This means the dongle presents the gateway 192.168.1.1 with the Pi USB interface given 192.168.1.100.

I then share this connection using OpenWRT acting as DHCP on the internal LAN on 192.168.3.x

In an attempt to avoid double NAT I configured the dongle to put 192.186.1.100 in its DMZ - the thinking being that it would act as transparent as possible. I guess this isn't the case?

The WAN interface you defined is the interface of the usb dongle and should be getting your WAN IP. If your ISP does NAT you would get a LAN IP from this which makes remote access and port forwarding impossible (unless it is 1-2-1 NAT). For the port forwarding tutorial please refer to the openwrt wiki for accessing a specific device remotely. If you want to access the network remotely you will need to use VPN.

I am thinking I actually have triple NAT... Firstly carrier grade NAT for the dongle's external connection, then the dongle's internal network, then the Pi's internal network.

So whilst http / ssh traffic works from the inside, getting in from the outside would be impossible in this configuration?

Please also give an output of ifconfig ( you can blank out most of the WAN IP before posting), your configuration looks correct but again you may need to either port forward or use VPN depending on what you want. It is interesting that you can install openwrt onto raspberry pi but i find it limiting because of lack of number of ethernet ports and gigabit ethernet.

eth0      Link encap:Ethernet  HWaddr B8:27:EB:4D:B7:34  
          inet addr:192.168.3.1  Bcast:192.168.3.255  Mask:255.255.255.0
          inet6 addr: fe80::ba27:ebff:fe4d:b734/64 Scope:Link
          inet6 addr: fdc6:56ef:a600::1/60 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:632475 errors:0 dropped:12139 overruns:0 frame:0
          TX packets:949249 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:218062986 (207.9 MiB)  TX bytes:624914219 (595.9 MiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:16566 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16566 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1744563 (1.6 MiB)  TX bytes:1744563 (1.6 MiB)

wwan0     Link encap:Ethernet  HWaddr 0C:5B:8F:27:9A:64  
          inet addr:192.168.1.100  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::e5b:8fff:fe27:9a64/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:674823 errors:0 dropped:0 overruns:0 frame:0
          TX packets:431151 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:521626960 (497.4 MiB)  TX bytes:1835982889 (1.7 GiB)

Thanks again for the reply.

From further reading I've done, it looks like I'll have to work out how to run the dongle as a ppp device rather than an nmc / HiLink device. This, I hope, would disable the dongle's internal server, thus removing this NAT stage, and presenting an 'external' IP to the Pi to act as gateway...

Tristan

 

[System Error Message]

try to run the dongle in bridge mode and do the dialing from the pi. Once you've sorted that out it should be much easier. DMZ does work but is not necessary for VPN, port forwarding one or 2 ports is sufficient.

for double NAT you can double port forward or use DMZ + port forward. Its very simple such as forwarding port 800 from dongle to port 800 on pi and the same thing on the pi to the target machine.

IPSEC needs a tunnel which can be L2TP, GRE and so on. If you intend to gain access to your network externally than i suggest you create an L2TP interface/server on the pi in openwrt and use IPSEC on that. using another sort of tunnel like GRE requires that the person connecting or other end also supporting it.

 

[tristanc]

Thanks again.

I've posted elsewhere to find out how to bridge the dongle: http://www.draisberghof.de/usb_modeswitch/bb/viewtopic.php?f=3&t=2227

Agreed, it would be a lot easier! However, I am not sure is this is going to be possible as the device doesn't respond with a 'MODEM' port given a AT^SETPORT=? command.

If not, I may have to give the port forwarding go - but would this work with multiple DHCP clients? There are multiple devices connected to the LAN - and it is key that (1) Apple's FaceTime works (it does under the current setup) and (2) Apple's Back to my Mac screen sharing works (this did work before I installed miniupnpd and perhaps implemented the DMZ, but now doesn't...)

Btmm works on TCP 443, 500, 4488, 5223 & UPD 1900, 4500, 5350, 5351, 5353, 49152-65535 according to http://support.apple.com/en-gb/HT202944 & http://en.wikipedia.org/wiki/Back_to_My_Mac

Although I've reached my limit knowing which ones to forward / open.

 

[tristanc]

I take it back - Josh at usbmodeswitch has replied and he thinks I should be able to use the dongle's ppp fallback mode.

 

[System Error Message]

Once you configure the modem you just need to create the L2TP server with IPSEC, put it in LAN zone and bridge it with the rest of your LAN interfaces and set the L2TP service to allow in WAN. VPN is just another service just as ssh or ftp is so the configurations should be similar for allowing connections from WAN.

Once you have L2TP up and running you will need to implement IPSEC with it and you should than be able to access your network remotely as long as the device you use supports IPSEC over L2TP.

If you cant get your modem to ppp fallback mode DMZ should work fine. Throughput would be limited to your 4G speeds and pi processing power for the VPN. Without DMZ the only ports you need to forward are the ones that L2TP and IPSEC use.

 

[tristanc]

No luck with the fallback mode as yet... Although this does look the most promising method of resolving the issue and getting a stable / simple solution.