Solved Potential bug with UDP NAT loopback/hairpinning


RMerlin

Asuswrt-Merlin dev
The main reasons why my custom NAT loopback was removed were:

- Requires packet marks that can conflict with Trend Micro (they reserve almost all bits for their own use)
- The mangle rule can be lost whenever the Trend Micro engine decides it needs to reconfigure the mangle table

So since that was no longer reliable, it was removed a few years ago.
 

Jargon

Occasional Visitor
I think you'd have to enable JFFS custom scripts and configs in the GUI (Administration - System) and create a firewall-start script that contains your iptables command.
Thanks for the direction and all the help with this. The script is in place and happily doing its thing now.

The main reasons why my custom NAT loopback was removed were:

- Requires packet marks that can conflict with Trend Micro (they reserve almost all bits for their own use)
- The mangle rule can be lost whenever the Trend Micro engine decides it needs to reconfigure the mangle table

So since that was no longer reliable, it was removed a few years ago.
Yea, I read about the reliability issue from the commit logs and previous discussions around it. Interesting (and annoying) about the Trend Micro stuff though.

And thank you for your hard work on this fantastic firmware! :)
 
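The firewall-start script mentioned above is not shown in the thread. The following is an added example (not any poster's script, and not part of the firmware) of what such a script could look like. It assumes the hairpin rule is a LAN-to-LAN MASQUERADE in the nat POSTROUTING chain, that br0 is the LAN bridge, and that the port 25565 and the fallback subnet are constructed values; on routers where CTF hardware acceleration short-cuts UDP flows, the CTF bypass discussed in this thread may still be needed in addition.

```shell
#!/bin/sh
# /jffs/scripts/firewall-start  (example script, not from the thread)
# Asuswrt-Merlin re-runs firewall-start every time the firewall is rebuilt,
# so each rule must be added idempotently: check with -C before -A.

# Assumption: internal UDP port(s) of the forwarded service (post-DNAT port).
HAIRPIN_UDP_PORTS="${HAIRPIN_UDP_PORTS:-25565}"

# LAN subnet in CIDR form, taken from nvram when available. The fallback
# values are constructed for offline use and do not belong to a real router.
lan_subnet() {
    ip=$(nvram get lan_ipaddr 2>/dev/null)
    mask=$(nvram get lan_netmask 2>/dev/null)
    [ -n "$ip" ] || ip="192.168.50.1"
    [ -n "$mask" ] || mask="255.255.255.0"
    # prefix length = number of set bits in the dotted mask
    bits=0
    for octet in $(echo "$mask" | tr '.' ' '); do
        while [ "$octet" -gt 0 ]; do
            bits=$((bits + ($octet & 1)))
            octet=$(($octet >> 1))
        done
    done
    # network address = ip AND mask, computed octet by octet
    net=""
    set -- $(echo "$ip" | tr '.' ' ')
    for m in $(echo "$mask" | tr '.' ' '); do
        net="$net.$(( $1 & $m ))"
        shift
    done
    echo "${net#.}/$bits"
}

# Hairpin rule: LAN client -> WAN IP is DNATed by the port forward to a LAN
# server; rewriting the source to the router forces the reply back through
# the router instead of letting the server answer the client directly.
hairpin_rule() {
    # $1 = LAN subnet (CIDR), $2 = internal UDP port
    echo "POSTROUTING -o br0 -s $1 -d $1 -p udp --dport $2 -j MASQUERADE"
}

apply_hairpin_rules() {
    subnet=$(lan_subnet)
    for port in $HAIRPIN_UDP_PORTS; do
        rule=$(hairpin_rule "$subnet" "$port")
        # -C exits non-zero when the rule is absent; only then append it
        iptables -t nat -C $rule 2>/dev/null || iptables -t nat -A $rule
    done
}

# Only touch the firewall when actually running as root on the router.
if command -v iptables >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    apply_hairpin_rules
fi
```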

Jargon

Occasional Visitor
My next LTS fork release will move the udp rule from mangle FORWARD to PREROUTING...

I was going to enquire about the possibility of doing this to @RMerlin but I wasn't sure if it would cause other problems.

https://github.com/RMerl/asuswrt-me...b10485/release/src/router/rc/firewall.c#L4498 (edit: wrong repo, my bad)

https://github.com/RMerl/asuswrt-merlin.ng/blob/master/release/src/router/rc/firewall.c#L6135

This line is never hit because there is no way to set ctf_pt_udp (that I can tell) apart from with nvram set and, as @ColinTaylor mentioned, it's too late in the flow to actually do anything. It would be awesome if the rule here could also be moved to PREROUTING as well so that it can be enabled with nvram set (or maybe enabled by default) without the need for custom user scripts.

Ofc, I could just be misunderstanding what that rule actually does :)
 

Jack Yaz

Part of the Furniture
I was going to enquire about the possibility of doing this to @RMerlin but I wasn't sure if it would cause other problems.

https://github.com/RMerl/asuswrt-me...b10485/release/src/router/rc/firewall.c#L4498

This line is never hit because there is no way to set ctf_pt_udp (that I can tell) apart from with nvram set and, as @ColinTaylor mentioned, it's too late in the flow to actually do anything. It would be awesome if the rule here could also be moved to PREROUTING as well so that it can be enabled with nvram set (or maybe enabled by default) without the need for custom user scripts.

Ofc, I could just be misunderstanding what that rule actually does :)
equivalent in the current codebase https://github.com/RMerl/asuswrt-merlin.ng/blob/master/release/src/router/rc/firewall.c#L6135
 

gras

New Around Here
Connecting from LAN to WAN IP (or ddns name) was possible for me. I had both google and opendns servers in "DNS Server 1" and 2 fields under Advanced Settings -> LAN -> DHCP Server.

Then I changed "Advertise router's IP in addition to user-specified DNS" to "Yes" and blanked the DNS Server 1 and 2 fields under Advanced Settings -> LAN -> DHCP Server. This effectively let the router become the primary DNS server for machines on the LAN, and let it resolve internal hostnames, so I could do things like "ping machineX" and connect to LAN minecraft servers by machine name and port. Unfortunately, the router didn't resolve its own WAN address, so other things stopped working.

A simple fix for me, was to go to Advanced Settings -> WAN -> Internet Connection (tab) -> WAN DNS Setting (scroll down) -> enter google, opendns or other DNS servers in DNSServer1 and 2, and (importantly) set "Forward local domain queries to upstream DNS" to yes.
- With these settings, I can still resolve internal host names, but also access the WAN IP (with port forwarding working) from the LAN.

While it probably has some drawbacks, compared to the lost loopback setting, it does work with the mentioned settings that are available on Asuswrt-Merlin 386.3_2. Perhaps also on stock firmware. My router is an RT-AC88U that is meshed with an RT-AC68U (node).

I hope this helps someone. It took me some time to figure out :)
 
