[Answered] Question with iptables FORWARD log

Technolink

New Around Here
Hey everyone,

I followed this guide to set up WOL for a Plex server using iptables to log when a certain port is forwarded to, then a while loop in wan-start that picks up on the log and does a WOL for the Plex server.

This worked great for the last year, but I noticed a few weeks ago it stopped working. I think the problem is I'm no longer seeing the "PLEX LAN Connection" logs in my /tmp/syslog.log.

I checked the iptables and the rules are still being applied. For sanity I set the router back to default settings (after also doing the 384.5 update) and redid the guide, still nothing. iptables -nvL reveals the rules aren't being hit at all. Here's the dump: https://pastebin.com/qDtbeeQX

I'm sure Plex is still using port 32400. I ran Wireshark on my server to double check and it was seeing a lot of traffic on that port whenever I start a Plex client.

Does anyone know how to troubleshoot the iptables to see why the rules aren't being hit? Any help is much appreciated!
 
Your WAN interface is now vlan2 instead of eth0. This happens when you switch between having hardware acceleration enabled and not.
 
Thanks for the quick response. I went ahead and added a 3rd rule for vlan2, but it also isn't being hit. I'm doing my testing all on local LAN, so it should be on br0. WAN isn't working right now (unrelated ISP issues).

I should probably mention I'm using a RT-AC68P on 384.5.
 
AFAICT that script won't work for LAN-only traffic because the traffic is switched not routed, therefore it never gets as far as the iptables rules.

Ah ha! So what must have happened here was that the WOL for LAN traffic was never working, and Plex must have been reaching out over the WAN even for local machines (maybe just doing a probe or something). My ISP blocked incoming WAN traffic so I don't have that option anymore.

So now I just need to find a solution to detect LAN-only traffic. Do you know of any way to interact with switched traffic? I'm not too familiar with iptables and networking, but I can write a bash script if I know what to target.
 
Were you previously using your WAN IP address and port forwarding that to your internal server? If so, you could still try that from inside your LAN.
 
Yes, I was previously using WAN IP (with dynamic DNS to bind to a URL) + port forwarding to access the internal server. It won't work anymore because my ISP is blocking incoming traffic, so using my WAN IP even with port forwarding won't get me to my internal network anymore :(

I'm working with my ISP, they put my neighborhood behind a NAT and want to charge business pricing for a static IP now. I'll probably end up putting a VM up in AWS with a public IP, then tunnel from there, but that's work for another day.
 
It shouldn't matter provided you use the WAN IP address of your router (not a DDNS name). Because the IP address is not part of your LAN it will be routed through the router. The router will realise that the IP address belongs to itself and send it back to the LAN (i.e. NAT loopback). So even though the traffic never leaves the router it is still routed, meaning it is affected by iptables rules.
 
That works! Using the WAN IP I see the "Plex LAN Connection" being logged now, and WOL packet being sent. I had to go to all my Plex clients and manually add the server using that address, but that's fine.

I did get tripped up on the WAN IP. I thought that was my public IP, which wasn't working. For anyone else reading this that wants to know, the WAN IP can be found by SSHing into the router and running
Code:
nvram get wan_ipaddr

Thanks Colin for all of your help!
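
Added example, not part of any post in this thread: a small shell helper for checking which interfaces the logged Plex connections actually traverse (eth0, vlan2 or br0), which is the question the thread kept coming back to. The log prefix, port 32400 and /tmp/syslog.log are taken from the thread; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Prefix and port are the ones mentioned
# in the thread; the sample log lines written by write_sample are constructed.
PREFIX="PLEX LAN Connection"
PORT=32400

# summarize_hits FILE: print "IN OUT SRC COUNT" for each logged flow to $PORT.
# The prefix match is case-insensitive because the thread spells it both ways.
summarize_hits() {
    awk -v prefix="$PREFIX" -v port="$PORT" '
        index(tolower($0), tolower(prefix)) == 0 { next }
        {
            in_if = out_if = src = dpt = ""
            for (i = 1; i <= NF; i++) {
                if      ($i ~ /^IN=/)  in_if  = substr($i, 4)
                else if ($i ~ /^OUT=/) out_if = substr($i, 5)
                else if ($i ~ /^SRC=/) src    = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt    = substr($i, 5)
            }
            if (dpt == port) count[in_if " " out_if " " src]++
        }
        END { for (k in count) print k, count[k] }
    ' "$1" | sort
}

# hit_count FILE: total number of matching log lines (0 means the rule never fired).
hit_count() {
    summarize_hits "$1" | awk '{ n += $NF } END { print n + 0 }'
}

# write_sample FILE: constructed syslog lines in the kernel LOG target format.
# br0 -> br0 is what a NAT-loopback (LAN client to WAN IP) connection looks like.
write_sample() {
    cat > "$1" <<'EOF'
Jun 10 20:01:02 kernel: PLEX LAN Connection IN=br0 OUT=br0 SRC=192.168.1.50 DST=192.168.1.10 LEN=60 TTL=63 PROTO=TCP SPT=51000 DPT=32400 SYN
Jun 10 20:01:05 kernel: PLEX LAN Connection IN=br0 OUT=br0 SRC=192.168.1.50 DST=192.168.1.10 LEN=60 TTL=63 PROTO=TCP SPT=51002 DPT=32400 SYN
Jun 10 20:03:00 kernel: Plex LAN Connection IN=vlan2 OUT=br0 SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TTL=52 PROTO=TCP SPT=40100 DPT=32400 SYN
Jun 10 20:04:00 kernel: DROP IN=vlan2 OUT= SRC=198.51.100.9 DST=192.0.2.1 LEN=40 TTL=240 PROTO=TCP SPT=4444 DPT=23 SYN
EOF
}

# Run against a real log when a path is given, e.g. ./plexlog.sh /tmp/syslog.log
if [ -n "${1:-}" ]; then summarize_hits "$1"; fi
```

An empty summary for a period when clients were connecting means the traffic never reached the FORWARD chain, which matches the switched-not-routed case described above.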
 
