0 votes
1,033 views 5 comments
by

Hi,

I want to use Portforwarding on my RUT955.

I have made the settings in the WebUI as they are described in the manual. I enabled NAT Loopback.

Do I have to set the default "Firewall->Forward" setting to "accept" or are the settings for port forwarding sufficient?

I get the following traffic over and over via tcpdump.

  • TCP Out-Of-Order
  • TCP Dup ACK
  • TCP Retransmission

The network looks like this.

Server: 192.x.x.173

RUT955 WAN (static): 10.x.x.10

Device in LAN: 10.y.y.1                 (different subnet to wan)

Is the redirection converted twice or is that correct?

by
The port forwarding looks like this:

Source zone: wan

Destination zone: lan

Source Port: 50042

NAT Loopback: enable

Destination Address: 10.y.y.1

Destination Port: 50042
by

I see in the system log

1.

Chain zone_lan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination       
 1264 82112 postrouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for postrouting */
    0     0 SNAT       tcp  --  *      *       10.y.y.0/27         10.y.y.1            tcp dpt:50000 /* !fw3: Forward to TCP 50000 (reflection) */ to:10.y.y.30
    0     0 SNAT       udp  --  *      *       10.y.y.0/27         10.y.y.1            udp dpt:50040 /* !fw3: Forward to UDP 50040 (reflection) */ to:10.y.y.30
    0     0 SNAT       tcp  --  *      *       10.y.y.0/27         10.y.y.1            tcp dpt:80 /* !fw3: Forward to TCP 80 (reflection) */ to:10.y.y.30
    0     0 SNAT       tcp  --  *      *       10.y.y.0/27         10.y.y.1            tcp dpt:60100 /* !fw3: Forward to TCP 60100 (reflection) */ to:10.y.y.30
    0     0 SNAT       tcp  --  *      *       10.y.y.0/27         10.y.y.1            tcp dpt:50042 /* !fw3: Forward to TCP 50042 (reflection) */ to:10.y.y.30
    0     0 SNAT       tcp  --  *      *       10.y.y.0/27         10.y.y.1            tcp dpt:50043 /* !fw3: Forward to TCP 50043 (reflection) */ to:10.y.y.30



Chain zone_lan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination       
 3202  187K prerouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for prerouting */
    0     0 DNAT       tcp  --  *      *       10.y.y.0/27         10.x.x.10          tcp dpt:50000 /* !fw3: Forward to TCP 50000 (reflection) */ to:10.y.y.1:50000
    0     0 DNAT       udp  --  *      *       10.y.y.0/27         10.x.x.10          udp dpt:50040 /* !fw3: Forward to UDP 50040 (reflection) */ to:10.y.y.1:50040
    0     0 DNAT       tcp  --  *      *       10.y.y.0/27         10.x.x.10          tcp dpt:80 /* !fw3: Forward to TCP 80 (reflection) */ to:10.y.y.1:80
    0     0 DNAT       tcp  --  *      *       10.y.y.0/27         10.x.x.10          tcp dpt:60100 /* !fw3: Forward to TCP 60100 (reflection) */ to:10.y.y.1:60100
    0     0 DNAT       tcp  --  *      *       10.y.y.0/27         10.x.x.10          tcp dpt:50042 /* !fw3: Forward to TCP 50042 (reflection) */ to:10.y.y.1:50042
    0     0 DNAT       tcp  --  *      *       10.y.y.0/27         10.x.x.10          tcp dpt:50043 /* !fw3: Forward to TCP 50043 (reflection) */ to:10.y.y.1:50043

Chain zone_wan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination        
 2786  171K prerouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for prerouting */
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:50000 /* !fw3: Forward to TCP 50000 */ to:10.x.x.1:50000
 1229 78656 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:50040 /* !fw3: Forward to UDP 50040 */ to:10.x.x.1:50040
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* !fw3: Forward to TCP 80 */ to:10.x.x.1:80
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:60100 /* !fw3: Forward to TCP 60100 */ to:10.x.x.1:60100
  885 44840 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:50042 /* !fw3: Forward to TCP 50042 */ to:10.x.x.1:50042
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:50043 /* !fw3: Forward to TCP 50043 */ to:10.x.x.1:50043

1 Answer

0 votes
by

Hello,

This is because of Duplicate ACKs. They happen when the receiving end (RUT955) sees a gap in received packets. When this occurs, DUP ACKs trigger TCP Fast Retransmit. This is normal if you see a few of these in general situations (even on the web) and it's very common to see many of these with port forwarding without masquerading.

If you do a packet capture on the sending side (server), you will not see this (again, because it's taken care of by the router thanks to TCP fast retransmit). If you wish to get rid of these messages on the receiving side (RUT955), you need to add masquerading from LAN to server.

by

If you wish to get rid of these messages on the receiving side (RUT955), you need to add masquerading from LAN to server.

How would this setup look?

by

Furthermore, I am getting problems with the forwarding. When I restart the router it usually works, and after a while it does not work at all. I then have to restart the router.

Look at the logging:

Here the forwarding works: a request from 192.x.x.173 to 10.x.x.10:50042 is forwarded to 10.y.y.1.

Here the forwarding doesn't work for this specific port (50042). Port 50040 is working fine.

by

Regarding the masquerade, please try adding this to Network → Firewall → Custom Rules:

# Source-NAT traffic heading to the forwarded host so its replies come back through the router
iptables -t nat -I POSTROUTING -m tcp -p tcp -d 10.y.y.1 --dport 80 -j MASQUERADE
# Port 50040 is forwarded as UDP in the zone_wan_prerouting listing above, so match UDP here
iptables -t nat -I POSTROUTING -m udp -p udp -d 10.y.y.1 --dport 50040 -j MASQUERADE
iptables -t nat -I POSTROUTING -m tcp -p tcp -d 10.y.y.1 --dport 50042 -j MASQUERADE
iptables -t nat -I POSTROUTING -m tcp -p tcp -d 10.y.y.1 --dport 50043 -j MASQUERADE
iptables -t nat -I POSTROUTING -m tcp -p tcp -d 10.y.y.1 --dport 60000 -j MASQUERADE

Don't forget to replace 10.y.y.1 with the actual IP. :)

But I must admit, I may not be getting the full picture here. If it doesn't work, can you send me a Troubleshoot file via private message? It can be downloaded from the System → Administration → Troubleshoot page.
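As an added check, not part of this thread: a small Python audit over an `iptables -t nat -L -v -n` listing in the fw3 layout posted above, reporting which WAN forwards have no any-source SNAT/MASQUERADE rule towards the forwarded host (the listing is constructed for the example; chain names, ports and 10.y.y.1 follow the thread).

```python
from collections import namedtuple

Rule = namedtuple("Rule", "chain target proto source dest dport to")
# Constructed listing in the fw3 `iptables -t nat -L -v -n` layout shown in the question:
# two WAN forwards, the LAN "reflection" SNAT (restricted to the LAN subnet, so it does
# not cover WAN traffic) and a custom MASQUERADE that only covers the TCP forward.
SAMPLE_LISTING = """\
Chain zone_wan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1229 78656 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:50040 /* !fw3: Forward to UDP 50040 */ to:10.y.y.1:50040
  885 44840 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:50042 /* !fw3: Forward to TCP 50042 */ to:10.y.y.1:50042
Chain zone_lan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       tcp  --  *      *       10.y.y.0/27          10.y.y.1             tcp dpt:50042 /* !fw3: Forward to TCP 50042 (reflection) */ to:10.y.y.30
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   720 MASQUERADE tcp  --  *      *       0.0.0.0/0            10.y.y.1             tcp dpt:50042
"""


def parse_nat_listing(listing):
    """Split an `iptables -t nat -L -v -n` listing into Rule tuples."""
    rules, chain = [], None
    for line in listing.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        parts = line.split()
        if len(parts) < 9 or parts[0] == "pkts":
            continue  # blank line or column header
        # columns: pkts bytes target prot opt in out source destination [match text]
        dport = next((p[4:] for p in parts if p.startswith("dpt:")), None)
        to = next((p[3:] for p in parts if p.startswith("to:")), None)
        rules.append(Rule(chain, parts[2], parts[3], parts[7], parts[8],
                          int(dport) if dport else None, to))
    return rules


def forwards_without_masquerade(listing):
    """WAN DNAT forwards with no any-source SNAT/MASQUERADE towards the forwarded host."""
    rules = parse_nat_listing(listing)
    snat = [r for r in rules if r.target in ("SNAT", "MASQUERADE")
            and r.chain.lower().endswith("postrouting") and r.source == "0.0.0.0/0"]
    fwds = [r for r in rules if r.target == "DNAT" and r.chain.endswith("wan_prerouting")]
    missing = []
    for fwd in fwds:
        host = fwd.to.split(":")[0]
        if not any(s.dest == host and s.proto in (fwd.proto, "all")
                   and s.dport in (None, fwd.dport) for s in snat):
            missing.append(f"{fwd.proto}/{fwd.dport} -> {host}")  # e.g. 'udp/50040 -> 10.y.y.1'
    return missing
```

Run it against the real listing (`iptables -t nat -L -v -n` on the router) after adding the custom rules; an entry in the result means replies from that forwarded port still leave with the original WAN sender as destination.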