0 votes
672 views 9 comments
by anonymous
Hello,

I have got a simple LAN interface 192.168.1.0/24. My router runs on 192.168.1.1/32. If I enter my IP in the browser or the domain name mapped to 192.168.1.1/32 from my local DNS server, I can see the Teltonika start screen and log in.

So far so good. Now I have created a port forwarding from WAN:443 --> LAN:443. Let's say on LAN:443 a web server is listening (in fact there is another firewall in between, but I think that is not important; let's say the endpoint is a web server listening on 443).

When I enter my domain name (webserver.example.com), hosted by my domain provider (not local DNS), that maps to my public IP from my mobile phone, I can reach the web server correctly. If I enter the same domain name on my computer at home connected to my LAN, I get the RFC1918 error.

In my opinion, if hairpinning is enabled on the port forwarding rules, the router does not send the data to the internet. It directly redirects it back. However, I want to access my webserver from my computer in my LAN as if I were away from my home network.

What I don't understand is how, on the one hand my Teltonika web server can be listening on port 443 (or 80) but on the other hand the port forwarding can be performed to my own hosted web server? Where is the Teltonika web server listening? On localhost, 127.0.0.1 or on the LAN interface 192.168.1.0/24?

Thanks a lot.

Regards

1 Answer

0 votes
by anonymous

Hello,

By default, uhttpd listens on all interfaces:

uhttpd  4611 root    3u     IPv4       8887      0t0       TCP *:443 (LISTEN)
uhttpd  4611 root    4u     IPv6       8888      0t0       TCP *:443 (LISTEN)

You need to disable "Rebind protection" in Network->DNS->General Settings.

Regards,

by anonymous

Hello,

I have created a topology of my network to clarify what I want to have...

I have got two zones defined in my RX11 WAN and LAN. WAN has got public static IP. LAN defines a zone that is connected to an OPNSense firewall as second firewall. In the SLAN zone defined behind my OPNSense, a webserver and a client exist.

If I enter the domain name for the webserver (example.com) it is resolved to the public static IP 184.x.x.x.

I expected that hairpinning (as defined by the red arrow) works if I call example.com from my client 192.168.2.15.

However, it doesn't. I always get the "Forbidden - Rejected request from RFC1918 IP to public server address". Interestingly, the SSL certificate is not the certificate from my webserver but from the RX11 server.

I played with

  • Network-->DNS-->Rebind protection
  • System-->Administration-->Access Control-->WebUI-->Ignore private IPs on public interfaces

The first parameter does not seem to change anything. If I disable the second one, I get the RX11 Web GUI on example.com!!! This must be the RX11 Web GUI listening on 192.168.1.1, i.e. the LAN interface (not the WAN interface, because I disabled "Enable remote HTTPS access")!!!

For me the situation is as follows:

If I call example.com, the public static IP address is correctly resolved. The client sends a packet through the OPNSense firewall to the RX11 router (SLAN-->LAN-->WAN). For whatever reason, the public static IP 184.x.x.x is not port forwarded to the WebServer 192.168.2.200.

Of course, I have got a port forwarding rule to forward incoming traffic from the ISP over WAN to the WebServer. This works perfectly.
Thanks for help.
Regards
by anonymous
This seems to be a WAN NAT redirection issue.

What is the output of:

iptables -t nat -n -L | grep 443

on the RUTX11 ?
by anonymous

The iptables output is...

This is the port forwarding rule overview...

This is the complete port forwarding rule...

And this are the zone rules...

As I already mentioned, if I type in example.com I am always redirected to the Teltonika Admin GUI (if rebind protection is disabled).

The port forwarding works from outside, if I connect with my LTE smartphone.

Thanks.

Regards

by anonymous
Could you add a firewall rule similar to nginx443 but with the "Source zone" set to lan and retry the access from 192.168.2.15?
by anonymous
This is not possible. My web server and my client are both in "slan"; this is a "zone" behind the second firewall (see diagram above). I cannot select "any" source zone in the port forwarding rule. I suppose this is the problem why the hairpinning also doesn't work.

However, I think you provided a good hint. Perhaps I have to masquerade after my second firewall from slan to lan?
by anonymous
You can try with masquerade set, or if you have a zone containing 192.168.2.0/24 set it as source zone in the previous fw rule.
by anonymous

Another way is to add custom fw rules to do the translation:

iptables -t nat -A PREROUTING -p tcp -m tcp -i br-lan --dport 443 -j DNAT --to-destination 192.168.2.200:10443
iptables -t nat -A POSTROUTING -p tcp -m tcp --sport 10443 -j SNAT --to-source 184.x.x.x:443

Could you test this one ?

by anonymous
No, this also doesn't work.

I used my iPad to connect to br-lan via WLAN, i.e. I am now in the LAN zone, and the hairpinning also doesn't work. So the reason why the hairpinning doesn't work does not depend on the SLAN interface behind the OPNsense firewall. There is something else wrong.

Do I understand it correctly that, if the "Enable NAT loopback" option is enabled on a port forwarding rule, IP packets that reach the WLAN zone to be sent outwards are checked for destination IP 184.xxx.xxx.xxx, and if this IP matches, the packets are forwarded back as if they came from the internet to the WAN zone?

Thanks.
by anonymous

Then the solution is to disable the nginx443 rule and do everything manually:

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.2.200:10443
iptables -A FORWARD -p tcp -d 192.168.2.200 --dport 10443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp -m tcp --sport 10443 -j SNAT --to-source 184.x.x.x:443
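As an added illustration of the NAT loopback question raised in this thread and of the manual DNAT/SNAT rules given in the last two replies, the following Python model is not code from the thread, from Teltonika firmware, or from netfilter itself; it is a constructed simplification of the order in which netfilter handles a LAN-originated connection to the router's public address (PREROUTING DNAT, then the local-delivery decision, then FORWARD and POSTROUTING SNAT). It reproduces the three behaviours described above: an internet client is forwarded to the web server, a LAN client whose DNAT rule only matches the WAN interface ends up at uhttpd (which the first answer shows bound to *:443), and a LAN client is only served correctly once the source is rewritten too, so the server's reply passes back through the router. The interface names "wan" and "br-lan", the placeholder 184.0.0.1 for the thread's 184.x.x.x, the router LAN address 192.168.1.1 and the LOCAL_LISTENERS table are assumptions made for the example.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Constructed addresses (assumption): 184.0.0.1 stands in for the thread's
# 184.x.x.x; the web server 192.168.2.200:10443 and client 192.168.2.15 are
# the values used in the thread.
ROUTER_WAN_IP = "184.0.0.1"
ROUTER_LAN_IP = "192.168.1.1"
WEB_SERVER = ("192.168.2.200", 10443)
CLIENT = "192.168.2.15"
# uhttpd is bound to *:443 (lsof output in the first answer), so any packet whose
# destination is still a router address after PREROUTING lands on that socket.
LOCAL_LISTENERS = {443: "uhttpd", 80: "uhttpd"}


@dataclass(frozen=True)
class Packet:
    in_iface: str   # "wan" or "br-lan" (assumed interface names)
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class DnatRule:
    in_iface: Optional[str]  # None models a rule without "-i": any ingress interface
    dport: int
    to_addr: str
    to_port: int


def process(pkt: Packet, dnat_rules, hairpin_snat: bool = False) -> dict:
    """Run one TCP SYN through PREROUTING -> routing decision -> FORWARD/POSTROUTING."""
    # 1. nat/PREROUTING: DNAT is evaluated before the kernel decides whether the
    #    packet is for a local socket, so a matching DNAT rule wins over uhttpd.
    for rule in dnat_rules:
        iface_ok = rule.in_iface is None or rule.in_iface == pkt.in_iface
        if iface_ok and pkt.dst == ROUTER_WAN_IP and pkt.dport == rule.dport:
            pkt = replace(pkt, dst=rule.to_addr, dport=rule.to_port)
            break
    # 2. Routing decision on the (possibly rewritten) destination address.
    if pkt.dst in (ROUTER_WAN_IP, ROUTER_LAN_IP):
        return {"verdict": "local", "service": LOCAL_LISTENERS.get(pkt.dport),
                "reply_to": pkt.src, "dst": pkt.dst, "dport": pkt.dport}
    # 3. FORWARD, then nat/POSTROUTING. For a LAN-originated hairpin the source
    #    must also be rewritten to a router address; otherwise the server answers
    #    the client directly and the client sees a reply from 192.168.2.200
    #    instead of from the 184.0.0.1:443 it connected to, and drops it.
    reply_to = ROUTER_LAN_IP if (hairpin_snat and pkt.in_iface != "wan") else pkt.src
    return {"verdict": "forward", "service": None, "reply_to": reply_to,
            "dst": pkt.dst, "dport": pkt.dport}


def reply_passes_router(result: dict) -> bool:
    """True when the server's reply travels back through the router, where conntrack
    reverses the DNAT/SNAT so the client sees the address it originally connected to."""
    if result["verdict"] != "forward":
        return False
    reply_to = result["reply_to"]
    # A reply to the router itself, or to a non-RFC1918 address reached via the
    # router as default gateway, passes conntrack; a reply straight to a LAN host
    # bypasses the router and can never be un-translated.
    return reply_to == ROUTER_LAN_IP or not reply_to.startswith("192.168.")


WAN_ONLY_RULE = [DnatRule("wan", 443, *WEB_SERVER)]    # a plain port forward on the WAN side
ANY_IFACE_RULE = [DnatRule(None, 443, *WEB_SERVER)]    # DNAT regardless of ingress interface


def scenario_internet():
    return process(Packet("wan", "203.0.113.7", ROUTER_WAN_IP, 443), WAN_ONLY_RULE)


def scenario_lan_without_loopback():
    return process(Packet("br-lan", CLIENT, ROUTER_WAN_IP, 443), WAN_ONLY_RULE)


def scenario_lan_dnat_only():
    return process(Packet("br-lan", CLIENT, ROUTER_WAN_IP, 443), ANY_IFACE_RULE)


def scenario_lan_with_loopback():
    return process(Packet("br-lan", CLIENT, ROUTER_WAN_IP, 443), ANY_IFACE_RULE, hairpin_snat=True)


if __name__ == "__main__":
    for name, fn in [("internet client", scenario_internet),
                     ("LAN, DNAT on wan only", scenario_lan_without_loopback),
                     ("LAN, DNAT any iface, no SNAT", scenario_lan_dnat_only),
                     ("LAN, DNAT + SNAT (loopback)", scenario_lan_with_loopback)]:
        r = fn()
        print(f"{name:30} -> {r['verdict']:7} service={r['service']} "
              f"reply_to={r['reply_to']} client_ok={reply_passes_router(r)}")
```

The model shows why a DNAT rule alone is not enough for a hairpin: the packet is forwarded to the server, but the server's reply goes straight to the LAN client and never passes the router's connection tracking, which is what a NAT loopback option adds on top of the forward (a source rewrite for LAN-originated traffic to the public address).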