Force routing through receiving interface rather than default gateway

[Frank Monroe]

I have an RT-AC5300 running ASUS Merlin 386.2. I have opened up a port to a server inside my LAN by using the iptables command listed below. I am using this command instead of the GUI because I also want VPN clients on the ASUS router to allow the port to be forwarded. The port forwarding seems to be working. However, the response from the server is always being routed through default gateway on the router. Is there a way to configure the router so that it sends the response to the connection through the interface in which it came? Thanks in advance.

iptables -A PREROUTING -t nat -p tcp --dport xxxx -j DNAT --to-destination x.x.x.x

 

[ColinTaylor]

There is no difference between your iptables command and doing it through the GUI. This is a routing problem as you suspected.

For the solution see Example 2 here: https://github.com/RMerl/asuswrt-merlin.ng/wiki/Policy-based-Port-routing-(manual-method)

 

[Frank Monroe]

There is no difference between your iptables command and doing it through the GUI. This is a routing problem as you suspected.

For the solution see Example 2 here: https://github.com/RMerl/asuswrt-merlin.ng/wiki/Policy-based-Port-routing-(manual-method)

Excuse my ignorance, but the only way I can get this to work at all is by adding it to PREROUTING. If I add it to VSERVER, which is what the GUI does, it doesn't forward.

And thanks for the link. Thats actually where I stared. I have been trying to interpret that document and by trial and error for two days now and have had no success. The forward part is working. Its the routing back that I am having an issue.

 

[eibgrad]

As @ColinTaylor suggests, this is NOT a port forwarding problem w/ the GUI vs. your own port forwarding rule. The GUI will do the job just fine.

The problem is that for clients on the LAN that are bound to the OpenVPN client, their replies from port forwarding over the WAN are being routed out the VPN (which the stateful firewall will NOT permit). And that's because the router doesn't have any known route back to the remote client other than the default gateway, which is pointing to the VPN.

There are several ways to address it.

1) Remove the server from the OpenVPN client by using Routing Policy and NOT including its source IP in your rule(s).

2) Use an OpenVPN client for remote access rather than access the server directly over the WAN.

3) If the remote client's public IP is well known (e.g., a workplace, frequented wifi cafe), add a static route that binds it to the WAN.

4) Port forward over the VPN rather than the WAN (assuming your VPN provider offers that feature).

5) Port-based PBR (policy based routing).

IOW, there are a multitude of ways to skin this cat, but you have to decide which best suits your purposes. Not all solutions are good in all situations.

FWIW, I recently helped someone configure their Plex server for remote access over the WAN using port-based PBR. Perhaps you'll find it helpful if you decide to take that approach.

Solved - 386.1_2: openvpn-event causes “Linux route add command failed”

Thanks for the link. Now I see why I was confused. I didn't realize table 254 was the main table. Usually when referencing tables, at least those well-known, you use the name, if only for reasons of clarity. ip rule add fwmark 0x7000/0x7000 table main prio 9990 Anyway, I have a problem w/...

www.snbforums.com

 

[Frank Monroe]

As @ColinTaylor suggests, this is NOT a port forwarding problem w/ the GUI vs. your own port forwarding rule. The GUI will do the job just fine.


4) Port forward over the VPN rather than the WAN (assuming your VPN provider offers that feature).

Actually, the command I sent earlier was not the complete command I am using. What I sent is missing the tun interface. I am actually trying to forward an inbound port only through a particular VPN cient. The actual iptables command I am using is listed below. The forwarding is working as I can see the connection start. In addition, if I change the VPN client on the router to forward all traffic from the destination host through the VPN client gateway, the process works. The problem is, I only want traffic associated with the forwarded port to be routed back instead of all traffic. My issue is, I cannot find a way to configure the routing to accomplish this.

iptables -A PREROUTING -t nat -i tun13 -p tcp --dport xxxx -j DNAT --to-destination x.x.x.x

 

[eibgrad]

Yeah, that was a rather consequential small detail to accidentally leave out.

 

[eibgrad]

The problem is, I only want traffic associated with the forwarded port to be routed back instead of all traffic. My issue is, I cannot find a way to configure the routing to accomplish this.

So what you're saying is that you have the rather unusal case of NOT wanting the server to be bound to the OpenVPN client except for this one port (usually it's the complete opposite).

 

[Frank Monroe]

So what you're saying is that you have the rather unusal case of NOT wanting the server to be bound to the OpenVPN client except for this one port (usually it's the complete opposite).

I have a server that hosts a web server on a nonstandard port. On my router, I have a VPN client connection to a VPN service that allows me to open that particular port on the public side of the VPN. On my router, I have forwarded the port of the web server. This all works fine if I force all of the traffic from the server through the VPN. However, I do not want the other traffic on that server to use the VPN. I just want the connections from the pubic side of the VPN that have connected to the web server.

 

[eibgrad]

I have a server that hosts a web server on a nonstandard port. On my router, I have a VPN client connection to a VPN service that allows me to open that particular port on the public side of the VPN. On my router, I have forwarded the port of the web server. This all works fine if I force all of the traffic from the server through the VPN. However, I do not want the other traffic on that server to use the VPN. I just want the connections from the pubic side of the VPN that have connected to the web server.

Yes, that's what I said.

 

[eibgrad]

If we assume you're using Routing Policy for other purposes, it seems to me you can simply leverage the router's existing alternate routing table for these purposes (rather than managing your own).

FW_MARK='0x7000/0x7000'
SERVER_IP='192.168.1.100'
SERVER_PORT='80'
VPN_IF='tun13'
VPN_TID='ovpnc3'

# port forward to webserver over openvpn client network interface
iptables -I PREROUTING -t nat -i $VPN_IF -p tcp --dport $SERVER_PORT -j DNAT --to $SERVER_IP

# mark packets from webserver
iptables -t mangle -I PREROUTING -i br0 -s $SERVER_IP -p tcp --sport $SERVER_PORT -j MARK --set-mark $FW_MARK

# route marked packets from webserver over openvpn client
ip rule add fwmark $FW_MARK table $VPN_TID prio 9990

IOW, mark those packets coming from the webserver such that they get routed over the alternate routing table already established by the OpenVPN client due to Routing Policy. In a sense, you're just creating a rule that otherwise the GUI itself can't handle.

I have no way to test it since my VPN provider doesn't support port forwarding, but that's the general idea.

P.S. As noted in that script I linked to earlier, you *might* need to disable reverse port forwarding as well. Again, since I can't test it, that's something you'll need consider adding if it doesn't work.

 

[Frank Monroe]

Thanks a lot.. I will check this out as soon as I return.

 

[Frank Monroe]

What you listed here is real close to what I had been trying. The difference between yours and mine, I used -A instead of -I on the top two commands. Also, for the second command, I used the wrong interface. And finally, I used 0x4000/0x4000 for the mark. I got that from the examples.

At any rate, its working perfectly. Thanks a lot.