Solved Potential bug with UDP NAT loopback/hairpinning

The main reasons why my custom NAT loopback was removed were:

- Requires packet marks that can conflict with Trend Micro (they reserve almost all bits for their own use)
- The mangle rule can be lost whenever the Trend Micro engine decides it needs to reconfigure the mangle table

So since that was no longer reliable, it was removed a few years ago.
 
I think you'd have to enable JFFS custom scripts and configs in the GUI (Administration - System) and create a firewall-start script that contains your iptables command.
Thanks for the direction and all the help with this. The script is in place and happily doing its thing now.

Yea, I read about the reliability issue from the commit logs and previous discussions around it. Interesting (and annoying) about the Trend Micro stuff though.

And thank you for your hard work on this fantastic firmware! :)
 
My next LTS fork release will move the udp rule from mangle FORWARD to PREROUTING...

I was going to enquire about the possibility of doing this to @RMerlin but I wasn't sure if it would cause other problems.

https://github.com/RMerl/asuswrt-me...b10485/release/src/router/rc/firewall.c#L4498 (edit: wrong repo, my bad)

https://github.com/RMerl/asuswrt-merlin.ng/blob/master/release/src/router/rc/firewall.c#L6135

This line is never hit because there is no way to set ctf_pt_udp (that I can tell) apart from with nvram set and, as @ColinTaylor mentioned, it's too late in the flow to actually do anything. It would be awesome if the rule here could also be moved to PREROUTING as well so that it can be enabled with nvram set (or maybe enabled by default) without the need for custom user scripts.

Ofc, I could just be misunderstanding what that rule actually does :)
 
equivalent in the current codebase https://github.com/RMerl/asuswrt-merlin.ng/blob/master/release/src/router/rc/firewall.c#L6135
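The thread mentions a firewall-start script but does not show one, so here is an added example of what such a script can look like; it is not the poster's script and not the firmware's own rule. It installs a mangle PREROUTING rule that marks UDP from the LAN bridge addressed to the router's own WAN IP, checks for the rule before inserting it so the script is safe to re-run, and only touches iptables when the firmware actually invokes it (Asuswrt-Merlin passes the WAN interface name as $1). The mark value 0x01/0x07, the br0 interface, the nvram key wan0_ipaddr and the match on the WAN IP are all assumptions for illustration: the real CTF-bypass mark and the bits Trend Micro reserves must be checked against firewall.c on your firmware version before using this.

```shell
#!/bin/sh
# /jffs/scripts/firewall-start  (added example; not from the thread or the firmware)
# Requires "Enable JFFS custom scripts and configs" = Yes and chmod +x on the file.
# Asuswrt-Merlin runs this after the firewall is (re)built, with the WAN
# interface name in $1.  It re-installs a mangle PREROUTING rule that marks
# UDP traffic from the LAN addressed to the router's own WAN IP so the
# hairpinned flow is kept in netfilter instead of being handed to CTF.
#
# ASSUMPTIONS (not confirmed by the thread or the firmware source):
#   - MARK 0x01/0x07 is a placeholder; verify the CTF-bypass mark and the
#     bits Trend Micro uses in firewall.c before relying on it.
#   - LAN bridge is br0; the WAN address is in nvram key wan0_ipaddr.

LAN_IF="${LAN_IF:-br0}"
MARK="${MARK:-0x01/0x07}"

# Build the rule arguments (everything after the chain name) for one WAN IP.
# Pure function: inspectable and testable without touching iptables.
loopback_rule_args() {
    wanip="$1"
    printf '%s' "-i $LAN_IF -p udp -d $wanip -j MARK --set-mark $MARK"
}

# Current WAN IP: nvram on the router, or the WAN_IP variable for testing.
current_wan_ip() {
    if [ -n "$WAN_IP" ]; then
        printf '%s' "$WAN_IP"
    elif command -v nvram >/dev/null 2>&1; then
        nvram get wan0_ipaddr
    fi
}

# Idempotent install: check with -C first and insert with -I only when the
# rule is missing, so the script can be re-run (e.g. from cron via cru) if
# the mangle table gets rewritten behind our back.
install_loopback_rule() {
    wanip="$(current_wan_ip)"
    [ -n "$wanip" ] || { echo "no WAN IP yet; skipping" >&2; return 1; }
    # word-splitting of the generated arguments is intended
    set -- $(loopback_rule_args "$wanip")
    if iptables -t mangle -C PREROUTING "$@" 2>/dev/null; then
        logger -t firewall-start "UDP loopback mark rule already present"
    else
        iptables -t mangle -I PREROUTING "$@" && \
            logger -t firewall-start "inserted UDP loopback mark rule for $wanip"
    fi
}

# Only modify the firewall when invoked by the firmware (interface in $1) as
# root with iptables available; otherwise the file just defines functions.
if [ -n "$1" ] && [ "$(id -u)" = "0" ] && command -v iptables >/dev/null 2>&1; then
    install_loopback_rule
fi
```

After a firewall restart, `iptables -t mangle -L PREROUTING -n --line-numbers` should show the rule at the top of the chain; if it disappears later without a firewall restart, that is the Trend Micro mangle-table rewrite RMerlin describes above, and scheduling the script with cru is the workaround this layout allows.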
 
Connecting from LAN to WAN IP (or ddns name) was possible for me. I had both google and opendns servers in "DNS Server 1" and 2 fields under Advanced Settings -> LAN -> DHCP Server.

Then I changed "Advertise router's IP in addition to user-specified DNS" to "Yes" and blanked the DNS Server 1 and 2 fields under Advanced Settings -> LAN -> DHCP Server. This effectively let the router become the primary DNS server for machines on the LAN, and let it resolve internal hostnames, so I could do things like "ping machineX" and connect to LAN minecraft servers by machine name and port. Unfortunately, the router didn't resolve its own WAN address, so other things stopped working.

A simple fix for me, was to go to Advanced Settings -> WAN -> Internet Connection (tab) -> WAN DNS Setting (scroll down) -> enter google, opendns or other DNS servers in DNSServer1 and 2, and (importantly) set "Forward local domain queries to upstream DNS" to yes.
- With these settings, I can still resolve internal host names, but also access the WAN IP (with port forwarding working) from the LAN.

While it probably has some drawbacks, compared to the lost loopback setting, it does work with the mentioned settings that are available on Asuswrt-Merlin 386.3_2. Perhaps also on stock firmware. My router is an RT-AC88U that is meshed with an RT-AC68U (node).

I hope this helps someone. It took me some time to figure out :)
 