[bug] port forwarding from WAN interface handled wrong when VPN client running

tcpdump.zip (564 Bytes)

  • MT-1300, FW 3.212 from 2022/03/01 (BETA version, not snapshot)
  • wireguard tunnel established
  • “Use VPN for all processes on the router” disabled (same with enabled)

When VPN (wireguard) client is connected there is no port forwarding from WAN to LAN possible unless I have the connecting IP in VPN exceptions (VPN Policies | Do not use VPN for the following).

Had a look with tcpdump (see attachment):
The answers are sent with the correct IP (IP of the WAN interface, in this case eth0.2) over the wrong interface (in this case wg0).
That can hardly work.

Pls fix!

1 Like

…had another short look into the issue:
You could use packet tagging and tagging based routing to ensure that packets from forwarded ports are routed correctly.

possible solution that needed to be checked/beautified and integrated into GL-inets scripts:

### use Firewall | Port Forwards when VPN is running and is default gateway 
## only the very 1st time:
# add routing table for port forwarding
cat /etc/iproute2/rt_tables | grep "201 fw" >/NUL || echo 201 fw >> /etc/iproute2/rt_tables

## after each reboot
# add default gateway of ISP to routing table "fw"
ip route add default via $Gateway-of-router dev $WAN-interface table fw
# add rule to use routing table "fw" for packets marked "0x1"
ip rule add fwmark 1 table fw

## after each firewall restart
# for each DNAT-target
iptables -A PREROUTING -i br-lan -t mangle -p $Protocol -s $DNAT-target --sport $DNAT-target-port -j MARK --set-mark 1

same principle worked for forwading into guest net

HTH!

1 Like

I’ll do some testing and then try to fix it.

Example for easier implementation by end users:

  • LAN 192.168.8.1/24 (AFAIK the standard setting of GL-inet routers)
  • GuestNet 192.168.9.1/24 (AFAIK the standard setting of GL-inet routers)
  • router 192.168.8.1
  • gateway address 12.13.14.15 (see pic)
  • forwarding of port 12345 to 192.168.8.100
  • $WAN-interface is for connection via
    – cable → eth0.2
    – WISP → apcli0
    @alzhao please add the other interface names

HowTo

  • note “Gateway” address from Gl-inet Webinterface (see pic below)
  • replace all values in the example by the names/numbers that fit your environment
  • open SSH shell (e.g. puTTY)
  • enter (copy&paste) these lines:

cat /etc/iproute2/rt_tables | grep “201 fw” >/NUL || echo 201 fw >> /etc/iproute2/rt_tables
ip route add default via 12.13.14.15 dev $WAN-interface table fw
ip rule add fwmark 1 table fw
iptables -A PREROUTING -i br-lan -t mangle -p tcp -s 192.168.8.100 --sport 12345 -j MARK --set-mark 1

for forwarding to guestnet (to e.g. 192.168.9.100) replace the last line with

iptables -A PREROUTING -i br-guest -t mangle -p tcp -s 192.168.9.100 --sport 12345 -j MARK --set-mark 1

1


Be aware though that above solution it’s not integrated into GL-inets scripts so if your router reloads/restarts the firewall for whatever reason (VPN client (re)connected?) you may need to manually enter the firewall entry anew.
Try
iptables-save | grep 12345 || iptables -A PREROUTING -i br-lan -t mangle -p tcp -s 192.168.218.100 --sport 12345 -j MARK --set-mark 1
in that case on the command line.

Hello, I’m upping this topic because I have quite the same problem with 3.213 firmware on GL-AX1800 Flint. However it seems occuring using the WAN IP from outside the LAN.

The simplest way I found to reproduce it is:

  • A PC (LAN IP: 192.168.8.112), running a netcat listener on a given port (ex: nc -lk -p 44444)
  • A mobile device, that can switch between WiFi (within LAN) and LTE (in WAN side), running telnet <WAN_IP> 44444 on Termux
  • The following port forwarding rule enabled on the router: TCP/UDP wan 44444 lan 192.168.8.112 44444 Enabled
  • VPN policy is enabled but “Use VPN for all processes on the router.” is disabled.

Result:

  • When Wireguard client is off, telnet command succeeds, with both WiFi (within LAN) and LTE (outside LAN)
  • When Wireguard client is on, telnet command succeeds when connected to WiFi, but fails with LTE (Connection timed out)

I also think there’s something to fix here, wan port forwarding shouldn’t stop working when a VPN client is enabled.