Port forwarding issue with http, https and ssh

Hi,

I’m running a small webserver on the lan side. On my turris omnia, I have configured port forwarding for http (80), https (443) and ssh (22) to the webserver:

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '443'
        option dest_ip '192.168.0.2'
        option dest_port '443'
        option name 'https'

(similar entries for http and ssh)

When trying to access the webserver from the wan side (e.g. from the internet) everything works fine. But when I try to access the webserver from inside the lan, using the public IP address (by means of its DDNS name), I end up at the Foris/LuCI interface. I have NAT loopback enabled for the port forwards, so why is this not working?

When I forward a different port, one that’s not in use on the Turris Omnia itself, then it works:

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '1443'
        option dest_ip '192.168.0.2'
        option dest_port '443'
        option name 'https'

But of course I don’t want to use a different port.

Jef

If 192.168.0.2 is the Omnia router IP address - ports must be redirected??

No, 192.168.0.2 is the IP address of the webserver. The Turris Omnia router has IP addresses 192.168.0.1 (lan) and 81.82.x.y (wan).

My version works:

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option src_dport '443'
        option dest_ip '192.168.2.110'
        option dest_port '443'
        option name 'NAS HTTPS'
        option proto 'tcp udp'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '1443'
        option dest_ip '192.168.0.2'
        option dest_port '443'
        option name 'https'

The problem appears to be related to the fact that lighttpd on the turris omnia binds to all interfaces (including the wan interface). Because if I stop lighttpd, then the port forwarding suddenly works just fine.

When I run “netstat -lntp” on my Turris, you can clearly see that lighttpd binds on 0.0.0.0:443 (ipv4) and :::443 (ipv6), which means all interfaces:

# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      6780/lighttpd
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      3068/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2193/sshd
tcp        0      0 0.0.0.0:9080            0.0.0.0:*               LISTEN      2503/python
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      6780/lighttpd
tcp        0      0 :::80                   :::*                    LISTEN      6780/lighttpd
tcp        0      0 :::53                   :::*                    LISTEN      3068/dnsmasq
tcp        0      0 :::22                   :::*                    LISTEN      2193/sshd
tcp        0      0 :::443                  :::*                    LISTEN      6780/lighttpd
tcp        0      0 :::9443                 :::*                    LISTEN      2504/socat

Why is lighttpd not restricted to the lan interface only? Same goes for the other services (sshd, dnsmasq).

For lighttpd:

find the configuration file in: /etc/lighttpd/lighttpd.conf

Insert a line: server.bind = "localhost"

And replace localhost with the IP address you want the server to listen on (like the LAN side IP) - ref: https://redmine.lighttpd.net/projects/1/wiki/Server_bindDetails

For the other two it's similar - edit the config file. For more see:

sshd - ref: http://www.debianadmin.com/howto-bind-ssh-to-selected-ip-address.html
dnsmasq - ref: https://serverfault.com/questions/799200/bind-dnsmasq-dns-to-just-localhost-127-0-0-1

Hmm, it seems that the problem is not caused by lighttpd (or sshd/dnsmasq) after all. The problem appears to be related to ipv6.

My router has both an ipv4 and ipv6 address, and I set up DDNS records for both. When trying to connect from the wan side, it tries to use the ipv4 address. And then port forwarding works fine. But when connecting from the lan side, it uses the ipv6 address. And since port forwards apply only to ipv4, I’m connecting to the lighttpd on the router instead of the webserver in my lan. When I force an ipv4 connection (curl --ipv4), the port forwarding works from inside the lan too.

Is it possible to setup port forwarding for ipv6?
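A `config redirect` section is DNAT and therefore IPv4-only. On IPv6 there is no NAT to loop back through: the webserver already has its own globally routable address, so what the router needs is a firewall rule that permits inbound traffic to that one host and port, and the DDNS AAAA record must point at the webserver rather than at the router. The following is an added example for /etc/config/firewall on OpenWrt / Turris OS, not taken from any post in this thread; 2001:db8::2 is a placeholder for the webserver's real global IPv6 address.

```uci
# Added example, not from this thread: /etc/config/firewall on OpenWrt / Turris OS.
# 'config redirect' (DNAT) only exists for IPv4. IPv6 needs no NAT: the webserver
# has its own global address, so the router only has to allow the inbound flow.
# 2001:db8::2 is a placeholder; substitute the webserver's real global IPv6 address.

config rule
        option name 'Allow-IPv6-HTTPS-to-webserver'
        option family 'ipv6'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option dest_ip '2001:db8::2'
        option dest_port '443'
        option target 'ACCEPT'

# Same shape for http (dest_port '80') and ssh (dest_port '22'). Keep dest_ip and
# dest_port set: a rule without them would expose that port on every LAN host
# to the internet, not just on this server.
```

Point the AAAA record at the server's own address (2001:db8::2 here), not at the router's WAN address, which is what LAN clients were reaching when they landed on the router's lighttpd; then apply with `/etc/init.d/firewall restart`.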