
accessing 2nd router from outside lan - port forward issue?

Discussion in 'Tomato Firmware' started by ghoffman, Jul 1, 2012.

  1. ghoffman

    ghoffman Addicted to LI Member

    see this discussion at tomatousb.org:

    http://tomatousb.org/forum/t-468874/can-t-access-second-router-s-gui-from-internet


    basically, the issue is:
    cable modem with external address tracked at 'mylan.dyndns.org'
    tomatousb (shibby 095) on e3000 as main router, internal IP address 192.168.1.1
    secondary APs and clients at 192.168.1.201, 192.168.1.202,....192.168.1.205
    these AP's are configured for remote management on port 8080, local management requests on 80.

    port forwarding on main router:
    8081 -> 192.168.1.201 port 8080
    8082 -> 192.168.1.202 port 8080
    etc

    if i try to access the main router from outside at mylan.dyndns.org:8080: all good
    if i try to access a secondary AP at mylan.dyndns.org:8081 - no go

    if i change port forwarding to
    8081 -> 192.168.1.201 port 80: still no good.



    this used to work with tomato, and with dd-wrt. something changed in tomatousb over the past few months.
     
  2. mvsgeek

    mvsgeek Addicted to LI Member

    This works for me :

    Main router - 192.168.1.1

    Local Access : HTTP & HTTPS
    HTTP Port : 80
    HTTPS Port : 443

    Remote Access: HTTPS
    Port : 8081

    Port Forwarding : TCP 8087 --> 192.168.1.7:443


    Secondary - 192.168.1.7

    Local Access : HTTP & HTTPS
    HTTP Port : 80
    HTTPS Port : 443

    Remote Access: HTTPS
    Port : 8087


    From my Droid phone :

    https://external.ip:8081 --> log in to Main router
    https://external.ip:8087 --> log in to Secondary

    I can also access both routers via ssh using a Droid app called Connectbot.

    Update : Changing the Local Access HTTPS Port on Secondary from 443 to 8087, and forwarding 8087 to 8087 on Main, also works.

    Update #2: Even with Remote Access on Secondary disabled, it still works. Looks like Secondary AP's use the ports as defined in the 'Local Access' section.
     
  3. Engineer

    Engineer Network Guru Member

    Remote access is only for the WAN port IIRC. It should be on the local access ports since it's coming across the LAN ports.
     
  4. gfunkdave

    gfunkdave LI Guru Member

    Engineer is correct. Remote access is for the WAN port. If the APs are plugged into the LAN ports they can just use normal Local access.
     
  5. ghoffman

    ghoffman Addicted to LI Member

    thank you - the trick - for whatever reason - was to disable remote access on the secondary routers. then port forwarding to 80 works.
     
  6. ghoffman

    ghoffman Addicted to LI Member

    update:
    this configuration 'stopped working'.
    e3000 as primary router, shibby 95 usb-vpn build, uptime now 19 days. the following is cut-and-paste from the info screen on my main router (the e3000 at local address 192.168.1.1, external IP address accessible via my dyndns account) that i am just now accessing remotely at http://xxxxxxxx.dyndns.org:8080


    Name xxxxxxxx
    Model Linksys E3000
    Chipset Broadcom BCM4716 chip rev 1 pkg 10
    CPU Freq 480MHz
    Flash Size 8MB

    Time Thu, 12 Jul 2012 19:00:50 -0500
    Uptime 19 days, 08:25:48
    CPU Load (1 / 5 / 15 mins) 0.02 / 0.02 / 0.00
    Total / Free Memory 60.63 MB / 48.29 MB(79.64%)

    i have forwarded ports as follows (again, cut from the router management screens):
    Port Forwarding
    On   Proto  Src Address   Ext Ports        Int Port  Int Address    Description
         UDP                  1000,2000                  192.168.1.2    ex: 1000 and 2000
         Both                 1000-2000,3000             192.168.1.2    ex: 1000 to 2000, and 3000
         Both   1.1.1.0/24    1000-2000                  192.168.1.2    ex: 1000 to 2000, restricted
         TCP                  1000             2000      192.168.1.2    ex: different internal port
    On   TCP                  8081             80        192.168.1.1
    On   TCP                  8082             80        192.168.1.2
    On   TCP                  8083             80        192.168.1.3
    On   TCP                  8084             80        192.168.1.4
    On   TCP                  8085             80        192.168.1.5
    On   TCP                  8201             80        192.168.1.201
    On   TCP                  8202             80        192.168.1.202
    On   TCP                  8203             80        192.168.1.203
    On   TCP                  8204             80        192.168.1.204
    On   TCP                  8205             80        192.168.1.205
    On   TCP                  8250             80        192.168.1.250
    On   TCP                  9100             9100      192.168.1.250

    but i cannot access any of the routers or devices at the forwarded addresses from outside my lan.
    as an example:
    http://xxxxxxx.dyndns.org:8084
    should give me the device on my lan at 192.168.1.4, port 80 (the management screen on that router)
    but it does not work from outside my lan - and it did when i answered the above question affirmatively - and there have been no router reboots or configuration changes in the interim.

    something *must* be unstable with port forwarding ?

    ideas?
    thank you in advance.
     
  7. ghoffman

    ghoffman Addicted to LI Member

    the above failure to be able to access local lan devices from forwarded ports also applies to toastman tomato-E3000USB-NVRAM60K-1.28.7500.2MIPSR2Toastman-RT-VPN.bin
     
  8. gingernut

    gingernut LI Guru Member

    Try turning off remote management on your AP's, just leave it on in your main gateway, and forward to internal port 80, this is how I have it and it works fine.

    On
    Proto: TCP
    Src address: (Blank)
    Ext Ports: 8081
    Int Ports: 80
    Int Address: 192.168.2.2
     
  9. ghoffman

    ghoffman Addicted to LI Member

    i have remote management turned off.
    as i mentioned - it worked previously, and has stopped working.
    i have recently upgraded to shibby 097, and the problem persists.
     
  10. mvsgeek

    mvsgeek Addicted to LI Member

    Dumb question, but does it work with your dotted decimal IP address instead of dyndns?
     
  11. ghoffman

    ghoffman Addicted to LI Member

    unfortunately, that does not fix the problem. i have completely restarted, cleared nvram, reconfigured; the problem persists.
    is there a way i can monitor the port-forward table and requests?
    thanks again in advance.
     
  12. koitsu

    koitsu Network Guru Member

    Yep, you use tcpdump from the CLI to examine packets flowing across the WAN interface. I explain how to do this for the MSTSC/RD protocol in another post, where the issue turned out to be the systems on the OP's LAN, despite his previous insisting that the systems were fine:

    http://www.linksysinfo.org/index.php?threads/tomato-1-28-port-forwarding-rdc.38180/#post-184869

    You will need to get familiar with pcap syntax and so on.

    I can assure you there is something amiss with your setup (port forwarding does work, universally in all Tomato and TomatoUSB firmwares), such as you have a complex setup and you're not giving us full details of the surrounding network/etc., or your ISP may be doing filtering (e.g. packets destined to your WAN IP on ports 80xx are filtered before they reach you). tcpdump will provide answers to most of this.

    Alternately you could get on the TomatoUSB router which has the port forwards and try doing "telnet 192.168.1.x 80" (NOT port 808x!) for each of the APs. If you do not get a connection then the problem is not with the port forwarding (the problem could then be firewall configurations, incorrect MAC addresses in ARP tables, or something physical). All this test would prove is that the TomatoUSB router itself can talk to those APs on port 80.

    Another possibility is that you're using an ISP which uses NAT (I know of an ISP in Norway who does this), rather than give customers an actual Internet address directly. The only solution for that is to set up port forwards on both devices (the bridge/modem/device the ISP gives you, and your own router).

    Edit: Another possibility which I forgot to mention: if these individual APs (192.168.1.2, 192.168.1.3, etc.) have firewalls on them, then the firewalls will need to be modified to permit traffic from any source address (e.g. 0.0.0.0/0) to port 80 and not limited to, for example, 192.168.1.0/24. The source addresses that those machines will see traffic from (destined to port 80) are public/Internet addresses.

    Just an FYI point on that: NAT does not re-write the source address with forwarded packets, but does re-write the port number. In other words: if Internet user 1.2.3.4 tries to connect to 8.9.9.9 on TCP port 8082 (where 8.9.9.9 is your WAN IP), and Tomato/TomatoUSB is set to forward TCP port 8082 to 192.168.1.2 TCP port 80, then the 192.168.1.2 machine will see the packet as coming from 1.2.3.4:{randomport} destined to 8.9.9.9:80 (not 8082).

    Here's proof of my claim, where I have the following forwarding entry in TomatoUSB for my setup:

    Code:
      Proto Src Address Ext Ports Int Port Int Address    Description
    On TCP              6502      22      192.168.1.51  icarus - sshd
    
    What the 192.168.1.51 machine actually sees (meaning running tcpdump on 192.168.1.51 itself) when someone connects to my WAN IP on TCP port 6502:

    Code:
    05:06:18.242945 IP 209.126.140.25.52161 > 192.168.1.51.22: Flags [S], seq 2505537494, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 2387517086 ecr 0], length 0
    05:06:18.242977 IP 192.168.1.51.22 > 209.126.140.25.52161: Flags [S.], seq 3183285344, ack 2505537495, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 1579644956 ecr 2387517086], length 0
    05:06:18.270676 IP 209.126.140.25.52161 > 192.168.1.51.22: Flags [.], ack 1, win 1040, options [nop,nop,TS val 2387517115 ecr 1579644956], length 0
    
    In that example the client IP is 209.126.140.25. You can see the port numbers getting transparently re-written (e.g. destination port shows up as port 22, not 6502), and you can see the full SYN / SYN+ACK / ACK TCP handshake going on -- meaning bidirectional communication is working fine, and also proves that the aforementioned Tomato/TomatoUSB port forward works perfectly fine.

    P.S. -- I sure hope that if you're providing Internet-based access to your APs that you have some kind of firewall rules in place only allowing connections from certain IPs on the Internet. I sure as hell would not want to allow connections from anyone on the Internet to the administrative pages on my APs inside of my LAN, regardless of what port number you pick (i.e. 8081, 8082, etc.). Very, very insecure otherwise.
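    The following is an added example, not code from this thread or from Tomato/TomatoUSB. It turns the two checks koitsu describes into something you can run against your own tcpdump output: a small model of the router's DNAT rewrite (destination address and port rewritten, Internet source address left intact, as the capture above shows) together with the LAN-only firewall rule that would silently reject such traffic, and a parser that classifies a capture of the forwarded port as "nothing arrived", "SYN arrived but no answer", or "full handshake". The forward table, the 8.9.9.9 WAN address and the 192.168.1.0/24 ACL are assumptions chosen to match the thread; the three packet lines are the ones from the post above.

```python
"""Reason about a Tomato port forward from tcpdump output (added example)."""
import ipaddress
import re

# Assumed forward table in Tomato's "Ext Port -> Int Address:Int Port" shape.
FORWARDS = {
    6502: ("192.168.1.51", 22),   # the "icarus - sshd" entry from the post
    8082: ("192.168.1.2", 80),    # one of the AP entries from the thread
}
WAN_IP = "8.9.9.9"                # placeholder WAN address used in the post


def dnat(forwards, wan_ip, src_ip, src_port, dst_ip, dst_port):
    """Return the 4-tuple the LAN host sees after the router's DNAT.

    Only the destination is rewritten; the Internet source address is
    kept, which is exactly what the capture on 192.168.1.51 shows.
    Returns None when no forward matches (the packet is dropped).
    """
    if dst_ip != wan_ip or dst_port not in forwards:
        return None
    int_ip, int_port = forwards[dst_port]
    return (src_ip, src_port, int_ip, int_port)


def lan_acl_permits(src_ip, allowed="192.168.1.0/24"):
    """An AP firewall that only trusts the LAN subnet rejects forwarded
    connections, because their source is still the public client."""
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(allowed)


# tcpdump's default IPv4/TCP line: "ts IP a.b.c.d.port > e.f.g.h.port: Flags [..], ..."
PKT_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_capture(text):
    """Yield (src, sport, dst, dport, flags) for each TCP line in a capture."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line.strip())
        if m:
            pkts.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]))
    return pkts


def diagnose(capture, server_ip, server_port):
    """Classify a capture of connections to server_ip:server_port.

    'no-packets'    nothing reached this capture point (upstream filtering,
                    carrier-grade NAT, or the forward never matched)
    'no-syn-ack'    SYNs arrive but the host never answers (host firewall,
                    nothing listening, ARP or physical problem)
    'no-final-ack'  SYN-ACK sent but never acknowledged (return path broken)
    'handshake-ok'  SYN, SYN-ACK and the final ACK were all seen
    """
    syn = synack = ack = False
    for src, sport, dst, dport, flags in parse_capture(capture):
        to_server = (dst, dport) == (server_ip, server_port)
        from_server = (src, sport) == (server_ip, server_port)
        if to_server and flags == "S":
            syn = True
        elif from_server and flags == "S.":
            synack = True
        elif to_server and flags == "." and synack:
            ack = True
    if not syn:
        return "no-packets"
    if not synack:
        return "no-syn-ack"
    return "handshake-ok" if ack else "no-final-ack"


# Copied from the post above: a capture taken on 192.168.1.51 itself.
CAPTURE = """\
05:06:18.242945 IP 209.126.140.25.52161 > 192.168.1.51.22: Flags [S], seq 2505537494, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 2387517086 ecr 0], length 0
05:06:18.242977 IP 192.168.1.51.22 > 209.126.140.25.52161: Flags [S.], seq 3183285344, ack 2505537495, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 1579644956 ecr 2387517086], length 0
05:06:18.270676 IP 209.126.140.25.52161 > 192.168.1.51.22: Flags [.], ack 1, win 1040, options [nop,nop,TS val 2387517115 ecr 1579644956], length 0
"""

if __name__ == "__main__":
    print(dnat(FORWARDS, WAN_IP, "209.126.140.25", 52161, WAN_IP, 6502))
    print("LAN-only ACL would permit:", lan_acl_permits("209.126.140.25"))
    print(diagnose(CAPTURE, "192.168.1.51", 22))
```

    To use it on your own setup, run `tcpdump -n -i <wan-if> tcp port 808x` on the router (or `tcp port 80` on the AP) while connecting from outside, paste the output in place of CAPTURE, and pass the address and port the capture point actually sees: the WAN address and external port on the router, the internal address and port 80 on the AP. A "no-packets" result on the router's WAN side points upstream (ISP filtering or NAT); "no-syn-ack" on the AP points at the AP itself.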
     
  13. ghoffman

    ghoffman Addicted to LI Member

    @koitsu -
    thank you very much for the detailed information. it was helpful.
    however, - the problem is a bug in the eth0-br0 bridging in toastman 1.28.7500.2 and shibby v095 and 097.

    what i found:

    on toastman 1.28.7500:
    external access to lan works.
    and: i can access all wireless bridges not only from the main router but from other devices that connect through br0 (wired devices)

    on the new toastman and shibby builds: this does not work. i cannot access wireless devices from devices on my wired lan or vice-versa, although all devices can access the internet. it is not an ap-isolation problem per se. i suspect that this same problem is somehow affecting aspects of wan-lan bridging.
    this problem affects both the standard and vlan builds in toastman.

    i hope this helps with development somehow. please direct this information to the most appropriate people.
    thank you!
     
