
Broadcast forwarding.

Discussion in 'DD-WRT Firmware' started by Kot_Behemot, Nov 23, 2005.

  1. Kot_Behemot

    Kot_Behemot Network Guru Member

    Hi,
    I know this was already discussed on this forum, but I did read all the posts about it and it didn't help.

    I have a LAN at home connected by a WRT54G with DD-WRT #22 to the LAN of a flat complex. I would like to use BorgChat with people outside my home. BorgChat works on broadcast at port 7550. How do I allow forwarding of broadcast on a specific port in both directions?

    Thanks in advance for your help.
     
  2. robmack

    robmack Network Guru Member

    Broadcast or multicast

    Do you really mean broadcast and not multicast (224.x.x.x address)? If broadcast, is it network broadcast or MAC broadcast (all ones)?

    Could you setup a VPN between the sites using something like SSH and associate Borgchat with it?
     
  3. Kot_Behemot

    Kot_Behemot Network Guru Member

    Yes, I really mean broadcast. Unfortunately I cannot change the config of computers outside my house (I do not have access to them).

    I do not know what kind of broadcast it is :/ I will put here what Ethereal says about a packet sent by me (the dest IP is set in the program).

    Frame 17 (126 bytes on wire, 126 bytes captured)
    Ethernet II, Src: 00:0b:2b:00:66:ec, Dst: ff:ff:ff:ff:ff:ff
    Internet Protocol, Src Addr: Behemot (192.168.1.2), Dst Addr: 255.255.255.255 (255.255.255.255)
    User Datagram Protocol, Src Port: 7550 (7550), Dst Port: 7550 (7550) Data (84 bytes)

    As you can notice my IP is 192.168.1.1 and MAC is 00:0b:2b:00:66:ec, the IP of the gateway (to the flat complex LAN) is 192.168.1.1 and my IP in the flat complex LAN is 192.168.0.79
     
  4. 4Access

    4Access Network Guru Member

    There are a number of potential solutions. The two easiest ones I can think of are:

    1. Have everybody you want to chat with that's not on your LAN install hamachi and then create a network you all join. (It might also require adding the hamachi virtual IP addresses to the UDP Broadcast tab in the BorgChat Connection Options.)


    2. Find out what the public IP address of the remote LAN you want to communicate with is.

    Add that IP address to the UDP Broadcast tab in the BorgChat Connection Options.

    For example clients on LAN A will need to add the public IP address of LAN B to their BorgChat options. Clients on LAN B will need to add the public IP address of LAN A to their BorgChat options.

    Configure the routers on both ends to forward port 7550 to 192.168.1.255

    (Assuming of course, that the LAN is using the 19.168.1.1 - 192.168.1.254 range.)

    Good luck.

    :thumb:
     
  5. Kot_Behemot

    Kot_Behemot Network Guru Member

    Thanks, but it is not possible in my case; I do not have access to any computers other than mine :/. I can only change the router configuration and the config of my computers in the home LAN.

    I was thinking about something like this:
    iptables -t nat -A PREROUTING -p udp -d 192.168.0.255 --dport 7550 -j DNAT --to-destination 192.168.1.2

    but when I want to run
    iptables -L PREROUTING it says that this table doesn't exist (??).
     
  6. 4Access

    4Access Network Guru Member

    So you can get them to install BorgChat on their PCs but nothing else?!? If you can't get them to make changes to their PC or router then you have no options. It's not possible. (Unless you already have some means of communicating with the remote clients, maybe via a VPN etc.)


    While this rule is valid it will only work if you've got some kind of VPN between the router & remote network setup. But if you already have any kind of a VPN setup then it would be much easier to simply add 192.168.1.2 to the UDP Broadcast tab in the BorgChat Connection Options:
    (This is assuming you want to chat with a PC that has IP address 192.168.1.2)


    Try iptables -t nat -L PREROUTING ;)
     
  7. Kot_Behemot

    Kot_Behemot Network Guru Member

    They already have Borg installed and they communicate with each other without any problem; I want to connect to an already working LAN.

    The connection is like this:
    [my comp]-->[myLAN]-->[myROUTER]-->[lanoutside]-->[internet]

    so I can configure everything that needs to be configured (I just do not know how :) )


    Yes it is true (I added 192.168.0.255 in my Borg and I believe it would work). The problem is it works only in one direction (from me to outside). I do not get packets from others (the router logs have info about dropping them :/ ).

    I just need to forward packets on the router from outside to my computer.



    Try iptables -t nat -L PREROUTING ;)

    I found it myself :), but thanks anyway.
    It didn't change a thing; it is listed, but packets are dropped just as before.

    Edit: I forgot to say that I can use only one IP in the flat complex LAN, so I use NAT.
     
  8. 4Access

    4Access Network Guru Member

    OK, with that explanation of your network I think I understand. You're NOT actually trying to transmit the chat traffic across the internet. You simply want to communicate between two subnets that are separated by your WRT54G, which is performing NAT. Right?!

    If that's the case then it sounds like you had it mostly figured out already...

    To get chat traffic from your PC to the "outsidelan", what you mentioned already sounds like it should work.
    Then to forward chat traffic from the "lanoutside" network to your PC, the rule you posted might work.
    Code:
    iptables -t nat -A PREROUTING -p udp -d 192.168.0.255 --dport 7550 -j DNAT --to-destination 192.168.1.2
    That's assuming your computer is 192.168.1.2. But in the packet dump you posted it looks like BorgChat is broadcasting to the global broadcast 255.255.255.255 not just the subnet broadcast 192.168.0.255. In that case you may need to change the rule to:
    Code:
    iptables -t nat -A PREROUTING -i vlan1 -p udp -d 255.255.255.255 --dport 7550 -j DNAT --to-destination 192.168.1.2
    Notice that I added "-i vlan1" so it only matches traffic coming in on the WAN port. (vlan1 is the WAN interface on WRT54G v2 - v4 hardware. If you have a WRT54G v1.x then you'll need to replace vlan1 with eth1)

    To make sure there aren't any other rules interfering with it you could try inserting it at the top of the chain (-I PREROUTING) instead of appending it to the end of the chain (-A PREROUTING)

    But then you still need one more rule:

    iptables -I FORWARD 6 -d 192.168.1.2 -p udp --dport 7550 -j ACCEPT

    You might want to check and make sure that inserting the rule as #6 in the chain (-I FORWARD 6) is appropriate, but I think that's a safe place for most configurations.
     
  9. rljo

    rljo Network Guru Member

    Forgive me if this has no relevance as my experience here is VERY limited, but, is this similar in its cause to the WOL problem with the wrt? In other words, I believe the wrt's do not allow a broadcast address of......xxx.xxx.xxx.255? The workaround posted for wol was to create a forwarding rule for the appropriate port to 192.168.1.254, then use the following command:
    ip neigh add 192.168.2.254 lladdr ff:ff:ff:ff:ff:ff nud permanent dev br0
     
  10. Kot_Behemot

    Kot_Behemot Network Guru Member

    Sorry for a week without any reply; I didn't have access to the net during this time.
    I tried to put those rules in iptables:

    iptables -I PREROUTING 2 -t nat -i vlan1 -p udp --dport 7550 -j LOG --log-prefix "borg on prerouting"

    iptables -I PREROUTING 3 -t nat -i vlan1 -p udp --dport 7550 -j DNAT --to-destination 192.168.1.2

    iptables -I FORWARD 2 -p udp --dport 7550 -j LOG --log-prefix "borg on forward"

    iptables -I FORWARD 3 -p udp --dport 7550 -j ACCEPT

    and in /messages I get only info about accepting the packet on POSTROUTING, and no info about accepting on FORWARD (it is strange, I think, because the packet should travel through FORWARD as well).

    Of course 192.168.1.2 doesn't get the packets from the net on 7550 (checked with Ethereal).
     
  11. 4Access

    4Access Network Guru Member

    That's because the first two rules need to be inserted into the PREROUTING chain. (Typo?)

    @rljo
    I'll try to find time later today to check into WOL.
     
  12. Kot_Behemot

    Kot_Behemot Network Guru Member

    Yeah that was a mistype (I put it correctly in the router, and mistyped here).

    If I do iptables -L PREROUTING -v -t nat I get (that's only a part):

    Code:
      12  1164 LOG        udp  --  vlan1  any     anywhere             anywhere            udp dpt:7550 LOG level warning prefix `borg na preroute  '
       12  1164 DNAT       udp  --  vlan1  any     anywhere             anywhere            udp dpt:7550 to:192.168.1.2:7550
    
    and in FORWARD (I put it in first place to be sure it isn't taken by any other rule):

    Code:
        0     0 LOG        udp  --  any    any     anywhere             anywhere            udp dpt:7550 LOG level warning prefix `borg on fw '
    so what the hell can happen to it between PREROUTING and FORWARD?? Maybe DNAT is not working properly??

    Thanks for your help 4Access and all that participate in this discussion.
     
  13. Kot_Behemot

    Kot_Behemot Network Guru Member

    I see it will be hard for me to make it work properly :/. I have one more question to ask: what is the difference in the way (tables to travel) if I DNAT to the same subnet the packet came from, and if I DNAT to another subnet??
    Because if I DNAT to the same subnet the packet is sent properly (weird), but still isn't mentioned in the FORWARD table.
     
  14. 4Access

    4Access Network Guru Member

    Sorry I haven't had time to look into this yet. Maybe tomorrow. I did find this post by Honki in the http://forum.bsr-clan.de/ forum which seems to confirm the info you got. (Maybe you got your info from him?) I haven't had a chance to test it yet but Honki did open bug 301 regarding this issue so maybe it will be resolved by BrainSlayer...
     
  15. 4Access

    4Access Network Guru Member

    I'm not 100% sure... I believe both travel through the FORWARD chain... but I'm also not quite sure how it could be helpful for you to "DNAT to the same subnet"...

    This is a tougher issue than I originally expected. I've only done a little research but I believe part of the problem (if not most of it) is that iptables will not forward a packet addressed to a broadcast address if the router is connected to the destination subnet. For example, in your situation the problem with a packet sent from 192.168.1.2 to 192.168.0.255 is that the router is listening on the 192.168.0.x network and therefore the router (rightfully) considers a packet sent to 192.168.0.255 as one destined for itself, so the packet gets routed through the INPUT chain instead of the FORWARD chain even though it originated on the 192.168.1.x subnet.

    I haven't had time to search for work arounds but I'm curious about this topic so I am hoping to find time to look into it further. It's possible the solution may be similar to what's involved to get WOL working like rljo suggested.


    As for why your logging rules don't work I'm not sure what to suggest. All I can say is that at this point I believe that the following rules:

    iptables -t nat -I PREROUTING -i vlan1 -p udp --dport 7550 -j DNAT --to-destination 192.168.1.2

    iptables -I FORWARD -p udp --dport 7550 -j ACCEPT

    should allow the broadcasted chat traffic from the "lanoutside" network on the WAN side of the WRT to be forwarded to your 192.168.1.2 PC on the LAN side of the WRT. The problem is going the other direction, from the LAN to the WAN, since you need to send the traffic to everybody on the WAN side of the router...
     
  16. Kot_Behemot

    Kot_Behemot Network Guru Member

    Hello again,
    I found lately a bit more time to reconsider this issue. I installed a newer version of DD-WRT, and tried (once again) to forward this kind of packets from outside my LAN to inside my LAN. The problem persists, so I would like to ask you all once again for help.
    Maybe some of you had a similar problem and would like to share some info on how to solve this matter.
    I will shortly revise this one:
    Packets sent to the broadcast address on the WAN side are not being routed to the inside of my LAN.
    I put these rules in my iptables:
    iptables -t nat -I PREROUTING -i vlan1 -p udp --dport 7550 -j DNAT --to-destination 192.168.1.2   # to change dest address in order to put it through the FORWARD chain
    iptables -I FORWARD -p udp --dport 7550 -j ACCEPT   # to accept those packets

    Now, what doesn't work: packets hit the PREROUTING part (the counter is rising all the time), and do not hit the FORWARD part; that counter is zero all the time.

    Is it some fault in iptables, or a fault in DD-WRT which I should report to the developer? Or maybe it is a hardware fault?

    Sorry for my long inactivity in this thread, but after one month of everyday battle with this matter I was just hopeless. Now I have found more energy for this :).
    Thanks for previous replies, and hope for more.
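A small diagnostic, added here and not from the thread or from DD-WRT, that parses the verbose chain listings quoted in post 12 and compares the nat/PREROUTING DNAT counter with the filter/FORWARD ACCEPT counter for port 7550, reporting the "DNAT hit, FORWARD zero" pattern restated in post 16; the listings below are constructed in that same `iptables -L <chain> -v` layout. That pattern is what the Linux kernel produces for frames received to the Ethernet broadcast MAC: ip_forward() drops any packet whose pkt_type is not PACKET_HOST before the FORWARD chain is consulted, so a PREROUTING DNAT alone cannot make such a packet forwardable.

```python
import re

# Constructed samples in the `iptables -L <chain> -v` layout quoted in post 12
# (counters and rule text chosen to mirror what the thread reports).
NAT_PREROUTING = """\
Chain PREROUTING (policy ACCEPT 4812 packets, 389K bytes)
 pkts bytes target     prot opt in     out     source               destination
   12  1164 LOG        udp  --  vlan1  any     anywhere             anywhere            udp dpt:7550 LOG level warning prefix `borg on preroute '
   12  1164 DNAT       udp  --  vlan1  any     anywhere             anywhere            udp dpt:7550 to:192.168.1.2:7550
"""
FILTER_FORWARD = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        udp  --  any    any     anywhere             anywhere            udp dpt:7550 LOG level warning prefix `borg on fw '
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:7550
"""

# Columns: pkts bytes target prot opt in out source destination [match text]
RULE_RE = re.compile(r"^\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
SCALE = {"K": 1000, "M": 1000000, "G": 1000000000}  # suffixes iptables -v uses for counters

def count(value):
    """Turn an iptables -v counter such as '12' or '389K' into an int."""
    return int(value[:-1]) * SCALE[value[-1]] if value[-1] in SCALE else int(value)

def parse_rules(listing):
    """Return [(pkts, target, in_iface, dport)] for each rule line of a verbose chain listing."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)        # the 'Chain' and header lines do not start with a number
        if not m:
            continue
        dpt = re.search(r"\bdpt:(\d+)", m.group(10))
        rules.append((count(m.group(1)), m.group(3), m.group(6), int(dpt.group(1)) if dpt else None))
    return rules

def diagnose(prerouting, forward, port):
    """Compare the PREROUTING DNAT counter with the FORWARD ACCEPT counter for one UDP port."""
    dnat = sum(p for p, t, _, d in parse_rules(prerouting) if t == "DNAT" and d == port)
    fwd = sum(p for p, t, _, d in parse_rules(forward) if t == "ACCEPT" and d == port)
    if dnat == 0:
        verdict = "nothing matched the DNAT rule: check -i interface and --dport"
    elif fwd == 0:
        # Frames received with the Ethernet broadcast MAC (pkt_type PACKET_BROADCAST) are
        # dropped by ip_forward() before the FORWARD chain, so DNAT alone cannot forward them.
        verdict = "DNAT fired but FORWARD never saw the packet: broadcast not forwardable"
    else:
        verdict = "forwarded"
    return {"dnat_pkts": dnat, "forward_pkts": fwd, "verdict": verdict}
```

Run it on the live output of `iptables -t nat -L PREROUTING -v` and `iptables -L FORWARD -v` taken a few seconds apart to see whether the counters move together.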
     
  17. Kot_Behemot

    Kot_Behemot Network Guru Member

    up (one last time - hope nobody will be mad at me)
     
