Port forwarding oddity/bug

Discussion in 'Tomato Firmware' started by n4mwd, Apr 22, 2013.

  1. n4mwd

    n4mwd Serious Server Member

    I have been testing my asterisk voicemail to email system and I noticed that a connection from (the router IP) was remaining connected to the IMAP server after the voicemail was emailed. Connections from my laptop came and went as I checked my email. I manually force dropped the connection to at the mail server and it would just reappear a few minutes later. At first, I thought this was related to my testing of the asterisk voicemail system, but after a lot of experimentation, I discovered it was actually my cell phone.

    Now here is the issue. The cell phone's IP address is something like Yet, when it got to the mail server, it was This is why I thought the router was doing this.

    Both my laptop and cell phone connect via wifi. The laptop shows the correct IP on the mail server and the cell phone does not.

    Here is the difference. The laptop is only used at the house so it connects to the internal server name "myserver" at port 143. Because my ISP blocks 143, I used tomato to port forward 800 to 143. Because I use the cell phone from everywhere, it has to connect to my external address at port 800 which gets forwarded to port 143 internally.

    So the question is why does the port forwarding change the sender's IP address to the router's?
    Is this something that only happens when behind the NAT?
    If this happens from external addresses too, then this is a major security risk because the mail server doesn't require authentication for local addresses.
  2. koitsu

    koitsu Network Guru Member

    Please read everything I have said slowly and in full.

    I've read your post fully 3 times now, because I could not for the life of me figure out what you were complaining about. Then I realised what you're complaining about is that connections from devices on your LAN to connections on a mail server also on your LAN (but you're connecting to the WAN IP address), show up as connecting from (your router itself) rather than from the actual client IP.

    The reason this happens is because the client ( is connecting to the WAN IP, thus the packet has to go through the NAT translation layer, and has to rely on NAT loopback.

    Stop doing this immediately. LAN connections should go to other devices on the LAN only, do not use the WAN IP. In fact, using the WAN IP with NAT loopback can result in major performance hits (I can find you the thread proving that if you want).

    And now you will respond with this: "but I don't want to have to change the FQDN/hostname configured in every time I go away from my home and have to change it back, that's annoying!".

    And I agree: so then don't!

    Assuming clients on your LAN are using for their DNS server (i.e. dnsmasq on your router), you can have dnsmasq return a LAN IP address for an FQDN (which will only affect LAN clients doing DNS lookups) by adding this to the dnsmasq custom configuration section in the GUI:




    Let's talk about this providing actual useful IP addresses/descriptions:

    Cell phone IP (when on LAN) =
    Cell phone IP (when roaming) =
    IMAP server IP =
    Router IP (LAN) =
    Router IP (WAN) =

    Then when cell phone attempts to connect to some.host.name, it'll do a DNS lookup and get back (instead of, and then connect to the LAN IP. At the same time, when the cell phone is not on your LAN and connects to some.host.name, it'll connect to the WAN IP (since Internet DNS resolution will resolve it to the WAN IP; I assume you're using something like DynDNS).

    Make sense?

    Now about the TCP port number and port forwarding:

    Because LAN --> LAN connections do not involve the Port Forwarding table (that's just for inbound WAN --> LAN), you will need to make your IMAP server listen on TCP port 800. This should be incredibly easy to do with proper configuration files/variables that pertain to the IMAP server. I've used Dovecot for years and it lets you do this, as do many other IMAP servers.

    Alternately (and I do not recommend this, because it's much more sane/logical to have the IMAP server listen on a different port), you may be able to use packet forwarding/rewriting rules on the IMAP server itself to forward inbound connections to TCP port 800 to TCP port 143.

    IMAP, by the way, is a resilient protocol, meaning it keeps a TCP session open indefinitely, even when not actively pulling down mail. This is by design. This is mainly something done in IMAP version 4, but that's splitting hairs.
  3. n4mwd

    n4mwd Serious Server Member

    I tried that, but it didn't work right. I added "address=/MyExternalName.com/" to the dnsmasq custom config box. I then opened a DOS box in Windows and did "ping MyExternalName.com" and it shows the real IP address instead of the internal one. I checked "Interecpt port 53" to make sure windows wasn't cheating. But strange enough, if I ping www.MyExternalName.com, it shows the internal address. The same is true when I use any other prefix (not necessarily a real one). Actually, I just noticed that if I ping <invalid URL> it translates to the local IP.

    One other problem is that the mail server is currently running on a Windows box. The asterisk server runs on the router. They have different internal IPs. I plan to move the mail server to the router in the future, but for now, that's the way it is. The problem is that the DNS rerouting trick we are attempting to do doesn't distinguish between mail requests and VOIP requests.

    Also, I don't use a dynamic IP. I have a static one so at least I don't have that headache.

    I used an older version of tomato on my 54g and I didn't have to worry about any of this stuff. Why is it different now?
  4. koitsu

    koitsu Network Guru Member

  5. n4mwd

    n4mwd Serious Server Member

    In theory, it should have worked. I must have accidentally checked the "Do the opposite of whats in the custom config box" button. What was happening was that if the name resolved with the real DNS, it would return that IP. If not, it would resolve to So http://asjfhlkjehflkjnleqkrj433r5n54335t45gjk.com would resolve to the router IP.

    When that didn't work, I also tried adding it to the hosts file, but that only seemed to work on the router itself.

    If I could get this working, I could probably create a mail.myserver.com DNS entry and use that to direct it to the proper internal address using your method.
  6. koitsu

    koitsu Network Guru Member

    Like I said -- it works for other people, including myself. Hopefully others can chime in here and help you, my time right now is spent on FreeBSD kernel work.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice