Router behind router: port forwarding fails

Discussion in 'Tomato Firmware' started by DeepC, Oct 21, 2012.

  1. DeepC

    DeepC Serious Server Member


    I have a two router setup:
    • R1: Vodafone Easybox 903, static IP. This is a VDSL modem/router. Its DMZ setting points to router 2. Everything else is turned off (Firewall, DHCP, UPnP, etc).
    • R2: WRT54GL with Tomato v1.28, static IP. WAN is disabled. This router is supposed to do DHCP, port forwarding, wireless, and QoS.
    Internet -> R1 (easybox) -> R2 (tomato) -> PC

    The problem: inbound traffic seems to ignore port forwarding rules and gets rejected. Outbound traffic works though, traceroute clearly shows that the traffic is routed PC -> R2 -> R1.

    For example, a webserver running on the PC at port 4711 is not accessible from the internet. In theory, R1 should route everything to R2 because of R1-DMZ, and R2 should port forward to PC.

    For debugging, I added a port forwarding rule to R1 forwarding 4711 to PC. This works (webserver accessible from outside). If that rule forwards to R2, it does not work although R2 has another port forwarding for 4711 to PC. I don't trust the R1/easybox very much but this seems to indicate that there is a problem on R2/tomato. I also tried setting R2/tomato's DMZ to PC. Should not require any port forwarding then but also does not work.

    Configuration on R2/tomato:

    WAN type disabled
    Use WAN port for LAN: yes
    Subnet Mask:
    Default Gateway:

    Current Routing Table
    Destination Gateway Subnet Mask Metric Interface * 0 br0 (LAN) * 0 lo
    default 0 br0 (LAN)

    Mode: router (not gateway)

    Port forwarding TCP, Ext Port 4711, Int Address (that is PC).

    I am running out of ideas but still want to use Tomato for everything as I did for the last 5+ years (with a dumb ADSL modem though). Any advice? Thanks a lot...
  2. koitsu

    koitsu Network Guru Member

    The port forwarding rules on Tomato are bound to interface vlan2, which is the WAN interface/port on your router. This is why the forwards don't work. Proof:

    root@gw:/tmp/home/root# iptables -L -n -v
    Chain INPUT (policy DROP 359 packets, 30157 bytes)
    pkts bytes target    prot opt in    out    source              destination
    1017 63244 DROP      all  --  *      *            state INVALID
    90502  21M ACCEPT    all  --  *      *            state RELATED,ESTABLISHED
      120  7844 ACCEPT    all  --  lo    *  
    120K 8843K ACCEPT    all  --  br0    *  
    463K  29M ACCEPT    icmp --  *      *  
        1    44 ACCEPT    udp  --  *      *            udp dpts:33434:33534
    73682  26M ACCEPT    udp  --  *      *            udp spt:67 dpt:68
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target    prot opt in    out    source              destination
        4  181 ACCEPT    all  --  br0    br0  
      865 92742 DROP      all  --  *      *            state INVALID
    177K 9523K TCPMSS    tcp  --  *      *            tcp flags:0x06/0x02 TCPMSS clamp to PMTU
      55M  36G ACCEPT    all  --  *      *            state RELATED,ESTABLISHED
    22001 1579K wanin      all  --  vlan2  *  
    277K  19M wanout    all  --  *      vlan2  
    277K  19M ACCEPT    all  --  br0    *  
    21991 1578K upnp      all  --  vlan2  *  
    Chain OUTPUT (policy ACCEPT 320K packets, 36M bytes)
    pkts bytes target    prot opt in    out    source              destination
    Chain upnp (1 references)
    pkts bytes target    prot opt in    out    source              destination
    21466 1545K ACCEPT    udp  --  *      *          udp dpt:28642
      465 25976 ACCEPT    tcp  --  *      *          tcp dpt:28642
    Chain wanin (1 references)
    pkts bytes target    prot opt in    out    source              destination
      10  604 ACCEPT    tcp  --  *      *          tcp dpt:113
        0    0 ACCEPT    tcp  --  *      *          tcp dpt:22
    Chain wanout (1 references)
    pkts bytes target    prot opt in    out    source              destination

    Look very carefully at the "wanin" chain near the bottom -- there are two forwards there (one for TCP port 22, one for TCP port 113) being forwarded to (Windows machine on my LAN).

    So what uses the "wanin" chain? Look up at the "FORWARD" chain and notice the target field which says "wanin", then notice what interface it's bound to -- vlan2. vlan2 is the WAN interface (e.g. in my case, it has my public Internet IP):

    root@gw:/tmp/home/root# ifconfig vlan2
    vlan2      Link encap:Ethernet  HWaddr E0:CB:4E:C0:00:C5
               inet addr:  Bcast:  Mask:
               UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
               RX packets:53163458 errors:0 dropped:0 overruns:0 frame:0
               TX packets:22344172 errors:0 dropped:0 overruns:0 carrier:0
               collisions:0 txqueuelen:0
               RX bytes:697687979 (665.3 MiB)  TX bytes:2210002750 (2.0 GiB)

    So try this instead:

    * Hook R1's LAN port up to R2's WAN port
    * Give R1 a LAN IP address of
    * On R1, set DMZ to
    * Give R2 a WAN IP address of netmask (static IP)
    * Give R2 a LAN IP address of netmask (this is the default)
    * Add the port forwards to R2, forwarding them to machines on your LAN that exist within the network space
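    The point koitsu makes above (the "wanin" and "upnp" chains are only entered from vlan2, so forwards never see traffic that arrives on br0) can be checked mechanically rather than by eye. The following is an added example, not code from this thread or from Tomato: a small Python parser for `iptables -L -n -v` output that records, for every user-defined chain jumped to from FORWARD, which input and output interface the jump rule is bound to. The sample listing is the one koitsu posted (source/destination addresses are absent, as on the page, so the parser only relies on the first seven columns); the function and variable names are my own.

```python
"""Parse `iptables -L -n -v` output and report which interface each
user-defined chain is entered from in the FORWARD chain.

Added example for the thread; not Tomato's own code.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Listing from koitsu's post. The source/destination columns are blank
# there (addresses were stripped from the page), so only the first seven
# columns of each rule line are parsed positionally.
SAMPLE_OUTPUT = """
Chain INPUT (policy DROP 359 packets, 30157 bytes)
pkts bytes target prot opt in out source destination
1017 63244 DROP all -- * * state INVALID
90502 21M ACCEPT all -- * * state RELATED,ESTABLISHED
120 7844 ACCEPT all -- lo *
120K 8843K ACCEPT all -- br0 *
1 44 ACCEPT udp -- * * udp dpts:33434:33534
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4 181 ACCEPT all -- br0 br0
865 92742 DROP all -- * * state INVALID
177K 9523K TCPMSS tcp -- * * tcp flags:0x06/0x02 TCPMSS clamp to PMTU
55M 36G ACCEPT all -- * * state RELATED,ESTABLISHED
22001 1579K wanin all -- vlan2 *
277K 19M wanout all -- * vlan2
277K 19M ACCEPT all -- br0 *
21991 1578K upnp all -- vlan2 *
Chain OUTPUT (policy ACCEPT 320K packets, 36M bytes)
pkts bytes target prot opt in out source destination
Chain upnp (1 references)
pkts bytes target prot opt in out source destination
21466 1545K ACCEPT udp -- * * udp dpt:28642
465 25976 ACCEPT tcp -- * * tcp dpt:28642
Chain wanin (1 references)
pkts bytes target prot opt in out source destination
10 604 ACCEPT tcp -- * * tcp dpt:113
0 0 ACCEPT tcp -- * * tcp dpt:22
Chain wanout (1 references)
pkts bytes target prot opt in out source destination
"""

@dataclass
class Rule:
    pkts: str
    bytes: str
    target: str
    prot: str
    in_if: str
    out_if: str
    extra: str          # everything after the "out" column (addresses, match text)

@dataclass
class Chain:
    name: str
    policy: Optional[str]   # None for user-defined chains such as wanin
    rules: List[Rule]

CHAIN_RE = re.compile(r"^Chain (\S+) \((.*)\)$")
POLICY_RE = re.compile(r"policy (\S+)")

def parse_iptables(text: str) -> Dict[str, Chain]:
    """Split `iptables -L -n -v` output into chains with their rule rows."""
    chains: Dict[str, Chain] = {}
    current: Optional[Chain] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            pm = POLICY_RE.search(m.group(2))
            current = Chain(m.group(1), pm.group(1) if pm else None, [])
            chains[current.name] = current
            continue
        if current is None or line.startswith("pkts"):
            continue                     # column header row
        cols = line.split()
        if len(cols) < 7:
            continue
        current.rules.append(Rule(cols[0], cols[1], cols[2], cols[3],
                                  cols[5], cols[6], " ".join(cols[7:])))
    return chains

def user_chain_entries(chains: Dict[str, Chain],
                       from_chain: str = "FORWARD") -> Dict[str, Tuple[str, str]]:
    """Map each user-defined chain jumped to from `from_chain` to the
    (in, out) interface pair of the rule that jumps to it."""
    entries: Dict[str, Tuple[str, str]] = {}
    for r in chains[from_chain].rules:
        if r.target in chains and chains[r.target].policy is None:
            entries[r.target] = (r.in_if, r.out_if)
    return entries

def chains_unreachable_from(chains: Dict[str, Chain], iface: str,
                            from_chain: str = "FORWARD") -> List[str]:
    """User-defined chains that packets entering on `iface` can never reach,
    because the jump rule is bound to a different input interface."""
    return sorted(name for name, (in_if, _) in
                  user_chain_entries(chains, from_chain).items()
                  if in_if not in ("*", iface))

def accepted_ports(chains: Dict[str, Chain], chain_name: str) -> List[Tuple[str, int]]:
    """(protocol, destination port) of every ACCEPT rule in a chain."""
    ports = []
    for r in chains[chain_name].rules:
        m = re.search(r"dpts?:(\d+)", r.extra)
        if r.target == "ACCEPT" and m:
            ports.append((r.prot, int(m.group(1))))
    return ports

if __name__ == "__main__":
    table = parse_iptables(SAMPLE_OUTPUT)
    for name in chains_unreachable_from(table, "br0"):
        in_if = user_chain_entries(table)[name][0]
        print(f"{name}: entered only from {in_if}; traffic arriving on br0 "
              f"never reaches its forwards {accepted_ports(table, name)}")
```

Run against a live listing (`iptables -L -n -v > fw.txt` on the router, then feed the file contents to `parse_iptables`), the output names every forwarding chain that a packet coming in on the LAN bridge cannot reach, which is exactly the situation in the original post where R2's WAN port was turned into a LAN port.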
  3. DeepC

    DeepC Serious Server Member

    koitsu, thank you thank you thank you ;-)

    This is working great. There was a short heart-stopper moment of not working-ness. Fortunately I could resolve that by changing the mode from "Router" to "Gateway". Also, thanks for the explanation. Now everything makes sense...

    koitsu likes this.