
Using iptables to get Wake On Lan (WOL) to work

Discussion in 'HyperWRT Firmware' started by cat101, Jan 22, 2005.

  1. cat101

    cat101 Network Guru Member

    Hi everyone,

    I'm trying to get the WRT54G (running HyperWRT 2.0b4) to forward every UDP packet coming in on the WAN interface for port 9 to the 192.168.1.255 address on the internal network. As people have mentioned in other posts (http://www.broadbandreports.com/faq/6790), the router does not know which IP is connected to which port (when the machines are off), so the solution is to broadcast the "magic packet" to all the ethernet ports.

    Since the current web management interface does not allow me to forward packets to a broadcast address I just added this rule directly into the router's netfilter

    iptables -t nat -I PREROUTING 4 -p udp -i vlan1 --dport 9 -j DNAT --to-destination 192.168.1.255:9

    Now, I've successfully used this same rule to do things like converting a UDP port 9 packet to a port 11 packet and send it to machine X. Still for some reason this does not work to wake up my machine (which was able to remote start when I had a netgear router).

    Any ideas on what may be the problem?? Another test I did was sending a broadcast ping to the internal network (from the router shell) and I only got a reply from the router itself (192.168.1.1). On a regular network all the machines should have replied. Do you think that maybe there is something that prevents broadcast packets from being sent?

    Thanks for your help

    Cat101

    PS: I don't have any extra forwarding enabled, except for having a DMZ machine and using QoS on one Ethernet port
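To make concrete what the rule above is forwarding, here is a small helper (added here, not part of the original post) that builds the UDP port-9 "magic packet" and validates one, which is useful for checking with a packet capture on the LAN side whether the broadcast really carries a well-formed packet. The MAC address and the 192.168.1.255 broadcast address used below are the constructed sample values; the SecureOn password support is optional and not discussed in the thread.

```python
import re
import socket

# MAC in aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabbccddeeff form
MAC_RE = re.compile(r"^" + r"([0-9A-Fa-f]{2})[:-]?" * 5 + r"([0-9A-Fa-f]{2})$")

def parse_mac(mac: str) -> bytes:
    """Return the 6 raw bytes of a textual MAC address, or raise ValueError."""
    m = MAC_RE.match(mac.strip())
    if not m:
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes(int(h, 16) for h in m.groups())

def build_magic_packet(mac: str, password: bytes = b"") -> bytes:
    """Magic packet: 6 bytes of 0xFF (sync stream) followed by the target MAC
    repeated 16 times (102 bytes total), plus an optional 4- or 6-byte
    SecureOn password appended by some NICs/senders."""
    if len(password) not in (0, 4, 6):
        raise ValueError("SecureOn password must be 0, 4 or 6 bytes")
    return b"\xff" * 6 + parse_mac(mac) * 16 + password

def parse_magic_packet(payload: bytes):
    """Return the target MAC (colon form) if payload contains a well-formed
    magic packet, else None. The sync stream may sit at any offset, so the
    payload is searched for it rather than checked only at offset 0."""
    idx = payload.find(b"\xff" * 6)
    if idx < 0 or len(payload) - idx < 102:
        return None
    mac = payload[idx + 6:idx + 12]
    if payload[idx + 6:idx + 102] != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)

def send_magic_packet(mac: str, broadcast: str = "192.168.1.255",
                      port: int = 9, password: bytes = b"") -> int:
    """Send the packet to the LAN broadcast address (constructed sample
    default); SO_BROADCAST is required for a broadcast destination.
    Returns the number of bytes sent."""
    pkt = build_magic_packet(mac, password)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return s.sendto(pkt, (broadcast, port))
```

Running `tcpdump -i br0 udp port 9` on the router while the packet arrives from the WAN shows whether the DNAT rule is actually emitting anything on the LAN side.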
     
  2. Toril

    Toril Network Guru Member

    Dunno if you can get a command shell in HyperWRT, but try this:

    cat /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

    If it's a "1" they're disabled, if "0" it's not. It's the same as Cisco's "no ip directed-broadcast" command. Prevents ye olde tyme Smurf attacks. So be careful, might be something you wouldn't mind disabling on the Lan but not on the Wan...
     
  3. cat101

    cat101 Network Guru Member

    Thanks for the reply, icmp_echo_ignore_broadcasts is 0 so there must be another problem.

    Cat101

    PS: Here is a dump of all the tables and chains in case it helps

    # iptables -L --line-number
    Chain INPUT (policy ACCEPT)
    num target prot opt source destination

    Chain FORWARD (policy ACCEPT)
    num target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    num target prot opt source destination

    # iptables -t nat -L --line-number
    Chain PREROUTING (policy ACCEPT)
    num target prot opt source destination
    1 DROP all -- anywhere 192.168.1.0/24
    2 DNAT icmp -- anywhere host-xx-xx-xx-xx.yyyyy.net to:192.168.1.1
    3 TRIGGER all -- anywhere host-xx-xx-xx-xx.yyyyy.net TRIGGER type:dnat match:0 relate:0
    4 DNAT all -- anywhere host-xx-xx-xx-xx.yyyyy.net to:192.168.1.2

    Chain POSTROUTING (policy ACCEPT)
    num target prot opt source destination
    1 MASQUERADE all -- anywhere anywhere
    2 MASQUERADE all -- 192.168.1.0/24 192.168.1.0/24

    Chain OUTPUT (policy ACCEPT)
    num target prot opt source destination

    # iptables -t mangle -L --line-number
    Chain PREROUTING (policy ACCEPT)
    num target prot opt source destination
    1 MARK all -- anywhere anywhere MARK set 0x100

    Chain INPUT (policy ACCEPT)
    num target prot opt source destination

    Chain FORWARD (policy ACCEPT)
    num target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    num target prot opt source destination

    Chain POSTROUTING (policy ACCEPT)
    num target prot opt source destination
     
