DD-WRT: How to allow port forwarding to apply to requests originating from inside the LAN?

26

13

With the original firmware of my router I had port forwarding defined from port 80 to the server in the LAN, which I used in conjunction with an external dynamic DNS service.

I've now upgraded to DD-WRT and alas the port forwarding only works for requests to the external IP from outside the LAN. From inside the LAN I can only access the server by its internal IP.

How can I get the external IP (and thereby the domain name connected to the dynamic external IP) to be properly accessible also from inside the LAN?

I prefer to find out how to achieve it with standard DD-WRT definitions but using e.g. iptables isn't out of the question.

UrEl

Posted 2011-05-19T10:42:51.953

Reputation: 771

Answers

25

Seems like it's a bug in recent DD-WRT builds.

Use iptables:

iptables -t nat -I POSTROUTING -o br0 -s 192.168.1.0/24 -d 192.168.1.0/24 -j MASQUERADE

(change your subnet according to your specific LAN)

From http://hax.at/text/41

UrEl

Posted 2011-05-19T10:42:51.953

Reputation: 771

Can someone (UrEl?) please explain why that iptables command works? I'd like to use it, but what if it opens up my entire network. :) – ragerdl – 2015-07-16T07:37:02.260

Saving it in the firewall script worked for me. I didn't try it as a startup script. – ragerdl – 2015-07-16T07:41:06.963

That was NOT obvious! worked like a charm :) – Jay – 2011-10-14T03:04:16.370

I set this as a startup command and rebooted the router, but no change — still doesn’t work. – Timwi – 2012-03-11T22:57:11.287

Worked for me. Thank you very much. Now I can access my ddns assigned IP from my internal network on my DD-WRT routers. – nusi – 2012-05-07T00:27:54.493

This worked for me, but only if I saved it as the firewall script and not the startup script. – Jarett Millard – 2012-07-29T05:00:57.327

@Timwi - As Jarett mentioned, I too had to put this in the "Firewall" section, not the "Startup" section. – dan_linder – 2014-02-22T03:53:24.097

4

In the spirit of UrEl's answer: A self-configuring iptables script that can just be copy-pasted without further adaptation can be found on the DD-WRT forum:

insmod ipt_mark
insmod xt_mark
iptables -t mangle -A PREROUTING -i ! `get_wanface` -d `nvram get wan_ipaddr` -j MARK --set-mark 0xd001
iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
iptables -t nat -A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE

As noted by Jarett, this has to be used as Firewall script and not as Startup script.

krlmlr

Posted 2011-05-19T10:42:51.953

Reputation: 572

This solution worked for me better than UrEl's one because the latter made my SIP phone unable to connect. – jamix – 2014-09-24T10:09:31.097

What's the difference between this and @UrEl's rule (besides dynamically getting wan interface and ip address)? – Piotr Dobrogost – 2017-02-20T21:23:19.813
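To make the two iptables answers above (UrEl's subnet-based MASQUERADE and krlmlr's CONNMARK variant) concrete, here is an added example script that is not part of either answer. It generates the lines a DD-WRT "Firewall" script would run for NAT loopback, i.e. LAN clients reaching a forwarded port through the router's WAN address, in both styles, so the difference can be read side by side. The interface and address values in the sample run are assumptions (br0 as the LAN bridge, 192.168.1.0/24 as the LAN, 203.0.113.5 as the WAN address, 192.168.1.10:80 as the forwarded server); on a real router they come from `nvram` and `get_wanface`, as in the answers.

```shell
#!/bin/sh
# Added example, not code from the original answers. Generates (and optionally applies)
# NAT-loopback rules for a DD-WRT firewall script in the two styles used on the page.
# Assumed values for the sample run; SERVER/PORT can be overridden from the environment.
SERVER=${SERVER:-192.168.1.10}
PORT=${PORT:-80}

# Style 1 (UrEl's answer): source-NAT every packet the router itself ROUTES from the LAN
# subnet back into the LAN subnet. LAN hosts normally reach each other through the
# switch, so the only packets that match are hairpinned ones that already passed the
# DNAT rule. The server then sees the router's LAN address as the client and sends its
# reply back through the router, which reverses the DNAT. Without this, the server would
# answer the client directly from its own LAN address, and the client discards that
# reply because it opened the connection to the WAN address. Nothing arriving from the
# WAN side can match the rule, since its source is never in the LAN subnet.
hairpin_subnet_rules() {
  lan_if=$1 lan_net=$2 wan_ip=$3 server=$4 port=$5
  # DNAT + FORWARD are what a GUI port forward already installs; listed for completeness.
  printf 'iptables -t nat -I PREROUTING -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' "$wan_ip" "$port" "$server" "$port"
  printf 'iptables -I FORWARD -o %s -d %s -p tcp --dport %s -j ACCEPT\n' "$lan_if" "$server" "$port"
  printf 'iptables -t nat -I POSTROUTING -o %s -s %s -d %s -j MASQUERADE\n' "$lan_if" "$lan_net" "$lan_net"
}

# Style 2 (krlmlr's answer): mark connections that arrive on a non-WAN interface with
# the WAN address as destination, and masquerade only those. Other traffic the router
# routes between LAN addresses (between VLANs, or a SIP phone's media path) is left
# untouched, which is why it coexists better with such traffic than style 1.
hairpin_mark_rules() {
  wan_if=$1 wan_ip=$2 server=$3 port=$4
  printf 'iptables -t nat -I PREROUTING -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' "$wan_ip" "$port" "$server" "$port"
  printf 'iptables -t mangle -A PREROUTING ! -i %s -d %s -j MARK --set-mark 0xd001\n' "$wan_if" "$wan_ip"
  printf 'iptables -t mangle -A PREROUTING -j CONNMARK --save-mark\n'
  printf 'iptables -t nat -A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE\n'
}

if [ "${APPLY:-0}" = 1 ]; then
  # On the router: values from nvram/get_wanface, rules fed to the shell (style 2).
  hairpin_mark_rules "$(get_wanface)" "$(nvram get wan_ipaddr)" "$SERVER" "$PORT" | sh
else
  # Off the router: just print both variants with the assumed sample values.
  hairpin_subnet_rules br0 192.168.1.0/24 203.0.113.5 "$SERVER" "$PORT"
  echo
  hairpin_mark_rules vlan2 203.0.113.5 "$SERVER" "$PORT"
fi
```

Run it without arguments to see the generated rules; with `APPLY=1` on the router it applies the CONNMARK variant. If the port forward is already configured in the DD-WRT GUI, drop the DNAT and FORWARD lines and keep only the MASQUERADE (and MARK/CONNMARK) lines, which is all the two answers add. A quick check from a LAN client is `iptables -t nat -L POSTROUTING -v -n` on the router: the MASQUERADE counter should increase only when a LAN host connects to the WAN address, not for ordinary LAN or Internet traffic.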

1

Try disabling "Filter WAN NAT redirection" in the Security->Firewall tab. From the help description:

Filter WAN NAT Redirection Prevents hosts on LAN from using WAN address of router to contact servers on the LAN (which have been configured using port redirection).

Tobias Plutat

Posted 2011-05-19T10:42:51.953

Reputation: 5 051

It was already disabled (by default). Any other ideas? – UrEl – 2011-05-19T10:59:43.973

That is weird - on my LAN, this setting is exactly what makes the difference. Which build are you using? Maybe you should double-check your port forwarding - maybe there's something wrong there that you missed (maybe the IPs have changed between your external and internal access, thus breaking port forwardings?) – Tobias Plutat – 2011-05-19T11:12:27.463

I'm using 16994. In the meantime I found this: http://hax.at/text/41 – UrEl – 2011-05-19T11:26:29.140

Oh, how I love buggy DD-WRT releases! (Establishing a connection from clients used to take ages for some time... until I found out that host names in static leases should only contain alphabetic characters. Arrgh!) – Tobias Plutat – 2011-05-19T11:37:43.567

1

It sounds like your real problem is that you need two views of the DNS A record. Externally your dynamic dns points to your network public IP which forwards port 80 to the local host. All you need to do is add an entry in dnsmasq with an A record pointing the same fully qualified domain name to the local host ip for your local hosts. You can do that by adding the following on the Services page/Additional dnsmasq options:

 address=/www.mydomain.com./xx.xx.xx.xx

Just replace the xx's with the local IP and the domain name with your domain name. Don't forget the trailing dot or it will append your local domain name to it.

systemconcierge

Posted 2011-05-19T10:42:51.953

Reputation: 86

This is what I did, and it works! But is it possible to do this for certain ports? This will only work if you're forwarding ports to a single computer. If you're forwarding ports to multiple computers, it won't work... – rinogo – 2015-06-30T19:05:22.797
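As an added example for the split-horizon DNS approach in systemconcierge's answer (not code from that answer), the script below builds the "Additional dnsmasq options" lines for several names, adds the trailing dot the answer recommends when it is missing, and refuses a target that is not a private LAN address, since answering LAN clients with the public address would just recreate the original loop. The host names and addresses are constructed samples; `is_private_ipv4`, `dnsmasq_local_entry` and `dnsmasq_local_entries` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the original answer. Emits dnsmasq "address=" options so
# that clients using the router as resolver get the LAN address for a public name.

# is_private_ipv4 A.B.C.D -> 0 if the address is in 10/8, 172.16/12 or 192.168/16
is_private_ipv4() {
  case $1 in
    10.*) return 0 ;;
    192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
  esac
  return 1
}

# dnsmasq_local_entry NAME IP -> prints "address=/NAME./IP"
# The trailing dot is appended when absent (the answer's advice); non-LAN targets are
# rejected because the entry exists precisely to hand out the LAN address.
dnsmasq_local_entry() {
  name=$1 ip=$2
  is_private_ipv4 "$ip" || { echo "refusing $name: $ip is not a LAN address" >&2; return 1; }
  case $name in
    *.) ;;
    *) name="$name." ;;
  esac
  printf 'address=/%s/%s\n' "$name" "$ip"
}

# dnsmasq_local_entries reads "name ip" pairs from stdin (one per line) and emits the
# options block. Different names may map to different LAN hosts, but a port cannot be
# part of the mapping: DNS answers for names only, which is the limit rinogo ran into.
dnsmasq_local_entries() {
  while read -r n ip; do
    [ -n "$n" ] || continue
    dnsmasq_local_entry "$n" "$ip" || return 1
  done
}

# Sample run with constructed names and addresses
dnsmasq_local_entries <<'EOF'
www.mydomain.com 192.168.1.10
git.mydomain.com 192.168.1.11
EOF
```

Paste the printed lines into Services, Additional dnsmasq options, and verify from a LAN client with `nslookup www.mydomain.com <router LAN IP>`: it should return the LAN address, while a public resolver still returns the WAN address. This only helps clients that actually use the router for DNS; a host with a hard-coded external resolver keeps resolving the public address and still depends on the NAT-loopback rules from the other answers.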