NAT loopback/hairpinning query

Discussions for BiPAC 8900 series: 8900AX-1600, 8900AX-2400, 8900X
nightcustard
Posts: 66
Joined: Sat Nov 03, 2012 2:50 pm

NAT loopback/hairpinning query

Post by nightcustard »

When running my 8900 as a modem/router, I can leave my home-hosted Wireguard VPN running on my phone and am able to access both LAN and WAN while the phone is connected to the LAN.
I've recently been using my ISP's modem with the 8900 acting as a router only. In this configuration I can no longer use the VPN when connected to my LAN (which is a pain).
Is there an 8900 configuration change I could make to regain this LAN/VPN functionality? I've tried adding a static route but as I don't really know what I'm doing, I'm relying too much on luck and some guidance would be very welcome!
billion_fan
Posts: 5377
Joined: Tue Jul 19, 2011 4:30 pm

Re: NAT loopback/hairpinning query

Post by billion_fan »

nightcustard wrote: Fri Feb 09, 2024 8:46 am When running my 8900 as a modem/router, I can leave my home-hosted Wireguard VPN running on my phone and am able to access both LAN and WAN while the phone is connected to the LAN.
I've recently been using my ISP's modem with the 8900 acting as a router only. In this configuration I can no longer use the VPN when connected to my LAN (which is a pain).
Is there an 8900 configuration change I could make to regain this LAN/VPN functionality? I've tried adding a static route but as I don't really know what I'm doing, I'm relying too much on luck and some guidance would be very welcome!
Does the 8900 obtain a public IP from your ISP modem? Or does it receive a private IP?

Also, if you adjust the VPN settings on your phone and try to connect to the LAN IP of the VPN server, does that work?
nightcustard
Posts: 66
Joined: Sat Nov 03, 2012 2:50 pm

Re: NAT loopback/hairpinning query

Post by nightcustard »

Hi BF
In answer to your questions:
The 8900 receives a private IP from the modem (192.168.1.2) and is in the DMZ, so it's not double-firewalled.
If I change the phone's VPN endpoint to the address of the VPN server on my LAN, I can connect successfully to other LAN & WAN IPs.

Essentially I'm looking for a way to redirect any request to my public IP address from within the LAN to the VPN server but can't think how to do this. Interestingly, I can access LAN IPs by adding a One-to-One NAT with the Global IP address set to my public IP address, the Internal IP address set to the VPN server address and 'Valid' set to 'True'. I'm not sure about the security implications of this, and it doesn't permit access to the WAN from the phone.

Thanks, Mike
Last edited by nightcustard on Fri Feb 09, 2024 3:17 pm, edited 1 time in total.
billion_fan
Posts: 5377
Joined: Tue Jul 19, 2011 4:30 pm

Re: NAT loopback/hairpinning query

Post by billion_fan »

nightcustard wrote: Fri Feb 09, 2024 2:35 pm Hi BF
In answer to your questions:
The 8900 receives a private IP from the modem (192.168.1.2) and is in the DMZ, so it's not double-firewalled.
If I change the phone's VPN endpoint to the address of the VPN server on my LAN, I can connect successfully to other LAN & WAN IPs.

Essentially I'm looking for a way to redirect any request to my public IP address from within the LAN to the VPN server but can't think how to do this.

Thanks, Mike
The only thing I can think of is that it has something to do with double NAT/private IP (even though you have the connection in the DMZ, you still have double NAT).

I'm thinking you can't change the ISP router to modem only mode?

Is the VPN server installed behind the Billion or ISP router?
nightcustard
Posts: 66
Joined: Sat Nov 03, 2012 2:50 pm

Re: NAT loopback/hairpinning query

Post by nightcustard »

Hi BF

You're correct, I can't change the ISP router to modem only. The VPN server is installed behind the Billion router. I edited my previous comment, so I don't know whether you spotted the One-to-One NAT observation - is this relevant?
It looks like I need to play with iptables. If I can figure out how to redirect all queries to my public IP address to the VPN server using the (hopefully) unique port number as the filter, I think that could work. It would be good to figure it out as one day I'll be going full fibre and won't be able to use the Billion as a modem.
Incidentally, as a work-around I'm using Tasker on my (Android) phone to detect if it's home (connected to my WiFi network) and switch off the VPN.
nightcustard
Posts: 66
Joined: Sat Nov 03, 2012 2:50 pm

Re: NAT loopback/hairpinning query

Post by nightcustard »

Success (of sorts)!

I've added a couple of NAT rules using iptables which appear to permit VPN operation within my LAN. The commands I ran are as follows:

# Hairpin DNAT: LAN traffic aimed at the public IP and WireGuard port is rewritten to the internal server
iptables -t nat -A PREROUTING -i br0 -s 192.168.1.0/24 -d nn.nn.nnn.nnn/32 -p udp -m udp --dport XXXXX -j DNAT --to-destination 192.168.1.5
# Reply path: make the server see the router as the source, so replies come back through the router and are un-NATed instead of going straight to the phone
iptables -t nat -A POSTROUTING -o br0 -s 192.168.1.0/24 -d 192.168.1.5/32 -p udp -m udp --dport XXXXX -j SNAT --to-source 192.168.1.1
where 192.168.1.0/24 is my LAN
nn.nn.nnn.nnn/32 is my public IP address
XXXXX is the port number of my Wireguard server
192.168.1.5 is the address of my Wireguard server
192.168.1.1 is the address of the Billion router

The info for the NAT rules came from here: https://unix.stackexchange.com/question ... pback-work

The PREROUTING table now looks like:


Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             base-address.mcast.net/4
PPTP_PRE   all  --  anywhere             anywhere
L2TP_PRE   all  --  anywhere             anywhere
IPSEC_PRE  all  --  anywhere             anywhere
GRE_PRE    all  --  anywhere             anywhere
OVPN_PRE   all  --  anywhere             anywhere
VS_X_PRE   all  --  anywhere             anywhere
VS_PRE     all  --  anywhere             anywhere
1to1_PRE   all  --  anywhere             anywhere
RMA_PRE    all  --  anywhere             anywhere
DMZ_PRE   !icmp --  anywhere             anywhere
DNAT       udp  --  192.168.1.0/24      host-nn-nn-nnn-nnn.as13285.net  udp dpt:XXXXX to:192.168.1.5
The POSTROUTING table now looks like:


Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
1to1_POST  all  --  anywhere             anywhere
MASQUERADE  all  --  anywhere             anywhere             ctstate DNAT mark match 0x1000000/0x1000000
MASQUERADE  all  --  anywhere             anywhere
SNAT       udp  --  192.168.1.0/24      192.168.1.5         udp dpt:XXXXX to:192.168.1.1
There are a couple of issues with this approach:

These rule changes won't survive a reboot, and if my public IP address changes then I've got to re-edit the PREROUTING rule.

BTW, I used PuTTY to ssh into the router and used 'sh' to enter into a BusyBox shell, from which I could use the iptables commands.
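As an added example that is not from the original post or from the Billion firmware, the following POSIX sh script generates the same pair of hairpin rules from parameters, adds them only if absent (using `iptables -C`), removes the DNAT rule for the previous address when the public IP changes, and validates the looked-up address before it is ever spliced into an iptables command line. The interface `br0`, the addresses, the port 51820, the state file path and the lookup URL are all assumptions (the post masks the real public IP and port as nn.nn.nnn.nnn and XXXXX).

```sh
#!/bin/sh
# Added example (not from the forum post or Billion firmware): idempotent NAT
# loopback (hairpin) rules for a WireGuard server behind a router whose WAN
# side is itself behind an ISP NAT. Every value below is an assumption.
LAN_IF="${LAN_IF:-br0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
ROUTER_IP="${ROUTER_IP:-192.168.1.1}"
WG_SERVER="${WG_SERVER:-192.168.1.5}"
WG_PORT="${WG_PORT:-51820}"                 # assumed; the post masks it as XXXXX
STATE="${STATE:-/tmp/wg_hairpin.ip}"        # last public IP the DNAT was added for
IP_LOOKUP_URL="${IP_LOOKUP_URL:-http://api.ipify.org}"   # assumed lookup service

# Accept only a dotted-quad IPv4 address. The public IP comes back from an
# external service, so it is untrusted input: anything else (hostnames, a
# captive-portal HTML page, shell metacharacters) is refused.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Rule bodies (chain + match + target) without the -A/-C/-D verb, so the same
# text can be checked, added or deleted.
dnat_rule() {
    printf 'PREROUTING -i %s -s %s -d %s/32 -p udp -m udp --dport %s -j DNAT --to-destination %s' \
        "$LAN_IF" "$LAN_NET" "$1" "$WG_PORT" "$WG_SERVER"
}
snat_rule() {
    printf 'POSTROUTING -o %s -s %s -d %s/32 -p udp -m udp --dport %s -j SNAT --to-source %s' \
        "$LAN_IF" "$LAN_NET" "$WG_SERVER" "$WG_PORT" "$ROUTER_IP"
}

# iptables -C exits 0 when an identical rule already exists, so re-running the
# script from cron or a boot hook never stacks duplicate rules.
# $1 is intentionally unquoted so its words become separate iptables arguments.
ensure_rule() {
    iptables -t nat -C $1 2>/dev/null || iptables -t nat -A $1
}

get_public_ip() {
    wget -qO- "$IP_LOOKUP_URL"    # BusyBox wget assumed; use curl if available
}

apply_hairpin() {
    pub="$(get_public_ip)" || { echo "public IP lookup failed" >&2; return 1; }
    valid_ipv4 "$pub" || { echo "refusing non-IPv4 lookup result: $pub" >&2; return 1; }
    if [ -r "$STATE" ]; then
        old="$(cat "$STATE")"
        if [ "$old" != "$pub" ] && valid_ipv4 "$old"; then
            # public IP changed: drop the DNAT that still points at the old address
            iptables -t nat -D $(dnat_rule "$old") 2>/dev/null || true
        fi
    fi
    ensure_rule "$(dnat_rule "$pub")"
    ensure_rule "$(snat_rule)"
    printf '%s\n' "$pub" > "$STATE"
}

# Only touch iptables when invoked as `sh wg_hairpin.sh apply`; the functions
# above can be sourced or exercised without root.
case "${1:-}" in
    apply) apply_hairpin ;;
esac
```

Run it as `sh wg_hairpin.sh apply` from the router's BusyBox shell, once at boot and then on a timer so a changed public IP is picked up. The state file lives in /tmp and disappears at reboot, which is fine because the rules disappear with it. Note that the DNAT is limited to `-i br0 -s 192.168.1.0/24`, so it exposes nothing beyond the UDP port that is already forwarded to the server, whereas a One-to-One NAT entry maps the whole public address to the server rather than one port.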