Firewall and NAT behaviour in RUT routers

Hi. I am seeing unexpected behaviour with my RUT901 NAT configuration. I am unsure if I have configured Port Forward/Firewall/NAT correctly.

My desire is for all incoming UDP traffic destined for port 50002 to be directed to a specific private IP. I have set a port forward rule for this and it seems to work correctly.

I also want any outbound UDP traffic destined for port 50002 from that private IP to be delivered to the external target, maintaining the source port (which is also 50002).

What appears to be happening, looking at TCPdump output on the RUT is that the inbound traffic is forwarded correctly to the private IP on port 50002. The outbound traffic destined for WAN target port 50002 and with client source port 5002 is preserved as far as the RUT - however when it exits the RUT via its gateway address - the source port has been changed to a random other port. It is not preserving the source port when it is delivered to the WAN target.

I am not sure if I need a special rule for outbound traffic to preserve the source port number. I’ve tried adding rules to the firewall section, and the NAT section, but that doesn’t seem to influence the client source port number that is used when the traffic exits the RUT to the WAN. Can you advise what the correct rules are and what section of the RUT I should put them in to achieve what I want here please? I can supply screenshots and pcap output to show what is happening if required.

many thanks

Greetings,

Please navigate to System → Package Manager and install the IPtables NAT extra package.

Once installed, go to Network → Firewall → Custom Rules and add the following rule to the text box:
iptables -t nat -I POSTROUTING -s 192.168.1.100 -p udp --sport 50002 -j MASQUERADE --to-ports 50002
(Replace 192.168.1.100 with the device’s IP address.)
This rule explicitly forces the external source port to 50002.

Please note that this configuration will only work if your WAN interface has a public IP address. You can verify this by navigating to Network → WAN. If the IP address falls within any of these ranges - 10.0.x.x, 192.168.x.x, 172.16.x.x to 172.31.x.x, 100.64.x.x to 100.127.x.x, it is an IP address under CGNAT, and your desired configuration wouldn’t be possible.

Please let me know the results.

Best Regards,
Justinas

Hi Justinas,

Thanks for responding. I’m afraid my WAN (mobile actually) address is private - a 10.183.0.x. It is in a very narrow subnet (255.255.255.252) - and is not overlapping with the private address LAN side of the router (standard 192.168.1.x / 255.255.255.0). So the custom rule below is not likely to work?

I’m not sure why the port number is being changed in the first place. When I originally set this up it was all working correctly. I think I then changed something in the firewall section of the config menus and now it is remapping the source port number. Is there a way to reset all the firewall rules back to the RUT defaults (without resetting all the other config sections?)

Here is an example of the packets. Incoming first from UDP 10.10.65.41:50002 (the server) to destination 10.53.128.1:50002 (the advertised SIM WAN address). The actual target device is connected on the LAN side of the RUT and has IP address 192.168.111.

I am puzzled as to why there are 4 packet captures incoming and only 3 outgoing. The 192.168.1.1 to 192.168.1.111 hop is repeated. I’ve looked at the details of these two packets and they seem to be identical.

You can see that in the final exit the source port is changed from 50002 to 50943 and I don’t understand why that has happened.

Client port issue notwithstanding, to set this up I added a rule in the Port Forward section to say all incoming traffic to the mobile WAN address with destination UDP 50002 should be directed to the connected LAN device IP 192.168.1.111 with no port translation. This works.

I initially had no other rules in the other sections for the outgoing traffic - nothing in Traffic Rules, NAT rules, or Custom, Settings, Zones - and it appeared to be working. I then changed something (can’t remember what) and it started randomly changing the source port on the final outgoing hop.

Any advice you can give would be much appreciated.

many thanks, Guy

No. Time Source Destination Protocol Length Info
5357 2026-01-20 13:53:28.428562 10.10.65.41 10.53.128.1 UDP 53 50002 → 50002 Len=5
5358 2026-01-20 13:53:28.428646 192.168.1.1 192.168.1.111 UDP 53 50002 → 50002 Len=5
5359 2026-01-20 13:53:28.428671 192.168.1.1 192.168.1.111 UDP 53 50002 → 50002 Len=5
5360 2026-01-20 13:53:28.480398 192.168.1.111 10.10.65.41 UDP 66 50002 → 50002 Len=4

5361 2026-01-20 13:53:28.480398 192.168.1.111 10.10.65.41 UDP 66 50002 → 50002 Len=4
5362 2026-01-20 13:53:28.480398 192.168.1.111 10.10.65.41 UDP 66 50002 → 50002 Len=4
5363 2026-01-20 13:53:28.480493 10.53.128.1 10.10.65.41 UDP 66 50943 → 50002 Len=4

Hi Justinas. I was wondering if using the DMZ feature would help me here? I normally use the RUT241 in bridge mode. I only switched to NAT as I wanted to be able to access the RUT remotely to perform some tcpdumps and problem investigation. If I continue with NAT mode and place my connected device in the DMZ - will that have the effect of routing all incoming traffic in and out to the DMZ designated device without port translation and still allow me to access the RUT remotely? I do not require firewall functionality etc. (I didn’t have it in Bridge mode anyway) so I just want a 1:1 translation in and out for all traffic plus a port forward perhaps to allow me onto the RUT web interface?

Hi. There appears to be a problem with the RUT software. I am now using Bridge Mode and the router initially was passing the traffic on without changing the source port number. However over the weekend it seems to have once again started changing the source port as the traffic is passed through the mobile WAN interface (see below). This is a RUT 241 and I am on the latest .19 stable firmware. My understanding was that in Bridge mode this should not happen and the router should not be modifying the traffic in any way?

I attach the routing table output and a capture showing the source port being modified.

Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.53.128.1 0.0.0.0 255.255.255.255 UH 0 0 0 br-lan
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan

2026-01-26 12:15:22.763621 qmimux0 In IP 10.10.65.41.50002 > 10.53.128.1.50002: UDP, length 5
2026-01-26 12:15:22.763703 br-lan Out IP 192.168.1.1.50002 > 10.53.128.1.50002: UDP, length 5
2026-01-26 12:15:22.763728 eth0.1 Out IP 192.168.1.1.50002 > 10.53.128.1.50002: UDP, length 5
2026-01-26 12:15:22.816014 eth0 P IP 10.53.128.1.50002 > 10.10.65.41.50002: UDP, length 4
2026-01-26 12:15:22.816050 eth0.1 P IP 10.53.128.1.50002 > 10.10.65.41.50002: UDP, length 4
2026-01-26 12:15:22.816076 br-lan In IP 10.53.128.1.50002 > 10.10.65.41.50002: UDP, length 4
2026-01-26 12:15:22.816126 qmimux0 Out IP 10.53.128.1.5664 > 10.10.65.41.50002: UDP, length 4
2026-01-26 12:15:22.816273 eth0 P IP 10.53.128.1.50002 > 10.10.65.41.50002: UDP, length 5
2026-01-26 12:15:22.816283 eth0.1 P IP 10.53.128.1.50002 > 10.10.65.41.50002: UDP, length 5
2026-01-26 12:15:22.816297 br-lan In IP 10.53.128.1.50002 > 10.10.65.41.50002: UDP, length 5
2026-01-26 12:15:22.816327 qmimux0 Out IP 10.53.128.1.5664 > 10.10.65.41.50002: UDP, length 5
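A small checker for captures like the one above, added here as an example and not code from the thread or from Teltonika: it pairs each datagram entering on the LAN bridge with the datagram leaving on the WAN interface (same destination and payload length) and flags every source-port rewrite. The interface names br-lan and qmimux0 and the sample lines are taken from the capture posted above.

```python
import re
from collections import namedtuple
# "tcpdump -i any -nn" line: "<date> <time> <iface> <In|Out|P> IP <src>.<sport> > <dst>.<dport>: UDP, length <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<iface>\S+) (?P<dir>In|Out|P) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): UDP, length (?P<length>\d+)$"
)
Packet = namedtuple("Packet", "ts iface direction src sport dst dport length")

def parse_line(line):
    """Parse one tcpdump line into a Packet; None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return Packet(m["ts"], m["iface"], m["dir"], m["src"], int(m["sport"]),
                  m["dst"], int(m["dport"]), int(m["length"]))

def find_sport_rewrites(lines, lan_iface="br-lan", wan_iface="qmimux0"):
    """Pair each datagram entering on the LAN bridge with the one leaving on the WAN
    interface (same destination, same payload length) and return every case where the
    UDP source port changed in between, i.e. NAT rewrote it on egress."""
    pending = {}   # (dst, dport, length) -> most recent LAN ingress packet
    rewrites = []  # (ts, sport_on_lan, sport_on_wan, dst, dport)
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or pkt.direction == "P":  # P: frame for another host (promiscuous)
            continue
        key = (pkt.dst, pkt.dport, pkt.length)
        if pkt.iface == lan_iface and pkt.direction == "In":
            pending[key] = pkt
        elif pkt.iface == wan_iface and pkt.direction == "Out" and key in pending:
            ingress = pending.pop(key)
            if ingress.sport != pkt.sport:
                rewrites.append((pkt.ts, ingress.sport, pkt.sport, pkt.dst, pkt.dport))
    return rewrites

# Sample capture: a subset of the tcpdump lines posted in the thread above.
SAMPLE = """\
2026-01-26 12:15:22.763621 qmimux0 In IP 10.10.65.41.50002 > 10.53.128.1.50002: UDP, length 5
2026-01-26 12:15:22.763703 br-lan Out IP 192.168.1.1.50002 > 10.53.128.1.50002: UDP, length 5
2026-01-26 12:15:22.816014 eth0 P IP 10.53.128.1.50002 > 10.10.65.41.50002: UDP, length 4
2026-01-26 12:15:22.816076 br-lan In IP 10.53.128.1.50002 > 10.10.65.41.50002: UDP, length 4
2026-01-26 12:15:22.816126 qmimux0 Out IP 10.53.128.1.5664 > 10.10.65.41.50002: UDP, length 4
2026-01-26 12:15:22.816297 br-lan In IP 10.53.128.1.50002 > 10.10.65.41.50002: UDP, length 5
2026-01-26 12:15:22.816327 qmimux0 Out IP 10.53.128.1.5664 > 10.10.65.41.50002: UDP, length 5
"""
if __name__ == "__main__":
    for ts, before, after, dst, dport in find_sport_rewrites(SAMPLE.splitlines()):
        print(f"{ts}: source port {before} -> {after} towards {dst}:{dport}")
```

Run against a live `tcpdump -i any -nn udp port 50002` capture saved to a file, two matching lines per datagram are enough for the pairing; an empty result means the source port survived the egress hop.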

Greetings,

For troubleshooting purposes, we will require more sensitive information from your end, such as the troubleshoot file, which may contain passwords, public IP addresses, serial numbers, and such. To avoid leaking this information, we have sent you a form to fill out, which you will receive in your e-mail inbox that you have registered your account with in the forums. In the Ticket ID field of the form, please enter the ID of this thread, which is 17405.

Best Regards,
Justinas

Hi Justinas. I have since reset the RUT to factory settings and set up bridge mode again. This time it appears to be forwarding traffic correctly without modifying the source port - so far.

I am suspecting that even though I deleted the various firewall rules, port forwards and access control settings I had made while in NAT mode, and also then rebooted, something was still left behind in the settings. Hence my question too about providing an option in the GUI (or commands for the command line) to delete any firewall rules or other config, as although the documentation says these features are disabled when in bridge or pass-through modes, I think some of that old config must have been responsible for the trace you see above where the source port was modified. If it happens again I will share a troubleshooting log of course. Thanks for the help to date.