Problem with port forwarding and LAN clients

Here is a workaround that I'm posting in hopes it might be helpful for
someone else.

Recall that I identified the problem to be

       In a nutshell: For each LAN host and port number, the BGW320-505
       allows/supports only one WAN-ip connection from the LAN.

I think the right fix would be for the router to reroute directly through the LAN
traffic from the LAN to its WAN-ip and by port forwarding back into the LAN.  Maybe this will be in the next firmware update.  The script below implements this on the client side.
______________

My workaround applies in the following case:

(1) Portable devices connecting to the LAN run Linux and connect using dhclient
(eg. wicd) or connect with NetworkManager.  I have tested with Debian 10 and
Fedora 34.  You may need to modify the script or where it goes if you are using
a different distribution. You need to have wget installed. 

(2) You have set up with a Dynamic DNS service one url resolving  your current
"Broadband IPv4 Address" (WAN-ip) for each host on your LAN that you need to
connect to remotely or locally.

(3) You have allocated a static LAN address for each host on your LAN that you need to connect to locally (and for the remote connections that you have
set up port forwarding to those hosts).

(4) Your portable device's DNS resolver is not configured to ignore /etc/hosts.  

___________

Here's the idea.  Suppose for illustration that you have two hosts on your LAN
that you need to access both remotely and locally.  Say their hostnames are host1 and host2.

Suppose you have also set up two urls with your dynamic dns service

host1.ddns.net
host2.ddns.net

both of which resolve to your router's current WAN-ip address.

Finally suppose that you have allocated static LAN addresses for host1 and host2:

192.168.1.111  for host1
192.168.1.222  for host2

After you've edited it for your own router and hosts, when you make a network connection, the shell script below checks whether you are on your home LAN by looking for your router's serial number.  If you are, then it adds the lines

192.168.1.111  host1.ddns.net
192.168.1.222  host2.ddns.net

to /etc/hosts.  If instead you are connecting to a different network, the script
removes those lines.

The point is that an application that is set up to connect to host1.ddns.net will
do so remotely by port forwarding through your WAN-ip and do so locally through 192.168.1.111 without leaving the LAN.

#!/bin/bash

PATH=/bin:/usr/bin:/usr/sbin
IFS=" "

# If connections are made via dhclient (eg, using wicd), as (Edited per community guidelines) put this script in
#
# /etc/dhcp/dhclient-exit-hooks.d/BGW320-505-workaround
#
# and set its permissions with "chmod 755 BGW320-505-workaround".

# If connections are made using NetworkManager, as (Edited per community guidelines) put this script in
#
# /etc/NetworkManager/dispatcher.d/BGW320-505-workaround
#
# and set its permissions with "chmod 755 BGW320-505-workaround". Also
# remove the initial "#" from the following line
#
#network_manager="true"

# We determine that we are connected to the home LAN by checking for its serial number.
#
# The serial number appears under the Device->System Information tab
# in the router pages at 192.168.1.254.

router_serial_number=""

# Put static LAN addresses (set under Home Network->IP Allocation in the router)
# followed by corresponding Dynamic DNS URLs in the local_resolutions variable.
# This will be appended to /etc/hosts when you connect to the BGW320-505 LAN.
# Your setting should look something like
#
# local_dns_resolutions="
# 192.168.1.111   host1.ddns.net
# 192.168.1.222   host2.ddns.net"
#
local_dns_resolutions=""

###############

# If all goes well, the remainder will not need editing.

HOSTSFILE=/etc/hosts

# Massage local_resolutions into a basic regular expression "re" matching its lines
re="$( echo $local_dns_resolutions | sed '/^\ *$/d' | sed 's/\ /\\ /g' | tr "\n" "|" | sed 's/|/\\|/g' | sed 's/\\|$//1' )"

if ( [ "$network_manager" != "true" ] || [ "$2" == "up" ] ) ; then
    if $( wget -q -O - http://192.168.1.254/cgi-bin/sysinfo.ha | grep -q ">${router_serial_number}<" )  ; then
	# Put non-blank lines in local_dns_resolutions into HOSTSFILE,
	# if none are there already
	grep -q "$re" $HOSTSFILE || ( echo $local_dns_resolutions | sed '/^\ *$/d' >> $HOSTSFILE )
    else
	# Remove all lines in local_dns_resolutions from HOSTSFILE
	sed -i "/$re/d" $HOSTSFILE
    fi
fi

exit 0

Let' see if we can point you in the right direction, @mr_greenjeans.

 

Are you using any third party equipment on your network?

 

We recommend that you factory reset your gateway, and set up everything again. This will restore the gateway to the default settings but it will also refresh the network.

 

Let us know if this helps.

 

Marc, AT&T Community Specialist

Thanks for your help, Marc,

No, I'm not using any third party equipment for routing.  I just have the BGW320 connected to two desktops and a VOIP box with ethernet cables and a number of laptops that connect via wifi.

I'll try a factory reset and setting everything up again.  

I did set up logging in the router via port 514 UDP to rsyslog on one of the desktop machines.  Maybe there will be something in the log when it stops forwarding ssh from the WAN address from a laptop on the LAN.

Thanks again!

Thanks for the additional suggestions!

Just to follow up on Marc's suggestions:

(1) I did do a factory reset, then set the router back up.  I'm still having the smae problem.

(2) Hoping for some insight, I set up the router to log to a file at the "Notice" level, but didnt' get what I hoped for.  All I get are packet DROP warnings with "reason=POLICY-INPUT-GEN-DISCARD".  And none are from addresses relevant to the problem connections.

(3)  I watched what happens when trying to make an ssh connection in a client routing table and in the router NAT.

(a) Making a connection from a LAN client to a LAN host at its LAN address does not show up in the router NAT.

(b) Making multiple connections from a remote client to a local host shows up as expected in the router NAT.

(c) The problematic case, connecting a LAN client to a LAN host at its WAN address initially works as in (b).  Subsequent connections fail.  The client routing shows that SYN is sent to the router, but there is no response.  As I said in my first post, this can be fixed temporarily by deleting and adding back the relevant port forwarding.  Alternatively, after a few minutes, it seems to fix itself. 

I'd surmise that the router has some sort of greylisting, but it doesn't make sense that it would only be suspicious about LAN to LAN connections at its WAN address!

Incidentally, I've noticed the same problem with IMAPs (port 993) connections to a mail server.

I'll try the ConnecTech team.

Thanks again!

I believe I now know the cause of the problem.

I talked with three very nice techs at ConnecTech, each in turn deciding the
problem was outside the scope of his division.  After becoming convinced that no user configuration could fix the problem, I decided it's not worth $49/month to find out whether its a Bug or a Feature of the firmware.  Let me guess Feature.

In a nutshell: For each LAN host and port number, the BGW320-505 allows/supports only one WAN-ip connection from the LAN.  Furthermore, when that connection is closed, the socket goes into TIME_WAIT state for 18 or 20 seconds before a new connection can be made.

Neither of these limitations apply to remote client connections or to LAN client
connections to a LAN-ip host.

In practical terms this means, for example

 -If you have a mail server on your LAN, only one portable device (laptop, tablet,
  etc) can connect to it (say by IMAP) at a time.  Don't just leave Thunderbird or
  Squirrelmail running.

- If you have applications, that connect via ssh (eg, Unison and X2go), only one
  portable device on the LAN can use at most one such application at a time.

A work-around would be to assign different ports to each combination of client-application-host, configure combinations individually, and open all those ports in the router firewall. Either living with the problem or buying another router would be easier and less of a nuisance to maintain, though.

Hi @mr_greenjeans, we are happy to help with you networking needs.

 

Port forwarding is used to route incoming and outgoing data on your home network from a remote location. 

• Every device connected to the Internet has an IP address divided into various ports that send and receive data.
• Your gateway routes this data to where it needs to go. When you set up port forwarding, you set up rules to tell the gateway to route data sent or received on a port to a specific IP address on your home network. 

To open a port for user-defined applications:

1. Go to your gateway settings.
2. Select the Firewall tab.
3. Enter the Device Access Code found on the side of your gateway.
4. Select NAT/Gaming.
5. If you receive a warning message, visit the AT&T Port Forwarding tool to enable port forwarding on your account. Then, you can continue with the steps in this solution.
6. From the Service drop-down, select the application for port forwarding. If your application isn't in the list, or you are setting up port forwarding for a device:
   • Select Custom Services.
   • Enter the name for the application or device in Service Name.
   • Enter the port(s) you wish to open for Global Port Range.
     
     It is recommended to create a separate service entry for each port as opposed to using a port range. In this case the port number should be the same in the Global Port Range fields.
   • In Base Host Port, enter the port number used for the first Global Port Range section.
   • Select the appropriate Protocol from the drop-down for the application or device you are adding.
   • Select Add. Repeat as needed for additional applications and devices.
   • When all applications or devices have been added, select Return to NAT/Gaming. Your new applications or devices will display in the Applications list.
7. From the Needed by Device drop-down, select the device name or IP address of the device to open the port.
8. Select Add.
9. When your selections display in Hosted Applications, select Save.

Hope this helps.

Thank you for contacting us on AT&T Community Forums!

 

Lafayette, AT&T Community Specialist

 

 

Thanks for the detailed, if irrelevant answer! 

You're absolutely correct that port forwarding is a snap to set up. 

That wasn't the problem, though, as I hope I explained in my last post.

Thanks again!

 

@mr_greenjeans, you are correct when trying to host a site, a router behind a router may be the best option.

 

You may need your gateway configured or placed into a Bridged Mode. The internet architecture does not allow for bride mode, but you can setup IP Passthrough, which should allow for most of the same things. 

 

However a business account will have more features that way be applied to suit your business needs.

 

Lafayette, AT&T Community Specialist

 

@mr_greenjeans 

Your issue is that none of the AT&T Gateways support LAN  loopback.. That's why it may work once and then fail further attempts. It was fairly common feature on early consumer routers but has been dropped by the vast majority of providers.

It is a potential security issue. Only some third-party routers still support LAN loopback which is a non-standard network configuration.

Any time you want to connect a LAN device to a LAN device you need to use the LAN address and not a mapped WAN address / port mapping configuration.

If you need to have LAN clients and WAN clients connect to a server  you should have 2 physical interfaces 1 for the WAN an 1 for the LAN with the 2 addresses and 2 instances of the server software. Even with this configuration it is a security risk and is not a good practice for traffic isolation.

Dave

dave006, thanks!  Finally, that explains it.

One thing you suggest I still don't understand.  If I set up two instances of, say, a mail server, one for LAN clients and one for WAN clients, how could applications on portable devices be configured to connect to the one at home, but the other on the road?