
New Member
•
8 Messages
Problem with port forwarding and LAN clients
I am using a BGW320-505 (software v 2.12.4). I'm afraid that what I'm describing
is a bug in that software, but any help would be great!
I have a host "mythical" allocated LAN address 192.168.1.111 listening for ssh
connections on its port 8176. This host sends its hostname to the router when it
connects.
Under the Firewall->NAT/Gaming tab I added a custom service "mythical_ssh"
pointing incoming traffic on port 8176 (TCP) to mythical's port 8176.
Remote clients (that is ones not connecting through the LAN) can reach this host
with
ssh -p 8176 <WAN-ip>
where <WAN-ip> is the "Broadband IPv4 Address" (as displayed by the router under
Broadband->Status) currently assigned. This works flawlessly.
Local clients (that is ones connecting through the LAN) can flawlessly reach this
ssh host directly through the LAN with any of
ssh -p 8176 mythical
ssh -p 8176 192.168.1.111
ssh -p 8176 mythical.attlocal.net
However, connecting from the LAN through the WAN address only works for a while.
That is, a client on the LAN can reach mythical with
ssh -p 8176 <WAN-ip>
a few times, but after a while this fails. Then no client on the LAN can reach
mythical this way. At that point a client on the LAN can still
reach mythical directly through the LAN (eg "ssh -p 8176 mythical.attlocal.net")
or by ssh to a remote ip address, then by ssh back in to the WAN-ip from outside.
This can be fixed temporarily by deleting, then adding back the "mythical_ssh"
application under the Firewall->NAT/Gaming tab.
The reason that this matters is that some applications---Unison for syncing files
and X2go for remote graphical desktops come to mind---need to be configured on
laptops using ssh through the WAN-ip because they sometimes need to connect
remotely. But that configuration also needs to work on the LAN. (I subscribe to
a dynamic DNS service, so I have a fixed url that resolves to whatever the router's
WAN-ip is at the time.)
Accepted Solution
Official Solution
mr_greenjeans
New Member
•
8 Messages
2 years ago
Here is a workaround that I'm posting in hopes it might be helpful for
someone else.
Recall that I identified the problem to be
In a nutshell: For each LAN host and port number, the BGW320-505
allows/supports only one WAN-ip connection from the LAN.
I think the right fix would be for the router to reroute directly through the LAN
traffic from the LAN to its WAN-ip and by port forwarding back into the LAN. Maybe this will be in the next firmware update. The script below implements this on the client side.
______________
My workaround applies in the following case:
(1) Portable devices connecting to the LAN run Linux and connect using dhclient
(eg. wicd) or connect with NetworkManager. I have tested with Debian 10 and
Fedora 34. You may need to modify the script or where it goes if you are using
a different distribution. You need to have wget installed.
(2) You have set up with a Dynamic DNS service one url resolving your current
"Broadband IPv4 Address" (WAN-ip) for each host on your LAN that you need to
connect to remotely or locally.
(3) You have allocated a static LAN address for each host on your LAN that you need to connect to locally (and for the remote connections that you have
set up port forwarding to those hosts).
(4) Your portable device's DNS resolver is not configured to ignore /etc/hosts.
___________
Here's the idea. Suppose for illustration that you have two hosts on your LAN
that you need to access both remotely and locally. Say their hostnames are host1 and host2.
Suppose you have also set up two urls with your dynamic dns service
host1.ddns.net
host2.ddns.net
both of which resolve to your router's current WAN-ip address.
Finally suppose that you have allocated static LAN addresses for host1 and host2:
192.168.1.111 for host1
192.168.1.222 for host2
After you've edited it for your own router and hosts, when you make a network connection, the shell script below checks whether you are on your home LAN by looking for your router's serial number. If you are, then it adds the lines
192.168.1.111 host1.ddns.net
192.168.1.222 host2.ddns.net
to /etc/hosts. If instead you are connecting to a different network, the script
removes those lines.
The point is that an application that is set up to connect to host1.ddns.net will
do so remotely by port forwarding through your WAN-ip and do so locally through 192.168.1.111 without leaving the LAN.
(edited)
0
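The hook the workaround describes, written out as an added example (the poster's own script is not on this page, and this is not it). Assumptions are marked in the code: the gateway URL (AT&T gateways usually answer on 192.168.1.254), the serial-number string (a placeholder to replace with your router's), a tag comment used to mark the lines the script owns, and the host1/host2 addresses from the illustration above.

```shell
#!/bin/sh
# Added example, not the original poster's script. Placeholders/assumptions:
# ROUTER_URL (AT&T gateways usually answer on 192.168.1.254, adjust if yours
# differs), ROUTER_SERIAL (your router's serial, read off its status page),
# and the host/IP pairs, which are the post's illustrative values.
ROUTER_URL="http://192.168.1.254/"
ROUTER_SERIAL="PLACEHOLDER-SERIAL"
MARK="# home-lan-override"   # tag appended to every line we own in /etc/hosts

# "LAN-ip ddns-name" pairs: one per host you reach both locally and remotely.
PINS="192.168.1.111 host1.ddns.net
192.168.1.222 host2.ddns.net"

# on_home_lan PAGE: succeed only if the fetched router page carries our serial.
# Any other network (or no gateway answering) is treated as "away".
on_home_lan() {
    printf '%s\n' "$1" | grep -q -- "$ROUTER_SERIAL"
}

# rewrite_hosts HOSTS_CONTENT AT_HOME: print the new /etc/hosts content.
# Tagged lines are always dropped first, so repeated runs never duplicate
# entries and untagged lines written by hand are left untouched.
rewrite_hosts() {
    hosts_in=$1
    at_home=$2
    printf '%s\n' "$hosts_in" | grep -v -F -- "$MARK" || true
    if [ "$at_home" = 1 ]; then
        printf '%s\n' "$PINS" | sed "s/\$/ $MARK/"
    fi
}

# Entry point for a NetworkManager dispatcher script or dhclient exit hook
# (both run as root, which writing /etc/hosts requires; the install path is
# distribution specific, as the post notes).
update_hosts_file() {
    page=$(wget -q -O - --timeout=3 "$ROUTER_URL" 2>/dev/null) || page=""
    if on_home_lan "$page"; then at_home=1; else at_home=0; fi
    rewrite_hosts "$(cat /etc/hosts)" "$at_home" > /etc/hosts.new \
        && mv /etc/hosts.new /etc/hosts
}

# Run as a hook with: sh this_script.sh apply
if [ "${1:-}" = "apply" ]; then
    update_hosts_file
fi
```

Because the "at home" decision rests on an unauthenticated page fetch, the tag comment is what keeps the script from ever touching entries it did not write.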
ATTHelp
Community Support
•
207.4K Messages
2 years ago
Let's see if we can point you in the right direction, @mr_greenjeans.
Are you using any third party equipment on your network?
We recommend that you factory reset your gateway, and set up everything again. This will restore the gateway to the default settings but it will also refresh the network.
Let us know if this helps.
Marc, AT&T Community Specialist
0
0
mr_greenjeans
New Member
•
8 Messages
2 years ago
Thanks for your help, Marc,
No, I'm not using any third party equipment for routing. I just have the BGW320 connected to two desktops and a VOIP box with ethernet cables and a number of laptops that connect via wifi.
I'll try a factory reset and setting everything up again.
I did set up logging in the router via port 514 UDP to rsyslog on one of the desktop machines. Maybe there will be something in the log when it stops forwarding ssh from the WAN address from a laptop on the LAN.
Thanks again!
0
ATTHelp
Community Support
•
207.4K Messages
2 years ago
Hey @mr_greenjeans.
We understand that you're having trouble with port-forwarding. Take a look at the setup steps for port-forwarding with AT&T to make sure your port-forward is set up correctly.
Also other options that can help with your setup.
We also suggest that you try reaching out to our ConnecTech team being that this is outside our scope of support.
Please let us know if that helps.
Charles, AT&T Community Specialist
0
0
mr_greenjeans
New Member
•
8 Messages
2 years ago
Thanks for the additional suggestions!
Just to follow up on Marc's suggestions:
(1) I did do a factory reset, then set the router back up. I'm still having the same problem.
(2) Hoping for some insight, I set up the router to log to a file at the "Notice" level, but didn't get what I hoped for. All I get are packet DROP warnings with "reason=POLICY-INPUT-GEN-DISCARD". And none are from addresses relevant to the problem connections.
(3) I watched what happens when trying to make an ssh connection in a client routing table and in the router NAT.
(a) Making a connection from a LAN client to a LAN host at its LAN address does not show up in the router NAT.
(b) Making multiple connections from a remote client to a local host shows up as expected in the router NAT.
(c) The problematic case, connecting a LAN client to a LAN host at its WAN address initially works as in (b). Subsequent connections fail. The client routing shows that SYN is sent to the router, but there is no response. As I said in my first post, this can be fixed temporarily by deleting and adding back the relevant port forwarding. Alternatively, after a few minutes, it seems to fix itself.
I'd surmise that the router has some sort of greylisting, but it doesn't make sense that it would only be suspicious about LAN to LAN connections at its WAN address!
Incidentally, I've noticed the same problem with IMAPs (port 993) connections to a mail server.
I'll try the ConnecTech team.
Thanks again!
0
0
mr_greenjeans
New Member
•
8 Messages
2 years ago
I believe I now know the cause of the problem.
I talked with three very nice techs at ConnecTech, each in turn deciding the
problem was outside the scope of his division. After becoming convinced that no user configuration could fix the problem, I decided it's not worth $49/month to find out whether it's a Bug or a Feature of the firmware. Let me guess Feature.
In a nutshell: For each LAN host and port number, the BGW320-505 allows/supports only one WAN-ip connection from the LAN. Furthermore, when that connection is closed, the socket goes into TIME_WAIT state for 18 or 20 seconds before a new connection can be made.
Neither of these limitations apply to remote client connections or to LAN client
connections to a LAN-ip host.
In practical terms this means, for example
- If you have a mail server on your LAN, only one portable device (laptop, tablet,
etc) can connect to it (say by IMAP) at a time. Don't just leave Thunderbird or
Squirrelmail running.
- If you have applications that connect via ssh (eg, Unison and X2go), only one
portable device on the LAN can use at most one such application at a time.
A work-around would be to assign different ports to each combination of client-application-host, configure combinations individually, and open all those ports in the router firewall. Either living with the problem or buying another router would be easier and less of a nuisance to maintain, though.
0
ATTHelp
Community Support
•
207.4K Messages
2 years ago
Hi @mr_greenjeans, we are happy to help with your networking needs.
Port forwarding is used to route incoming and outgoing data on your home network from a remote location.
To open a port for user-defined applications:
It is recommended to create a separate service entry for each port as opposed to using a port range. In this case the port number should be the same in the Global Port Range fields.
Hope this helps.
Thank you for contacting us on AT&T Community Forums!
Lafayette, AT&T Community Specialist
0
0
mr_greenjeans
New Member
•
8 Messages
2 years ago
Thanks for the detailed, if irrelevant answer!
You're absolutely correct that port forwarding is a snap to set up.
That wasn't the problem, though, as I hope I explained in my last post.
Thanks again!
0
0
ATTHelp
Community Support
•
207.4K Messages
2 years ago
@mr_greenjeans, you are correct; when trying to host a site, a router behind a router may be the best option.
You may need your gateway configured or placed into a Bridged Mode. The internet architecture does not allow for bridge mode, but you can set up IP Passthrough, which should allow for most of the same things.
However, a business account will have more features that may be applied to suit your business needs.
Lafayette, AT&T Community Specialist
0
0
mr_greenjeans
New Member
•
8 Messages
2 years ago
dave006, thanks! Finally, that explains it.
One thing you suggest I still don't understand. If I set up two instances of, say, a mail server, one for LAN clients and one for WAN clients, how could applications on portable devices be configured to connect to the one at home, but the other on the road?
0
0