Forwarding to an interface from which traffic came

I was long under the impression this capability was impossible with the Linux Kernel. Then I stumbled upon:

http://www.ducea.com/2006/08/01/how-to-enable-ip-forwarding-in-linux/

It sure would be nice if we could have that turned on…

With net.ipv4.ip_forward set to 0, a Linux machine cannot route traffic between any interfaces. With it set to 1, it can act as a router between interfaces. Unless I’m missing something in your link, it doesn’t seem to have anything to do with hairpin routing.

Linux and RouterOS (and other solutions) can do hairpin routing, as far as I know.

I have this problem with MikroTik. It works on Linksys routers and other things.

I have ether1 going to WAN. Its IP is 4.1.2.3.

ether2 alone or bridge1 (ether2-5) - done it in both scenarios as the LAN at 10.0.0.0/24

PC at 10.0.0.199 asks for 4.1.2.3:20800 and it fails with the following NAT rule.

/ip firewall nat
add action=dst-nat chain=dstnat comment="logic - cod4 server" disabled=no dst-port=20800 protocol=udp to-addresses=10.0.0.199 to-ports=20800

It was explained to me that it was a bug/feature in the Linux kernel to not allow traffic coming from ether2 to router to ether2 (or from bridge1 to bridge1).

That has nothing to do with any kernel bugs or features. If you search the forums for ‘hairpin’ there’s several threads with working examples. The caveat is that the router will rewrite the source IP address, so the inside target will see the request as coming from the router - but it is possible to have traffic flow that way.

Though the more elegant solution (in my opinion) is split horizon DNS, even if done on the cheap by having the MT router act as a DNS resolver and implementing static entries that point back to the inside IPs.

Yes, you need src and dst nat for this situation. Otherwise the replies go directly back to the requestor with the wrong source IP and they get dropped.

Is this what I need?

chain=dstnat action=dst-nat to-addresses=10.26.4.15 protocol=tcp dst-address=!10.26.4.254 dst-address-type=local dst-port=80
http://forum.mikrotik.com/t/local-to-local-masquerade/31797/4
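The complete dst-nat plus src-nat pair that the replies above describe, written out for the setup in this thread as an added example (not posted by anyone in the thread). It assumes the addresses given earlier: WAN 4.1.2.3 on ether1, LAN 10.0.0.0/24 on bridge1, and the server at 10.0.0.199 udp/20800.

```routeros
# Added example, not from the thread. Assumes WAN 4.1.2.3 on ether1,
# LAN 10.0.0.0/24 on bridge1 and the game server at 10.0.0.199 (udp/20800).
/ip firewall nat

# 1. dst-nat: rewrite the destination for packets aimed at the public IP.
#    dst-address=4.1.2.3 scopes the rule so that plain LAN-to-LAN udp/20800
#    traffic between other hosts is not silently redirected to the server.
add chain=dstnat action=dst-nat dst-address=4.1.2.3 protocol=udp dst-port=20800 \
    to-addresses=10.0.0.199 to-ports=20800 comment="logic - cod4 server"

# 2. Hairpin src-nat: matches only connections that originate on the LAN
#    and have already been dst-natted to the server. Masquerading makes the
#    server reply to the router instead of directly to the LAN client, so
#    the router can un-NAT the reply. Without it the server answers the
#    client straight over the bridge with source 10.0.0.199, the client
#    expects 4.1.2.3, and the reply is dropped.
add chain=srcnat action=masquerade src-address=10.0.0.0/24 dst-address=10.0.0.199 \
    protocol=udp dst-port=20800 out-interface=bridge1 comment="hairpin nat"

# 3. Normal outbound masquerade for everything leaving via WAN.
add chain=srcnat action=masquerade out-interface=ether1

# Verify: the "hairpin nat" counters should grow when a LAN host connects
# to 4.1.2.3:20800, and the tracked connection shows both translations.
/ip firewall nat print stats
/ip firewall connection print where dst-address~"4.1.2.3"
```

Because of rule 2 the server logs every hairpinned client as the router's LAN address, which is the caveat raised above; if per-client addresses matter on the server, the split-horizon DNS approach avoids the NAT path altogether.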