Replying to Avatar Arjen

I have a GL.INET MT-3000 router that runs OpenWrt 21. I have added a loopback/hairpin NAT rule that forwards a fixed ip (198.168.21.21:2121) to a service running on the router port 3334. That works.

However, I when i add OpenNDS (captive portal package) I want to also allow this IP for preauthenticated users. The weird thing is that with the manufacturer's version of OpenWRT i can't get it to work, but when using a vanilla (OpenWRT 23.x) it does work. I can't figure out where the difference is and how to fix it.
Avatar
ronniesamuel 1y ago

okay understood. do you think that it could have something to do with DNS rebinding? have you investigated that as yet?

Reply to this note

Please Login to reply.

Discussion

Avatar
Arjen 1y ago

I'm not familiar with DNS rebinding, so no. I'm not doing anything DNS related though either. Or am i misinterpreting you now?

Avatar
ronniesamuel 1y ago

If it is a private IP/local network IP, there is a possibility that it could still be affected. Check between the two versions (the version that works and the version that does not work) and see if such a setting exists; and whether or not it is toggled between on and off in either version.

Avatar
Arjen 1y ago

Interesting! i'll check that out, i did find this in the meanwhile!

https://forum.openwrt.org/t/dns-rebind-attack/39141

So i'll check those same logs to see if that's what's happening to me too!

Avatar
rejon 1y ago

that’s right, I have same router, the manufacturer version is forked China trash fire, only use openwrt image

Avatar
ronniesamuel 1y ago

I don't think that we misinterpreted each other. It is all good. Quick question though: the pre authenticated users are coming from the outside right?

Avatar
Arjen 1y ago

They're coming from lan. So someone would connect to the access point, and then make requests to 198.168.21.21:2121, which is NAT-ed to port 3334 on the router itself. So no traffic from/to wan.

Avatar
ronniesamuel 1y ago

okay cool