Differences
This shows you the differences between two versions of the page.
| inbox:firewall:fw3_configurations:fw3_nat [2018/09/06 01:49] – dturvene | docs:guide-user:firewall:fw3_configurations:fw3_nat [2023/12/10 11:36] – [Extras] vgaetera | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== | + | ====== NAT examples |
| - | The [[inbox:firewall:firewall3:overview|fw3 application]] has extensive support for | + | The [[docs:guide-user:firewall:overview|fw4 application]] has extensive support for [[https:// |
| - | [[https:// | + | NAT is a powerful feature and is credited with extending the life of the IPv4 protocol. |
| - | NAT is a powerful feature and is credited with extending the life of the IPv4 | + | |
| - | protocol. | + | |
| - | + | ||
| - | As with other firewall section, this section will not delve into NAT background | + | |
| - | and theory. Some useful links for this are: | + | |
| + | As with other firewall section, this section will not delve into NAT background and theory. | ||
| + | Some useful links for this are: | ||
| * https:// | * https:// | ||
| * https:// | * https:// | ||
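Review bot: the fw3 to fw4 rename in the intro line is only half done. The new page id on the revision line is still `docs:guide-user:firewall:fw3_configurations:fw3_nat`, so the text says fw4 while the path says fw3. Either rename the page or add a sentence saying the examples were written for fw3 and carried over to fw4. Since the sentence is being reflowed anyway, "As with other firewall section" should read "sections".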
| Line 14: | Line 11: | ||
| OpenWrt supports DNAT, SNAT, MASQUERADING. | OpenWrt supports DNAT, SNAT, MASQUERADING. | ||
| - | ===== NAT Diagnostics | + | ===== NAT diagnostics |
| - | See [[inbox: | + | See [[docs: |
| - | analyzing the netfilter rules. | + | analyzing the netfilter rules and investigating conntrack sessions. |
| - | + | ||
| - | Additionally, | + | |
| - | IP connections between the WAN-side | + | |
| - | invaluable when debugging NAT traffic. | + | |
| - | through the [[https:// | + | |
| - | at ''/ | + | |
| - | + | ||
| - | :!: The nf_conntrack parameters can be tuned using parameters in the sysfs | + | |
| - | filesystem under ''/ | + | |
| - | ===== NAT Example Configurations | + | ===== NAT example configurations |
| - | This section contains typical uses of the fw3 NAT features | + | This section contains typical uses of the fw4 NAT features |
| ==== Port forwarding for IPv4 (DNAT) ==== | ==== Port forwarding for IPv4 (DNAT) ==== | ||
| Line 34: | Line 22: | ||
| the SSH (22) port of a single LAN-side station. | the SSH (22) port of a single LAN-side station. | ||
| - | <file> | + | <code bash> |
| config redirect | config redirect | ||
| | | ||
| Line 44: | Line 32: | ||
| | | ||
| | | ||
| - | </file> | + | </code> |
| To test from a WAN-side station (STA1), SSH on port 2222 to a non-existent IPv4 | To test from a WAN-side station (STA1), SSH on port 2222 to a non-existent IPv4 | ||
| address on the LAN-side network: | address on the LAN-side network: | ||
| - | <file> | + | |
| + | <code bash> | ||
| ssh -p 2222 192.168.10.13 hostname; cat / | ssh -p 2222 192.168.10.13 hostname; cat / | ||
| - | </file> | + | </code> |
| When the rule is enabled STA2 will reply with its hostname and kernel version. | When the rule is enabled STA2 will reply with its hostname and kernel version. | ||
| When the rule is disabled, the connection is refused. | When the rule is disabled, the connection is refused. | ||
| The passionate reader will ask "So what netfilter rules does this create?" | The passionate reader will ask "So what netfilter rules does this create?" | ||
| - | <file> | + | <code bash> |
| iptables -t nat -A zone_wan_prerouting -p tcp -m tcp --dport 2222 -m comment --comment "!fw3: @redirect[0]" | iptables -t nat -A zone_wan_prerouting -p tcp -m tcp --dport 2222 -m comment --comment "!fw3: @redirect[0]" | ||
| ... | ... | ||
| iptables -t nat -A zone_lan_prerouting -p tcp -s 192.168.10.0/ | iptables -t nat -A zone_lan_prerouting -p tcp -s 192.168.10.0/ | ||
| - | </file> | + | </code> |
| - | The first rule matches packets coming in the WAN-side if on TCP port 2222 and | + | |
| - | jumps to the '' | + | The first rule matches packets coming in the WAN-side if on TCP port 2222 and jumps to the '' |
| - | '' | + | The second rule matches packets coming in from the LAN-side to the WAN-side if on TCP port 2222. |
| - | The second rule matches packets coming in from the LAN-side to the WAN-side if | + | The DNAT target uses the same '' |
| - | on TCP port 2222. The DNAT target uses the same '' | + | |
| - | parameters as the first rule to find the " | + | |
| The next thought of the passionate reader is "So what is IN the conntrack table?" | The next thought of the passionate reader is "So what is IN the conntrack table?" | ||
| - | <file> | + | |
| + | <code bash> | ||
| ipv4 2 tcp 6 117 TIME_WAIT src=192.168.3.171 dst=192.168.10.13 sport=51390 dport=2222 packets=21 bytes=4837 src=192.168.10.20 dst=192.168.3.171 sport=22 dport=51390 packets=23 bytes=4063 [ASSURED] mark=0 use=2 | ipv4 2 tcp 6 117 TIME_WAIT src=192.168.3.171 dst=192.168.10.13 sport=51390 dport=2222 packets=21 bytes=4837 src=192.168.10.20 dst=192.168.3.171 sport=22 dport=51390 packets=23 bytes=4063 [ASSURED] mark=0 use=2 | ||
| - | </file> | + | </code> |
| This record shows the WAN-side src=STA1 and dst=192.168.10.13: | This record shows the WAN-side src=STA1 and dst=192.168.10.13: | ||
| LAN-side src=STA2:22 src=STA1. | LAN-side src=STA2:22 src=STA1. | ||
| ==== DNAT to translate a LAN-side address on the WAN-side ==== | ==== DNAT to translate a LAN-side address on the WAN-side ==== | ||
| - | This redirect rule will cause the router to translate the WAN-side source of | + | This redirect rule will cause the router to translate the WAN-side source of 1.2.3.4 to the LAN-side STA2 and route the ICMP echo to it. |
| - | 1.2.3.4 to the LAN-side STA2 and route the ICMP echo to it. The rule is | + | The rule is reflexive in that STA2 will be translated by to 1.2.3.4 on the WAN-side. |
| - | reflexive in that STA2 will be translated by to 1.2.3.4 on the WAN-side. | + | |
| - | < | + | < |
| config redirect | config redirect | ||
| option src wan | option src wan | ||
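Review bot: the netfilter listing kept as context in this hunk is still fw3 output, `iptables -t nat -A zone_wan_prerouting ... --comment "!fw3: @redirect[0]"`, while this revision renames the tool to fw4 and the new Extras section adds its rules with `nft add rule inet fw4 srcnat`. The listing no longer matches the tool the text names, so either replace it with the ruleset fw4 generates for the same redirect or label it as fw3 output. Two smaller points: `<code bash>` is now applied to the UCI `config redirect` block and to the conntrack record, neither of which is shell, and the reflowed sentence still reads "translated by to 1.2.3.4".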
| Line 91: | Line 80: | ||
| </ | </ | ||
| - | ==== DNAT to redirect all WAN-side port traffice to a LAN-side server ==== | + | ==== LAN-side |
| All redirection requires some form of NAT and connection tracking. For | All redirection requires some form of NAT and connection tracking. For | ||
| public servers behind the firewall the DNAT target is used to translate the | public servers behind the firewall the DNAT target is used to translate the | ||
| Line 97: | Line 86: | ||
| LAN-side. | LAN-side. | ||
| - | < | + | :!: Due to the high visibility of a public server, it may warrant putting |
| + | it/them in a [[docs: | ||
| + | |||
| + | < | ||
| config redirect | config redirect | ||
| option target DNAT | option target DNAT | ||
| Line 111: | Line 103: | ||
| </ | </ | ||
| - | In this example, STA2 is running an email server (e.g. postfix) listening on | + | In this example, STA2 is running an email server (e.g. postfix) listening on port 2525 for incoming email. |
| - | port 2525 for incoming email. | + | |
| - | This redirect rule states: any incoming traffic from the wan on port 25, | + | This redirect rule states: any incoming traffic from the wan on port 25, redirect to STA1 port 2525. |
| - | redirect to STA1 port 2525. | + | |
| - | To verify what is going on dump ''/ | + | To verify what is going on dump ''/ |
| - | dynamic connnection for incoming traffic. | + | There can be quite a few conntrack records in it so we will search on just the ones using port 2525: |
| - | records in it so we will search on just the ones using port 2525: | + | |
| - | <file> | + | <code> |
| ... | ... | ||
| ipv4 2 tcp 6 7436 ESTABLISHED src=192.168.3.171 dst=192.168.3.11 sport=41370 dport=25 packets=4 bytes=229 src=192.168.10.20 dst=192.168.3.171 sport=2525 dport=41370 packets=3 bytes=164 [ASSURED] mark=0 use=2 | ipv4 2 tcp 6 7436 ESTABLISHED src=192.168.3.171 dst=192.168.3.11 sport=41370 dport=25 packets=4 bytes=229 src=192.168.10.20 dst=192.168.3.171 sport=2525 dport=41370 packets=3 bytes=164 [ASSURED] mark=0 use=2 | ||
| ... | ... | ||
| - | </file> | + | </code> |
| The connection is coming from STA1 port 25 to the DUT and is translated to STA2 | The connection is coming from STA1 port 25 to the DUT and is translated to STA2 | ||
| on port 2525 with a response destination to STA1. | on port 2525 with a response destination to STA1. | ||
| - | In the reference topology, the above rule alone will not allow SMTP traffic to | + | The relevant |
| - | the server. Why? | + | |
| - | blocking all traffic | + | |
| - | accepting email traffic to the LAN-side so it is being dropped. | + | |
| - | topology, an additional rule must be added to the firewall | + | |
| - | traffic. | + | |
| - | + | ||
| - | < | + | |
| - | config rule | + | |
| - | option src wan | + | |
| - | option dest lan | + | |
| - | option proto tcp | + | |
| - | option dest_port 2525 | + | |
| - | option target ACCEPT | + | |
| - | option name ' | + | |
| - | option enabled 1 | + | |
| - | </ | + | |
| - | + | ||
| - | Since DNAT translation occurs early in the ip stack (the PREROUTING chain), the | + | |
| - | ' | + | |
| - | FORWARD chain - notice the port match is for 2525. | + | |
| - | + | ||
| - | :!: This is illustrated because some (most!) netfilter configurations accept too | + | |
| - | much WAN-side traffic. | + | |
| ==== Source NAT (SNAT) ==== | ==== Source NAT (SNAT) ==== | ||
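Review bot: the reflowed line "redirect to STA1 port 2525" contradicts the line above it, which puts the mail server on STA2, and the conntrack record below, whose reply side is 192.168.10.20 with sport=2525; it should read STA2. This hunk also deletes the paragraph and the `config rule` block explaining that the redirect alone does not pass traffic and that a wan-to-lan ACCEPT on port 2525 is needed because DNAT happens in PREROUTING. The replacement line is visible only as far as "The relevant", so confirm the new text still tells the reader which port the forward rule has to match and keeps the warning about accepting too much WAN-side traffic.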
| Line 158: | Line 125: | ||
| a fictitious one on port 8080. | a fictitious one on port 8080. | ||
| - | < | + | < |
| config redirect | config redirect | ||
| option target | option target | ||
| Line 171: | Line 138: | ||
| To test: | To test: | ||
| - | |||
| - use netcat to listen on the STA1, the WAN-side station: '' | - use netcat to listen on the STA1, the WAN-side station: '' | ||
| - use netcat to connect on the STA2, the LAN-side station: '' | - use netcat to connect on the STA2, the LAN-side station: '' | ||
| - | Type something on the LAN-side station and see it echoed on the WAN-side | + | Type something on the LAN-side station and see it echoed on the WAN-side station. |
| - | station. | + | Check the connection on the WAN-side station using '' |
| - | and see the line: | + | |
| - | '' | + | < |
| + | tcp 0 0 192.168.3.171: | ||
| + | </ | ||
| The WAN-side station shows the SNAT address connecting to it on port 8080! | The WAN-side station shows the SNAT address connecting to it on port 8080! | ||
| - | When used alone, Source NAT is used to restrict a computer' | + | When used alone, Source NAT is used to restrict a computer' |
| - | internet while allowing it to access a few services by forwarding what appears to be | + | a few local services, e.g. [[http:// |
| - | a few local services, e.g. [[http:// | + | While DNAT hides the local network from the internet, SNAT hides the internet from the local network. |
| - | internet. | + | |
| - | internet from the local network. | + | |
| ==== MASQUERADE ==== | ==== MASQUERADE ==== | ||
| - | This is the most used and useful NAT function. | + | This is the most used and useful NAT function. |
| - | network on the LAN-side to a single public address/ | + | It translates a local private network on the LAN-side to a single public address/ |
| - | then the reverse. | + | It is the default firewall configuration for **every** IPv4 router. |
| - | router. | + | As a result it is a very simple |
| - | The LAN-side uses a | + | The LAN-side uses a [[https:// |
| - | [[https:// | + | The router translates the private addresses to the router address: |
| - | The router translates the private addresses to the router | + | |
| - | address: | + | |
| The masquerade is set on the WAN-side | The masquerade is set on the WAN-side | ||
| - | < | + | |
| + | < | ||
| config zone | config zone | ||
| option name ' | option name ' | ||
| Line 208: | Line 172: | ||
| option masq ' | option masq ' | ||
| </ | </ | ||
| + | |||
| Simple, no? | Simple, no? | ||
| - | The router will generally get its WAN ip address from the upstream DHCP server | + | The router will generally get its WAN ip address from the upstream DHCP server and be the DHCP server (and usually DNS server) for LAN stations. |
| - | and be the DHCP server (and usually DNS server) for LAN stations. | + | The '' |
| - | configuration file defines the private network and the '' | + | |
| - | file defines how the OpenWrt router assigns LAN-side IPv4 addresses. | + | |
| - | When MASQUERADE is enabled, **all** forwarded traffic between WAN and LAN is | + | When MASQUERADE is enabled, **all** forwarded traffic between WAN and LAN is translated. |
| - | translated. | + | Essentially, |
| - | MASQUERADE firewall rules. | + | |
| Dump ''/ | Dump ''/ | ||
| The following connection tracks SSH (22) access from STA1 to STA2. | The following connection tracks SSH (22) access from STA1 to STA2. | ||
| - | <file> | + | |
| + | <code> | ||
| ipv4 2 tcp 6 4615 ESTABLISHED src=192.168.3.171 dst=192.168.10.20 sport=60446 dport=22 packets=27 bytes=1812 src=192.168.10.20 dst=192.168.3.171 sport=22 dport=60446 packets=21 bytes=2544 [ASSURED] mark=0 use=2 | ipv4 2 tcp 6 4615 ESTABLISHED src=192.168.3.171 dst=192.168.10.20 sport=60446 dport=22 packets=27 bytes=1812 src=192.168.10.20 dst=192.168.3.171 sport=22 dport=60446 packets=21 bytes=2544 [ASSURED] mark=0 use=2 | ||
| - | </file> | + | </code> |
| :!: MASQUERADE supports two or more private LAN zones | :!: MASQUERADE supports two or more private LAN zones | ||
| Line 230: | Line 193: | ||
| :!: not tested | :!: not tested | ||
| - | The following rule redirects all LAN-side HTTP traffic through an | + | The following rule redirects all LAN-side HTTP traffic through an external proxy at 192.168.1.100 listening on port 3128. |
| - | external proxy at 192.168.1.100 listening on port 3128. | + | It assumes the //lan// address to be 192.168.1.1 - this is needed to masquerade redirected traffic towards the proxy. |
| - | It assumes the //lan// address to be 192.168.1.1 - this is needed to masquerade | + | |
| - | redirected traffic towards the proxy. | + | |
| - | < | + | < |
| config redirect | config redirect | ||
| option src lan | option src lan | ||
| Line 254: | Line 215: | ||
| </ | </ | ||
| + | ===== Extras ===== | ||
| + | ==== NAT ==== | ||
| + | Enable masquerading aka NAT on the WAN zone. | ||
| + | |||
| + | <code bash> | ||
| + | uci set firewall.@zone[1].masq=" | ||
| + | uci commit firewall | ||
| + | service firewall restart | ||
| + | </ | ||
| + | |||
| + | ==== IPv6 NAT ==== | ||
| + | Enable IPv6 masquerading aka NAT66 on the WAN zone. | ||
| + | |||
| + | <code bash> | ||
| + | uci set firewall.@zone[1].masq6=" | ||
| + | uci commit firewall | ||
| + | service firewall restart | ||
| + | </ | ||
| + | |||
| + | Announce IPv6 default route for the ULA prefix. | ||
| + | |||
| + | <code bash> | ||
| + | uci set dhcp.lan.ra_default=" | ||
| + | uci commit dhcp | ||
| + | service odhcpd restart | ||
| + | </ | ||
| + | |||
| + | Disable IPv6 source filter on the upstream interface. | ||
| + | |||
| + | <code bash> | ||
| + | uci set network.wan6.sourcefilter=" | ||
| + | uci commit network | ||
| + | service network restart | ||
| + | </ | ||
| + | |||
| + | ==== Selective NAT ==== | ||
| + | Enable masquerading selectively for a specific source subnet. | ||
| + | |||
| + | <code bash> | ||
| + | uci -q delete firewall.nat | ||
| + | uci set firewall.nat=" | ||
| + | uci set firewall.nat.family=" | ||
| + | uci set firewall.nat.proto=" | ||
| + | uci set firewall.nat.src=" | ||
| + | uci set firewall.nat.src_ip=" | ||
| + | uci set firewall.nat.target=" | ||
| + | uci commit firewall | ||
| + | service firewall restart | ||
| + | </ | ||
| + | |||
| + | ==== IPv6 selective NAT ==== | ||
| + | Enable IPv6 masquerading selectively for a specific source subnet. | ||
| + | |||
| + | <code bash> | ||
| + | uci -q delete firewall.nat6 | ||
| + | uci set firewall.nat6=" | ||
| + | uci set firewall.nat6.family=" | ||
| + | uci set firewall.nat6.proto=" | ||
| + | uci set firewall.nat6.src=" | ||
| + | uci set firewall.nat6.src_ip=" | ||
| + | uci set firewall.nat6.target=" | ||
| + | uci commit firewall | ||
| + | service firewall restart | ||
| + | </ | ||
| + | |||
| + | ==== NPT ==== | ||
| + | Enable IPv4 to IPv4 network prefix translation. | ||
| + | |||
| + | <code bash> | ||
| + | cat << " | ||
| + | LAN_PFX=" | ||
| + | WAN_PFX=" | ||
| + | . / | ||
| + | network_flush_cache | ||
| + | network_find_wan WAN_IF | ||
| + | network_get_device WAN_DEV " | ||
| + | nft add rule inet fw4 srcnat \ | ||
| + | oifname " | ||
| + | saddr map { " | ||
| + | EOF | ||
| + | uci -q delete firewall.npt | ||
| + | uci set firewall.npt=" | ||
| + | uci set firewall.npt.path="/ | ||
| + | uci commit firewall | ||
| + | service firewall restart | ||
| + | </ | ||
| + | |||
| + | ==== IPv6 NPT ==== | ||
| + | Enable IPv6 to IPv6 network prefix translation. | ||
| + | |||
| + | <code bash> | ||
| + | cat << " | ||
| + | LAN_PFX=" | ||
| + | . / | ||
| + | network_flush_cache | ||
| + | network_find_wan6 WAN_IF | ||
| + | network_get_device WAN_DEV " | ||
| + | network_get_prefix6 WAN_PFX " | ||
| + | nft add rule inet fw4 srcnat \ | ||
| + | oifname " | ||
| + | saddr map { " | ||
| + | EOF | ||
| + | uci -q delete firewall.npt6 | ||
| + | uci set firewall.npt6=" | ||
| + | uci set firewall.npt6.path="/ | ||
| + | uci commit firewall | ||
| + | service firewall restart | ||
| + | </ | ||
| + | |||
| + | ==== Multi-WAN IPv6 NPT ==== | ||
| + | Enable IPv6 network prefix translation with multiple WAN interfaces (e.g. for [[docs: | ||
| + | |||
| + | <code bash> | ||
| + | cat << " | ||
| + | . / | ||
| + | network_flush_cache | ||
| + | |||
| + | LAN_IF=lan | ||
| + | WAN_IFS=" | ||
| + | |||
| + | network_get_prefix_assignment6 LAN_PFX " | ||
| + | |||
| + | for iface in $WAN_IFS; do | ||
| + | network_get_device dev " | ||
| + | network_get_prefix6 pfx " | ||
| + | nft add rule inet fw4 srcnat_wan oif " | ||
| + | done | ||
| + | EOF | ||
| + | uci -q delete firewall.npt6 | ||
| + | uci set firewall.npt6=" | ||
| + | uci set firewall.npt6.path="/ | ||
| + | uci commit firewall | ||
| + | service firewall restart | ||
| + | </ | ||
| + | |||
| + | ==== Symmetric dynamic IPv6 NPT ==== | ||
| + | Enable symmetric dynamic IPv6 to IPv6 network prefix translation. | ||
| + | |||
| + | <code bash> | ||
| + | cat << " | ||
| + | LAN_IF=" | ||
| + | sleep 5 | ||
| + | . / | ||
| + | network_flush_cache | ||
| + | network_get_device LAN_DEV " | ||
| + | network_get_prefix_assignment6 LAN_PFX " | ||
| + | network_find_wan6 WAN_IF | ||
| + | network_get_device WAN_DEV " | ||
| + | network_get_prefix6 WAN_PFX " | ||
| + | nft add rule inet fw4 srcnat \ | ||
| + | oifname " | ||
| + | saddr map { " | ||
| + | nft add rule inet fw4 srcnat \ | ||
| + | oifname " | ||
| + | saddr map { " | ||
| + | EOF | ||
| + | uci -q delete firewall.npt6 | ||
| + | uci set firewall.npt6=" | ||
| + | uci set firewall.npt6.path="/ | ||
| + | uci commit firewall | ||
| + | service firewall restart | ||
| + | </ | ||
| + | |||
| + | ==== IPv6 to IPv4 NAT with Jool ==== | ||
| + | Enable IPv6 to IPv4 NAT aka NAT64 for IPv6-only networks with Jool. | ||
| + | Use DNS64 to resolve domain names. | ||
| + | |||
| + | <code bash> | ||
| + | opkg update | ||
| + | opkg install jool-tools-netfilter | ||
| + | . / | ||
| + | json_init | ||
| + | json_add_string " | ||
| + | json_add_string " | ||
| + | json_add_object " | ||
| + | json_add_string " | ||
| + | json_close_object | ||
| + | json_dump > / | ||
| + | uci set jool.general.enabled=" | ||
| + | uci set jool.nat64.enabled=" | ||
| + | uci commit jool | ||
| + | service jool restart | ||
| + | </ | ||
| + | |||
| + | ==== IPv6 to IPv4 NAT with Tayga ==== | ||
| + | Enable IPv6 to IPv4 NAT aka NAT64 for IPv6-only networks with Tayga. | ||
| + | Use DNS64 to resolve domain names. | ||
| + | |||
| + | <code bash> | ||
| + | opkg update | ||
| + | opkg install tayga | ||
| + | uci del_list firewall.lan.network=" | ||
| + | uci add_list firewall.lan.network=" | ||
| + | uci commit firewall | ||
| + | service firewall restart | ||
| + | uci -q delete network.nat64 | ||
| + | uci set network.nat64=" | ||
| + | uci set network.nat64.proto=" | ||
| + | uci set network.nat64.prefix=" | ||
| + | uci set network.nat64.ipv6_addr=" | ||
| + | uci set network.nat64.dynamic_pool=" | ||
| + | uci set network.nat64.ipv4_addr=" | ||
| + | uci commit network | ||
| + | service network restart | ||
| + | </ | ||
| + | |||
| + | ==== TTL ==== | ||
| + | Modify TTL for egress traffic. | ||
| + | |||
| + | <code bash> | ||
| + | cat << " | ||
| + | WAN_TTL=" | ||
| + | . / | ||
| + | network_flush_cache | ||
| + | network_find_wan WAN_IF | ||
| + | network_get_device WAN_DEV " | ||
| + | nft add rule inet fw4 mangle_postrouting \ | ||
| + | oifname " | ||
| + | EOF | ||
| + | uci -q delete firewall.ttl | ||
| + | uci set firewall.ttl=" | ||
| + | uci set firewall.ttl.path="/ | ||
| + | uci commit firewall | ||
| + | service firewall restart | ||
| + | </ | ||
| + | |||
| + | ==== IPv6 hop limit ==== | ||
| + | Modify IPv6 hop limit for egress traffic. | ||
| + | |||
| + | <code bash> | ||
| + | cat << " | ||
| + | WAN_HLIM=" | ||
| + | . / | ||
| + | network_flush_cache | ||
| + | network_find_wan6 WAN_IF | ||
| + | network_get_device WAN_DEV " | ||
| + | nft add rule inet fw4 mangle_postrouting \ | ||
| + | oifname " | ||
| + | EOF | ||
| + | uci -q delete firewall.hlim | ||
| + | uci set firewall.hlim=" | ||
| + | uci set firewall.hlim.path="/ | ||
| + | uci commit firewall | ||
| + | service firewall restart | ||
| + | </ | ||
| + | |||
| + | ==== FTP passthrough ==== | ||
| + | Enable NAT passthrough for FTP using [[packages: | ||
| + | |||
| + | <code bash> | ||
| + | opkg update | ||
| + | opkg install kmod-nf-nathelper | ||
| + | service firewall restart | ||
| + | </ | ||
| + | |||
| + | ==== SIP passthrough ==== | ||
| + | Enable NAT passthrough for SIP, PPTP, GRE, etc. using [[packages: | ||
| + | |||
| + | <code bash> | ||
| + | opkg update | ||
| + | opkg install kmod-nf-nathelper-extra | ||
| + | service firewall restart | ||
| + | </ | ||
| + | |||
| + | ==== RTSP passthrough ==== | ||
| + | Enable NAT passthrough for RTSP using [[packages: | ||
| + | |||
| + | <code bash> | ||
| + | opkg update | ||
| + | opkg install kmod-ipt-nathelper-rtsp | ||
| + | service firewall restart | ||
| + | </ | ||
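Review bot: `uci set firewall.@zone[1].masq=` and `uci set firewall.@zone[1].masq6=` in the NAT and IPv6 NAT extras address the WAN zone by position, so on a configuration where the second zone is not wan the command enables masquerading on a different zone without any error. Select the zone by name, or tell the reader to confirm the index with `uci show firewall` before running it. "Disable IPv6 source filter on the upstream interface" needs a sentence on why the NAT66 setup requires it and what the filter does when left on, and the `sleep 5` in the symmetric NPT include deserves a comment saying what it waits for.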