improve answer.
vittorio88
  1. My socat didn't forward traffic when the UDP broadcast destination was 255.255.255.255.
  2. When I set the bind address to 0.0.0.0, I ran into a broadcast storm.

The ugly

Since I couldn't bind to all interfaces with bind=0.0.0.0, my solution is to bind to the wan IP address; that way traffic that gets broadcast on the lan no longer reaches the wan interface again. I discover my public wan IP address by binding to my ddns hostname.

socat -u -T1 UDP-LISTEN:9,bind=vitto.example.net,fork UDP-DATAGRAM:192.168.20.255:9,broadcast 

Verify socat is listening with netstat:

netstat -tuna | grep ":9" 

On OpenWrt (and most iptables systems), this also requires the following line, so the packet isn't dropped:

iptables -I INPUT -p udp --dport 9 -j ACCEPT 

I couldn't figure out a way for socat to "bind to the IP of my wan interface", so I pointed it to my public hostname vitto.example.net. While this works, it will not update if the IP address changes, and the IP address it resolves to at boot time may not be the one on the interface at the time.

For the lazy OpenWRTers, paste this into /etc/firewall.user:

iptables -I INPUT -p udp --dport 9 -j ACCEPT -m comment --comment "firewall entry to allow udp port 9 to socat"
killall socat 2>/dev/null
socat -u -T1 UDP-LISTEN:9,bind=vitto.somewhere.net,fork UDP-DATAGRAM:192.168.20.255:9,broadcast &

Then issue:

/etc/init.d/firewall restart 
  1. My socat didn't forward traffic when the UDP broadcast destination was 255.255.255.255. I avoided this by restricting the broadcast subnet to the one I use, which is probably safer.
  2. When I set the bind address to 0.0.0.0, I ran into a broadcast storm due to traffic bouncing back into socat from my LAN. I first solved this by binding to my public ddns; however, this is not ideal because ddns may not be available and my dynamically assigned IP address may change.

I was able to bind to 0.0.0.0 (all addresses) and avoid the broadcast storm by adding an iptables rule to block incoming broadcast from bouncing back into socat from the LAN side. Together with an iptables rule to accept traffic on UDP port 9 and an iptables rule to log it, we get the following three rules in addition to the socat command.

iptables -I input_wan_rule -p udp --dport 9 -j ACCEPT -m comment --comment "firewall entry to allow udp port 9 to socat"
iptables -I input_wan_rule -p udp --dport 9 -j LOG --log-prefix 'Received MAGIC PACKET on udp/9'
iptables -I input_lan_rule -p udp --dport 9 -d 192.168.20.0/24 -j DROP -m comment --comment "block broadcast from bouncing back to socat to avoid storm"
killall socat 2>/dev/null
socat -u -T1 UDP-LISTEN:9,bind=0.0.0.0,fork UDP-DATAGRAM:192.168.20.255:9,broadcast &

For the OpenWRTers, pasting this into /etc/firewall.user and issuing /etc/init.d/firewall restart is sufficient.
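As an added example (not part of vittorio88's answer): a Python script that parses the kernel log lines the LOG rule above produces, for instance from `logread` on OpenWrt, so you can see which WAN sources are hitting UDP/9 before socat rebroadcasts them onto the LAN. The sample log lines and RFC 5737 addresses are constructed; note that the rule's --log-prefix has no trailing space, so in the log the prefix is glued to the IN= field and the parser has to tolerate that.

```python
"""Summarize netfilter LOG entries from the 'Received MAGIC PACKET on udp/9'
rule: which WAN sources are sending to UDP/9, and how often."""
import re
from collections import Counter

# Prefix exactly as written in the iptables LOG rule. It ends without a space,
# so the kernel prints it glued to the first field: "...udp/9IN=eth0.2".
LOG_PREFIX = "Received MAGIC PACKET on udp/9"

# Netfilter LOG output is a run of KEY=VALUE tokens; OUT= is empty for traffic
# addressed to the router itself, so a value may be the empty string.
_FIELD_RE = re.compile(r"(IN|OUT|SRC|DST|PROTO|SPT|DPT)=(\S*)")

# Constructed sample lines in OpenWrt logread format (not real captures).
SAMPLE_LOG = [
    "Sat Mar  2 10:15:01 2024 kern.warn kernel: [1234.567] Received MAGIC PACKET on udp/9IN=eth0.2 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=130 TOS=0x00 "
    "PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=40123 DPT=9 LEN=110",
    "Sat Mar  2 10:15:02 2024 kern.warn kernel: [1235.001] Received MAGIC PACKET on udp/9IN=eth0.2 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=130 TOS=0x00 "
    "PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=40124 DPT=9 LEN=110",
    "Sat Mar  2 10:16:00 2024 kern.warn kernel: [1293.200] Received MAGIC PACKET on udp/9IN=eth0.2 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.44 DST=198.51.100.7 LEN=130 TOS=0x00 "
    "PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=51000 DPT=9 LEN=110",
    "Sat Mar  2 10:16:05 2024 daemon.info dnsmasq-dhcp[1234]: DHCPACK(br-lan) 192.168.20.50 00:aa:bb:cc:dd:ee",
]


def parse_log_line(line):
    """Return the interesting fields of one magic-packet LOG entry as a dict,
    or None if the line does not come from our rule or is not UDP to port 9."""
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    fields = dict(_FIELD_RE.findall(line[idx + len(LOG_PREFIX):]))
    # The rule matches udp/9 only, but check anyway so a reused prefix can't mislead.
    if fields.get("PROTO") != "UDP" or fields.get("DPT") != "9":
        return None
    return {"iface": fields.get("IN", ""), "src": fields.get("SRC", ""),
            "dst": fields.get("DST", ""), "sport": int(fields.get("SPT", 0))}


def summarize(lines):
    """Count magic-packet LOG entries per source IP (Counter keyed by SRC)."""
    return Counter(rec["src"] for rec in map(parse_log_line, lines) if rec)


if __name__ == "__main__":
    for src, n in summarize(SAMPLE_LOG).most_common():
        print(f"{src}: {n} packet(s) to udp/9 on the WAN")
```

On the router itself, `logread | python3 thisscript.py` style use would need the script to read stdin instead of SAMPLE_LOG; the parsing is the same.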

edited body

Since I couldn't bind to all interfaces with bind=0.0.0.0, my solution is to bind to the wan IP address; that way traffic that gets broadcast on the lan no longer reaches the wan interface again. I discover my public wan IP address by binding to my ddns hostname.

improved formatting, elaborated upon answer, further described solution.

socat, as indicated by the previous answer, is badass. The previous socat answer, however, didn't forward traffic when the destination was 255.255.255.255. When I set the broadcast destination to my subnet 192.168.20.255, I ran into the broadcast storm issue mentioned in said answer.

My solution is to bind to the wan IP address; that way traffic that gets broadcast on the lan no longer reaches the wan interface again. I discover my wan IP address by binding to my ddns hostname.

socat, as indicated by the previous answer, is badass. With the previous socat answer, however, I ran into a few issues.

  1. My socat didn't forward traffic when the UDP broadcast destination was 255.255.255.255.
  2. When I set the bind address to 0.0.0.0, I ran into a broadcast storm.

Since I couldn't bind to all interfaces with bind=0.0.0.0, my solution is to bind to the wan IP address; that way traffic that gets broadcast on the lan no longer reaches the wan interface again. I discover my public wan IP address by binding to my ddns hostname.
