
In my network I have an OpenWRT Router with nftables in it. I also have a gaming server that is in its own network (192.168.36.x) and a client in another network (192.168.1.x). In the client I have an application that fires a broadcast packet (255.255.255.255) in order to discover instances of the server application, which of course won't traverse networks. So I'm trying to leverage nftables DNAT capabilities to forward the broadcast packet from the client in 192.168.1.x to the server in 192.168.36.x, but with no success so far.

I set up this chain:

    table ip nat {
        chain prerouting {
            type nat hook prerouting priority dstnat; policy accept;
            iif "br-lan" ip daddr 255.255.255.255 udp dport 10308-10310 dnat to 192.168.36.36
        }
    }

where br-lan is the bridge on the router where 192.168.1.x hosts are connected, but it seems nothing is received on the server. Other variants I tried without any success:

  • iif br-lan ip daddr 192.168.1.255 udp dport 10308-10310 dnat to 192.168.36.36
  • iif br-lan meta pkttype broadcast udp dport 10308-10310 dnat to 192.168.36.36
  • iif br-lan udp dport 10308-10310 dnat to 192.168.36.36
  • ip daddr 255.255.255.255 udp dport { 10308, 10309, 10310 } dnat to 192.168.36.36
  • meta pkttype broadcast udp dport 10308-10310 dnat to 192.168.36.36

Of all these, particularly interesting is iif br-lan udp dport 10308-10310 dnat to 192.168.36.36 (i.e. one where I don't put any filter on the destination address): in this case, it seems that all the packets are actually forwarded to the server, but unfortunately this brings another issue because the application fires both the local broadcast packet and also remote unicast discovery packets to get info from remote servers, and if I route all these packets I end up with an endless list of duplicates. So I need to apply my rule only to my local broadcast packet.

EDIT: Disregard the above paragraph. I just realized that those packets are correctly forwarded just because they're not broadcast packets.

Am I approaching this problem in the correct way? Is there any other thing I could try? Unfortunately socat is not helping here, because that would rewrite the source IP address which is used by the client to actually connect to the server, so that's not an option either.

1 Answer


I managed to solve my issue! Drawing inspiration from this answer, this rule works perfectly:

    #!/usr/sbin/nft -f
    table netdev dcs_broadcast
    delete table netdev dcs_broadcast
    table netdev dcs_broadcast {
        chain dcs_lan {
            type filter hook ingress device br-lan priority 0;
            pkttype broadcast ether type ip udp dport 10308-10310 counter fwd to br-36
        }
    }
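An added check, not part of the answer above: a small client/server probe that sends a UDP datagram to 255.255.255.255 on 10308 from the 192.168.1.x side and reports, on the 192.168.36.x side, the source IP it arrived with. Since the original requirement was that the server sees the client's real address (which a socat relay would rewrite), the printed source IP is the thing to verify; the file name probe.py and the payload are assumptions, and the game's actual discovery format is not on the page.

```python
"""Check that a UDP discovery broadcast crosses the router and keeps its source IP.
Usage: `probe.py server` on the 192.168.36.x host, `probe.py client` on 192.168.1.x."""
import socket
import sys

DISCOVERY_PORT = 10308          # first of the 10308-10310 range from the question
BROADCAST = "255.255.255.255"   # the limited broadcast address the client app uses
PROBE = b"DISCOVER-PROBE"       # constructed payload; not the real game's format

def open_listener(bind_addr: str, port: int) -> socket.socket:
    """Server side: bind a UDP socket that will receive the forwarded probe."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((bind_addr, port))
    return s

def send_probe(dst: str, port: int, payload: bytes = PROBE) -> int:
    """Client side: SO_BROADCAST is required to send to 255.255.255.255."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return s.sendto(payload, (dst, port))

def receive_probe(listener: socket.socket, timeout: float = 2.0):
    """Return (payload, sender_ip) or None. With the netdev fwd rule the sender_ip
    should be the client's 192.168.1.x address, not an address of the router."""
    listener.settimeout(timeout)
    try:
        payload, (src_ip, _) = listener.recvfrom(2048)
        return payload, src_ip
    except socket.timeout:
        return None

def loopback_selfcheck():
    """Offline sanity check of both halves over 127.0.0.1 (no router involved)."""
    with open_listener("127.0.0.1", 0) as listener:   # port 0: any free port
        port = listener.getsockname()[1]
        send_probe("127.0.0.1", port)
        return receive_probe(listener)

if __name__ == "__main__":
    if sys.argv[1:2] == ["server"]:
        with open_listener("0.0.0.0", DISCOVERY_PORT) as listener:
            print("received:", receive_probe(listener, timeout=30))
    elif sys.argv[1:2] == ["client"]:
        send_probe(BROADCAST, DISCOVERY_PORT)
    else:
        print("self-check:", loopback_selfcheck())
```

The `counter` on the answer's rule is the other half of the check: if it increments but the server prints nothing, the packet left br-lan but was not accepted on br-36.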
