We have a 44-network here that is not routed to/from the Internet. While it has gateways to the internet, the gateways have the standard firewall in place which prevents Internet users from accessing the 44 network, except for a few specific port-forwards we have in place.
To start experimenting with mesh/backbone connectivity, I have connected the WAN ports of two nodes of a small mesh network to this 44 network (just using a VLAN switch). From a computer connected to the 44 network I can reach the admin console of both mesh nodes at port 8080 of their WAN addresses, as expected. It works well - I can look at all of the screens.
Now here is the part where I am getting stuck. I would like to access the mesh status page from my home network (and the Internet). I am trying to do it by way of the 44 network. If I do a DSTNAT from a port on the Internet side (of the gateway router) to the WAN address of the mesh node and call up that address and port from a browser, I get an immediate response that says:
Forbidden
Rejected request from RFC1918 IP to public server address

I do not know where this message is coming from. Is there something in the mesh firewall that does not like this arrangement?
Or is it coming from my (MikroTik) router? How can I make it work?
My best guess is that this is coming from the MikroTik router--doesn't like the fact that you're not using 10.x.x.x, 192.168.x.x, or 172.16.x.x private addresses with a NAT involved. Both sides of the router (Internet on one side and 44.x.x.x on the other) are using IANA addresses, where basic routing and firewalling can be used.
If your 44.x.x.x is integrated into the internet--routing, DNS, etc.--then a NAT is not necessary. The firewall coming into your 44.x.x.x could only allow the specific IP addresses to be routed into your network that are desired. The home computer on the internet would be using the direct registered internet 44.x.x.x specific address assigned to the mesh node's wan interface to get to it.
Ultimately, to scale and integrate multiple mesh islands with multiple backbone 44.x.x.x allocations we can look at how the internet already does this. BGP would need to be implemented if all the possible traffic routing scenarios are going to work. This is no different than each mesh island being a company with a private network integrating into the internet with multiple connection points. The backbone networks either have to be known and routable on the internet (44.x.x.x addresses) or look like another private company's network with the assigned private addresses for all the complexity to work.
Joe AE6XE
Post-lunch siesta Google revealed the answer is right here in the forum.
It turns out that this *is* a feature of AREDN - there is a filter just for this. I am sure it is trying to prevent something evil but I do not think/hope it applies here.
Anyway the answer is to go to /etc/config.mesh/uhttpd and set the option for RFC1918 filtering to 0. Apparently at one time this was in /etc/config/uhttpd but that did not work for me.
Again, I have no trouble reaching the admin console from the 44 network directly. My desired path is:
Internet/192.168.x.x/44.x.x.x/10.x.x.x. It's a triple NAT and it works fine.
Of course, you can only reach the node and mesh status pages. But that is exactly what I want. Success!
The evil to prevent now is a "DNS rebinding" attack--what this option was intended for. Are all of the 3 NAT boundaries also doing SNAT? I suspect if you are using SNAT, that you can leave this security measure turned on. Basically the current configuration looks like it was trying to route an "unroutable" address (the defined private addresses in RFC1918) back out the 44.x.x.x wan interface. If the incoming connection had a SNAT when coming in through the 44.x.x.x network, then the mesh node would think the reply goes back to a 44.x.x.x address and not a 192.168.x.x address.
Joe AE6XE
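To make the two posts above concrete (the rfc1918_filter option in uhttpd that produced the "Forbidden" page, and Joe's point that SNAT at the gateway lets you keep the filter on), here is a small model of the filter decision. This is an added example written for this thread, not AREDN or uhttpd code: it reproduces the rule the error text describes (reject when the client source is RFC1918 and the server-side address is public) and walks the OP's path with and without SNAT. All addresses (192.168.1.10, 44.127.0.10, 44.127.0.1, 44.127.0.50) are constructed placeholders, not anyone's real allocation.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# The three IPv4 blocks defined by RFC1918. The filter in the thread is keyed on
# these; the node's own error text is "Rejected request from RFC1918 IP to public
# server address".
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr: str) -> bool:
    """True if addr is an IPv4 address inside one of the RFC1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918_NETS)


def rfc1918_filter_check(client_addr: str, server_addr: str,
                         filter_enabled: bool = True) -> Tuple[bool, str]:
    """Model of the rfc1918_filter decision (assumption: mirrors the rule the
    error message states). Returns (allowed, reason).

    The request is rejected only when all three hold: the filter is on, the
    source address the node sees is RFC1918, and the address the request arrived
    on (the node's WAN address) is NOT RFC1918. This is the DNS-rebinding guard:
    a browser on a private LAN should not be talking to the node's public address.
    """
    if not filter_enabled:
        return True, "allowed: rfc1918_filter=0"
    if not is_rfc1918(client_addr):
        return True, "allowed: client source is not RFC1918"
    if is_rfc1918(server_addr):
        return True, "allowed: server address is itself RFC1918"
    return False, "403 Forbidden: Rejected request from RFC1918 IP to public server address"


def source_seen_by_node(client_addr: str, snat_addr: Optional[str]) -> str:
    """Source address the mesh node sees after the gateway router.

    DSTNAT alone rewrites only the destination, so the home PC's 192.168.x.x
    source passes through. With SNAT (or masquerade) the gateway rewrites the
    source to its own 44.x.x.x address, which is what Joe suggests.
    """
    return snat_addr if snat_addr else client_addr


def walk_scenarios() -> Dict[str, bool]:
    """Run the OP's path through the model. Constructed placeholder addresses."""
    home_pc = "192.168.1.10"      # home LAN side of the gateway
    gateway_44 = "44.127.0.1"     # gateway's address on the 44 network
    node_wan = "44.127.0.10"      # mesh node WAN address (the DSTNAT target)
    lan_host_44 = "44.127.0.50"   # a computer directly on the 44 network

    results: Dict[str, bool] = {}

    # 1. DSTNAT only: node sees 192.168.1.10 -> 44.127.0.10 and rejects it.
    src = source_seen_by_node(home_pc, snat_addr=None)
    results["dstnat_only"] = rfc1918_filter_check(src, node_wan)[0]

    # 2. DSTNAT + SNAT at the gateway: node sees 44.127.0.1 -> 44.127.0.10, allowed,
    #    and the filter can stay enabled.
    src = source_seen_by_node(home_pc, snat_addr=gateway_44)
    results["dstnat_plus_snat"] = rfc1918_filter_check(src, node_wan)[0]

    # 3. Filter switched off (the OP's workaround): allowed, but the guard is gone.
    src = source_seen_by_node(home_pc, snat_addr=None)
    results["filter_disabled"] = rfc1918_filter_check(src, node_wan, filter_enabled=False)[0]

    # 4. Direct from the 44 network: never tripped, matching the OP's observation.
    results["direct_from_44"] = rfc1918_filter_check(lan_host_44, node_wan)[0]

    return results


if __name__ == "__main__":
    for name, allowed in walk_scenarios().items():
        print(f"{name:18s} -> {'allowed' if allowed else 'rejected'}")
```

Running it prints one line per scenario; only the DSTNAT-only case is rejected, which is the "Forbidden" page the OP saw. The SNAT case shows why the filter can be left at 1: the node only ever sees 44.x.x.x sources, so the rebinding guard still protects browsers on the node's own private side while the admin path from home keeps working.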