I have an untangle box (debian 10 underneath) that I am attempting to forward a WOL packet from a host in one subnet to a host in another subnet. My initial solution to this was to use knockd, listen for a syn packet on one of its interfaces on one subnet, then execute an etherwake command on the other subnet to wake up the host. I would send the syn packet using netcat from a linux server in the first subnet, sending the packet to the gateway IP (the untangle box). Problem is, the traffic destined for the FW itself is processed initially on an unaddressed vlan interface.

It's a bit weird, the syn packet is only seen on the unaddressed interface, then all other packets are seen on the actual addressed vlan interface. It breaks my plan on using knockd, because knockd refuses to listen on interfaces without an IP address. I can see the syn packet coming into the unaddressed interface with tcpdump, and knockd uses tcpdump under the hood.

So is there a way to force knockd to listen on an unaddressed interface anyways? If knockd is just completely out of the question, how would you implement a WOL packet forwarder on Debian 10?

The issue of waking a host is that to send it a packet, the network stack must know the MAC address of the NIC. Normally it's dynamically handled by ARP. If the MAC entry has been evicted from the router's ARP table, when the host is asleep it can't answer the ARP query, thus the router can't get the MAC address needed to reach the sleeping host to send it the WOL Magic Packet™ even if such packet includes 16 times this MAC address in its payload. Here are two methods to overcome this relying only on the network stack (and companions like iptables or tc).

Since there is control on the router, one can set a permanent ARP entry on the router for the sleeping host. That way the previous problem will never happen. The router can now easily send or forward a WOL Magic Packet™ without having to use any broadcast anywhere. With NAT to "port forward", a remote host can then use the wakeonlan command (rather than the etherwake command, because it can change the UDP port). The sleeping host thus needs a static address (or one with a permanent DHCP lease).

Let's say the WAN address on the router is 192.0.2.2 on wan0, the LAN side on the router is 192.168.1.1/24 on interface lan0 and the sleeping host 192.168.1.101/24 on an interface with MAC address 12:34:56:78:9a:bc. On the router:

ip neighbour replace 192.168.1.101 lladdr 12:34:56:78:9a:bc dev lan0 nud permanent

As it's unclear if the packet received by the NIC will be consumed or still correctly made available to the waking host, it's traditionally port 9 that has been chosen because that's the discard service in case it's "running" and either would be the same. This port on the sleeping host should preferably be unused and firewalled (packets dropped), or actually running the discard service. As one port maps to one target, if there are multiple WOL hosts, each should have a different port. The issue of a first packet arriving elsewhere in OP's description is worked around by selecting all interfaces that aren't the lan0 interface. So still on the router, using iptables, do the DNAT and allow the redirected packet:

iptables -t nat -I PREROUTING ! -i lan0 -p udp --dport 9 -j DNAT --to-destination 192.168.1.101
iptables -I FORWARD -m conntrack --ctstate DNAT -d 192.168.1.101 -j ACCEPT

A remote host on the Internet can now do this to wake the sleeping host:

wakeonlan -i 192.0.2.2 -p 9 12:34:56:78:9a:bc

System integration depends on the method used for network configuration. For example if it's configured with interfaces and ifupdown, the two iptables commands could be added as pre-up commands in the iface lan0 stanza (and deleted in a down command), and the ip neighbour as an up command.

Directed subnet broadcast (since kernel 4.19)

Tools always have options to use broadcast packets which end up as broadcast Ethernet frames that will reach all hosts, including the target host. This can be done when routing but there are more risks involved (including participating in reflected attacks). The directed subnet broadcast must be enabled globally and on the receiving WAN interface (not the target LAN interface). If there are possibly multiple WAN interfaces (OP describes packets arriving first on an interface, then another), enable it on all involved.
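A user-space alternative to the kernel-only DNAT forwarder, as an added example that is not part of the original question or answer: it checks that each UDP datagram really is a Wake-on-LAN magic packet for an allow-listed MAC before relaying it unicast to that host, so the router cannot be turned into a relay for arbitrary UDP payloads. Addresses, MAC and port 9 are the answer's constructed values; the allow-list and the relay() function are my own assumptions.

```python
"""User-space WOL relay that validates magic packets before forwarding them.
Added example, not code from the original post; uses the answer's constructed
addressing (sleeping host 192.168.1.101 / 12:34:56:78:9a:bc, UDP port 9)."""
import socket
from typing import Dict, Optional

SYNC = b"\xff" * 6          # a magic packet starts with six 0xFF bytes...
REPEAT = 16                 # ...followed by the target MAC repeated 16 times
BODY_LEN = 6 + 6 * REPEAT   # 102 bytes before any optional SecureOn password

def mac_to_bytes(mac: str) -> bytes:
    """Parse '12:34:56:78:9a:bc' (':' or '-' separated) into 6 raw bytes."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC: {mac}")
    return bytes(int(p, 16) for p in parts)

def build_magic_packet(mac: str) -> bytes:
    """Build the payload wakeonlan sends (without a SecureOn password)."""
    return SYNC + mac_to_bytes(mac) * REPEAT

def parse_magic_packet(payload: bytes) -> Optional[str]:
    """Return the target MAC if payload is a well-formed magic packet, else None.
    A trailing 4- or 6-byte SecureOn password is tolerated; anything else fails."""
    body, tail = payload[:BODY_LEN], payload[BODY_LEN:]
    if len(body) != BODY_LEN or body[:6] != SYNC or len(tail) not in (0, 4, 6):
        return None
    mac = body[6:12]
    if body[6:] != mac * REPEAT:     # all 16 copies must be identical
        return None
    return ":".join(f"{b:02x}" for b in mac)

def should_forward(payload: bytes, allowed: Dict[str, str]) -> Optional[str]:
    """Relay policy: `allowed` maps lowercase MAC -> LAN IP; return the IP to
    relay to, or None so the router never acts as a generic UDP reflector."""
    mac = parse_magic_packet(payload)
    return allowed.get(mac) if mac else None

def relay(listen: str, port: int, allowed: Dict[str, str]) -> None:
    """Receive on the WAN address and re-send as unicast to the LAN host
    (unicast to a sleeping host relies on the answer's permanent ARP entry)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((listen, port))
        while True:
            payload, _src = sock.recvfrom(2048)
            target = should_forward(payload, allowed)
            if target:
                sock.sendto(payload, (target, port))
if __name__ == "__main__":
    relay("192.0.2.2", 9, {"12:34:56:78:9a:bc": "192.168.1.101"})
```

The relay still needs the router's `ip neighbour ... nud permanent` entry (or the DNAT alternative) for the unicast to reach a host that cannot answer ARP; as with the iptables version, one listening port maps to one set of allowed targets.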