OpenWrt Forum Archive

Topic: Port forwarding not working on 7.09

The content of this topic has been archived on 23 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi, all my port forwards just stopped working, and I can't figure out why. Here are my firewall rules:

I configured everything in /etc/config/firewall

accept:proto=tcp dport=45208
forward:proto=tcp dport=45208:192.168.1.10:80
forward:proto=tcp dport=5504:192.168.1.4:5500
forward:proto=tcp dport=5505:192.168.1.5:5500
forward:proto=tcp dport=5506:192.168.1.6:5500
forward:proto=tcp dport=5508:192.168.1.8:5500
forward:proto=tcp dport=5509:192.168.1.9:5500
forward:proto=tcp dport=5511:192.168.1.11:5511
forward:proto=tcp dport=5960:192.168.1.3:3389
forward:proto=tcp dport=8085:192.168.1.3:80

And here is my iptables output:

root@OpenWrt:/etc/init.d# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
root@OpenWrt:/etc/init.d# /etc/init.d/firewall start
root@OpenWrt:/etc/init.d# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       tcp  --  anywhere             anywhere            tcp option=!2 flags:SYN/SYN
input_rule  all  --  anywhere             anywhere
input_wan  all  --  anywhere             anywhere
LAN_ACCEPT  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     gre  --  anywhere             anywhere
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
forwarding_rule  all  --  anywhere             anywhere
forwarding_wan  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
output_rule  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain LAN_ACCEPT (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain forwarding_rule (1 references)
target     prot opt source               destination

Chain forwarding_wan (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             ubuntu              tcp dpt:80
ACCEPT     tcp  --  anywhere             192.168.1.4         tcp dpt:5500
ACCEPT     tcp  --  anywhere             192.168.1.5         tcp dpt:5500
ACCEPT     tcp  --  anywhere             192.168.1.6         tcp dpt:5500
ACCEPT     tcp  --  anywhere             192.168.1.8         tcp dpt:5500
ACCEPT     tcp  --  anywhere             192.168.1.9         tcp dpt:5500
ACCEPT     tcp  --  anywhere             192.168.1.11        tcp dpt:5511
ACCEPT     tcp  --  anywhere             192.168.1.3         tcp dpt:3389
ACCEPT     tcp  --  anywhere             192.168.1.3         tcp dpt:80

Chain input_rule (1 references)
target     prot opt source               destination

Chain input_wan (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            multiport dports 45208

Chain output_rule (1 references)
target     prot opt source               destination

Any ideas?

Your post is missing the essential information from iptables -t nat -vL.

knox wrote:

Your post is missing the essential information from iptables -t nat -vL.

here it goes:

root@OpenWrt:/etc/init.d# iptables -t nat -vL
Chain PREROUTING (policy ACCEPT 1143 packets, 120K bytes)
 pkts bytes target     prot opt in     out     source               destination
  511 24904 NEW        tcp  --  any    any     anywhere             anywhere            state NEW
 1077  110K prerouting_rule  all  --  any    any     anywhere             anywhere
   35  1632 prerouting_wan  all  --  eth0.1 any     anywhere             anywhere

Chain POSTROUTING (policy ACCEPT 36 packets, 2445 bytes)
 pkts bytes target     prot opt in     out     source               destination
  781 55571 postrouting_rule  all  --  any    any     anywhere             anywhere
  780 55243 MASQUERADE  all  --  any    eth0.1  anywhere             anywhere

Chain OUTPUT (policy ACCEPT 4 packets, 538 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain NEW (1 references)
 pkts bytes target     prot opt in     out     source               destination
  511 24904 RETURN     all  --  any    any     anywhere             anywhere            limit: avg 50/sec burst 100
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain postrouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination
    6   288 ACCEPT     tcp  --  any    any     anywhere             anywhere            multiport dports 45208
    0     0 DNAT       tcp  --  any    any     anywhere             anywhere            multiport dports 45208 to:192.168.1.10:80
    3   144 DNAT       tcp  --  any    any     anywhere             anywhere            multiport dports 5504 to:192.168.1.4:5500
    0     0 DNAT       tcp  --  any    any     anywhere             anywhere            multiport dports 5505 to:192.168.1.5:5500
    0     0 DNAT       tcp  --  any    any     anywhere             anywhere            multiport dports 5506 to:192.168.1.6:5500
    0     0 DNAT       tcp  --  any    any     anywhere             anywhere            multiport dports 5508 to:192.168.1.8:5500
    0     0 DNAT       tcp  --  any    any     anywhere             anywhere            multiport dports 5509 to:192.168.1.9:5500
    0     0 DNAT       tcp  --  any    any     anywhere             anywhere            multiport dports 5511 to:192.168.1.11:5511
    0     0 DNAT       tcp  --  any    any     anywhere             anywhere            multiport dports 5960 to:192.168.1.3:3389
    0     0 DNAT       tcp  --  any    any     anywhere             anywhere            multiport dports 8085 to:192.168.1.3:80

Well, after doing some research, I saw several people with the same problem saying that after some time it just stops working, and that seems to be the case here.

I just rebooted the router and all the port forwarding started working again.

Is there some fix to this?
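One thing worth reading off the nat listing above, independent of the "stops working after a while" symptom: the accept:proto=tcp dport=45208 line produced an ACCEPT rule in nat prerouting_wan ahead of the DNAT for the same port (6 packets hit the ACCEPT, 0 hit the DNAT). In the nat table, ACCEPT ends NAT processing for that connection, so a DNAT listed below it for the same dport can never match; accept: is for services on the router itself, while a forward: only needs its forwarding_wan ACCEPT. The following is an added example, not code from this thread or from OpenWrt: a POSIX sh/awk checker that reads the output of iptables -t nat -vL prerouting_wan and reports DNAT rules shadowed by an earlier ACCEPT on the same port, plus DNAT rules whose packet counter is still zero. The sample chain listing is constructed from the counters posted above; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit "iptables -t nat -vL prerouting_wan" output for DNAT rules
# that cannot match. Not OpenWrt code; function names are hypothetical.

# Constructed sample, copied from the counters posted in this thread.
SAMPLE_NAT_PREROUTING_WAN='Chain prerouting_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination
    6   288 ACCEPT     tcp  --  any    any     anywhere             anywhere            multiport dports 45208
    0     0 DNAT       tcp  --  any    any     anywhere             anywhere            multiport dports 45208 to:192.168.1.10:80
    3   144 DNAT       tcp  --  any    any     anywhere             anywhere            multiport dports 5504 to:192.168.1.4:5500
    0     0 DNAT       tcp  --  any    any     anywhere             anywhere            multiport dports 5505 to:192.168.1.5:5500'

# check_shadowed_dnat < chain-listing
# Emits "SHADOWED <port> -> <target>" when an ACCEPT for the same dport precedes
# the DNAT in the chain (nat-table ACCEPT = no NAT for that connection), and
# "NOHITS <port> -> <target>" when the DNAT has matched nothing since the
# counters were last cleared. Nothing is printed for healthy rules.
check_shadowed_dnat() {
    awk '
        # $1 = pkts, $3 = target; the port follows "dports"/"dport", the DNAT
        # destination is the "to:..." token.
        $3 == "ACCEPT" || $3 == "DNAT" {
            port = ""; to = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "dports" || $i == "dport") port = $(i + 1)
                if ($i ~ /^to:/) to = substr($i, 4)
            }
            if (port == "") next
            if ($3 == "ACCEPT") { accepted[port] = 1; next }
            if (port in accepted)   printf "SHADOWED %s -> %s\n", port, to
            else if ($1 == 0)       printf "NOHITS %s -> %s\n", port, to
        }
    '
}

# Runs the check over the embedded sample (on a router you would instead pipe
# "iptables -t nat -vL prerouting_wan" into check_shadowed_dnat).
check_sample() {
    printf '%s\n' "$SAMPLE_NAT_PREROUTING_WAN" | check_shadowed_dnat
}

check_sample
```

NOHITS only means "no packet matched since the chain was loaded", which is normal for a port nobody has tried yet. For the intermittent failure discussed in this thread the useful check is two snapshots of the same listing taken a minute apart while connecting from outside: a DNAT whose pkts column does not move while the PREROUTING policy counter does is the rule that has stopped matching.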

fabioxgn, the same thing happened for me.

I'm running Kamikaze 7.09 on an ASUS WL-500gP (brcm-2.4). In my /etc/config/firewall, I have:

forward:dport=22:10.0.0.4:22

Port forwarding worked for a while, but then mysteriously stopped working.

I have the same issue in kk 7.09, but as I already wrote in another thread on this topic, a workaround that works stably for me is to simply not specify a destination port. This way you cannot change ports, e.g. internet IP 80 to local machine 8080, but at least it works reliably.

Also, I'm not using /etc/config/firewall but /etc/firewall.user to do this:

iptables -t nat -A prerouting_wan -p tcp --dport 22 -j DNAT --to 192.168.0.2
iptables        -A forwarding_wan -p tcp --dport 22 -d 192.168.0.2 -j ACCEPT
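As an added example (not code from this thread or from OpenWrt), here is a small POSIX sh helper that turns 7.09-style forward: lines from /etc/config/firewall into the two /etc/firewall.user rules shown above: the DNAT in nat prerouting_wan and the matching ACCEPT in forwarding_wan. The point a practitioner needs to get right is that the forwarding_wan rule must match the translated LAN port and LAN address, because the FORWARD chain sees the packet after DNAT has rewritten it (compare the dpt:80 to 192.168.1.10 entry in the forwarding_wan listing earlier in this thread). Assumptions: proto defaults to tcp when the line omits it, and a dport value with no LAN port is rendered as the workaround above (DNAT to the host only, port unchanged). Function names are hypothetical.

```shell
#!/bin/sh
# Added example: render Kamikaze 7.09 "forward:" config lines as firewall.user
# iptables commands. Not OpenWrt code; helper names are hypothetical.

# fw_forward_rules PROTO WANPORT LANIP [LANPORT]
# Prints the nat DNAT rule for prerouting_wan and the filter ACCEPT for
# forwarding_wan. The ACCEPT uses the LAN port: FORWARD sees post-DNAT packets.
fw_forward_rules() {
    proto=$1; wanport=$2; lanip=$3; lanport=$4
    if [ -n "$lanport" ]; then
        printf 'iptables -t nat -A prerouting_wan -p %s --dport %s -j DNAT --to %s:%s\n' \
            "$proto" "$wanport" "$lanip" "$lanport"
        printf 'iptables -A forwarding_wan -p %s --dport %s -d %s -j ACCEPT\n' \
            "$proto" "$lanport" "$lanip"
    else
        # No LAN port given: forward without translation (the workaround from
        # this thread), so the accepted port equals the public port.
        printf 'iptables -t nat -A prerouting_wan -p %s --dport %s -j DNAT --to %s\n' \
            "$proto" "$wanport" "$lanip"
        printf 'iptables -A forwarding_wan -p %s --dport %s -d %s -j ACCEPT\n' \
            "$proto" "$wanport" "$lanip"
    fi
}

# parse_forward_line 'forward:proto=tcp dport=WANPORT:LANIP[:LANPORT]'
# Returns 1 for anything that is not a forward: line or lacks dport.
# Assumption: proto defaults to tcp when absent.
parse_forward_line() {
    line=$1
    case "$line" in
        forward:*) ;;
        *) return 1 ;;
    esac
    body=${line#forward:}
    proto=tcp
    dport=
    for kv in $body; do
        case "$kv" in
            proto=*) proto=${kv#proto=} ;;
            dport=*) dport=${kv#dport=} ;;
        esac
    done
    [ -n "$dport" ] || return 1
    wanport=${dport%%:*}
    rest=${dport#*:}
    lanip=${rest%%:*}
    case "$rest" in
        *:*) lanport=${rest#*:} ;;
        *)   lanport= ;;
    esac
    fw_forward_rules "$proto" "$wanport" "$lanip" "$lanport"
}

# render_firewall_user < config
# Converts every forward: line on stdin; other lines (accept:, comments) are
# skipped, since accept: belongs to input_wan, not to a port forward.
render_firewall_user() {
    while IFS= read -r cfgline; do
        parse_forward_line "$cfgline" || :
    done
}

# Constructed sample in the format quoted in this thread.
SAMPLE_CONFIG='accept:proto=tcp dport=45208
forward:proto=tcp dport=45208:192.168.1.10:80
forward:proto=tcp dport=5960:192.168.1.3:3389
forward:dport=22:10.0.0.4'

printf '%s\n' "$SAMPLE_CONFIG" | render_firewall_user
```

Run it once with the sample to see the four generated commands; on a router you would redirect the output into /etc/firewall.user and restart the firewall. Note that the public port (45208, 5960) appears only in the DNAT, never in the forwarding_wan rule.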

frostschutz, thanks so much!

frostschutz wrote:

I have the same issue in kk 7.09, but as I already wrote in another thread on this topic, a workaround that works stably for me is to simply not specify a destination port. This way you cannot change ports, e.g. internet IP 80 to local machine 8080, but at least it works reliably.

Also, I'm not using /etc/config/firewall but /etc/firewall.user to do this:

iptables -t nat -A prerouting_wan -p tcp --dport 22 -j DNAT --to 192.168.0.2
iptables        -A forwarding_wan -p tcp --dport 22 -d 192.168.0.2 -j ACCEPT

This doesn't work for me; the main reason I'm using OpenWrt is to map different ports.

fabioxgn,

Have you tested this yet?  I can't live without port translation either...

kheston wrote:

fabioxgn,

Have you tested this yet?  I can't live without port translation either...

I still haven't found a solution. :(

Here's a post that says it's not necessarily an OpenWRT problem but may actually be an issue with the 2.4 kernel:

http://forum.openwrt.org/viewtopic.php?id=14873

I haven't had a chance to load 7.09 with the 2.6 kernel and try it, but a guy in the post above said it worked.

kheston wrote:

Here's a post that says it's not necessarily an OpenWRT problem but may actually be an issue with the 2.4 kernel:

http://forum.openwrt.org/viewtopic.php?id=14873

I haven't had a chance to load 7.09 with the 2.6 kernel and try it, but a guy in the post above said it worked.

I read that post, but I can't upgrade to the 2.6 kernel as I just use wireless. :(

It appears I can't use 2.6 for a different reason... I've got the wrong chip. Oh well.

We'll see how it goes.

Just to help muddy the waters even further, I'd like to say that it's doing this to me on 2.6.

Also, everything that is working is just forwarded, not translated, just like frostschutz said.

(Last edited by STuPiDiCuS on 3 Apr 2008, 00:59)

Can anyone put some specifics on how long "after a while" is?  I've had mine up for on average 2 weeks at a time without reboots and it's not stopped working yet.

Are we talking months here?

kaldek, for me the problems appeared within a day or two. I had just flashed the router with OpenWRT and noticed the problem the day after or so. I don't have the time (and probably not the know-how) to do this, but maybe someone else has and can investigate a little. We already know that the problem only occurs when specifying a target port, so it should be possible to locate that code in the source and add debug messages to it in order to find out which variable gets changed to port+n and why.

Mine never worked, period.

STuPiDiCuS wrote:

Mine never worked, period.

Hmmm, that's interesting. I have the following code included in iptables since I need to do port re-writing for inbound connections:

iptables -t nat -A prerouting_wan -p tcp --dport 9210 -j DNAT --to 192.168.0.210:22
iptables -A forwarding_wan -p tcp --dport 22 -d 192.168.0.210 -j ACCEPT

I don't recall it ever having failed yet.  I'm curious though - do you guys all use Qos-scripts?   It's the one thing I don't as yet use because in my case it kills all traffic through the router (and I haven't bothered working out why yet).

kaldek wrote:

do you guys all use Qos-scripts?

I am using QoS today (not qos-scripts), however as far as I recall, I did not have QoS configured at all when the port forward first failed for me. Because I'm running a custom QoS solution, I found time to set it up only later on, when I already had a workaround for the forwarding problem (by not doing port translation) in place.

This is the same as: http://forum.openwrt.org/viewtopic.php?id=13533

In my case the problem starts some _hours_ after a reboot. IMHO it is not a 2.4 bug because 'white russian' works correctly, as stated in the above-mentioned post.

This bug is making my router unusable and I'm already looking for alternatives.

kaldek wrote:
STuPiDiCuS wrote:

Mine never worked, period.

Hmmm, that's interesting. I have the following code included in iptables since I need to do port re-writing for inbound connections:

iptables -t nat -A prerouting_wan -p tcp --dport 9210 -j DNAT --to 192.168.0.210:22
iptables -A forwarding_wan -p tcp --dport 22 -d 192.168.0.210 -j ACCEPT

I don't recall it ever having failed yet.  I'm curious though - do you guys all use Qos-scripts?   It's the one thing I don't as yet use because in my case it kills all traffic through the router (and I haven't bothered working out why yet).

I only used the webif page to do this, I just realized. That means only /etc/config/firewall is being used.  Does it work if we use /etc/firewall.user?

No, it doesn't, there seems to be a problem with iptables. So no matter what, it doesn't work.

(Last edited by mpeterson on 6 Apr 2008, 19:18)

Dang.

The discussion might have continued from here.