OpenWrt Forum Archive

Topic: Simple Port Forwarding not working

The content of this topic has been archived between 14 Apr 2018 and 26 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I'm really trying not to be frustrated, but I'm trying something simple that should just work. I've done a ton of reading and searching, but I don't know what I'm doing wrong.

My setup: I have a Netgear WNDR3700v2 with OpenWrt Backfire 10.03.1 / LuCI 0.10.0. There is a server on my LAN with a web server running on port 9090. I want to connect on the WAN to port 9090, and access that server. That is really simple and easy to do with the OEM software. But I can't get it to work with OpenWRT (which I really want to run for VLANing my network).

There must be something simple I'm missing. I even went back to a brand new install and the only thing I've set up on the IPs and the Redirect/Rules settings. I've been doing this all with the LuCI interface, but I've been checking the iptables output and it seems right.

Here is my iptables config:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            state INVALID 
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     all  --  anywhere             anywhere            
syn_flood  tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN 
input_rule  all  --  anywhere             anywhere            
input      all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            state INVALID 
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
forwarding_rule  all  --  anywhere             anywhere            
forward    all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            state INVALID 
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     all  --  anywhere             anywhere            
output_rule  all  --  anywhere             anywhere            
output     all  --  anywhere             anywhere            

Chain forward (1 references)
target     prot opt source               destination         
zone_lan_forward  all  --  anywhere             anywhere            
zone_wan_forward  all  --  anywhere             anywhere            

Chain forwarding_lan (1 references)
target     prot opt source               destination         

Chain forwarding_rule (1 references)
target     prot opt source               destination         
nat_reflection_fwd  all  --  anywhere             anywhere            

Chain forwarding_wan (1 references)
target     prot opt source               destination         

Chain input (1 references)
target     prot opt source               destination         
zone_lan   all  --  anywhere             anywhere            
zone_wan   all  --  anywhere             anywhere            

Chain input_lan (1 references)
target     prot opt source               destination         

Chain input_rule (1 references)
target     prot opt source               destination         

Chain input_wan (1 references)
target     prot opt source               destination         

Chain nat_reflection_fwd (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  174.54.200.0/21      192.168.0.52        tcp dpt:9090 

Chain output (1 references)
target     prot opt source               destination         
zone_lan_ACCEPT  all  --  anywhere             anywhere            
zone_wan_ACCEPT  all  --  anywhere             anywhere            

Chain output_rule (1 references)
target     prot opt source               destination         

Chain reject (4 references)
target     prot opt source               destination         
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset 
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 

Chain syn_flood (1 references)
target     prot opt source               destination         
RETURN     tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50 
DROP       all  --  anywhere             anywhere            

Chain zone_lan (1 references)
target     prot opt source               destination         
input_lan  all  --  anywhere             anywhere            
zone_lan_ACCEPT  all  --  anywhere             anywhere            

Chain zone_lan_ACCEPT (5 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain zone_lan_DROP (0 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            

Chain zone_lan_REJECT (0 references)
target     prot opt source               destination         
reject     all  --  anywhere             anywhere            
reject     all  --  anywhere             anywhere            

Chain zone_lan_forward (1 references)
target     prot opt source               destination         
zone_wan_ACCEPT  all  --  anywhere             anywhere            
forwarding_lan  all  --  anywhere             anywhere            
zone_lan_ACCEPT  all  --  anywhere             anywhere            

Chain zone_wan (1 references)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootpc 
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request 
input_wan  all  --  anywhere             anywhere            
zone_wan_REJECT  all  --  anywhere             anywhere            

Chain zone_wan_ACCEPT (3 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain zone_wan_DROP (0 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            

Chain zone_wan_REJECT (1 references)
target     prot opt source               destination         
reject     all  --  anywhere             anywhere            
reject     all  --  anywhere             anywhere            

Chain zone_wan_forward (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             192.168.0.52        tcp spt:9090 dpt:9090 
zone_lan_ACCEPT  tcp  --  anywhere             anywhere            tcp spt:9090 dpt:9090 
zone_lan_ACCEPT  all  --  anywhere             anywhere            
forwarding_wan  all  --  anywhere             anywhere            
zone_wan_ACCEPT  all  --  anywhere             anywhere

Please help! I don't know what else to do.

(Last edited by apple4ever on 9 Apr 2012, 11:18)

config 'redirect'
        option 'src' 'wan'
        option 'proto' 'tcp'
        option 'src_ip' ''
        option 'src_dport' '34795'
        option 'dest_ip' '192.168.1.100'
        option 'dest_port' '34795'

config 'rule'
        option 'src' 'wan'
        option 'proto' 'tcp'
        option 'src_ip' ''
        option 'dest_ip' ''
        option 'dest_port' '34795'
        option 'target' 'ACCEPT'

Example of uTorrent port forwarding on OpenWRT.

JohnnyUSA wrote:

config 'redirect'
        option 'src' 'wan'
        option 'proto' 'tcp'
        option 'src_ip' ''
        option 'src_dport' '34795'
        option 'dest_ip' '192.168.1.100'
        option 'dest_port' '34795'

config 'rule'
        option 'src' 'wan'
        option 'proto' 'tcp'
        option 'src_ip' ''
        option 'dest_ip' ''
        option 'dest_port' '34795'
        option 'target' 'ACCEPT'

Example of uTorrent port forwarding on OpenWRT.

Yeah I already read that and tried that:

config 'redirect'
    option '_name' 'SecuritySpy'
    option 'src' 'wan'
    option 'proto' 'tcp'
    option 'src_dport' '9090'
    option 'dest_ip' '192.168.0.52'
    option 'dest_port' '9090'
    option 'target' 'DNAT'
    option 'dest' 'lan'

config 'rule'
    option 'target' 'ACCEPT'
    option '_name' 'SecuritySpty'
    option 'src' 'wan'
    option 'proto' 'tcp'
    option 'dest_port' '9090'

Strange, because for me it works like charm..

JohnnyUSA wrote:

Strange, because for me it works like charm..

I know, it should work like a charm for me too. I don't understand it.

Still no suggestions? Anything I can do or look at?

Why is something so simple not working?

Is it a bug in Backfire 10.03.1? It must be.

Is "192.168.0.52" actually using OpenWrt as default gateway?
Also remove that second rule, its redundant. Port forwards take care of opening the appropriate ports as well.

jow wrote:

Is "192.168.0.52" actually using OpenWrt as default gateway?
Also remove that second rule, its redundant. Port forwards take care of opening the appropriate ports as well.

Yes, it should be using 192.168.0.1 as the default gateway, as that was the old setting as well (I will verify when I get home). I see where you are going with this. I'm going to try to run Wireshark on that computer to see if its getting traffic on 9090 from OpenWrt and its just not getting back, or if its not getting anything at all.

(Just FYI:192.168.0.1 is the default gateway, and the LAN IP of the OpenWrt router. 192.168.0.52 is the IP of the server that has a website hosted on port 9090 (which works from internal to the network as well as with the OEM firmware, so I'm sure its not the computer)).

Okay, I can remove the second rule. I thought that was also need to open from the outside, but that would only be if I wanted to access something directly on the OpenWrt router? Say HTTPS traffic to the LuCI interface (which I've tried and also doesn't work).

Thanks! OpenWrt works great as a router, and I can't want to add more things to it (VLAN, etc), but this is a big deal breaking.

Are you sure src_dport is correct? Normally source ports are random.

My rules look like this:

config redirect                       
        option src              wan
        option src_dport        '16881-16899'
        option dest             lan
        option dest_ip          10.0.0.9
        option proto            tcpudp

EDIT: sorry I get it now src_dport ? dest_port is the map.

(Last edited by towolf on 11 Apr 2012, 00:43)

towolf wrote:

Are you sure src_dport is correct? Normally source ports are random.

<snip>

EDIT: sorry I get it now src_dport ? dest_port is the map.

Yeah, I was adding the ports in a lot of places just to see if I could fix it that way. No luck.

Okay, I ran Wireshark on the the server, and no traffic is coming in on port 9090 from the router (but it is when I connect via my computer).

So the firewall isn't properly routing the traffic.

Your rule listing in the first post shows a source port of 9090 - do you have any src_port (not src_dport) option in your rule?

jow wrote:

Your rule listing in the first post shows a source port of 9090 - do you have any src_port (not src_dport) option in your rule?

Do you mean in the UCI config file (/etc/config/firewall) or in the iptables rules itself?

I added it to the UCI config file with no success.

Okay I tried a sysupgrade to the most recent trunk (April 11th) and still no success.

I can't believe something so simple doesn't work out of the box.

Did u ever managed to get this work? I am having the exact same issue!

doctor78 wrote:

Did u ever managed to get this work? I am having the exact same issue!

Nope, it still doesn't work. Its frustrating as hell when I could buy a 6 year old used router that I could set up and do this in about 10 minutes. I'm probably going to have to go back to the OEM firmware.

What router do you have? I'm wondering if its a bug in the source for this router. Mines a NetGear WNDR3700v2.

doctor78's problem is that the ISP apparently filters ingress traffic on certain ports. At least his rules never see any packets from the outside.

jow wrote:

doctor78's problem is that the ISP apparently filters ingress traffic on certain ports. At least his rules never see any packets from the outside.

Is there a way I can check if mine is actually seeing the packets? Or other logging? Should I submit a ticket on the dev site?

I'm certain its not my ISP because my old NetGear router handled this just fine.

Am I really the only one experiencing this? I feel like I'm crazy.

Edit:

I forgot to mention that I did try some logging, but I don't think I had the correct logging rules set up.

(Last edited by apple4ever on 20 Apr 2012, 20:24)

jow wrote:

doctor78's problem is that the ISP apparently filters ingress traffic on certain ports. At least his rules never see any packets from the outside.

No Jow, my ISP does not filter any traffic. I called them and checked. If I bypass my router the RDC works fine. Through router it does not. I am starting to believe that something is wrong with arokh build.

I am having the same issue on my WNDR3700v2 with 10.03.1

This has only started since I upgraded. Port forwarding does not work at all,packed are not seen at all.

Anyone have a workaround??

I run 10.03.1 on both WNDR3700 and WNDR3700v2 and I see zero issues.
Even the alleged "same problem" from doctor78 turned out to be a misconfigured destination host (it had a completely different ip).
So there is still zero evidence that port forwards are broken. Please post your complete /etc/config/firewall, including modifications to /etc/firewall.user if you did some.

The basic check list to run through before considering port forwards "broken":

a) the destination ip is actually correct, check static lease, check local ip config of destination host
b) the source ip is either unset (should be this way) or it is indeed matching the host trying to use the port forward - 99% of the cases should have the source ip unset ("src_ip" option, not "src_dip")
c) the source port is either unset (should be this way) or it is indeed matching the local outgoing port used by the client - 99% of the cases should have the source port unset ("src_port" option, not "src_dport")
d) ports, protocol match the traffic that should be forewarded
e) a service is actually listening on the destination port of the destination host
f) accessing the own public ip from within the lan is not the same as actually testing a port forward from the outside. OpenWrt will attempt to setup some loopback rules but they only work by default if your lan network is called "lan"
g) traffic rules might overrule traffic redirects. So if you have a rule somewhere that says that tcp/22 should be rejected, it might prevent a port forward on tcp/22 from working
h) services listening on forwarded ports might interfere, so if you try to forward tcp/22 to an internal host but dropbear is listening on tcp/22 as well then it might fail under certain circumstances, so try a different port first
i) use "{ iptables -nvL; iptables -t nat -nvL; } | grep port-nr" to see if you rules are actually reached, a counter of 0 means that either no traffic ever arrived or that the arriving traffic was not matched, because e.g. a bad "src_ip" is set
j) make sure the destination host uses the OpenWrt router as default route!
k) make sure the destination host does not firewall its local port incoming or outgoing!
l) make sure the destination host is actually properly reachable from the router (arp & routing-wise)
m) make sure the outgoing traffic is masqueraded (should be by default)
n) make sure there are no NOTRACK rules in "iptables -t raw -nvL" that prevent conntracking from working
o) make sure you actually created a DNAT rule. SNAT rules are a completely different thing
p) "it works on the vendor firmware" means nothing without ensuring that the final rules are actually the same
q) if port forwards would be truly broken for everyone there would be a lot of reports about it. So far the overwhelming majority of cases turned out to be misconfigurations

So please run through this checklist before jumping to conclusions.

I'm not suggesting there is really a firmware issue, certainly it's probably a config somewhere.. Just need to find where.

Given that I am using default config, likely I am not the only one with the problem.

Followed your directions, thanks. Only thing that comes up.

root@OpenWrt:~# iptables -t raw -nvL
Chain PREROUTING (policy ACCEPT 9670 packets, 3257K bytes)
pkts bytes target     prot opt in     out     source               destination
5406  804K zone_lan_notrack  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0
4264 2453K zone_wan_notrack  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 944 packets, 224K bytes)
pkts bytes target     prot opt in     out     source               destination

Chain zone_lan_notrack (1 references)
pkts bytes target     prot opt in     out     source               destination

Chain zone_wan_notrack (1 references)
pkts bytes target     prot opt in     out     source               destination

My Host static IP is good, firewall is off, not ISP blocked, ARP is good. see attached firewall config


---

root@OpenWrt:~# cat /etc/config/firewall
config defaults
        option syn_flood        1
        option input            ACCEPT
        option output           ACCEPT
        option forward          REJECT
# Uncomment this line to disable ipv6 rules
#       option disable_ipv6     1

config zone
        option name             lan
        option network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          REJECT

config zone
        option name             wan
        option network          'wan'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
        option mtu_fix          1

config forwarding
        option src              lan
        option dest             wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
        option name             Allow-DHCP-Renew
        option src              wan
        option proto            udp
        option dest_port        68
        option target           ACCEPT
        option family           ipv4

# Allow IPv4 ping
config rule
        option name             Allow-Ping
        option src              wan
        option proto            icmp
        option icmp_type        echo-request
        option family           ipv4
        option target           ACCEPT

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
        option name             Allow-DHCPv6
        option src              wan
        option proto            udp
        option src_ip           fe80::/10
        option src_port         547
        option dest_ip          fe80::/10
        option dest_port        546
        option family           ipv6
        option target           ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Input
        option src              wan
        option proto    icmp
        list icmp_type          echo-request
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        list icmp_type          router-solicitation
        list icmp_type          neighbour-solicitation
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Forward
        option src              wan
        option dest             *
        option proto            icmp
        list icmp_type          echo-request
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# include a file with users custom iptables rules
config include
        option path /etc/firewall.user


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option dest             wan
#       option proto    tcp
#       option target   REJECT

# block a specific mac on wan
#config rule
#       option dest             wan
#       option src_mac  00:11:22:33:44:66
#       option target   REJECT

# block incoming ICMP traffic on a zone
#config rule
#       option src              lan
#       option proto    ICMP
#       option target   DROP

# port redirect port coming in on wan to lan

config 'redirect'
        option 'src' 'wan'
        option 'proto' 'tcpudp'
        option 'src_dport' '34795'
        option 'dest_ip' '192.168.1.2'
        option 'dest_port' '56976'

#config 'rule'
#       option 'src' 'wan'
#        option 'proto' 'tcpudp'
#        option 'src_ip' ''
#        option 'dest_ip' ''
#        option 'dest_port' '56976'
#        option 'target' 'ACCEPT'

### FULL CONFIG SECTIONS
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port 80
#       option dest             wan
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp
#       option target   REJECT

#config redirect
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port         1024
#       option src_dport        80
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp

jow wrote:

I run 10.03.1 on both WNDR3700 and WNDR3700v2 and I see zero issues.
Even the alleged "same problem" from doctor78 turned out to be a misconfigured destination host (it had a completely different ip).
So there is still zero evidence that port forwards are broken. Please post your complete /etc/config/firewall, including modifications to /etc/firewall.user if you did some.

The basic check list to run through before considering port forwards "broken":

<snip checklist>

So please run through this checklist before jumping to conclusions.

Well the evidence is that this worked before with my old router, and now it doesn't work with this router. So something is not working, otherwise I wouldn't be here complaining about something so simple not working. I'll run through your checklist tonight, but here is my complete /etc/config/firewall:

onfig rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fe80::/10'
    option src_port '547'
    option dest_ip 'fe80::/10'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option target 'ACCEPT'
    option _name 'HTTP'
    option src 'wan'
    option proto 'tcp'
    option src_port '8000'
    option dest_port '8000'

config rule
    option target 'ACCEPT'
    option _name 'HTTPS'
    option src 'wan'
    option proto 'tcp'
    option src_port '8443'
    option dest_port '8443'

config rule
    option target 'ACCEPT'

config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option drop_invalid '1'

config zone
    option name 'lan'
    option network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'wan'
    option network 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option masq '1'
    option mtu_fix '1'
    option forward 'ACCEPT'

config include
    option path '/etc/firewall.user'

config redirect
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'tcp udp'
    option src_dport '9090'
    option dest_ip '192.168.0.52'
    option dest_port '9090'
    option name 'SecuritySpu'
    option src_port '9090'

config forwarding
    option dest 'lan'
    option src 'wan'

config forwarding
    option dest 'wan'
    option src 'lan'

I'll let you know what the checklist brings again.

Just to clarify- I did just switch in my old router, and that works to port forward 9090. So its definitely something with my config.

apple4ever wrote:
config rule
config redirect
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'tcp udp'
    option src_dport '9090'
    option dest_ip '192.168.0.52'
    option dest_port '9090'
    option name 'SecuritySpu'
    option src_port '9090'

That last option src_port '9090' looks to me that you are requiring that the traffic to be forwarded also originates from port 9090 on the originating computer. That is probably not your intention. You might try removing that requirement.
(Ps. jow mentioned that already in #12 ...)

The 'tcpudp' is usually written together. You have a space there. I am not sure if that works.

http://wiki.openwrt.org/doc/uci/firewall#redirects

You don't need to specify the forwarded port twice, if it stays the same in the forwarding.
An example of a working redirect from my /etc/config/firewall:

config 'redirect'
        option '_name' 'someRule'
        option 'src' 'wan'
        option 'proto' 'tcpudp'
        option 'src_dport' '17706'
        option 'dest_ip' '192.168.1.188'
        option 'target' 'DNAT'
        option 'dest' 'lan'

(Last edited by hnyman on 21 Apr 2012, 22:24)