Oh I see what you mean. Yeah I dont want that. I tried adding that when it didn't work without it.

I just want  to connect to http://mynetwork.dyndns.org:9090 and have it forward to http//192.168.0.52:9090

I'm pretty sure that was done by LuCI but it only need to be top anyway so I'll fix it.

I didn't think so either but I added it to see it it would work.

Thanks for you suggestions. (no sarcasm intended)

(Last edited by apple4ever on 21 Apr 2012, 21:41)

Okay I did have to update the dyndns entry because it changed at some point with all the cable mode resets. Next I'm going to turn off the src_port of 9090 like hnyman suggested to see of anything improves.

Also I was trying to set being able to connect to LuCi on 8000 and 8443 and that also doesnt work. Any ideas?

Yay it works! I'm not sure which of the 17,000 changes I made that fixed it. I'll try to investigate by going to a default config and see if I can duplicate the problem.

Let me know. I'm still having the same issue ;(

Make sure the wan interface IP matches what you are trying to connect to.
Make sure you can access it from the internal network
SSH in the OpenWrt router and telnet to the internal address and port to make sure the router can get to it.
Make sure you change the wan zone forwardings to access forwards (under Firewall->Zones)
Add this line in the custom rules in the firewall settings:

iptables -t nat -A POSTROUTING -j MASQUERADE

And maybe reboot the cable modem and router a thousand times, and reinstall a thousands times just in case! Haha.

Hah, thanks for the update. Will give it a try tonight. Hope this works I have been totally stumped on this issue.

OMG. Thanks to your instructions, the simplest thing was the cause.

When I looked at my WAN address it was 192.168.0.2... ohh, suspect.

The ISP changed my "modem" to router mode, so in fact my wndr3700 was behind a second set of NAT, hence the firewall issue.
I managed to get into their router and set it to passthrough, works like a charm.

Thanks everyone, never expected this issue.

v

I believe the issue I'm seeing is very similar to the one described in this thread, so rather than starting a new one, I'll continue here.

I'm running packetprotector (openwrt-based) version 3.2 in an ASUS w500G Premium v2 router.

I've tried a ton of things to get my port forwarding to work, and I can't seem to make it work.  I'm not a guru at this stuff, but I know my way around at least a bit...

The situation:  I'm trying to set up my firewall to allow selected ports to be open for email access.  I want to open non-standard ports externally and forward them to standard ports for security reasons.

I have the following /etc/firewall.user:

#!/bin/sh
# Copyright (C) 2006 OpenWrt.org

iptables -F input_rule
iptables -F output_rule
iptables -F forwarding_rule
iptables -t nat -F prerouting_rule
iptables -t nat -F postrouting_rule

# The following chains are for traffic directed at the IP of the
# WAN interface

iptables -F input_wan
iptables -F forwarding_wan
iptables -t nat -F prerouting_wan

### Open port to WAN
## -- This allows port 22 to be answered by (dropbear on) the router
# iptables -t nat -A prerouting_wan -p tcp --dport 22 -j ACCEPT
# iptables        -A input_wan      -p tcp --dport 22 -j ACCEPT

### Port forwarding
## -- This forwards port 8080 on the WAN to port 80 on 192.168.1.2
# iptables -t nat -A prerouting_wan -p tcp --dport 8080 -j DNAT --to 192.168.1.2:80
# iptables        -A forwarding_wan -p tcp --dport 80 -d 192.168.1.2 -j ACCEPT
iptables -t nat -A prerouting_wan -p tcp --dport 51143 -j DNAT --to 192.168.1.50:143

# make sure we are accepting connections for the mail port(s)
iptables -A forwarding_rule -p tcp --dport 51143 -d 192.168.1.50:143 -j ACCEPT
iptables -A forwarding_wan -p tcp --dport 51143 -d 192.168.1.50:143 -j ACCEPT


### DMZ
## -- Connections to ports not handled above will be forwarded to 192.168.1.2
# iptables -t nat -A prerouting_wan -j DNAT --to 192.168.1.2
# iptables        -A forwarding_wan -d 192.168.1.2 -j ACCEPT

the following /etc/config/firewall:

config 'include'
        option 'path' '/etc/firewall.user'

config 'redirect'
        option 'name' 'my mail port redirect'
        option 'src' 'wan'
        option 'proto' 'tcp'
        option 'src_dport' '51143'
        option 'dest_ip' '192.168.1.50'
        option 'dest_dport' 143
        option 'target' 'DNAT'
        option 'dest' 'LAN'

config 'rule'
        option 'src' 'wan'
        option 'proto' 'tcp'
        option 'src_ip' ''
        option 'dest_ip' ''
        option 'dest_port' '143'
        option 'target' 'ACCEPT'

and the following /etc/config/network:

config 'switch' 'eth0'
        option 'vlan0' '0 1 2 3 5*'
        option 'vlan1' '4 5'

config 'interface' 'loopback'
        option 'ifname' 'lo'
        option 'proto' 'static'
        option 'ipaddr' '127.0.0.1'
        option 'netmask' '255.0.0.0'

config 'interface' 'lan'
        option 'type' 'bridge'
        option 'ifname' 'eth0.0'
        option 'proto' 'static'
        option 'ipaddr' '192.168.1.1'
        option 'netmask' '255.255.255.0'
        option 'macaddr' ''
        option 'ip6addr' ''
        option 'gateway' '192.168.1.1'
        option 'ip6gw' ''
        option 'dns' ''

config 'interface' 'wan'
        option 'ifname' 'eth0.1'
        option 'proto' 'dhcp'
        option 'gateway' '192.168.1.1'
        option 'macaddr' ''
        option 'ipaddr' ''
        option 'ip6addr' ''
        option 'netmask' ''
        option 'ip6gw' ''
        option 'dns' ''

If I run the command "tcpdump -n -i eth0.1 port 51143", and then in a separate window run the command "telnet <external IP> 51143", I get the following output:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0.1, link-type EN10MB (Ethernet), capture size 96 bytes
19:35:21.138140 IP 192.168.2.100.4059 > <myremoteIP>.51143: SWE 2535294579:2535294579(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0>
19:35:21.139061 IP <myremoteIP>.51143 > 192.168.2.100.4059: R 0:0(0) ack 2535294580 win 0

I don't know what all of this means, but I'm curious where the 192.168.2.100 IP is coming from -- my telnet command is actually being run from the router (which is 192.168.1.1).  The telnet command also returns "Connection refused" but the above tcpdump seems to indicate that the command is actually hitting the router before being rejected...

Help, please!  Thanks for any guidance you can provide!

EDIT:  I am also able to telnet to the desired destination machine (192.168.1.50) on port 143 from the router, so internal communications seem to be fine...

(Last edited by avsfan on 12 Jun 2012, 07:19)

Sorry to necrobump; but this is still a non-obvious issue, and it took me quite a while to end up on this page and find the answer:

1. Enable WAN->LAN forwarding
2. Tick 'Masquerade' for the LAN zone. (instead of the custom rule mentioned earlier)

Hopefully this helps someone else in the future.

In my case (OpenWRT Attitude Adjustment on a Rosewill RNX-N300RT 300M Wireless N Router), I suddenly found I could no longer remotely ssh in with port forwards after having had it work for so long I had forgotten how it had all been set up.

I spent an awful lot of time trying to figure out how to set up remote logging, but did not follow through because I read something that suggested that an ISP was blocking traffic--followed quickly by a reply that in the OP's case at least it was not.

I asked "Could something else be blocking packets?"

I don't know the mechanism, but I've satisfied myself that if I have Cisco AnyConnect Secure Mobility Client running on the destination Ubuntu system I'm trying to remote into, sshd will not answer.  If I disconnect, I can ssh in remotely as before, just fine.  (I repeated it to be sure.)

AnyConnect is the VPN client handed me to connect from home to the work network. When I get to work, I want to ssh back in to the home network: can't do it if I left anyconnect running there.

It may be important to mention that I was using it in "split-tunnel" mode.

(Last edited by WRenpoT on 1 Aug 2014, 01:27)

I have got stuck in a similar problem for a week!!

Thanks for justin8 (post 34)! It worked like a charm!
i.e. Enable WAN->LAN forwarding
and Tick 'Masquerade' for the LAN zone.

Or equivalently in /etc/config/firewall

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'
        option masq '1'  <- add this line

Hello, guys.

Another one with exactly the same problem. In my case, i'm trying to configure a FTP server at 192.168.2.139, and I have no way of connecting to it from the internet.

I read carefully the whole thread but I am stucked and I have no more ideas. I'm pretty sure that I have something missconfigured, but I can't find it, can you help me please?. For the record, I am not a network expert, just using the luci interface to set my configuration.

This is the information about my configuration (I extracted it from the backup file generated from the luci interface):

network

firewall

I checked that the port is available and open with this tool:

http://www.yougetsignal.com/tools/open-ports/

But for some reason, ftp client can not connect at all. I did not try to check connectivity from the router itself or the wireshark sniffing (I'll try to do that)

I really hope you can help me, I am really desperated.

Thank you very much.