OpenWrt Forum Archive

Topic: Need help with port forwarding - strange behaviour

The content of this topic has been archived on 18 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Dear All,

I've already spent two days trying to resolve my port forwarding problem, unfortunately without any success. It seems my OpenWRT does not forward communication on port 443, and I really don't know why.

My network connections are as follows:
1. WAN -> UPC Horizon router (not much configurable)
2. UPC Horizon DMZ -> Linksys with OpenWRT
3. OpenWRT -> NAS & other internal network devices

Horizon's DHCP range: 192.168.1.100-192.168.1.254 (Linksys has 192.168.1.184)
Linksys's WAN interface: DHCP client
Linksys's LAN interface: Static IP, 192.168.2.1/255.255.255.0, DHCP Server enabled
NAS's IP: 192.168.2.10

I'd like to forward ports 80 & 443 to my NAS server, so I added these port forwarding rules:
1. IPv4-TCP, from any host in WAN, via any router IP at port 80 -> IP 192.168.2.10:80
2. IPv4-TCP, from any host in WAN, via any router IP at port 443 -> IP 192.168.2.10:443

Now, results provided by canyouseeme.org:
1. I can see your service on *.*.*.* on port (80)
2. I could not see your service on *.*.*.* on port (443)

I thought it might be an ISP issue, so I connected my NAS to the Horizon's DMZ for a while.
The results from canyouseeme.org were correct (visible on 80 & 443), ergo it seems to be a problem with the OpenWRT configuration.

Could you please be so kind as to give me some advice on this matter?

The second question is: is it achievable to prepare NAT loopback rules so that my NAS is visible from the internal network using my WAN IP/domain name? (The Horizon doesn't support NAT loopback, so everything has to be done on the Linksys.)

iptables -L -v -n:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1662  179K delegate_input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 7513 2850K delegate_forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2038  447K delegate_output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain delegate_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 7513 2850K forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
 6693 2808K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  819 41739 zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0           
    1    60 zone_wan_forward  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain delegate_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  160 11937 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
 1502  167K input_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for input */
 1224  149K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    8   368 syn_flood  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02
  195 12772 zone_lan_input  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0           
   83  4974 zone_wan_input  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           

Chain delegate_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  160 11937 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
 1878  435K output_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for output */
 1790  428K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    3   696 zone_lan_output  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0           
   85  6040 zone_wan_output  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           

Chain forwarding_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain reject (3 references)
 pkts bytes target     prot opt in     out     source               destination         
    4   160 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
   59  4214 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    8   368 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 25/sec burst 50
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_lan_dest_ACCEPT (4 references)
 pkts bytes target     prot opt in     out     source               destination         
  591 26568 ACCEPT     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0           

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  819 41739 forwarding_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
  819 41739 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* forwarding lan -> wan */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port forwards */
  588 25872 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_lan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  195 12772 input_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for input */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port redirections */
  195 12772 zone_lan_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_lan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    3   696 output_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for output */
    3   696 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_lan_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  195 12772 ACCEPT     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0           

Chain zone_wan_dest_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
  316 21907 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           

Chain zone_wan_dest_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           

Chain zone_wan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    1    60 forwarding_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
    0     0 zone_lan_dest_ACCEPT  esp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* @rule[7] */
    0     0 zone_lan_dest_ACCEPT  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500 /* @rule[8] */
    1    60 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port forwards */
    0     0 zone_wan_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_wan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   83  4974 input_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for input */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68 /* Allow-DHCP-Renew */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* Allow-Ping */
   20   600 ACCEPT     2    --  *      *       0.0.0.0/0            0.0.0.0/0            /* Allow-IGMP */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port redirections */
   63  4374 zone_wan_src_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_wan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   85  6040 output_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for output */
   85  6040 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_wan_src_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   63  4374 reject     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           

iptables -t nat -L -v:

Chain PREROUTING (policy ACCEPT 1887 packets, 105K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1888  105K delegate_prerouting  all  --  any    any     anywhere             anywhere            

Chain INPUT (policy ACCEPT 187 packets, 12500 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 257 packets, 18512 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 1286 packets, 59496 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1758 88400 delegate_postrouting  all  --  any    any     anywhere             anywhere            

Chain delegate_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 1758 88400 postrouting_rule  all  --  any    any     anywhere             anywhere             /* user chain for postrouting */
 1207 53692 zone_lan_postrouting  all  --  any    br-lan  anywhere             anywhere            
  472 28904 zone_wan_postrouting  all  --  any    eth0    anywhere             anywhere            

Chain delegate_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 1888  105K prerouting_rule  all  --  any    any     anywhere             anywhere             /* user chain for prerouting */
 1744 96739 zone_lan_prerouting  all  --  br-lan any     anywhere             anywhere            
  144  8408 zone_wan_prerouting  all  --  eth0   any     anywhere             anywhere            

Chain postrouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain postrouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain postrouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain zone_lan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 1207 53692 postrouting_lan_rule  all  --  any    any     anywhere             anywhere             /* user chain for postrouting */
    0     0 SNAT       tcp  --  any    any     192.168.2.0/24       MS-NAS.lan           tcp dpt:wxw /* NAS-80 (reflection) */ to:192.168.2.1
    0     0 SNAT       tcp  --  any    any     192.168.2.0/24       MS-NAS.lan           tcp dpt:hxxps /* NAS-443 (reflection) */ to:192.168.2.1

Chain zone_lan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 1744 96739 prerouting_lan_rule  all  --  any    any     anywhere             anywhere             /* user chain for prerouting */
    0     0 DNAT       tcp  --  any    any     192.168.2.0/24       192.168.1.91         tcp dpt:wxw /* NAS-80 (reflection) */ to:192.168.2.10:80
    0     0 DNAT       tcp  --  any    any     192.168.2.0/24       192.168.1.91         tcp dpt:hxxps /* NAS-443 (reflection) */ to:192.168.2.10:443

Chain zone_wan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  472 28904 postrouting_wan_rule  all  --  any    any     anywhere             anywhere             /* user chain for postrouting */
  472 28904 MASQUERADE  all  --  any    any     anywhere             anywhere            

Chain zone_wan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  144  8408 prerouting_wan_rule  all  --  any    any     anywhere             anywhere             /* user chain for prerouting */
    1    60 DNAT       tcp  --  any    any     anywhere             anywhere             tcp dpt:wxw /* NAS-80 */ to:192.168.2.10:80
    0     0 DNAT       tcp  --  any    any     anywhere             anywhere             tcp dpt:hxxps /* NAS-443 */ to:192.168.2.10:443

(wxw & hxxps above were changed by me, as posting "links" is not allowed)

Thank you very much for your help.

(Last edited by mszewcz78 on 4 Mar 2017, 11:27)

Hello,

Can you please post the file /etc/config/network from the Linksys (OpenWRT)?
Second, have you configured the port forwards in the Horizon router?

Christoph

cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd76:c410:900d::/48'

config interface 'lan'
        option ifname 'eth1'
        option force_link '1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.2.1'
        option type 'bridge'

config interface 'wan'
        option ifname 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0'
        option proto 'dhcpv6'

cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fe80::/10'
        option src_port '547'
        option dest_ip 'fe80::/10'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config rule
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config forwarding
        option dest 'wan'
        option src 'lan'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '80'
        option dest_ip '192.168.2.10'
        option dest_port '80'
        option name 'NAS-80'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option dest_ip '192.168.2.10'
        option dest_port '443'
        option name 'NAS-443'
        option src_dport '443'

/etc/firewall.user is empty

Port forwarding on the Horizon is not necessary, as the Linksys' IP is set in its DMZ host section.
Also, as I wrote earlier, everything worked fine when I connected the NAS directly to the Horizon and set its IP as the DMZ host.

I can't see any mistake. Have you tried connecting a PC to the UPC router directly and then connecting to the NAS through the Linksys?

Yes, and it works on both ports (80 & 443).
I also noticed that when trying to connect from the WAN to 443, the port is open, but something drops the connection.
It seems that forwarding for port 443 doesn't work as expected.
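Two things a practitioner would want at this point in the thread: a quick way to read the per-rule DNAT counters that fw3 exposes (they tell you whether a SYN for a forwarded port ever reached the router's WAN interface, which separates an upstream problem from a LAN-side one), and the pair of redirect stanzas needed for the NAT loopback question from the first post. The thread's own `iptables -t nat` output shows that fw3 already generates "reflection" rules, but it builds them from the address on the WAN interface; behind a second NAT that is the private address handed out by the Horizon, so a LAN client connecting to the public address (or a DNS name resolving to it) never matches them. The script below is an added example, not code from the thread or from the OpenWrt project. The counter sample is a constructed copy of the numbers posted above, rendered with numeric ports; the public address 203.0.113.10 and the rule names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): (1) read fw3's DNAT hit counters from
# `iptables -t nat -L zone_wan_prerouting -v -n`, and (2) emit the hairpin
# (NAT loopback) redirect pair for a public address that fw3's automatic
# reflection cannot see when the router sits behind another NAT.

# Constructed sample in the shape fw3 prints with -n (numeric ports).
SAMPLE_NAT='Chain zone_wan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
  144  8408 prerouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for prerouting */
    1    60 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* NAS-80 */ to:192.168.2.10:80
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 /* NAS-443 */ to:192.168.2.10:443'

# dnat_hits DUMP
#   Prints one "<rule name> <pkts>" line per DNAT rule in DUMP.  A count that
#   stays at 0 while an external test runs means no SYN for that port reached
#   this router's WAN interface, so look upstream (DMZ host entry, ISP).
#   A rising count with the connection still failing points at the LAN side
#   (service not listening, host firewall, wrong default gateway on the NAS).
dnat_hits() {
    printf '%s\n' "$1" | awk '
        $3 == "DNAT" {
            name = "?"
            for (i = 1; i <= NF; i++) if ($i == "/*") name = $(i + 1)
            print name, $1
        }'
}

# On a live router the same check is:
#   dnat_hits "$(iptables -t nat -L zone_wan_prerouting -v -n)"

# hairpin_uci NAME PORT LAN_NET ROUTER_LAN_IP NAS_IP PUBLIC_IP
#   Emits two fw3 redirect stanzas for /etc/config/firewall so LAN clients
#   reach NAS_IP:PORT when they connect to PUBLIC_IP:PORT.  The DNAT stanza
#   rewrites the destination; the SNAT stanza rewrites the client's source to
#   the router's LAN address so the NAS's replies return via the router rather
#   than going straight to the client, which would otherwise see a reply from
#   an address it never contacted and drop the connection.
hairpin_uci() {
    name=$1 port=$2 lan_net=$3 router_ip=$4 nas_ip=$5 public_ip=$6
    cat <<EOF
config redirect
        option name '$name-loopback-dnat'
        option target 'DNAT'
        option src 'lan'
        option dest 'lan'
        option proto 'tcp'
        option src_dip '$public_ip'
        option src_dport '$port'
        option dest_ip '$nas_ip'
        option dest_port '$port'

config redirect
        option name '$name-loopback-snat'
        option target 'SNAT'
        option src 'lan'
        option dest 'lan'
        option proto 'tcp'
        option src_ip '$lan_net'
        option dest_ip '$nas_ip'
        option dest_port '$port'
        option src_dip '$router_ip'
EOF
}

# Stand-alone run: counters from the sample, then the stanzas for port 443
# using the thread's addresses and a placeholder (documentation) public IP.
dnat_hits "$SAMPLE_NAT"
hairpin_uci NAS-443 443 192.168.2.0/24 192.168.2.1 192.168.2.10 203.0.113.10
```

The DNAT/SNAT pair only works when the public address is static; with a dynamic address, the more robust alternative is to have dnsmasq answer the NAS's DNS name with 192.168.2.10 for LAN clients, which avoids hairpinning entirely. Keep the WAN-side redirects as they are: the loopback stanzas are in addition to them, not a replacement.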

OK, so I am having the same issue. Port forwarding is there and enabled, but only the first rule at the top actually works. I have tested this with multiple ports, as I have multiple ports open. If I move one to the top, boom, it allows the access I need. The bad part is that it only affects the WAN and not connecting directly via IP address on the internal network. I am not sure why this is happening, but it does, and it has been driving me NUTS for DAYS!

The discussion might have continued from here.