OpenWrt Forum Archive

Topic: Help forwarding port of custom router software

The content of this topic has been archived on 25 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Disclaimer. It turned out the issue that is discussed in this topic is not related to OpenWrt or its settings. Port & traffic forwarding was set up correctly. The issue is related to network configuration limitations set by the ISP. I'm not removing this thread for search purposes.

Hello everyone,

Please help me set up port forwarding for the external application acrypt (udpxy with automatic encryption of IPTV channels developed by Planet ISP enthusiasts; this hack works exactly like udpxy but supports both encrypted and non-encrypted channels).
My current setup is the following: TP-Link TL-WR841N with OpenWrt Chaos Calmer 15.05.1 & LuCI 15.05, ISP WAN connection type is DHCP.

The router's local address is set to 10.0.1.1. Since the router has just 4MB ROM, I've put this in my /etc/rc.local (using LuCI System > Startup > Local Startup):

i.imgur.com/undefined.gif

I've also put a custom rule in Firewall > Custom Rules as it was advised by fellow users:

killall igmprt
iptables -I INPUT -d 239.0.0.0/255.0.0.0 -j ACCEPT

I can see acrypt being executed on port 8888 when I SFTP to my router (using WinSCP) and use the top command from Terminal:

i.imgur.com/zGKCI6B.gif

I've got my VLC playlist set up like:

i.imgur.com/GRdoDpV.gif

Here XYZX:1234 is the encrypted or non-encrypted ISP IPTV channel address. This works just perfect: when I open the playlist I can watch IPTV straight away without any delays.

However I wish to access my ISP's IPTV from the Internet. I set up my Firewall > Port Forwards this way:

i.imgur.com/eeX6Iym.gif
i.imgur.com/S7t6w4a.gif

And I also added another custom rule in Firewall > Custom Rules as advised in the OpenWrt Wiki:

route add -net 224.0.0.0 netmask 224.0.0.0 wlan0
i.imgur.com/3CLD2SJ.gif

And here are the port forwarding rules exposed in case it helps:

i.imgur.com/YmjJTjP.gif
i.imgur.com/undefined.gif

So I connect to my phone's mobile hotspot to test my setup from the outside. I can successfully open and log in to OpenWrt from the Internet using my Planet ISP IP via port 8080 and Google Chrome. I can also open IP:8880 in Google Chrome and it returns a white page (thus I double-check this port is open and visible from the outside). Plus the CanYouSeeMe check tool reports both 8080 and 8880 ports of my Planet ISP IP are available from the Internet.

However VLC says it cannot open the stream MRL when I try to access an IPTV channel using this:

i.imgur.com/zPgyY2b.gif

Please help me, I have no idea what I'm doing wrong. This should be an easy thing to do! In case it helps, acrypt is provided for several CPU types: ARM, MIPS, MIPSEL, X86, etc.

Oh, I cannot post any images using IMG code. That certainly helps a lot.

(Last edited by bananakid on 27 Sep 2017, 13:50)

If you want to enable port forwarding, you should add a DNAT rule to the PREROUTING chain in the nat table.

(Last edited by ulmwind on 25 Sep 2017, 09:22)

ulmwind wrote:

If you want to enable port forwarding, you should open the port in the INPUT chain and add a DNAT rule to the PREROUTING chain in the nat table.

Thank you for this tip, however it seems it's above my knowledge. Here's my current firewall config (I've removed entries that are disabled through LuCI):

config rule
    option target 'ACCEPT'
    option family 'ipv4'
    option src_port '8080'
    option dest_ip '10.0.1.1'
    option dest_port '80'
    option name 'Allow-LuCI-WAN'
    option proto 'all'
    option src 'wan'
    option dest 'lan'

config rule
    option target 'ACCEPT'
    option src 'wan'
    option src_port '8880'
    option dest_ip '10.0.1.1'
    option dest_port '8888'
    option name 'Allow-ACRYPT-WAN'
    option family 'ipv4'
    option proto 'all'
    option dest 'lan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option target 'ACCEPT'

config rule
    option name 'Allow-IPTV-ALL'
    option src 'wan'
    option proto 'all'
    option dest_ip '224.0.0.0/4'
    option target 'ACCEPT'

config rule
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    option output 'ACCEPT'
    option masq '1'
    option mtu_fix '1'
    option input 'REJECT'
    option forward 'REJECT'

config include
    option path '/etc/firewall.user'

config redirect
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'tcp udp'
    option src_dport '8080'
    option dest_ip '10.0.1.1'
    option dest_port '80'
    option name 'Allow-LuCI-WAN'

config redirect
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'tcp udp'
    option src_dport '8880'
    option dest_ip '10.0.1.1'
    option name 'Allow-ACRYPT-WAN'
    option dest_port '8888'

config forwarding
    option dest 'lan'
    option src 'wan'

config forwarding
    option dest 'wan'
    option src 'lan'

I've tried to route traffic using the Firewall > Traffic Rules tab with no result. Here are screenshots of the LuCI UI (options that I've changed):

i.imgur.com/xVDNnAE.gif
i.imgur.com/T1YX8I6.gif
i.imgur.com/tMbLfMH.gif

I'm sorry to ask but I really struggle to get it working and to test it, because the acrypt process sometimes shuts itself down (probably my router hardware is too weak to handle multiple LuCI actions) and my 8880 external port becomes inaccessible from the Internet. It would help a lot if you could provide some support.

Funny thing is I've got a Xiaomi Mi WiFi Router 3 with firmware by Andy Padavan & Prometheus (bitbucket.org/padavan) on the other end and I can easily access IPTV on that end by setting up port forwarding through the web UI. It feels like it's simpler to set up another Mi WiFi on my end than to try to figure out how to set up port forwarding in OpenWrt (and sell the TL-WR841N).
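The config posted above mixes two different section types, and it helps to see them separated by a tool rather than by eye. The following is an added example (not code from this thread or from OpenWrt): a small Python parser for the UCI format of /etc/config/firewall that lists the `config redirect` sections (the PREROUTING DNAT entries that actually forward a WAN port) and flags `config rule` sections that set `src_port`, which match the sender's source port rather than the destination port and cannot forward anything. The embedded sample is a constructed subset of the posted config; `router_ip`, the `MGMT_PORTS` set and the assumption that a redirect without `dest_port` targets `src_dport` are this example's own.

```python
"""Audit an OpenWrt UCI firewall config for what it exposes towards WAN.

Added example, not code from the thread or from OpenWrt.  It parses the
/etc/config/firewall format ('config <type> [name]' headers followed by
indented option/list lines) and separates 'config redirect' (PREROUTING
DNAT, which forwards a WAN port) from 'config rule' (filter ACCEPTs, which
do not).  SAMPLE_CONFIG is a constructed subset of the config posted above.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_CONFIG = """\
config zone
    option name 'wan'
    list network 'wan'
    option input 'REJECT'
    option forward 'REJECT'

config rule
    option name 'Allow-LuCI-WAN'
    option src 'wan'
    option dest 'lan'
    option src_port '8080'
    option dest_ip '10.0.1.1'
    option dest_port '80'
    option target 'ACCEPT'

config redirect
    option src 'wan'
    option dest 'lan'
    option proto 'tcp udp'
    option src_dport '8080'
    option dest_ip '10.0.1.1'
    option dest_port '80'
    option name 'Allow-LuCI-WAN'

config redirect
    option src 'wan'
    option dest 'lan'
    option proto 'tcp udp'
    option src_dport '8880'
    option dest_ip '10.0.1.1'
    option dest_port '8888'
    option name 'Allow-ACRYPT-WAN'
"""

MGMT_PORTS = {"22", "80", "443"}  # assumed set of management services


@dataclass
class Section:
    type: str
    name: Optional[str] = None
    options: Dict[str, str] = field(default_factory=dict)
    lists: Dict[str, List[str]] = field(default_factory=dict)


_HEADER = re.compile(r"^config\s+(\S+)(?:\s+'([^']*)')?\s*$")
_ENTRY = re.compile(r"^\s+(option|list)\s+(\S+)\s+'([^']*)'\s*$")


def parse_uci(text: str) -> List[Section]:
    """Parse UCI text into sections; raise on any line it does not understand."""
    sections: List[Section] = []
    current: Optional[Section] = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if m := _HEADER.match(line):
            current = Section(m.group(1), m.group(2))
            sections.append(current)
        elif (m := _ENTRY.match(line)) and current is not None:
            kind, key, value = m.groups()
            if kind == "option":
                current.options[key] = value
            else:
                current.lists.setdefault(key, []).append(value)
        else:
            raise ValueError(f"unparsed line: {line!r}")
    return sections


def wan_exposure(sections: List[Section], router_ip: str) -> dict:
    """Return the wan input policy, the DNAT forwards and a list of findings."""
    forwards, findings = [], []
    wan = next((s for s in sections if s.type == "zone" and s.options.get("name") == "wan"), None)
    policy = wan.options.get("input", "DROP") if wan else None
    if policy == "ACCEPT":
        findings.append("wan zone input is ACCEPT: every router service is reachable from WAN")
    for s in sections:
        if s.type == "redirect" and s.options.get("src") == "wan" and s.options.get("target", "DNAT") == "DNAT":
            wan_port = s.options.get("src_dport")
            dest_port = s.options.get("dest_port", wan_port)  # assumed default: same port
            forwards.append((wan_port, s.options.get("dest_ip"), dest_port))
            if s.options.get("dest_ip") == router_ip and dest_port in MGMT_PORTS:
                findings.append(f"wan:{wan_port} forwards to the router's own management port {dest_port}")
        elif s.type == "rule" and s.options.get("src") == "wan" and "src_port" in s.options:
            findings.append(f"rule {s.options.get('name')!r} matches SOURCE port {s.options['src_port']}; "
                            "a rule cannot forward a port, only a redirect (DNAT) can")
    return {"wan_input_policy": policy, "forwards": forwards, "findings": findings}


if __name__ == "__main__":
    result = wan_exposure(parse_uci(SAMPLE_CONFIG), router_ip="10.0.1.1")
    for wan_port, ip, port in result["forwards"]:
        print(f"DNAT wan:{wan_port} -> {ip}:{port}")
    for finding in result["findings"]:
        print("finding:", finding)
```

Run against the sample it reports the two real forwards (8080 to 10.0.1.1:80 and 8880 to 10.0.1.1:8888), flags the `Allow-LuCI-WAN` rule as a source-port match that does no forwarding, and notes that wan:8080 lands on the router's own web UI, which is the exposure ulmwind warns about further down. Pointing it at a real `/etc/config/firewall` only needs the file's text in place of `SAMPLE_CONFIG`.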

Sorry, the INPUT chain doesn't play a role in port forwarding. PREROUTING with DNAT provides port forwarding. INPUT doesn't influence it.
What have you done in Padavan to achieve your goal? BTW OpenWRT doesn't support the Mi Router 3.
I've studied your question thoroughly, and I can conclude that port forwarding is applicable, but is not used efficiently in your case.
You use IPTV with udpxy, which provides you access to UDP over TCP. It is executed at the address: i.imgur.com/GRdoDpV.gif
You want to use IPTV from the wan of your router; in this case it is better to open the port in the INPUT chain and reconfigure udpxy to listen on the wan interface, if it does not listen. But anybody from the Internet could connect to the wan ip of your router!
You wrote that you can login to LuCI via the wan ip of your router on port 8080, do you confirm it?
Have you tried to use the link http://wan_ip:8880/XXX.YYY.ZZZ.WWW:1234?
Try following redirect:

config redirect
    option src 'wan'
    option dest 'lan'
    option proto 'tcp udp'
    option src_dport '8880'
    option dest_ip '10.0.1.1'
    option name 'Allow-ACRYPT-WAN'
    option dest_port '8888'

(Last edited by ulmwind on 25 Sep 2017, 16:33)

Hey ulmwind, thanks for taking the time to research this issue, I truly appreciate it!

Yep, I can confirm I can login to LuCI on port 8080 in my current configuration (my previous post) while the connection to LuCI on port 80 will be completely refused. If I open input through the WAN zone in Network > Firewall > Zone Settings my LuCI interface is visible on port 80 via any IP (I don't really want that) and it doesn't help with IPTV at all. I've got the very same setup for my 8888 local port as you can notice in my config (the port is accessible from the Internet via port 8880).

The config you provided is exactly the same as I see it, and I've included it in the previous message as well.

I surely have tried the link WAN_IP:8880/XXX.YYY.ZZZ.WWW:1234 as I referred to it a bit differently in this image i.imgur.com/zPgyY2b.gif – Planet_ISP_IP is meant to be WAN_IP. And as I have set port forwarding and traffic routing like WAN_IP:8880>LAN_IP:8888 as TCP+UDP, I can see a blank page in Chrome when I connect to WAN_IP:8880. I assume this means the port setup is OK (and CanYouSeeMe.org confirms port 8880 is open to the Internet).

What I did today is I grabbed that Xiaomi router that transmits IPTV remotely to the Internet perfectly but from a different ISP (let's call it ISP-2). I went home and plugged the Ethernet cable of Planet ISP into it (just changed the static IP from the ISP-2 IP to the Planet ISP IP). Guess what? Doesn't work! I took the Xiaomi back to the ISP-2 network (changed the IP back to ISP-2) – the Xiaomi delivers IPTV perfectly to any Internet IP I want (even Planet ISP). So basically I come to the understanding that my Planet ISP somehow blocks sending traffic outside its (the ISP's) IP address range. It's not that my OpenWrt setup is wrong or that OpenWrt works wrong. Unfortunately I don't have time to double-check my OpenWrt router setup in the ISP-2 network at this time, but that's what I'm strongly willing to do now.

Since ACRYPT is basically a fork of UDPXY and both UDPXY (LAN port is 8000, WAN port is 8000) and ACRYPT ports are visible from the Internet but are not playable via VLC, I'll combine them as follows. I don't know for sure how the UDPXY/ACRYPT thing works but my IT buddy presumes it could be this way: UDPXY/ACRYPT receives the request from the forwarded port like WAN_IP:8880>LAN_IP:8888>HTTP-to-UDP-stream_IP:1234 but it receives the answer (video stream) like HTTP-to-UDP-stream_IP:1234>WAN_IP:8880. Thus Planet ISP somehow notices the wrong IP is trying to access IPTV and refuses to deliver traffic. I'm not sure if this is completely crazy but that's just what other people say! Maybe you can provide any thoughts on UDPXY work principles and whether this may be the case.

I called Planet ISP technical support but they've got no idea how it works (lost 20 min of waiting in the call line). Tomorrow another IT buddy of mine will try to set up UDPXY on his PC (which happens to be a part of the Planet ISP network) and open his UDPXY to me to see if it's accessible from a different IP of the Planet ISP network. I'll try posting on the Planet ISP local web forum but I doubt I'll get a solid answer there.

(Last edited by bananakid on 25 Sep 2017, 22:20)

The difference is the absence of the DNAT string in the firewall config file. It is present, of course, in the output of iptables -nvL -t nat, but is absent in the OpenWRT firewall config.

You've made the correct conclusion.

Try to compare the log of udpxy (see a file like /etc/config/udpxy) when accessing it from lan via the lan ip with the lan port and from wan via the wan ip with the wan port.

I omitted udp in the address, have you inserted it?
WAN_IP:8880/udp/XXX.YYY.ZZZ.WWW:1234

I don't know about acrypt, what is it and what role does it play?

It is a udp multicast to http tcp proxy, so you send http requests, it processes them, asks multicast udp and answers you.

(Last edited by ulmwind on 25 Sep 2017, 23:33)

Yep, it seems the conclusion regarding Planet ISP causing the issue is true. Yesterday night my IT buddy (who's using Planet ISP as well) and I experimented by accessing this very same (posted above) OpenWrt configuration at my place from his place. Works like a charm! So it's the ISP somehow blocking outgoing traffic.

We think there should be some kind of proxy server for OpenWrt that can hide or camouflage the true recipient of the IPTV traffic that goes through my router. Do you happen to have any idea if such an app exists? I know it's kind of off-topic but it seems there was no issue on my side from the very beginning.

Regarding the omitted UDP in the address – I've corrected it, I'm always double-checking such things because I'm nowhere near a pro but a total noob. It's all good in the previously posted reference too – i.imgur.com/zPgyY2b.gif

You're totally correct on acrypt. acrypt, as far as the Planet ISP developer commented on the local forum, is a udpxy fork that has some improvements (like lower CPU usage), among them decrypting of Planet ISP IPTV encrypted (payware) channels and surely converting the multicast stream to unicast. Usually you have to buy an STB to view encrypted channels (and you can use the STB only to access channels from HDMI, which makes it hard if not impossible to watch IPTV with IPTV and laptop simultaneously). But the developer made this acrypt thing because power users were asking for a solution to access (via WiFi or LAN) the IPTV channels they bought from Planet ISP without buying an STB for every single device (including desktops and laptops). It was very generous of Planet ISP to provide such a solution, to be honest!

The discussion might have continued from here.