Access LAN devices using WAN IP and Port Forwarding

I am migrating from an older router (DD-WRT) to a new one using OpenWrt, and I'm having trouble configuring it in a way that is more convenient, as I will explain in the following lines.

I have several home servers (media, management, file, vpn, etc) that I used to access from the public IP address (FQDN) regardless of being at home (LAN) or Roaming (WAN).

Everything is working fine for WAN access, but not anymore for LAN access.

After changing my network to be managed by OpenWrt, I'm not able to get this scenario working. I have already researched and tried several procedures from this forum (NAT Loopback, Hairpin), but none of those methods are working. I have also tested some other suggestions which basically assign my DDNS name (something.ddns.net, for example) as a hostname to a single IP address. It does work, but since I have more than one server, this solution does not fit my needs.

My router has a PPPoE connection, and a public IP address is assigned to this interface, which is then mapped to a FQDN using DDNS.

I have performed some tests with a Raspberry Pi connected to my LAN, using the tcptraceroute tool to try to reach the ports used by my services.

On the port forwarding rule, if I disable NAT Loopback, I can reach the router, but tcptraceroute states the port as closed:

root@raspberrypi:~# tcptraceroute DDNS 4443
Selected device eth0, address 192.168.0.138, port 56365 for outgoing packets
Tracing the path to DDNS (PUBLIC_IP) on TCP port 4443, 30 hops max
1 PUBLIC_IP [closed] 1.414 ms 1.155 ms 1.505 ms

If I enable NAT Loopback (which seems to be the appropriate tool to help in my case), tcptraceroute cannot reach the WAN IP address (using Internal or External as the Loopback Source IP):

root@raspberrypi:~# tcptraceroute DDNS 4443
Selected device eth0, address 192.168.0.138, port 56365 for outgoing packets
Tracing the path to DDNS (PUBLIC_IP) on TCP port 4443, 30 hops max
1 * * *
2 * * *
3 *^C
# uci show network; uci show firewall
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd00:ab:cd::/48'
network.@device[0]=device
network.@device[0].name='eth0'
network.@device[0].macaddr='XX'
network.wan=interface
network.wan.device='eth0'
network.wan.proto='pppoe'
network.wan.username='XXX'
network.wan.password='YYY'
network.wan.ipv6='auto'
network.wan.mtu='1492'
network.wan6=interface
network.wan6.device='eth0'
network.wan6.proto='dhcpv6'
network.@device[1]=device
network.@device[1].name='br-lan'
network.@device[1].type='bridge'
network.@device[1].ports='eth1'
network.@device[2]=device
network.@device[2].name='eth1'
network.@device[2].macaddr='XX'
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.0.1'
network.docker=interface
network.docker.device='docker0'
network.docker.proto='none'
network.docker.auto='0'
network.@device[3]=device
network.@device[3].type='bridge'
network.@device[3].name='docker0'
network.WG=interface
network.WG.proto='wireguard'
network.WG.listen_port='51820'
network.WG.addresses='192.168.2.1'
network.WG.private_key='X'
network.WG.mtu='1420'
network.WG.defaultroute='0'
network.@wireguard_WG[0]=wireguard_WG
network.@wireguard_WG[0].public_key='X'
network.@wireguard_WG[0].allowed_ips='192.168.2.2/32'
network.@wireguard_WG[0].route_allowed_ips='1'
network.@wireguard_WG[0].persistent_keepalive='25'
network.@wireguard_WG[0].description='Cleiton-Samsung'
network.@wireguard_WG[1]=wireguard_WG
network.@wireguard_WG[1].public_key='X'
network.@wireguard_WG[1].allowed_ips='192.168.2.5/32'
network.@wireguard_WG[1].route_allowed_ips='1'
network.@wireguard_WG[1].persistent_keepalive='25'
network.@wireguard_WG[1].description='Cleiton-iPhone'
network.@wireguard_WG[2]=wireguard_WG
network.@wireguard_WG[2].description='Fazenda'
network.@wireguard_WG[2].public_key='X'
network.@wireguard_WG[2].route_allowed_ips='1'
network.@wireguard_WG[2].persistent_keepalive='25'
network.@wireguard_WG[2].allowed_ips='192.168.0.0/16' '172.16.16.0/24'
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].synflood_protect='1'
firewall.@defaults[0].forward='ACCEPT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].masq='1'
firewall.@zone[1].input='ACCEPT'
firewall.@zone[1].forward='ACCEPT'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@zone[3]=zone
firewall.@zone[3].name='WG'
firewall.@zone[3].input='ACCEPT'
firewall.@zone[3].output='ACCEPT'
firewall.@zone[3].forward='REJECT'
firewall.@zone[3].network='WG'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='WG'
firewall.@forwarding[1].dest='lan'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].src='WG'
firewall.@forwarding[2].dest='wan'
firewall.@forwarding[3]=forwarding
firewall.@forwarding[3].src='lan'
firewall.@forwarding[3].dest='WG'
firewall.@forwarding[4]=forwarding
firewall.@forwarding[4].src='wan'
firewall.@forwarding[4].dest='WG'
firewall.@zone[4]=zone
firewall.@zone[4].name='WG_Intranet'
firewall.@zone[4].input='ACCEPT'
firewall.@zone[4].output='ACCEPT'
firewall.@zone[4].forward='REJECT'
firewall.@zone[4].network='WG'
firewall.@forwarding[5]=forwarding
firewall.@forwarding[5].src='WG_Intranet'
firewall.@forwarding[5].dest='WG'
firewall.@forwarding[6]=forwarding
firewall.@forwarding[6].src='WG'
firewall.@forwarding[6].dest='WG_Intranet'
firewall.@redirect[0]=redirect
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].name='TVH'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].src_dport='29981'
firewall.@redirect[0].dest_ip='192.168.0.69'
firewall.@redirect[0].dest_port='9981'
firewall.@redirect[1]=redirect
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].name='TVH'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].src_dport='29982'
firewall.@redirect[1].dest_ip='192.168.0.69'
firewall.@redirect[1].dest_port='9982'
firewall.@redirect[2]=redirect
firewall.@redirect[2].dest='lan'
firewall.@redirect[2].target='DNAT'
firewall.@redirect[2].name='SSH_Pi'
firewall.@redirect[2].src='wan'
firewall.@redirect[2].src_dport='8022'
firewall.@redirect[2].dest_ip='192.168.0.138'
firewall.@redirect[2].dest_port='22'
firewall.@redirect[3]=redirect
firewall.@redirect[3].dest='lan'
firewall.@redirect[3].target='DNAT'
firewall.@redirect[3].name='ZPiSSH'
firewall.@redirect[3].src='wan'
firewall.@redirect[3].src_dport='2222'
firewall.@redirect[3].dest_ip='192.168.0.122'
firewall.@redirect[3].dest_port='2222'
firewall.@forwarding[7]=forwarding
firewall.@forwarding[7].dest='lan'
firewall.@forwarding[8]=forwarding
firewall.@forwarding[8].dest='wan'
firewall.@forwarding[9]=forwarding
firewall.@forwarding[9].src='lan'
firewall.@forwarding[10]=forwarding
firewall.@forwarding[10].src='wan'
firewall.@forwarding[11]=forwarding
firewall.@forwarding[11].dest='lan'
firewall.@forwarding[12]=forwarding
firewall.@forwarding[12].dest='wan'
firewall.@forwarding[13]=forwarding
firewall.@forwarding[13].src='lan'
firewall.@forwarding[14]=forwarding
firewall.@forwarding[14].src='wan'
firewall.@redirect[4]=redirect
firewall.@redirect[4].dest='lan'
firewall.@redirect[4].target='DNAT'
firewall.@redirect[4].name='HTTPS'
firewall.@redirect[4].src_dport='4443'
firewall.@redirect[4].dest_ip='192.168.0.122'
firewall.@redirect[4].dest_port='4443'
firewall.@redirect[4].src='wan'
firewall.@forwarding[15]=forwarding
firewall.@forwarding[15].dest='lan'
firewall.@forwarding[16]=forwarding
firewall.@forwarding[16].dest='wan'
firewall.@forwarding[17]=forwarding
firewall.@forwarding[17].src='lan'
firewall.@forwarding[18]=forwarding
firewall.@forwarding[18].src='wan'

Can someone point me in the right direction to troubleshoot this? I have tcpdump available, but I have no clue on how to test the traffic sniffing for this case.


Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
iptables-save -c
{
        "kernel": "5.15.25",
        "hostname": "FriendlyWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "FriendlyElec NanoPi R4S",
        "board_name": "friendlyelec,nanopi-r4s",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.0-rc1",
                "revision": "r19302-df622768da",
                "target": "rockchip/armv8",
                "description": "OpenWrt 22.03.0-rc1 r19302-df622768da"
        }
}
# Generated by iptables-save v1.8.7 on Tue Jun  7 16:24:07 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-MAN - [0:0]
:DOCKER-USER - [0:0]
[1691691:2054545641] -A FORWARD -j DOCKER-USER
[1691691:2054545641] -A FORWARD -j DOCKER-ISOLATION-STAGE-1
[0:0] -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o docker0 -j DOCKER
[0:0] -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
[0:0] -A FORWARD -i docker0 -o docker0 -j ACCEPT
[0:0] -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
[1691691:2054545641] -A DOCKER-ISOLATION-STAGE-1 -j RETURN
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -j RETURN
[0:0] -A DOCKER-MAN -i br-lan -o docker0 -j RETURN
[0:0] -A DOCKER-MAN -o docker0 -m conntrack --ctstate INVALID,NEW -j DROP
[0:0] -A DOCKER-MAN -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
[1691690:2054545577] -A DOCKER-MAN -j RETURN
[1691690:2054545577] -A DOCKER-USER -j DOCKER-MAN
[0:0] -A DOCKER-USER -i eth0 -o docker0 -j REJECT --reject-with icmp-port-unreachable
[1691691:2054545641] -A DOCKER-USER -j RETURN
COMMIT
# Completed on Tue Jun  7 16:24:07 2022
# Generated by iptables-save v1.8.7 on Tue Jun  7 16:24:07 2022
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
[3534:282159] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
[0:0] -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
[0:0] -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
[0:0] -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
[0:0] -A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Tue Jun  7 16:24:07 2022

I have removed some ipv6 firewall rules (since I don't use ipv6) so that things are clear.

You are running 22.03 which has migrated to nftables. I have come across other topics with the same issue. I suppose it is a bug of the release candidate version.

IPv6 related rules would show up in ip6tables-save

Thanks for that. I have found a stable release (OpenWrt 21.02 2022.06.01) for my device. I will give it a try!

Hello. I'm having exactly the same behavior with 21.02. Clean/fresh install with LuCI. Configured WAN with PPPoE, enabled Port Forwarding (external IPs are working fine), but it does not work inside my LAN using the public IP.

{
        "kernel": "5.4.194",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "FriendlyElec NanoPi R4S",
        "board_name": "friendlyarm,nanopi-r4s",
        "release": {
                "distribution": "OpenWrt",
                "version": "21.02-SNAPSHOT",
                "revision": "r16594-ce92de8c8c",
                "target": "rockchip/armv8",
                "description": "AO Build@2022.06.01"
        }
}
# Generated by iptables-save v1.8.7 on Wed Jun  8 13:04:20 2022
*raw
:PREROUTING ACCEPT [600:103976]
:OUTPUT ACCEPT [277:57458]
:zone_docker_helper - [0:0]
:zone_lan_helper - [0:0]
[363:55650] -A PREROUTING -i br-lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
[0:0] -A PREROUTING -i docker0 -m comment --comment "!fw3: docker CT helper assignment" -j zone_docker_helper
[0:0] -A zone_docker_helper -p tcp -m comment --comment "!fw3: FTP passive connection tracking" -m tcp --dport 21 -j CT --helper ftp
[0:0] -A zone_lan_helper -p tcp -m comment --comment "!fw3: FTP passive connection tracking" -m tcp --dport 21 -j CT --helper ftp
COMMIT
# Completed on Wed Jun  8 13:04:20 2022
# Generated by iptables-save v1.8.7 on Wed Jun  8 13:04:20 2022
*nat
:PREROUTING ACCEPT [86:15798]
:INPUT ACCEPT [14:998]
:OUTPUT ACCEPT [4:292]
:POSTROUTING ACCEPT [2:144]
:DOCKER - [0:0]
:postrouting_docker_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_docker_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_docker_postrouting - [0:0]
:zone_docker_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[1883:144839] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
[86:15798] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[69:14481] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[17:1317] -A PREROUTING -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i eth0 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i docker0 -m comment --comment "!fw3" -j zone_docker_prerouting
[0:0] -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
[0:0] -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
[23:2715] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[21:2571] -A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o eth0 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o docker0 -m comment --comment "!fw3" -j zone_docker_postrouting
[0:0] -A DOCKER -i docker0 -j RETURN
[0:0] -A zone_docker_postrouting -m comment --comment "!fw3: Custom docker postrouting rule chain" -j postrouting_docker_rule
[0:0] -A zone_docker_prerouting -m comment --comment "!fw3: Custom docker prerouting rule chain" -j prerouting_docker_rule
[0:0] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 192.168.0.0/24 -d 192.168.0.122/32 -p tcp -m tcp --dport 4443 -m comment --comment "!fw3: HTTPS (reflection)" -j SNAT --to-source 192.168.0.1
[0:0] -A zone_lan_postrouting -s 192.168.0.0/24 -d 192.168.0.122/32 -p udp -m udp --dport 4443 -m comment --comment "!fw3: HTTPS (reflection)" -j SNAT --to-source 192.168.0.1
[69:14481] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -s 192.168.0.0/24 -d PUBLIC_IP/32 -p tcp -m tcp --dport 4443 -m comment --comment "!fw3: HTTPS (reflection)" -j DNAT --to-destination 192.168.0.122:4443
[0:0] -A zone_lan_prerouting -s 192.168.0.0/24 -d PUBLIC_IP/32 -p udp -m udp --dport 4443 -m comment --comment "!fw3: HTTPS (reflection)" -j DNAT --to-destination 192.168.0.122:4443
[21:2571] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[21:2571] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[17:1317] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 4443 -m comment --comment "!fw3: HTTPS" -j DNAT --to-destination 192.168.0.122:4443
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 4443 -m comment --comment "!fw3: HTTPS" -j DNAT --to-destination 192.168.0.122:4443
COMMIT
# Completed on Wed Jun  8 13:04:20 2022
# Generated by iptables-save v1.8.7 on Wed Jun  8 13:04:20 2022
*mangle
:PREROUTING ACCEPT [600:103976]
:INPUT ACCEPT [297:26414]
:FORWARD ACCEPT [259:66161]
:OUTPUT ACCEPT [279:58994]
:POSTROUTING ACCEPT [544:125347]
:qos_Default - [0:0]
:qos_Default_ct - [0:0]
[11:572] -A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[1:52] -A FORWARD -i pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A qos_Default -j CONNMARK --restore-mark --nfmask 0xf --ctmask 0xf
[0:0] -A qos_Default -m mark --mark 0x0/0xf -j qos_Default_ct
[0:0] -A qos_Default -p udp -m mark --mark 0x0/0xf0 -m length --length 0:500 -j MARK --set-xmark 0x22/0xff
[0:0] -A qos_Default -p icmp -j MARK --set-xmark 0x11/0xff
[0:0] -A qos_Default -p tcp -m mark --mark 0x0/0xf0 -m tcp --sport 1024:65535 --dport 1024:65535 -j MARK --set-xmark 0x44/0xff
[0:0] -A qos_Default -p udp -m mark --mark 0x0/0xf0 -m udp --sport 1024:65535 --dport 1024:65535 -j MARK --set-xmark 0x44/0xff
[0:0] -A qos_Default -j CONNMARK --save-mark --nfmask 0xff --ctmask 0xff
[0:0] -A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 22,53 -m comment --comment "ssh, dns" -j MARK --set-xmark 0x11/0xff
[0:0] -A qos_Default_ct -p udp -m mark --mark 0x0/0xf -m udp -m multiport --ports 22,53 -m comment --comment "ssh, dns" -j MARK --set-xmark 0x11/0xff
[0:0] -A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 20,21,25,80,110,443,993,995 -m comment --comment "ftp, smtp, http(s), imap" -j MARK --set-xmark 0x33/0xff
[0:0] -A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 5190 -m comment --comment "AOL, iChat, ICQ" -j MARK --set-xmark 0x22/0xff
[0:0] -A qos_Default_ct -p udp -m mark --mark 0x0/0xf -m udp -m multiport --ports 5190 -m comment --comment "AOL, iChat, ICQ" -j MARK --set-xmark 0x22/0xff
[0:0] -A qos_Default_ct -j CONNMARK --save-mark --nfmask 0xff --ctmask 0xff
COMMIT
# Completed on Wed Jun  8 13:04:20 2022
# Generated by iptables-save v1.8.7 on Wed Jun  8 13:04:20 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:forwarding_docker_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_docker_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_docker_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_docker_dest_ACCEPT - [0:0]
:zone_docker_forward - [0:0]
:zone_docker_input - [0:0]
:zone_docker_output - [0:0]
:zone_docker_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_dest_DROP - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[84:6586] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[214:19868] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[158:15652] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[15:824] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[38:2859] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[18:1357] -A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i eth0 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i docker0 -m comment --comment "!fw3" -j zone_docker_input
[77973:63417070] -A FORWARD -j DOCKER-USER
[77973:63417070] -A FORWARD -j DOCKER-ISOLATION-STAGE-1
[0:0] -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o docker0 -j DOCKER
[0:0] -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
[0:0] -A FORWARD -i docker0 -o docker0 -j ACCEPT
[259:66161] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[230:60237] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[29:5924] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i docker0 -m comment --comment "!fw3" -j zone_docker_forward
[84:6586] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[196:55184] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[188:54844] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[6:192] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[2:148] -A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o docker0 -m comment --comment "!fw3" -j zone_docker_output
[0:0] -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
[77977:63417242] -A DOCKER-ISOLATION-STAGE-1 -j RETURN
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -j RETURN
[0:0] -A DOCKER-USER -i eth0 -o docker0 -j REJECT --reject-with icmp-port-unreachable
[77973:63417070] -A DOCKER-USER -j RETURN
[8:384] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[9:912] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[15:824] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_docker_dest_ACCEPT -o docker0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_docker_forward -m comment --comment "!fw3: Custom docker forwarding rule chain" -j forwarding_docker_rule
[0:0] -A zone_docker_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_docker_forward -m comment --comment "!fw3" -j zone_docker_dest_ACCEPT
[0:0] -A zone_docker_input -m comment --comment "!fw3: Custom docker input rule chain" -j input_docker_rule
[0:0] -A zone_docker_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_docker_input -m comment --comment "!fw3" -j zone_docker_src_ACCEPT
[0:0] -A zone_docker_output -m comment --comment "!fw3: Custom docker output rule chain" -j output_docker_rule
[0:0] -A zone_docker_output -m comment --comment "!fw3" -j zone_docker_dest_ACCEPT
[0:0] -A zone_docker_src_ACCEPT -i docker0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[6:192] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_DROP -o br-lan -m comment --comment "!fw3" -j DROP
[29:5924] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[29:5924] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[38:2859] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[12:384] -A zone_lan_input -p igmp -m comment --comment "!fw3: ubus:igmpproxy[instance1] rule 3" -j ACCEPT
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[26:2475] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[6:192] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[6:192] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[26:2475] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[31:6072] -A zone_wan_dest_ACCEPT -o pppoe-wan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -d 239.255.255.250/32 -p udp -m comment --comment "!fw3: ubus:igmpproxy[instance1] rule 1" -j zone_lan_dest_DROP
[0:0] -A zone_wan_forward -d 224.0.0.0/4 -p udp -m comment --comment "!fw3: ubus:igmpproxy[instance1] rule 2" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[18:1357] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: ubus:igmpproxy[instance1] rule 0" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[1:61] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[17:1296] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[2:148] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[2:148] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[17:1296] -A zone_wan_src_REJECT -i pppoe-wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_src_REJECT -i eth0 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Wed Jun  8 13:04:20 2022

Are you certain you are browsing to the correct IP? There are no hits on the firewall. Try to clear cache, private browser, another browser, or use the numeric IP and not the hostname.

[0:0] -A zone_lan_prerouting -s 192.168.0.0/24 -d PUBLIC_IP/32 -p tcp -m tcp --dport 4443 -m comment --comment "!fw3: HTTPS (reflection)" -j DNAT --to-destination 192.168.0.122:4443
[0:0] -A zone_lan_prerouting -s 192.168.0.0/24 -d PUBLIC_IP/32 -p udp -m udp --dport 4443 -m comment --comment "!fw3: HTTPS (reflection)" -j DNAT --to-destination 192.168.0.122:4443

Absolutely. I am able to reach my server on port 4443 (HTTPS) using https://public_ip:4443 from the internet side. From the LAN side nothing happens (connection timed out). Tested using the numeric IP and DDNS, using Chrome/Windows, Safari/mobile and also PuTTY's tcptraceroute on port 4443.

iptables-save -c -t nat | grep 4443 ? If the hit counters on these rules are still zero, do a packet capture
opkg update; opkg install tcpdump; tcpdump -i br-lan -n port 4443 and try again to access it.

1 Like

Thanks @trendy. Now read the weirdest thing: it works only when tcpdump is running. If I stop the dump, it stops working on the LAN interface. :laughing:

Testing using linux tcptraceroute:

Selected device eth0, address 192.168.0.138, port 58315 for outgoing packets
Tracing the path to Public_DNS (Public_IP) on TCP port 4443, 30 hops max
 1  Public_IP  0.896 ms  0.653 ms  0.701 ms
 2  Public_IP [open]  1.524 ms  2.169 ms  1.179 ms
root@OpenWrt:~# tcpdump -i br-lan -n port 4443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes
16:45:04.867683 IP 192.168.0.138.58315 > 192.168.0.122.4443: Flags [S], seq 1882034251, win 0, length 0
16:45:04.926020 IP 192.168.0.138.58315 > 192.168.0.122.4443: Flags [S], seq 1882034251, win 0, length 0
16:45:04.933630 IP 192.168.0.138.58315 > 192.168.0.122.4443: Flags [S], seq 1882034251, win 0, length 0
16:45:04.953793 IP 192.168.0.138.58315 > 192.168.0.122.4443: Flags [S], seq 1882034251, win 0, length 0
16:45:04.954067 IP 192.168.0.1.58315 > 192.168.0.122.4443: Flags [S], seq 1882034251, win 0, length 0
16:45:04.954620 IP 192.168.0.122.4443 > 192.168.0.138.58315: Flags [S.], seq 2987723699, ack 1882034252, win 42340, options [mss 1460], length 0
16:45:04.954717 IP Public_IP.4443 > 192.168.0.138.58315: Flags [S.], seq 2987723699, ack 1882034252, win 42340, options [mss 1460], length 0
16:45:04.955226 IP 192.168.0.138.58315 > 192.168.0.122.4443: Flags [R], seq 1882034252, win 0, length 0
16:45:04.955303 IP 192.168.0.1.58315 > 192.168.0.122.4443: Flags [R], seq 1882034252, win 0, length 0
16:45:05.026589 IP 192.168.0.138.58315 > 192.168.0.122.4443: Flags [S], seq 1882034251, win 0, length 0
16:45:05.026883 IP 192.168.0.1.58315 > 192.168.0.122.4443: Flags [S], seq 1882034251, win 0, length 0
16:45:05.027676 IP 192.168.0.122.4443 > 192.168.0.138.58315: Flags [S.], seq 2988861118, ack 1882034252, win 42340, options [mss 1460], length 0
16:45:05.027837 IP Public_IP.4443 > 192.168.0.138.58315: Flags [S.], seq 2988861118, ack 1882034252, win 42340, options [mss 1460], length 0
16:45:05.028354 IP 192.168.0.138.58315 > 192.168.0.122.4443: Flags [R], seq 1882034252, win 0, length 0
16:45:05.028518 IP 192.168.0.1.58315 > 192.168.0.122.4443: Flags [R], seq 1882034252, win 0, length 0
16:45:05.033687 IP 192.168.0.138.58315 > 192.168.0.122.4443: Flags [S], seq 1882034251, win 0, length 0
16:45:05.033974 IP 192.168.0.1.58315 > 192.168.0.122.4443: Flags [S], seq 1882034251, win 0, length 0
16:45:05.034305 IP 192.168.0.122.4443 > 192.168.0.138.58315: Flags [S.], seq 2988970382, ack 1882034252, win 42340, options [mss 1460], length 0
16:45:05.034399 IP Public_IP.4443 > 192.168.0.138.58315: Flags [S.], seq 2988970382, ack 1882034252, win 42340, options [mss 1460], length 0
16:45:05.034835 IP 192.168.0.138.58315 > 192.168.0.122.4443: Flags [R], seq 1882034252, win 0, length 0
16:45:05.034890 IP 192.168.0.1.58315 > 192.168.0.122.4443: Flags [R], seq 1882034252, win 0, length 0

I confirmed also with google chrome (when TCPDUMP is running) and it also works.

Tcpdump is not affecting the NAT in any way. And apart from that, there are packets missing from the tcpdump that a proper connection would have.
For example this is a SYNACK
16:45:04.954717 IP Public_IP.4443 > 192.168.0.138.58315: Flags [S.], seq 2987723699, ack 1882034252, win 42340, options [mss 1460], length 0
but there is no SYN, nor ACK
Most likely you have some asymmetry.

I am able to see the ACKs when using google chrome:

root@OpenWrt:~# tcpdump -i br-lan -n port 4443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes
17:48:10.713936 IP 192.168.0.164.55856 > 192.168.0.122.4443: Flags [P.], seq 3312734944:3312735680, ack 1388736969, win 1026, length 736
17:48:10.714103 IP 192.168.0.1.55856 > 192.168.0.122.4443: Flags [P.], seq 3312734944:3312735680, ack 1388736969, win 1026, length 736
17:48:10.714639 IP 192.168.0.122.4443 > 192.168.0.164.55856: Flags [.], ack 736, win 165, length 0
17:48:10.714785 IP Public_IP.4443 > 192.168.0.164.55856: Flags [.], ack 3312735680, win 165, length 0
17:48:10.715312 IP 192.168.0.122.4443 > 192.168.0.164.55856: Flags [P.], seq 1:829, ack 736, win 165, length 828
17:48:10.715484 IP Public_IP.4443 > 192.168.0.164.55856: Flags [P.], seq 0:828, ack 1, win 165, length 828
17:48:10.767414 IP 192.168.0.164.55856 > 192.168.0.122.4443: Flags [.], ack 829, win 1023, length 0
17:48:10.767580 IP 192.168.0.1.55856 > 192.168.0.122.4443: Flags [.], ack 829, win 1023, length 0
17:48:16.288334 IP 192.168.0.164.55856 > 192.168.0.122.4443: Flags [P.], seq 736:1515, ack 829, win 1023, length 779
17:48:16.288243 IP 192.168.0.164.55856 > 192.168.0.122.4443: Flags [P.], seq 736:1515, ack 829, win 1023, length 779
17:48:16.288431 IP 192.168.0.1.55856 > 192.168.0.122.4443: Flags [P.], seq 736:1515, ack 829, win 1023, length 779
17:48:16.295267 IP 192.168.0.122.4443 > 192.168.0.164.55856: Flags [P.], seq 829:2002, ack 1515, win 165, length 1173
17:48:16.295443 IP Public_IP.4443 > 192.168.0.164.55856: Flags [P.], seq 828:2001, ack 780, win 165, length 1173
17:48:16.352047 IP 192.168.0.164.55856 > 192.168.0.122.4443: Flags [.], ack 2002, win 1026, length 0
17:48:16.351963 IP 192.168.0.164.55856 > 192.168.0.122.4443: Flags [.], ack 2002, win 1026, length 0
17:48:16.352143 IP 192.168.0.1.55856 > 192.168.0.122.4443: Flags [.], ack 2002, win 1026, length 0

But the strange thing for me is that this is all working only while tcpdump is running. If I press Ctrl + C, then I'm not able to access the server again... A workaround would be to keep tcpdump running in the background, starting at boot. But this is very strange for me...

Again, in the whole capture there isn't a single packet going from the client to the public_ip.
This is how the packets should look:

19:16:01.492686 IP 10.0.2.54.35252 > 222.333.444.555.3022: Flags [S], seq 1796847036, win 64240, options [mss 1460,sackOK,TS val 1864111746 ecr 0,nop,wscale 7], length 0
19:16:01.493450 IP 222.333.444.555.3022 > 10.0.2.54.35252: Flags [S.], seq 1819220877, ack 1796847037, win 65160, options [mss 1460,sackOK,TS val 514732349 ecr 1864111746,nop,wscale 7], length 0
19:16:01.495863 IP 10.0.2.54.35252 > 222.333.444.555.3022: Flags [.], ack 1, win 502, options [nop,nop,TS val 1864111750 ecr 514732349], length 0
19:16:01.497603 IP 10.0.2.54.35252 > 222.333.444.555.3022: Flags [P.], seq 1:42, ack 1, win 502, options [nop,nop,TS val 1864111751 ecr 514732349], length 41
19:16:01.498018 IP 222.333.444.555.3022 > 10.0.2.54.35252: Flags [.], ack 42, win 509, options [nop,nop,TS val 514732354 ecr 1864111751], length 0
19:16:01.506794 IP 222.333.444.555.3022 > 10.0.2.54.35252: Flags [P.], seq 1:563, ack 42, win 509, options [nop,nop,TS val 514732362 ecr 1864111751], length 562
19:16:01.510343 IP 10.0.2.54.35252 > 222.333.444.555.3022: Flags [.], ack 563, win 498, options [nop,nop,TS val 1864111765 ecr 514732362], length 0
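
The comparison being made by eye above (a SYN-ACK that arrives without a matching SYN, and no ACK afterwards) can be automated. The block below is an added example, not code from the thread: it parses `tcpdump -n` summary lines, groups packets by the client endpoint, and for each flow reports a SYN-ACK coming from an address the client never sent a SYN to, a SYN that gets no SYN-ACK, or a handshake that never completes. The two samples are copied from the captures posted above (the first handshake attempt of the 16:45 capture, and the healthy reference exchange with its TCP options trimmed); the placeholder addresses Public_IP and 222.333.444.555 are kept as-is and parse because addresses are treated as opaque tokens.

```python
"""Handshake check over tcpdump summary lines (added example, not from the thread).

For every client flow it records which addresses the client sent SYNs to, which
addresses answered with SYN-ACK, and whether the client ever ACKed.  A SYN-ACK
from an address the client never SYNed is the asymmetry described above.
"""
import re
from collections import defaultdict

# "tcpdump -n" line: <ts> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ...
_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample 1: first attempt from the LAN capture posted above.
BROKEN_CAPTURE = """\
16:45:04.867683 IP 192.168.0.138.58315 > 192.168.0.122.4443: Flags [S], seq 1882034251, win 0, length 0
16:45:04.926020 IP 192.168.0.138.58315 > 192.168.0.122.4443: Flags [S], seq 1882034251, win 0, length 0
16:45:04.933630 IP 192.168.0.138.58315 > 192.168.0.122.4443: Flags [S], seq 1882034251, win 0, length 0
16:45:04.953793 IP 192.168.0.138.58315 > 192.168.0.122.4443: Flags [S], seq 1882034251, win 0, length 0
16:45:04.954067 IP 192.168.0.1.58315 > 192.168.0.122.4443: Flags [S], seq 1882034251, win 0, length 0
16:45:04.954620 IP 192.168.0.122.4443 > 192.168.0.138.58315: Flags [S.], seq 2987723699, ack 1882034252, win 42340, options [mss 1460], length 0
16:45:04.954717 IP Public_IP.4443 > 192.168.0.138.58315: Flags [S.], seq 2987723699, ack 1882034252, win 42340, options [mss 1460], length 0
16:45:04.955226 IP 192.168.0.138.58315 > 192.168.0.122.4443: Flags [R], seq 1882034252, win 0, length 0
16:45:04.955303 IP 192.168.0.1.58315 > 192.168.0.122.4443: Flags [R], seq 1882034252, win 0, length 0
"""

# Constructed sample 2: the healthy reference exchange posted above (options trimmed).
HEALTHY_CAPTURE = """\
19:16:01.492686 IP 10.0.2.54.35252 > 222.333.444.555.3022: Flags [S], seq 1796847036, win 64240, length 0
19:16:01.493450 IP 222.333.444.555.3022 > 10.0.2.54.35252: Flags [S.], seq 1819220877, ack 1796847037, win 65160, length 0
19:16:01.495863 IP 10.0.2.54.35252 > 222.333.444.555.3022: Flags [.], ack 1, win 502, length 0
19:16:01.497603 IP 10.0.2.54.35252 > 222.333.444.555.3022: Flags [P.], seq 1:42, ack 1, win 502, length 41
"""


def parse_capture(text):
    """Return (src, sport, dst, dport, flags) per packet line; other lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            pkts.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]))
    return pkts


def analyze(text, service_port):
    """Group packets by client endpoint (the side not on service_port) and list problems.

    Returns {(client_ip, client_port): {"syn_to", "synack_from", "ack_to", "rst", "problems"}}.
    """
    flows = defaultdict(lambda: {"syn_to": set(), "synack_from": set(),
                                 "ack_to": set(), "rst": False, "problems": []})
    for src, sport, dst, dport, flags in parse_capture(text):
        syn, ack, rst = "S" in flags, "." in flags, "R" in flags
        if dport == service_port and sport != service_port:      # client -> server
            f = flows[(src, sport)]
            if syn and not ack:
                f["syn_to"].add(dst)
            elif ack and not syn:
                f["ack_to"].add(dst)
            f["rst"] = f["rst"] or rst
        elif sport == service_port and dport != service_port:    # server -> client
            if syn and ack:
                flows[(dst, dport)]["synack_from"].add(src)

    for f in flows.values():
        if f["syn_to"] and not f["synack_from"]:
            f["problems"].append("SYN sent but no SYN-ACK came back")
        for addr in sorted(f["synack_from"]):
            if addr not in f["syn_to"]:
                f["problems"].append(f"SYN-ACK from {addr} but the client never sent a SYN to {addr}")
        if f["synack_from"] and not f["ack_to"]:
            f["problems"].append("no ACK from the client: handshake never completed")
        if f["rst"]:
            f["problems"].append("client sent RST")
    return dict(flows)


if __name__ == "__main__":
    for name, cap, port in (("broken", BROKEN_CAPTURE, 4443), ("healthy", HEALTHY_CAPTURE, 3022)):
        print(f"== {name} capture ==")
        for (ip, cport), f in analyze(cap, port).items():
            print(f"{ip}:{cport}  SYN to {sorted(f['syn_to'])}  SYN-ACK from {sorted(f['synack_from'])}")
            for p in f["problems"]:
                print("   !", p)
```

Run against a real capture with `tcpdump -i br-lan -n port 4443 > /tmp/cap.txt` and `analyze(open("/tmp/cap.txt").read(), 4443)`. On the broken sample the client flow from 192.168.0.138 is flagged for a SYN-ACK from Public_IP that it never SYNed, and the SNATed copy from 192.168.0.1 for a SYN that got no SYN-ACK; the healthy sample produces no findings.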

@trendy isn't that because I'm receiving the packet in the local IP instead of public?

In the logs sent:
Server: 192.168.0.122:4443 - This has port forwarding enabled on OpenWRT
Client: 192.168.0.164 - From this client I would like to access 192.168.0.122:4443, but using the public IP (Public_IP:4443) so that I don't need to change it every time I access it from LAN or Public.

No, the filter on tcpdump is the 4443 port for everything going through br-lan. And you are using this port on both public and private ip.

Hi all.

Just sharing a workaround: With the help of @trendy , I could verify that what I was trying to accomplish could be done while running tcpdump in my bridge interface.

So I added the following line to System > Startup > Local Startup:
nohup tcpdump -i br-lan -n port 44444 > /dev/null 2>&1 &

The final file is like this:

# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.

nohup tcpdump -i br-lan -n port 44444 > /dev/null 2>&1 &
[ -f /usr/bin/lcd2usb_echo ] && (sleep 10 && /usr/bin/lcd2usb_echo)&
exit 0

Basically tcpdump is running listening on port 44444 (random port, with little output), dumping the output to /dev/null. This has been running for 6 days already, without any side effect. Although it is not a fix, I consider it an easy workaround, and it might be of help for somebody else.

Now I'm able to access my internal servers using my DDNS, instead of the local IP (which would require me to change it every time I leave home or get back).

I'm having the exact same issue with a NanoPi R5S - I tested but haven't noticed a correlation with or without Docker in the build. I also still saw the same issue on the new 22.03 release. The fix here worked briefly, but the entire device glitched out last night and I had to switch back to my old router.

This device has been driving me insane and I'm close to giving up on it :grimacing:

I am still running my R4S with the workaround reported in June. It reached ~20 days uptime without trouble (it got restarted because of a power outage).

After the reboot, did you notice any issues? With the fix in place from this thread, I noticed that eventually my r5s will boot, but all internet connectivity breaks - ipv4 and ipv6. Even after removing the script from startup or killing the process manually, nothing gets the r5s back into a happy state except for re-flashing.

Really strange. I tested this tcpdump workaround first through SSH (not starting at boot) and could check that it did not interfere with anything else. That's what I would recommend before adopting the startup script.

Following is my version information, if you wish to try with something different: