I have a ZBT-WE826 router that had an old version (barrier braker) installed, I performed the update to version 18.06.01 but now the FTP from Wan to Lan is not working anymore.
I forwarded the 21 port to the correct host but can't connect, always stuck at LIST command.
Looking for help on the forum I tried to install the kmod-nf-nathelper package but had no luck.
I really need to have it working again, any suggestions?
Tell me if you need some command output
FTP is not a firewall- or NAT-friendly protocol as it creates a control connection in one direction and a data connection in the other (as originally defined), or, when in "passive mode", both a control and data connection. FTP is also not encrypted. As a result, HTTP-S, sftp, scp and other similar protocol have replaced FTP for many applications.
Most home users don't need to supply FTP services to the outside world and, due to security concerns, probably shouldn't.
What are you doing that you couldn't do more securely with scp, sftp, rsync, HTTP-S, or the like?
If you really need to get FTP running, the list of kernel modules (conntrack-related, in particular), as well as the custom firewall rules you've established would be a good start.
To test whether you are serving an external service properly you need to come in from an independent ISP connection. Attempting to use your public IP from inside the LAN has uncertain results.
It could be the limited conntrack modules don't support FTP, and the "extra" version needs to be installed.
Thank you Jeff and MK24,
the router is used to link 2 local network, one is the local network (router's WAN port) and the other is a local network ( router's LAN ports) inside an industrial equipment.
root@OpenWrt:~# lsmod
cfg80211 202032 5 rt2x00lib,mt76x2e,mt7603e,mt76,mac80211
compat 544 4 rt2800soc,rt2800pci,mac80211,cfg80211
crc_ccitt 960 2 rt2800lib,ppp_async
crc_itu_t 960 0
eeprom_93cx6 1984 1 rt2800pci
ehci_hcd 32912 1 ehci_platform
ehci_platform 4384 0
gpio_button_hotplug 6176 0
ip_tables 10096 3 iptable_nat,iptable_mangle,iptable_filter
ip6_tables 9856 2 ip6table_mangle,ip6table_filter
ip6t_REJECT 896 2
ip6table_filter 608 1
ip6table_mangle 1088 1
ipt_MASQUERADE 640 1
ipt_REJECT 864 2
iptable_filter 608 1
iptable_mangle 832 1
iptable_nat 672 1
leds_gpio 2752 0
mac80211 390272 7 rt2800lib,rt2x00soc,rt2x00pci,rt2x00lib,mt76x2e,mt7603e,mt76
mmc_block 20496 0
mmc_core 74688 2 mmc_block,mtk_sd
mt76 18880 2 mt76x2e,mt7603e
mt7603e 28288 0
mt76x2e 42944 0
mtk_sd 19024 0
nf_conntrack 55488 15 nf_nat_ftp,nf_conntrack_ftp,nf_conntrack_ipv6,ipt_MASQUERADE,xt_state,xt_nat,xt_conntrack,xt_REDIRECT,xt_CT,nf_nat_masquerade_ipv4,nf_conntrack_ipv4,nf_nat_ipv4,nf_nat,nf_flow_table,nf_conntrack_rtcache
nf_conntrack_ftp 5152 1 nf_nat_ftp
nf_conntrack_ipv4 4928 24
nf_conntrack_ipv6 5040 6
nf_conntrack_rtcache 2432 0
nf_defrag_ipv4 1024 1 nf_conntrack_ipv4
nf_defrag_ipv6 8944 1 nf_conntrack_ipv6
nf_flow_table 12176 2 xt_FLOWOFFLOAD,nf_flow_table_hw
nf_flow_table_hw 1984 1
nf_log_common 2624 2 nf_log_ipv4,nf_log_ipv6
nf_log_ipv4 3232 0
nf_log_ipv6 3360 0
nf_nat 9360 5 nf_nat_ftp,xt_nat,nf_nat_redirect,nf_nat_masquerade_ipv4,nf_nat_ipv4
nf_nat_ftp 1184 0
nf_nat_ipv4 3760 1 iptable_nat
nf_nat_masquerade_ipv4 1392 1 ipt_MASQUERADE
nf_nat_redirect 1088 1 xt_REDIRECT
nf_reject_ipv4 2048 1 ipt_REJECT
nf_reject_ipv6 2464 1 ip6t_REJECT
nls_base 4736 1 usbcore
ohci_hcd 22480 1 ohci_platform
ohci_platform 3936 0
ppp_async 6176 0
ppp_generic 21104 3 pppoe,ppp_async,pppox
pppoe 8032 0
pppox 1168 1 pppoe
rt2800lib 86624 3 rt2800soc,rt2800pci,rt2800mmio
rt2800mmio 5376 2 rt2800soc,rt2800pci
rt2800pci 3568 0
rt2800soc 2384 0
rt2x00lib 31120 7 rt2800soc,rt2800pci,rt2800mmio,rt2800lib,rt2x00soc,rt2x00pci,rt2x00mmio
rt2x00mmio 2144 3 rt2800soc,rt2800pci,rt2800mmio
rt2x00pci 1568 1 rt2800pci
rt2x00soc 1120 1 rt2800soc
slhc 4224 1 ppp_generic
usb_common 2176 1 usbcore
usbcore 119376 4 ohci_platform,ohci_hcd,ehci_platform,ehci_hcd
x_tables 12240 24 ipt_REJECT,ipt_MASQUERADE,xt_time,xt_tcpudp,xt_state,xt_nat,xt_multiport,xt_mark,xt_mac,xt_limit,xt_conntrack,xt_comment,xt_TCPMSS,xt_REDIRECT,xt_LOG,xt_FLOWOFFLOAD,xt_CT,iptable_mangle,iptable_filter,ip_tables,ip6t_REJECT,ip6table_mangle,ip6table_filter,ip6_tables
xt_CT 2496 0
xt_FLOWOFFLOAD 2608 0
xt_LOG 736 0
xt_REDIRECT 672 0
xt_TCPMSS 2688 2
xt_comment 448118
xt_conntrack 2176 16
xt_limit 960 18
xt_mac 576 0
xt_mark 640 0
xt_multiport 1184 0
xt_nat 1504 12
xt_state 672 0
xt_tcpudp 1728 16
xt_time 1568 0
Firewall settings
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'wan'
option output 'ACCEPT'
option network 'wan'
option input 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
option enabled '0'
config include
option path '/etc/firewall.user'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option dest_ip '169.254.5.20'
option dest_port '21'
option name 'FTP'
option src_dport '21'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option dest_ip '169.254.5.20'
option dest_port '20'
option name 'ftp attivo'
option src_dport '20'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '2122'
option dest_ip '169.254.5.20'
option dest_port '2122'
option name 'ftp data'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '2121'
option dest_ip '169.254.5.20'
option dest_port '2121'
option name 'ftp data2'
I updated all the package, but still not working
I'm not sure you understood.
There have been changes in the firewall that likely would cause this. Since you are not willing to use another technology such as scp , sftp , rsync , HTTP-S, or the like:
thanks for your reply lleachii,
i have installed kmod-nf-nathelper but i didn't see a new voice on the menu or on the firewall page, where should i look for it?
I have made the rules from Firewall - Port Forwards
You need both kmod-ipt-raw and kmod-nf-nathelper. After these kmods are loaded and the firewall was restarted, you should see a number of nathelper rules in the output of iptables-save.
I was missing package kmod-ipt-raw, here the output of iptables-save
root@OpenWrt:~# iptables-save
# Generated by iptables-save v1.6.2 on Thu Dec 6 16:49:45 2018
*nat
:PREROUTING ACCEPT [86:9175]
:INPUT ACCEPT [38:3787]
:OUTPUT ACCEPT [25:1794]
:POSTROUTING ACCEPT [7:482]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i br-wan -m comment --comment "!fw3" -j zone_wan_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o br-wan -m comment --comment "!fw3" -j zone_wan_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_postrouting -s 169.254.0.0/16 -d 169.254.5.20/32 -p tcp -m tcp --dport 21 -m comment --comment "!fw3: FTP (reflection)" -j SNAT --to-source 169.254.1.1
-A zone_lan_postrouting -s 169.254.0.0/16 -d 169.254.5.20/32 -p tcp -m tcp --dport 20 -m comment --comment "!fw3: ftp attivo (reflection)" -j SNAT --to-source 169.254.1.1
-A zone_lan_postrouting -s 169.254.0.0/16 -d 169.254.5.20/32 -p tcp -m tcp --dport 2122 -m comment --comment "!fw3: ftp data (reflection)" -j SNAT --to-source 169.254.1.1
-A zone_lan_postrouting -s 169.254.0.0/16 -d 169.254.5.20/32 -p tcp -m tcp --dport 2121 -m comment --comment "!fw3: ftp data2 (reflection)" -j SNAT --to-source 169.254.1.1
-A zone_lan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_lan_prerouting -s 169.254.0.0/16 -d 192.168.10.123/32 -p tcp -m tcp --dport 21 -m comment --comment "!fw3: FTP (reflection)" -j DNAT --to-destination 169.254.5.20:21
-A zone_lan_prerouting -s 169.254.0.0/16 -d 192.168.10.123/32 -p tcp -m tcp --dport 20 -m comment --comment "!fw3: ftp attivo (reflection)" -j DNAT --to-destination 169.254.5.20:20
-A zone_lan_prerouting -s 169.254.0.0/16 -d 192.168.10.123/32 -p tcp -m tcp --dport 2122 -m comment --comment "!fw3: ftp data (reflection)" -j DNAT --to-destination 169.254.5.20:2122
-A zone_lan_prerouting -s 169.254.0.0/16 -d 192.168.10.123/32 -p tcp -m tcp --dport 2121 -m comment --comment "!fw3: ftp data2 (reflection)" -j DNAT --to-destination 169.254.5.20:2121
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
-A zone_wan_prerouting -p tcp -m tcp --dport 21 -m comment --comment "!fw3: FTP" -j DNAT --to-destination 169.254.5.20:21
-A zone_wan_prerouting -p tcp -m tcp --dport 20 -m comment --comment "!fw3: ftp attivo" -j DNAT --to-destination 169.254.5.20:20
-A zone_wan_prerouting -p tcp -m tcp --dport 2122 -m comment --comment "!fw3: ftp data" -j DNAT --to-destination 169.254.5.20:2122
-A zone_wan_prerouting -p tcp -m tcp --dport 2121 -m comment --comment "!fw3: ftp data2" -j DNAT --to-destination 169.254.5.20:2121
COMMIT
# Completed on Thu Dec 6 16:49:45 2018
# Generated by iptables-save v1.6.2 on Thu Dec 6 16:49:45 2018
*raw
:PREROUTING ACCEPT [405:36142]
:OUTPUT ACCEPT [349:152637]
:zone_wan_helper - [0:0]
-A PREROUTING -i br-wan -m comment --comment "!fw3: wan CT helper assignment" -j zone_wan_helper
-A zone_wan_helper -d 169.254.5.20/32 -p tcp -m tcp --dport 21 -m conntrack --ctstate DNAT -m comment --comment "!fw3: FTP (CT helper)" -j CT --helper ftp
COMMIT
# Completed on Thu Dec 6 16:49:45 2018
# Generated by iptables-save v1.6.2 on Thu Dec 6 16:49:45 2018
*mangle
:PREROUTING ACCEPT [406:36182]
:INPUT ACCEPT [358:30794]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [351:152941]
:POSTROUTING ACCEPT [351:152941]
-A FORWARD -o br-lan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone lan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o br-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Thu Dec 6 16:49:45 2018
# Generated by iptables-save v1.6.2 on Thu Dec 6 16:49:45 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_ACCEPT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i br-wan -m comment --comment "!fw3" -j zone_wan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i br-wan -m comment --comment "!fw3" -j zone_wan_forward
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o br-wan -m comment --comment "!fw3" -j zone_wan_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A zone_lan_dest_ACCEPT -o br-lan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o br-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o br-wan -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_ACCEPT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_ACCEPT -i br-wan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
COMMIT
# Completed on Thu Dec 6 16:49:45 2018
how can i load the modules?
With lsmod i get this output and i can't see the module name on it
nf_conntrack 55488 38 nft_redir_ipv4,nft_redir,nft_nat,nft_masq_ipv4,nft_masq,nft_ct,nf_nat_pptp,nf_conntrack_pptp,nf_conntrack_ipv6,ipt_MASQUERADE,xt_state,xt_nat,xt_conntrack,xt_REDIRECT,xt_NETMAP,xt_CT,nf_nat_tftp,nf_nat_snmp_basic,nf_nat_sip,nf_nat_masquerade_ipv4,nf_nat_irc,nf_conntrack_ipv4,nf_nat_ipv4,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,nf_nat,nf_flow_table,nf_conntrack_tftp,nf_conntrack_snmp,nf_conntrack_sip,nf_conntrack_rtcache,nf_conntrack_proto_gre,nf_conntrack_irc,nf_conntrack_h323,nf_conntrack_ftp,nf_conntrack_broadcast,nf_conntrack_amanda
nf_conntrack_amanda 1696 2 nf_nat_amanda
nf_conntrack_broadcast 768 1 nf_conntrack_snmp
nf_conntrack_ftp 5152 3 nf_nat_ftp
nf_conntrack_h323 34368 3 nf_nat_h323
nf_conntrack_ipv4 4928 37
nf_conntrack_ipv6 5040 6
nf_conntrack_irc 2864 2 nf_nat_irc
nf_conntrack_pptp 3456 2 nf_nat_pptp
nf_conntrack_proto_gre 2464 1 nf_conntrack_pptp
nf_conntrack_rtcache 2432 0
nf_conntrack_sip 17632 3 nf_nat_sip
nf_conntrack_snmp 720 2 nf_nat_snmp_basic
nf_conntrack_tftp 2752 2 nf_nat_tftp
nf_defrag_ipv4 1024 1 nf_conntrack_ipv4
nf_defrag_ipv6 8944 1 nf_conntrack_ipv6
nf_flow_table 12176 2 xt_FLOWOFFLOAD,nf_flow_table_hw
nf_flow_table_hw 1984 1
nf_log_common 2624 2 nf_log_ipv4,nf_log_ipv6
nf_log_ipv4 3232 0
nf_log_ipv6 3360 0
nf_nat 9360 14 nft_nat,nf_nat_pptp,xt_nat,xt_NETMAP,nf_nat_tftp,nf_nat_sip,nf_nat_redirect,nf_nat_proto_gre,nf_nat_masquerade_ipv4,nf_nat_irc,nf_nat_ipv4,nf_nat_h323,nf_nat_ftp,nf_nat_amanda
nf_nat_amanda 736 0
nf_nat_ftp 1184 0
nf_nat_h323 5024 0
nf_nat_ipv4 3760 2 nft_chain_nat_ipv4,iptable_nat
nf_nat_irc 992 0
nf_nat_masquerade_ipv4 1392 2 nft_masq_ipv4,ipt_MASQUERADE
nf_nat_pptp 1664 0
nf_nat_proto_gre 816 1 nf_nat_pptp
nf_nat_redirect 1088 2 nft_redir_ipv4,xt_REDIRECT
nf_nat_sip 7168 0
nf_nat_snmp_basic 6320 0
nf_nat_tftp 512 0
nf_reject_ipv4 2048 3 nft_reject_ipv4,nft_reject_inet,ipt_REJECT
nf_reject_ipv6 2464 3 nft_reject_ipv6,nft_reject_inet,ip6t_REJECT
nf_tables 64912 25 nft_set_rbtree,nft_set_hash,nft_reject_ipv6,nft_reject_ipv4,nft_reject_inet,nft_reject,nft_redir_ipv4,nft_redir,nft_quota,nft_numgen,nft_nat,nft_meta,nft_masq_ipv4,nft_masq,nft_log,nft_limit,nft_exthdr,nft_ct,nft_counter,nft_chain_route_ipv6,nft_chain_route_ipv4,nft_chain_nat_ipv4,nf_tables_ipv6,nf_tables_ipv4,nf_tables_inet
nf_tables_inet 640 0
nf_tables_ipv4 544 0
nf_tables_ipv6 576 0
Have you installed them on your router, either with opkg or by building them into your ROM?
I have installed them with opkg