Something is wrong here. All default chains are missing. Did you install iptables additionally?
ubus call system board; nft list chain inet fw4 forward
# Completed on Mon Jun 27 12:40:16 2022
root@OpenWrt:~# ubus call system board; nft list chain inet fw4 forward
{
"kernel": "5.4.188",
"hostname": "OpenWrt",
"system": "Qualcomm Atheros QCA956X ver 1 rev 0",
"model": "Netgear WNDR4300 v2",
"board_name": "netgear,wndr4300-v2",
"release": {
"distribution": "OpenWrt",
"version": "21.02.3",
"revision": "r16554-1d4dea6d4f",
"target": "ath79/nand",
"description": "OpenWrt 21.02.3 r16554-1d4dea6d4f"
}
}
-ash: nft: not found
No, I didn't install iptables. Only installed fping via opkg.
/etc/init.d/firewall status; /etc/init.d/firewall restart; iptables-save -t nat -c
root@OpenWrt:~# /etc/init.d/firewall status; /etc/init.d/firewall restart; iptables-save -t nat -c
inactive
Warning: Unable to locate ipset utility, disabling ipset support
Warning: Section @zone[1] (wan) cannot resolve device of network 'wwan'
* Flushing IPv4 filter table
* Flushing IPv4 nat table
* Flushing IPv4 mangle table
* Flushing IPv6 filter table
* Flushing IPv6 mangle table
* Flushing conntrack table ...
* Populating IPv4 filter table
* Rule 'Allow-DHCP-Renew'
* Rule 'Allow-Ping'
* Rule 'Allow-IGMP'
* Rule 'Allow-IPSec-ESP'
* Rule 'Allow-ISAKMP'
* Redirect 'Pre route'
* Forward 'lan' -> 'wan'
* Forward 'lan' -> 'sun'
* Forward 'sun' -> 'lan'
* Zone 'lan'
* Zone 'wan'
* Zone 'sun'
* Populating IPv4 nat table
* Redirect 'Pre route'
* NAT 'Post route'
* Zone 'lan'
* Zone 'wan'
* Zone 'sun'
* Populating IPv4 mangle table
* Zone 'lan'
* Zone 'wan'
* Zone 'sun'
* Populating IPv6 filter table
* Rule 'Allow-DHCPv6'
* Rule 'Allow-MLD'
* Rule 'Allow-ICMPv6-Input'
* Rule 'Allow-ICMPv6-Forward'
* Rule 'Allow-IPSec-ESP'
* Rule 'Allow-ISAKMP'
* Forward 'lan' -> 'wan'
* Forward 'lan' -> 'sun'
* Forward 'sun' -> 'lan'
* Zone 'lan'
* Zone 'wan'
* Zone 'sun'
* Populating IPv6 mangle table
* Zone 'lan'
* Zone 'wan'
* Zone 'sun'
* Flushing conntrack table ...
* Set tcp_ecn to off
* Set tcp_syncookies to on
* Set tcp_window_scaling to on
* Running script '/etc/firewall.user'
# Generated by iptables-save v1.8.7 on Mon Jun 27 13:05:50 2022
*nat
:PREROUTING ACCEPT [9:536]
:INPUT ACCEPT [3:176]
:OUTPUT ACCEPT [1:100]
:POSTROUTING ACCEPT [1:100]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_sun_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_sun_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_sun_postrouting - [0:0]
:zone_sun_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[7:438] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[7:438] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i wlan0 -m comment --comment "!fw3" -j zone_sun_prerouting
[1:100] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[1:100] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o wlan0 -m comment --comment "!fw3" -j zone_sun_postrouting
[1:100] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[7:438] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -p tcp -m tcp --dport 6607 -m comment --comment "!fw3: Pre route" -j DNAT --to-destination 192.168.200.1:6607
[0:0] -A zone_sun_postrouting -m comment --comment "!fw3: Custom sun postrouting rule chain" -j postrouting_sun_rule
[0:0] -A zone_sun_postrouting -d 192.168.200.1/32 -p tcp -m tcp --dport 6607 -m comment --comment "!fw3: Post route" -j SNAT --to-source 192.168.200.2
[0:0] -A zone_sun_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_sun_prerouting -m comment --comment "!fw3: Custom sun prerouting rule chain" -j prerouting_sun_rule
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Mon Jun 27 13:05:50 2022
You must activate the firewall service permanently.
/etc/init.d/firewall enable
The port forwarding rule is correct
[0:0] -A zone_lan_prerouting -p tcp -m tcp --dport 6607 -m comment --comment "!fw3: Pre route" -j DNAT --to-destination 192.168.200.1:6607
The second rule is redundant. The masquerading on the sun zone is enabled so it should work without the SNAT rule, which in this case takes precedence.
[0:0] -A zone_sun_postrouting -d 192.168.200.1/32 -p tcp -m tcp --dport 6607 -m comment --comment "!fw3: Post route" -j SNAT --to-source 192.168.200.2
[0:0] -A zone_sun_postrouting -m comment --comment "!fw3" -j MASQUERADE
Try to access the inverter. If it doesn't work, post again
iptables -t nat -nvL zone_lan_prerouting; iptables -t nat -nvL zone_sun_postrouting
to check the rules for hits.
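Added example (not from the thread): a small POSIX sh script that reads the `[pkts:bytes]` counters from `iptables-save -t nat -c` output, so the "check the rules for hits" step can be scripted, and flags the situation described above where an SNAT rule sits in front of MASQUERADE in the same chain. `SAMPLE_NAT` is constructed from the rules posted in the thread with made-up counters; on the router you would pipe the live command output instead.

```shell
#!/bin/sh
# Added example (not from the thread): inspect fw3 NAT rule counters.
# SAMPLE_NAT is constructed from the thread's rules with hypothetical counters.
# On the router use the live output instead:
#   iptables-save -t nat -c | rule_counter "Pre route"

SAMPLE_NAT='[0:0] -A zone_lan_prerouting -p tcp -m tcp --dport 6607 -m comment --comment "!fw3: Pre route" -j DNAT --to-destination 192.168.200.1:6607
[3:180] -A zone_sun_postrouting -d 192.168.200.1/32 -p tcp -m tcp --dport 6607 -m comment --comment "!fw3: Post route" -j SNAT --to-source 192.168.200.2
[12:900] -A zone_sun_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE'

# rule_counter NAME: print the packet count of the rule whose comment is
# "!fw3: NAME" (stdin = iptables-save -c output). Prints nothing if absent.
rule_counter() {
    awk -v tag="!fw3: $1" '
        index($0, "--comment \"" tag "\"") {
            sub(/^\[/, "")        # "[pkts:bytes] -A ..." -> "pkts:bytes] -A ..."
            split($0, c, ":")     # c[1] is the packet counter
            print c[1]
            exit
        }'
}

# snat_before_masq CHAIN: exit 0 when CHAIN has an SNAT rule ahead of a
# MASQUERADE rule, i.e. SNAT wins for the traffic it matches and the
# MASQUERADE rule never sees those packets.
snat_before_masq() {
    awk -v chain="$1" '
        $2 == "-A" && $3 == chain {
            if (/-j SNAT/ && !snat) snat = NR
            if (/-j MASQUERADE/ && !masq) masq = NR
        }
        END { exit !(snat && masq && snat < masq) }'
}

# Stand-alone demo against the constructed sample
printf 'DNAT "Pre route" hits: %s\n' "$(printf '%s\n' "$SAMPLE_NAT" | rule_counter "Pre route")"
printf 'SNAT "Post route" hits: %s\n' "$(printf '%s\n' "$SAMPLE_NAT" | rule_counter "Post route")"
if printf '%s\n' "$SAMPLE_NAT" | snat_before_masq zone_sun_postrouting; then
    echo "zone_sun_postrouting: SNAT takes precedence over MASQUERADE"
fi
```

When reading the counters, keep in mind that nat-table rules only see the first packet of each connection; conntrack handles the rest. A DNAT counter of 1 after one test connection is therefore normal, and a counter that stays at 0 across a test means the packet never reached that chain (wrong ingress zone or firewall not running), not that the rule is broken.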
root@OpenWrt:~# /etc/init.d/firewall enable
root@OpenWrt:~#
root@OpenWrt:~#
Done, enabled the firewall using the command. All parameters seem to be working.
Should I delete the second rule?
Leave it that way, it is not a problem, but restart the router to make sure that the firewall starts.
Rebooted. How do I check that the firewall is up and running?
/etc/init.d/firewall status
root@OpenWrt:~# /etc/init.d/firewall status
active with no instances
root@OpenWrt:~#
It's OK now.
Thanks for the help. It is working fine I think
The only thing is how to summarize all this as an alternative OpenWrt method (instead of using DD-WRT, because forum support is best on both OpenWrt and FreshTomato, which I was previously using), to solve this thread.
I would omit the SNAT rule. Masquerading does not depend on the router IP address (which may change) and allows you to ping the device.
EDIT:
BTW, when masquerading is enabled, you should be able to access the device directly by its IP address (192.168.200.1) without port forwarding on the router lan interface.
The inverter at 192.168.200.1 doesn't have any web interface or anything fancy. I can try connecting the SUN2000 app, which requires a direct connection to the inverter's AP.
https://support.huawei.com/enterprise/en/doc/EDOC1100096889?section=j00b
Hi KOA, I'm at exactly the same point as you (but some days later).
Could you please help me from scratch to configure my router as a client through OpenWrt (I mean from a clean install of OpenWrt to connecting to the Huawei solar integration of wlcrs)?
My configuration:
I have a Raspberry Pi with HA, and as in your case, my Raspberry is too far away from the inverter, so I need to connect another router (TP-Link WR802N with OpenWrt) over Wi-Fi to the inverter as a client and then configure it.
Could you please help me with screenshots of your configuration? Your help will be much appreciated!
My configuration: ISP router (main IP: 192.168.1.1) / Raspberry Pi 3B with HA / TP-Link WR802N router as client with OpenWrt / Huawei inverter with the following IP: 192.168.199.1 (and not 200.1; as usual, I think I'm the only one on earth with this peculiarity...)
How can we change these rules for the next version of OpenWrt, i.e. 22.03, which changes over to nftables?
If you create the rules using LuCI, you do not need to change anything.
If you insist on custom rules, they must be created in /etc/nftables.d/.
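The redirect discussed above, written as /etc/config/firewall sections. This is an added example, not configuration posted in the thread or taken from OpenWrt's documentation. It is the UCI form that fw3 on 21.02 renders into the `!fw3: Pre route` DNAT rule and the `* Redirect 'Pre route'` / `* NAT 'Post route'` lines in the restart output, and the same sections are read unchanged by fw4 on 22.03, which is why the LuCI-created rules need no conversion to nftables. The network name 'sun' and the input/output/forward policies of the zone are assumptions; the thread only shows that the zone is bound to wlan0 and has masquerading on.

```uci
# /etc/config/firewall (fragment, added example; names other than 'lan', 'sun',
# 'Pre route' and 'Post route' are assumptions)

config zone
	option name 'sun'
	# assumed network name; in the thread this zone is bound to wlan0
	list network 'sun'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# produces the "-j MASQUERADE" rule in zone_sun_postrouting
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'sun'

config forwarding
	option src 'sun'
	option dest 'lan'

# Renders to: -A zone_lan_prerouting -p tcp --dport 6607 -j DNAT --to-destination 192.168.200.1:6607
config redirect
	option name 'Pre route'
	option src 'lan'
	option proto 'tcp'
	option src_dport '6607'
	option dest 'sun'
	option dest_ip '192.168.200.1'
	option dest_port '6607'
	option target 'DNAT'

# Renders to the SNAT rule in zone_sun_postrouting. Redundant with masq '1'
# above, and the advice in the thread is to omit it: MASQUERADE follows the
# interface address, while this pins the source to 192.168.200.2.
config nat
	option name 'Post route'
	option src 'sun'
	option proto 'tcp'
	option dest_ip '192.168.200.1'
	option dest_port '6607'
	option snat_ip '192.168.200.2'
	option target 'SNAT'
```

After editing the file, apply it with `/etc/init.d/firewall restart` on either release; on 22.03 `nft list chain inet fw4 dstnat_lan` (instead of the iptables-save call used above) shows the rendered DNAT rule.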
No, I am not insisting on custom rules. I recommended the same setting, i.e. from LuCI, and it seems to be working.
I summarized all the steps in this thread. Are there any issues to be fixed in that?