Cannot get port forwarding to work

Hello OpenWrt community,

I've been trying to get port forwarding to work on port 44193 (for torrents) for the last two days without any success. I have been going through the many threads about this issue and I've tried many of the proposed solutions, but I just can't get it to work. Hopefully you can help me out.

Device: R7800
Build: hnyman - stable openwrt-19.07: owrt1907-r11113-153392e209-20200623 (ath10k-ct)
Version: LuCI openwrt-19.07 branch (git-20.167.61968-87da00a) / OpenWrt 19.07-SNAPSHOT r11113-153392e209

Setup:
Our ISP provider has provided us with a box. An ethernet cable is connected from that box to the R7800, which then distributes Wi-Fi (2.4 GHz and 5 GHz have been set up).

Port forwarding:

/etc/config/firewall:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config include 'bcp38'
	option type 'script'
	option path '/usr/lib/bcp38/run.sh'
	option family 'IPv4'
	option reload '1'

config redirect
	option name 'Torrent'
	option target 'DNAT'
	option dest 'lan'
	option src 'wan'
	option dest_ip '192.168.1.137'
	option dest_port '44193'
	option src_dport '44193'
	list proto 'tcp'
	list proto 'udp'

Output for /etc/init.d/firewall restart:

 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv4 raw table
 * Flushing IPv6 filter table
 * Flushing IPv6 nat table
 * Flushing IPv6 mangle table
 * Flushing conntrack table ...
 * Populating IPv4 filter table
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Redirect 'Torrent'
   * Forward 'lan' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 nat table
   * Redirect 'Torrent'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 raw table
   * Zone 'lan'
     - Using automatic conntrack helper attachment
   * Zone 'wan'
 * Populating IPv6 filter table
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Forward 'lan' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 nat table
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_wan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_wan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_rule'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'
 * Running script '/usr/share/miniupnpd/firewall.include'
 * Running script '/usr/lib/bcp38/run.sh'

Things I've tried:

  • Reboot router
  • /etc/init.d/firewall restart
  • Disabling UPnP in router and torrent client
  • Adding inbound rules for TCP/UDP for port 44193 in Windows Firewall (where the torrent client is installed)
  • Specifying source IP address, external IP address and source port (tried with different combinations)

No matter what I try or do, sites like https://www.canyouseeme.org/ and https://www.yougetsignal.com/tools/open-ports/ report the port as closed.

Please help out. Thanks!

@Antoniooo, welcome to the community!

The Wiki says to specify the protocol on one line (and LuCI does this automatically) - even though this doesn't seem to be the issue, your rule looks OK:

config redirect
	option name 'Torrent'
	option target 'DNAT'
	option dest 'lan'
	option src 'wan'
	option dest_ip '192.168.1.137'
	option dest_port '44193'
	option src_dport '44193'
	list proto 'tcpudp'

  • Did you actually use a port test in your BitTorrent software?
  • Also be aware that if your software isn't running, it also may give a closed result.
  • I would suggest testing by running your BitTorrent software and seeing if incoming connections are established for torrents.

2 Likes

Thank you very much, @lleachii!

  • Did you actually use a port test in your BitTorrent software?

Yes. The uTorrent client has an inbuilt port test; it also reports the port as closed.

  • Also be aware that if your software isn't running, it also may give a closed result.

Yes, I've run the two port checker sites while downloading. They still report the port as closed.

  • I would suggest testing by running your BitTorrent software and seeing if incoming connections are established for torrents.

For every change I made, I did exactly that. :frowning:

1 Like

I guess most importantly then:

Do you actually receive a Public IP address on WAN?

2 Likes

Yes. All devices connected to either the 2.4 GHz or 5 GHz Wi-Fi are assigned the same static IP address. Is that OK? I've made no changes to how this works - it was just like this automatically upon installing OpenWrt.

Make sure:

  • The WAN IP address on your router status page matches this one.
  • The firewall on the destination host allows incoming traffic on the port you forward.

2 Likes

No, as @vgaetera noted, we're talking about WAN, not LAN.

In other words: Please verify the IP on the WAN Interface matches what you see at the IP check site.

It was also added to check the firewall on the client machine running uTorrent.

2 Likes
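
The WAN-versus-public address comparison requested above, as an added example that is not part of the original thread: it classifies the WAN address as private (RFC 1918), carrier-grade NAT (RFC 6598), directly public, or mismatched. The function names and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify the router's WAN address
# to tell whether another NAT device sits between OpenWrt and the internet.

# Print A.B.C.D as a 32-bit integer; fail on malformed input.
# The body runs in a subshell so the IFS change does not leak.
ip_to_int() (
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|0[0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_cidr IP NETWORK PREFIXLEN -> status 0 if IP lies inside the network.
in_cidr() {
    ip=$(ip_to_int "$1") && net=$(ip_to_int "$2") || return 2
    mask=$(( (0xFFFFFFFF << (32 - $3)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# classify_wan WAN_IP PUBLIC_IP
#   WAN_IP    address on the router's WAN interface
#   PUBLIC_IP address an external IP check site reports
classify_wan() {
    wan=$1; pub=$2
    ip_to_int "$wan" >/dev/null || { echo invalid; return 1; }
    if in_cidr "$wan" 10.0.0.0 8 || in_cidr "$wan" 172.16.0.0 12 ||
       in_cidr "$wan" 192.168.0.0 16; then
        echo private    # RFC 1918: upstream box is NATing, forward there too
    elif in_cidr "$wan" 100.64.0.0 10; then
        echo cgnat      # RFC 6598: carrier-grade NAT, inbound needs ISP help
    elif [ "$wan" = "$pub" ]; then
        echo direct     # router holds the public address itself
    else
        echo mismatch   # something upstream rewrites the source address
    fi
}

# Constructed sample values (documentation ranges), not from the thread.
classify_wan 192.168.0.23 203.0.113.7
classify_wan 203.0.113.7 203.0.113.7
```

On the router, the WAN address can be read with `. /lib/functions/network.sh; network_get_ipaddr wan_ip wan`; the public address is whatever the IP check site shows.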

Thanks for the answers, @vgaetera and @lleachii! :slight_smile:

The IP address on https://ipleak.net/ does match the IPv4 for WAN. Am I looking at this correctly?

I've also run the Torrent Address detection on ipleak.net and it reports back the same IP address as well as port 44193.

I've already created two inbound rules for TCP/UDP for port 44193 in Windows Firewall (where the torrent client is installed).

2 Likes

Services often have their own list of allowed IP addresses which is typically limited to localhost or local subnet.
Check out the service documentation and configuration and verify that it allows connections from the internet.

1 Like

Sorry, I'm a bit clueless as to what you mean. What is "Services" in this case?

1 Like

I mean that in case you use 44193/TCP to access the torrent client remotely via RPC or web interface, make sure it is configured properly, otherwise never mind.

2 Likes

I use the torrent client on my local Windows computer. I'm connected to the Wi-Fi and I have the IP address that https://ipleak.net reports. I think everything is configured properly, but I'm no expert.

Here's my Firewall - Zone settings (haven't touched this):

Interfaces:

Your images don't provide much, you already noted that your configs were mostly default...

Haven't asked yet:

  • Have you allowed the uTorrent executable in Windows Firewall?
  • Are you sure the port is set at 44193 in uTorrent?
  • Does your ISP allow inbound connections (e.g. are you using a cellular/VPN, etc.)?

2 Likes

  • Have you allowed the uTorrent executable in Windows Firewall?

Yes.

  • Are you sure the port is set at 44193 in uTorrent?

Yes. That's where I got the port from.

  • Does your ISP allow inbound connections (e.g. are you using a cellular/VPN, etc.)?

No VPN or cellular. They've installed their own "router" (don't know what else to call it), which is mounted on the wall. In order to use our own router (in my case, the R7800), I have to connect an ethernet cable from their router to our router using the yellow WAN port. When you configure a new router, you get redirected to their internal site, where you add your new router's MAC-address. When you've done that, you have access to the internet. Does that make sense?

2 Likes

I can't think of anything except this...

  • From the machine with the uTorrent client, does the WebRTC Local IP check on that site actually say 192.168.1.137?
  • Does any other port forwarding work?
  • https://www.grc.com/x/ne.dll?bh0bkyd2 (Test all service ports :wink: screenshot it...wanna see if there's some upstream blocking)

@vgaetera, any ideas?

:thinking: :confused:

2 Likes

  • From the machine with the uTorrent client, does the WebRTC Local IP check on that site actually say 192.168.1.137?

Which site and what is this check? Is it ipleak.net? The IP address on there is the one that matches the IPv4 for the WAN interface on OpenWrt, which is not 192.168.1.137. It is the same static public IP address that is assigned to all devices connected to the router. The IP address of the Windows PC (the machine with the uTorrent client) is 192.168.1.137 - that is according to the ipconfig command on Windows (it is also listed on OpenWrt with my PC's host name).

  • Does any other port forwarding work?

I've tried with three different ports. It does not seem to work.

Thank you for your help and patience!

"Test all service ports" was 1-1024, so it doesn't include the high number you're trying to forward.

Try a simple local case like opening SSH port 22 TCP on the router. Be sure you have a secure password and close the port again after testing because there will be attempts to hack it.

Right now you don't know if the problem is in the router or the PC or the ISP.

Also it rarely works to test services by trying to access your public IP from a different PC on the LAN. The ISP has to support such a hairpin route, or you can add configuration to your router to make it work-- but then you aren't really testing anything. Either use a third party site or a separate Internet connection to confirm or deny that your server can be reached from outside.

2 Likes

I've tried port 22, but it doesn't work. That port is also closed. I've used a mobile hotspot which is a separate internet connection.

What is this box? Is it a cable modem or a router (or other ONT etc.)?

The reason I say this is that your WAN interface protocol is set to DHCP, implying it is a router with a DHCP server, meaning you'll need to NAT on that device too.

1 Like

Hello, @SkipBoNZ, thank you for your answer!

I've done some googling, and it is apparently a "FTTH (fiber to the home) Gateway".

It's getting a bit technical with the talk of DHCP and NAT. What do I need to do? Is it something I can do from the OpenWrt interface, or would it require me to log in on the FTTH box? I don't know if I can do the latter.