Typically, the firewall can differentiate the connections by their state.
New incoming connections are recognized as NEW and incoming replies to outgoing connections as ESTABLISHED or RELATED, so they can safely block the former and allow the latter.
1 Like
iptables-save -t nat -c | grep 44193
If there are hits, the rule is working.
2 Likes
Thank you all for your answers, I appreciate it!
Just to be sure again, the IP you get from https://ipleak.net/ is the exact same as the one your openwrt WAN reports, right?
The last digits are identical.
Typically, the firewall can differentiate the connections by their state.
New incoming connections are recognized asNEWand incoming replies to outgoing connections asESTABLISHEDorRELATED, so they can safely block the former and allow the latter.
Got it, thanks!
iptables-save -t nat -c | grep 44193
If there are hits, the rule is working.
I executed this command through the OpenWrt shell, but nothing came up. I ran the port checker tool after running the command, and then executed it again, but still no changes. What is this supposed to do?
That's weird.
iptables-save -t nat
What does it say?
2 Likes
# Generated by iptables-save v1.8.3 on Fri Jul 24 23:25:38 2020
*nat
:PREROUTING ACCEPT [153764:30516984]
:INPUT ACCEPT [31557:2097984]
:OUTPUT ACCEPT [44997:3138616]
:POSTROUTING ACCEPT [97:16856]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
-A zone_wan_prerouting -j MINIUPNPD
COMMIT
# Completed on Fri Jul 24 23:25:38 2020
It looks like you have removed the port forwarding.
2 Likes
Sorry, my bad. I enabled the port forward again and ran the first command you posted. This is the output. The part where it says "XX" is the last digits of my public IP.
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.137/32 -p tcp -m tcp --dport 44193 -m comment --comment "!fw3: P2P (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.137/32 -p udp -m udp --dport 44193 -m comment --comment "!fw3: P2P (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 87.XX.XX.XX/32 -p tcp -m tcp --dport 44193 -m comment --comment "!fw3: P2P (reflection)" -j DNAT --to-destination 192.168.1.137:44193
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 87.XX.XX.XX/32 -p udp -m udp --dport 44193 -m comment --comment "!fw3: P2P (reflection)" -j DNAT --to-destination 192.168.1.137:44193
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 44193 -m comment --comment "!fw3: P2P" -j DNAT --to-destination 192.168.1.137:44193
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 44193 -m comment --comment "!fw3: P2P" -j DNAT --to-destination 192.168.1.137:44193
It told me to let others respond...
I was gonna respond earlier...
..".because they're your Internet Service Provider."
All zeroes, nothing is reaching your router at this port.
2 Likes
So is this because I configured something wrong or is it because my ISP are blocking incoming connections?
OpenWrt is correctly configured.
I don't know if you should configure something on the ISP box.
If you are not sure, better consult your ISP.
2 Likes
What are the first numbers of your WAN IP address? You are smart not announcing your full IP address here, but the first three numbers shouldn't be an issue. That way we're sure you have a real public IP address.
1 Like
I had the same problem when I had to set up port forwarding. It seems there's a bug in LuCI and it does not create all the ufw/iptables rules needed for port forwarding to work.
The workaround is to edit /etc/config/firewall to add a ufw SNAT rule manually, or just add the iptables rules directly through the custom rules page under LuCI > network > firewall.
See this thread.
1 Like
Starts with: 87.7x.xx.xx
I pasted this in /etc/config/firewall and restarted the firewall:
config nat
option proto tcp
option src lan
option dest_ip 192.168.1.137
option dest_port 44193
option snat_ip 192.168.1.1
option target SNAT
It didn't work. 
opkg update
opkg install tcpdump
tcpdump -i any tcp port 44193
Then check the port 44193/tcp from the outside while monitoring the tcpdump output.
If there's no connection attempts, then we can do nothing.
2 Likes
That is indeed a public IP. Really strange issue
1 Like
No connection attempts.I'll contact my ISP. Thank you.
2 Likes
Hello everyone,
I got it to work. I contacted my ISP and I got a static public IP address that allows port forwarding. I now control port forwards through LuCI.
Thank you all for helping me out!
3 Likes
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.