Can't do port forward

I have two private networks 192.168.31.0/24 (lan) and 172.16.0.0/24 (lan_vpn)
router is 192.168.31.1

I have a device with IP 172.16.0.240 that has port 9999 open.
I have another device with IP 192.168.31.115, and from it I want to connect to 172.16.0.240 on port 9999.

I made this rule

config redirect
	option dest 'lan_vpn'
	option target 'DNAT'
	option name 'tr'
	option src 'lan'
	option src_dport '9999'
	option dest_ip '172.16.0.240'
	option dest_port '9999'
	list proto 'tcp'

When I run `curl 192.168.31.1:9999` the connection hangs, so it looks like a connection is made but no data gets through.

curl 172.16.0.240:9091 from the router works fine

tcpdump -i br-lan-vpn port 9999

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on br-lan-vpn, link-type EN10MB (Ethernet), snapshot length 262144 bytes
20:47:05.921773 IP laptop.lan.35426 > 172.16.0.240.9999: Flags [S], seq 2309968053, win 32120, options [mss 1460,sackOK,TS val 218829279 ecr 0,nop,wscale 7], length 0
20:47:05.921961 IP 172.16.0.240.9999 > laptop.lan.35426: Flags [S.], seq 3162080214, ack 2309968054, win 28960, options [mss 1460,sackOK,TS val 17615980 ecr 218829279,nop,wscale 9], length 0
20:47:06.913003 IP 172.16.0.240.9999 > laptop.lan.35426: Flags [S.], seq 3162080214, ack 2309968054, win 28960, options [mss 1460,sackOK,TS val 17616080 ecr 218829279,nop,wscale 9], length 0
20:47:06.935850 IP laptop.lan.35426 > 172.16.0.240.9999: Flags [S], seq 2309968053, win 32120, options [mss 1460,sackOK,TS val 218830288 ecr 0,nop,wscale 7], length 0
20:47:06.935970 IP 172.16.0.240.9999 > laptop.lan.35426: Flags [S.], seq 3162080214, ack 2309968054, win 28960, options [mss 1460,sackOK,TS val 17616082 ecr 218829279,nop,wscale 9], length 0

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdf3:900a:d16a::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.31.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'wireguard'
	option proto 'wireguard'
	option private_key '(key)'
	list addresses '10.200.200.3'

config wireguard_wireguard
	option description 'ru'
	option public_key '(key)'
	option endpoint_host '55.55.55.55'
	option persistent_keepalive '25'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'

config device
	option type 'bridge'
	option name 'br-lan-vpn'
	list ports 'lan3'
	option bridge_empty '1'

config interface 'lan_vpn'
	option proto 'static'
	option device 'br-lan-vpn'
	option ipaddr '172.16.0.1'
	option netmask '255.255.255.0'

config route
	option interface 'wireguard'
	option target '0.0.0.0/0'
	option gateway '10.200.200.3'
	option table '100'

config rule
	option in 'lan_vpn'
	option src '172.16.0.240/32'
	option lookup '100'

cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option synflood_protect '1'
	option drop_invalid '1'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wg'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wireguard'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Allow wireguard out'
	option dest 'wan'
	list dest_ip '55.55.55.55'
	option dest_port '51820'
	option target 'ACCEPT'

config zone
	option name 'lan_vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan_vpn'

config forwarding
	option src 'lan_vpn'
	option dest 'wg'

config redirect
	option dest 'lan_vpn'
	option target 'DNAT'
	option name 'tr'
	option src 'lan'
	option src_dport '9999'
	option dest_ip '172.16.0.240'
	option dest_port '9999'
	list proto 'tcp'

config zone
	option name 'lan_wg'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config forwarding
	option src 'lan_wg'
	option dest 'lan_vpn'

I think you need a different rule, the same as here: Connect to jellyfin on pi from guest network - #5 by AndrewZ

I added a new rule and disabled the previous one, but nothing changed.

config rule
	option name 'my_rule'
	option src 'lan'
	option src_port '9999'
	option dest 'lan_vpn'
	list dest_ip '172.16.0.240'
	option dest_port '9999'
	option target 'ACCEPT'
	list proto 'tcp'

Where did I suggest using src_port?

I want to open the website from a browser at
192.168.31.1:9999 or 172.16.0.240:9999

You mentioned only one server initially, but if you have two servers and need to access them from a different subnet, then you will need two symmetric rules.

You have the lan network in 2 firewall zones (lan and lan_wg). It should only be in one.

I have just one server, at 172.16.0.240:9999,
and I want to reach it either via 192.168.31.1:9999 or directly at 172.16.0.240:9999.
My IP is in the 192.168.31.0/24 subnet.

I've tried a lot of variants, but no luck.
These are my current configs, but they don't help.

lan -> 192.168.31.0/24
lan_vpn -> 172.16.0.0/24


This traffic rule doesn't help.

The NAT rule doesn't help either.

Once again - remove the source port from your traffic rule.

Thank you for helping.
I removed the source port from the traffic rule,

but nothing changed.

curl 192.168.31.1:9999
curl: (7) Failed to connect to 192.168.31.1 port 9999 after 6 ms: Couldn't connect to server

image
after ~2min

curl 172.16.0.240:9999
curl: (28) Failed to connect to 172.16.0.240 port 9999 after 134381 ms: Couldn't connect to server

Any help? :confused:

Please connect to your OpenWrt device using ssh, copy the output of the following commands, and post it here using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

Thank you.

ubus call system board

{
	"kernel": "5.15.137",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "Xiaomi AX3600",
	"board_name": "xiaomi,ax3600",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "ipq807x/generic",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
}

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdf3:900a:d16a::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.31.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'wireguard'
	option proto 'wireguard'
	option private_key '(key)'
	list addresses '10.200.200.3'

config wireguard_wireguard
	option description 'ru'
	option public_key '(key)'
	option endpoint_host '1.1.1.1'
	option persistent_keepalive '25'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'

config device
	option type 'bridge'
	option name 'br-lan-vpn'
	list ports 'lan3'
	option bridge_empty '1'

config interface 'lan_vpn'
	option proto 'static'
	option device 'br-lan-vpn'
	option ipaddr '172.16.0.1'
	option netmask '255.255.255.0'

config route
	option interface 'wireguard'
	option target '0.0.0.0/0'
	option gateway '10.200.200.3'
	option table '100'

config rule
	option in 'lan_vpn'
	option src '172.16.0.240/32'
	option lookup '100'

cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option synflood_protect '1'
	option drop_invalid '1'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wg'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wireguard'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Allow wireguard out'
	option dest 'wan'
	list dest_ip '1.1.1.1'
	option dest_port '51820'
	option target 'ACCEPT'

config zone
	option name 'lan_vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan_vpn'

config forwarding
	option src 'lan_vpn'
	option dest 'wg'

config forwarding
	option src 'lan_vpn'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'lan_vpn'

config redirect
	option dest 'lan_vpn'
	option target 'DNAT'
	option name 'ttt'
	option src 'lan'
	option src_dport '9999'
	option dest_ip '172.16.0.240'
	option dest_port '9999'
	option enabled '0' <---- DISABLED

config rule
	option name 'my_rule'
	option src 'lan'
	option dest 'lan_vpn'
	list dest_ip '172.16.0.240'
	option dest_port '9999'
	option target 'ACCEPT'
	list proto 'tcp'

config redirect
	option dest 'lan_vpn'
	option target 'DNAT'
	option src 'lan'
	option src_dport '9999'
	option dest_ip '172.16.0.240'
	option dest_port '9999'
	option enabled '0' <---- DISABLED

config nat
	option src 'lan_vpn'
	option dest_ip '172.16.0.240'
	option target 'MASQUERADE'
	list proto 'all'
	option enabled '0' <---- DISABLED

Given that the source is the lan and the destination is the lan_vpn, you don't need port forwarding. Just basic inter-zone forwarding, as you have here:

What is the operating system of the host that is at 172.16.0.240?

What is the operating system of the host that is at 172.16.0.240?

172.16.0.240 is a Linux container; its host (172.16.0.250) is a QNAP server.

From OpenWrt I can ping both IPs, .240 and .250.

The router's local IPs are 192.168.31.1 and 172.16.0.1.

ping 172.16.0.240
PING 172.16.0.240 (172.16.0.240): 56 data bytes
64 bytes from 172.16.0.240: seq=0 ttl=64 time=0.397 ms

ping 172.16.0.250
PING 172.16.0.250 (172.16.0.250): 56 data bytes
64 bytes from 172.16.0.250: seq=0 ttl=64 time=0.371 m

I have this forwarding rule, but it doesn't help:

config forwarding
	option src 'lan'
	option dest 'lan_vpn'

I can't ping 172.16.0.240 from 192.168.31.100,
but pinging 172.16.0.250 works.

ping 172.16.0.250
PING 172.16.0.250 (172.16.0.250) 56(84) bytes of data.
64 bytes from 172.16.0.250: icmp_seq=1 ttl=63 time=2.52 ms

ping 172.16.0.240
PING 172.16.0.240 (172.16.0.240) 56(84) bytes of data.
^C
--- 172.16.0.240 ping statistics ---
22 packets transmitted, 0 received, 100% packet loss, time 21279ms

Check your Linux container's local firewall configuration (and/or the supervisor/hypervisor and the host OS for that container -- especially if it is a Windows host OS). It may well be restricting connections originating from other subnets.

As far as I can see, nothing is blocked:

iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

Why can I ping from 192.168.31.1 but not from 192.168.31.100?

Because this is your router, and your router is actually pinging from its own address on that network (172.16.0.1). The difference matters because of the `config rule` in /etc/config/network with `option src '172.16.0.240/32'` and `option lookup '100'`: every packet the router receives from .240 is routed by table 100, whose only entry is the default route via wireguard, so replies addressed to 192.168.31.x are most likely being sent into the tunnel instead of back to br-lan (the repeated, unanswered SYN-ACKs in your tcpdump fit that), while replies to 172.16.0.1 still work because the router's own addresses are matched by the local table before that rule is consulted.