Can't get port forward or public IP or something working

I have set up everything I thought I would need to set up, but my friend and a port checker can't get a connection to a Minecraft server on port 25565. I should have a public IP from my operator, since everything worked fine on my old router. I'm using a ZTE MF-286 with the internal 4G modem for my internet.

I tried using tcpdump but I don't quite know how to use it. It would be nice to know if the connection is even reaching my router.

Many cellular based ISPs do not provide public IP addresses (some do, of course).
What are the first 2 octets of your WAN IP (bold sections: aaa.bbb.ccc.ddd)?

I know my ISP provides a public IP, as it's a thing you can enable from their website and they give a new APN to use. And it worked with my previous router, that was provided by another ISP. My IP starts with 85.76.

Ok... that is a proper public IP :slight_smile: -- it was worth verifying!

Let's see your full text config:

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

Here's /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdde:1a01:5ee0::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.0.1'
        option delegate '0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 5 0t'

config interface 'wan'
        option proto 'qmi'
        option device '/dev/cdc-wdm0'
        option auth 'none'
        option apn 'internet4'
        option pdptype 'ipv4'

And here /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option forward 'ACCEPT'
        option input 'REJECT'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'trilium'
        option src 'wan'
        option src_dport '8080'
        option dest_ip '192.168.0.149'
        option dest_port '8080'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'dfcvdfdf'
        option src 'wan'
        option src_dport '80'
        option dest_ip '192.168.0.149'
        option dest_port '8080'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'minecraft'
        option src 'wan'
        option src_dport '25565'
        option dest_ip '192.168.0.149'
        option dest_port '25565'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'ssh'
        option src 'wan'
        option src_dport '22'
        option dest_ip '192.168.0.149'
        option dest_port '22'

config rule
        option name 'minecraft'
        option src 'wan'
        option src_port '25565'
        option dest 'lan'
        list dest_ip '192.168.0.149'
        option target 'ACCEPT'

This should be a redirect rule, not a traffic rule.

That's something I added while trying to get stuff working, I removed it now through LuCI, but it didn't help.

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option forward 'ACCEPT'
        option input 'REJECT'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'trilium'
        option src 'wan'
        option src_dport '8080'
        option dest_ip '192.168.0.149'
        option dest_port '8080'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'dfcvdfdf'
        option src 'wan'
        option src_dport '80'
        option dest_ip '192.168.0.149'
        option dest_port '8080'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'minecraft'
        option src 'wan'
        option src_dport '25565'
        option dest_ip '192.168.0.149'
        option dest_port '25565'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'ssh'
        option src 'wan'
        option src_dport '22'
        option dest_ip '192.168.0.149'
        option dest_port '22'

Have you verified that the host at 192.168.0.149 is listening and ready for connections (Minecraft must be running, the local firewall on that host must allow inbound connections, etc.)?

Yes, I'm able to connect to the server just fine from the local network, so that should be no problem.

Are you using a dynamic DNS service? Have you verified that the IP has updated properly?

Check the following:

  • WAN IP as reported by OpenWrt
  • IP as reported by googling "what's my IP"
  • IP as reported by your dynamic dns: nslookup < your.dynamic.dns.address >

Do all of those match?

I do use a DDNS, and that's working correctly. I've also tried using the straight IP but that obviously doesn't work any better.

The IP reported by the WAN interface on the other hand is weird. There's two interfaces showing. WAN with protocol QMI Cellular, and WAN_4 with protocol Virtual dynamic interface (DHCP client). WAN doesn't show an IP, and WAN_4 shows one starting with 10.200. Could this be the problem?

Yes, this is an RFC1918 address, or in other words, not a public IP address. This is why I asked earlier about the IP address on your WAN. Your response earlier was that you have an address that begins with 85.76.x.y -- how did you determine that address?

The address starting with 85.76 was from typing "my ip" into DuckDuckGo. It seems the actual interface doesn't have an address? The one with QMI Cellular protocol.

This will always return a public IP address, even if you don't actually have a public IP on your actual connection.

You are almost certainly behind CG-NAT for IPv4, and therefore you will not be able to do port forwarding the simple way. You have the following options:

  • Use IPv6 if your carrier is providing you with a proper IPv6 address.
  • Ask your provider for a public IP address (you may have to pay extra for this, if it is even available).
  • Use an external VPS configuration with a public IP on that connection, then set up a VPN link from your local router to your VPS and forward the ports via the VPN.
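
The comparison this thread arrives at by hand (address on the WAN interface versus address an external "what's my IP" site reports), as an added example that is not part of the original posts. The function names are hypothetical and every address in it is a constructed sample; it also recognises the 100.64.0.0/10 shared range that carriers commonly use for CG-NAT, which the thread does not mention.

```shell
#!/bin/sh
# Added example. All addresses below are constructed sample values.

# Dotted quad -> integer; fails on malformed input.
ip_to_int() {
    case $1 in ''|*[!0-9.]*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|0?*|????*) return 1 ;; esac   # empty, leading zero, too long
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr <ip-as-int> <network> <prefix-length>
in_cidr() {
    base=$(ip_to_int "$2") || return 1
    mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
    [ $(( $1 & mask )) -eq $(( base & mask )) ]
}

classify_ipv4() {
    n=$(ip_to_int "$1") || { echo invalid; return; }
    if in_cidr "$n" 10.0.0.0 8 || in_cidr "$n" 172.16.0.0 12 ||
       in_cidr "$n" 192.168.0.0 16; then echo rfc1918
    elif in_cidr "$n" 100.64.0.0 10; then echo cgnat-shared   # RFC 6598
    elif in_cidr "$n" 0.0.0.0 8 || in_cidr "$n" 127.0.0.0 8 ||
         in_cidr "$n" 169.254.0.0 16 || in_cidr "$n" 224.0.0.0 3; then echo special
    else echo public
    fi
}

# nat_verdict <address on the WAN interface> <address an external site reports>
nat_verdict() {
    kind=$(classify_ipv4 "$1")
    case $kind in
        rfc1918|cgnat-shared) echo "behind-carrier-nat:$kind" ;;
        public) if [ "$1" = "$2" ]; then echo "direct"
                else echo "mismatch"; fi ;;   # some other NAT is in the path
        *) echo "unusable:$kind" ;;
    esac
}

# Interface shows a 10.200.x.y address while the web lookup shows a public one.
nat_verdict 10.200.1.2 203.0.113.7
# Interface and web lookup agree: IPv4 port forwards can be reached.
nat_verdict 203.0.113.7 203.0.113.7
```

Only a `direct` result means the redirect rules in /etc/config/firewall can receive inbound IPv4 connections; the first argument has to come from the router's WAN interface itself, never from a web lookup.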

Ask your provider for a public IP address (you may have to pay extra for this, if it is even available).

I have done this, and it worked with my old router. Although I can try an IPv6, I think the ISP says those are always public.

I enabled IPv6 for the WAN and did nothing else and now it works... I guess I'm not touching anything now. Thanks for helping.
